This commit updates Servlet based Spring Security auto-configuration to use AuthorizationFilter, which is intended to supersede FilterSecurityInterceptor.
See note in Authorize HttpServletRequests with AuthorizationFilter section of Spring Security's reference manual.
Note that SampleActuatorCustomSecurityApplicationTests#testInsecureApplicationPath fails after migrating to the new authorization model, meaning further changes might be needed in either Spring Boot or Spring Security.
Comment From: vpavic
This is effectively blocked on the following issue in Spring Security:
- spring-projects/spring-security#11337
I'll keep the PR in draft state until there's some update.
Comment From: wilkinsona
Thanks, @vpavic. I've subscribed to https://github.com/spring-projects/spring-security/issues/11337. We can take a more in-depth look at this once the Security team have taken a look. Josh should be back in the office next week.
Comment From: wilkinsona
https://github.com/spring-projects/spring-security/issues/11360 is now tracking some additions to Spring Security that close some gaps in the functionality offered by AuthorizationFilter.
Comment From: vpavic
With spring-projects/spring-security#11360 resolved, this is now ready for review but at the same time apparently blocked by #31703.
@wilkinsona, note that I had to undo some of your changes from 4bd3534b as there's no #filterSecurityInterceptorOncePerRequest available on the new authorizeHttpRequests DSL. Judging by where you had to apply those, I'm now seeing the same test failures as you did when building this PR:
Found test failures in 2 test tasks:
:spring-boot-tests:spring-boot-smoke-tests:spring-boot-smoke-test-web-method-security:test
smoketest.security.method.SampleMethodSecurityApplicationTests > testManagementProtected()
:spring-boot-tests:spring-boot-smoke-tests:spring-boot-smoke-test-web-secure:test
smoketest.web.secure.CustomContextPathErrorPageTests > testPublicNotFoundPage()
smoketest.web.secure.CustomServletPathErrorPageTests > testPublicNotFoundPage()
smoketest.web.secure.ErrorPageTests > testPublicNotFoundPage()
smoketest.web.secure.NoSessionErrorPageTests > testCorrectCredentialsWithControllerException()
smoketest.web.secure.NoSessionErrorPageTests > testPublicNotFoundPage()
smoketest.web.secure.NoSessionErrorPageTests > testPublicNotFoundPageWithCorrectCredentials()
Comment From: wilkinsona
Thanks, @vpavic. We'll have a chat with the Security team.
Comment From: vpavic
@wilkinsona I believe this should now be ready, meaning I don't think my observation about this being blocked by #31703 was valid.
I've taken a closer look at FilterSecurityInterceptor vs AuthorizationFilter and the latter should have once-per-request semantics by default as it extends OncePerRequestFilter. However, it also filters all dispatch types by default, which I disabled (note the second commit). That uncovered one issue with tests, but now everything should build cleanly.
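For readers following the migration discussed in this comment, the following is an added example (not code from the Spring Boot PR or from Spring Security) of a SecurityFilterChain written against the newer authorizeHttpRequests DSL, which is backed by AuthorizationFilter, with the "filter all dispatcher types" behaviour switched off as the comment describes. It assumes the Spring Security 5.8 / 6.0 API (where the registry exposes shouldFilterAllDispatcherTypes); the package and class names are placeholders.

```java
package example.security; // assumed package name, not from the PR

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example: the authorizeHttpRequests DSL (AuthorizationFilter) used in place of
 * the older authorizeRequests DSL (FilterSecurityInterceptor).
 * Assumes the Spring Security 5.8 / 6.0 API.
 */
@Configuration(proxyBeanMethods = false)
public class AuthorizationFilterSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Old model, shown for comparison only. FilterSecurityInterceptor observes
        // once-per-request semantics by default, so a request is authorized a single time:
        //   http.authorizeRequests((requests) -> requests.anyRequest().authenticated());

        // New model. AuthorizationFilter also runs once per request, but by default it
        // authorizes every dispatcher type, not only the initial REQUEST dispatch.
        http.authorizeHttpRequests((requests) -> requests
                // Restore the FilterSecurityInterceptor-like behaviour the comment describes:
                // ERROR and ASYNC dispatches of an already-authorized request (for example the
                // container's ERROR dispatch to Boot's /error page) are not authorized again.
                .shouldFilterAllDispatcherTypes(false)
                .anyRequest().authenticated());
        http.formLogin(Customizer.withDefaults());
        http.httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

The only line that differs from a straight DSL rename is shouldFilterAllDispatcherTypes(false); leaving it at the default means an unauthenticated request that is dispatched to the error page gets authorized a second time on the ERROR dispatch, which is the behaviour change the comment's "second commit" backs out.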
Comment From: vpavic
The FilterSecurityInterceptor vs AuthorizationFilter remarks from the previous comment have been confirmed by the Security team in https://github.com/spring-projects/spring-security/issues/11337#issuecomment-1195804349.
Comment From: wilkinsona
Great stuff. Thanks, @vpavic.
Comment From: vpavic
Is there anything preventing this from making it into today's 3.0.0-M5 release?
Comment From: wilkinsona
Nothing other than the team being short on time. We'll see what we can do.
Comment From: vpavic
Got it.
I updated the PR to pick up the current main.
Update: I just spotted a couple of new usages of the old authorization DSL that have emerged since this PR was last touched.
Comment From: wilkinsona
Thanks very much, @vpavic.