diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java index 1f24c4086e2..9ee138554d0 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java @@ -110,7 +110,6 @@ public void configure(H http) { AuthorizationManager authorizationManager = this.registry.createAuthorizationManager(); AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager); authorizationFilter.setAuthorizationEventPublisher(this.publisher); - authorizationFilter.setShouldFilterAllDispatcherTypes(this.registry.shouldFilterAllDispatcherTypes); authorizationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy()); http.addFilter(postProcess(authorizationFilter)); } @@ -144,8 +143,6 @@ public final class AuthorizationManagerRequestMatcherRegistry private int mappingCount; - private boolean shouldFilterAllDispatcherTypes = true; - private AuthorizationManagerRequestMatcherRegistry(ApplicationContext context) { setApplicationContext(context); } @@ -191,36 +188,6 @@ public AuthorizationManagerRequestMatcherRegistry withObjectPostProcessor( return this; } - /** - * Sets whether all dispatcher types should be filtered. - * @param shouldFilter should filter all dispatcher types. Default is {@code true} - * @return the {@link AuthorizationManagerRequestMatcherRegistry} for further - * customizations - * @since 5.7 - * @deprecated Permit access to the {@link jakarta.servlet.DispatcherType} - * instead.
-		 * @Configuration
-		 * @EnableWebSecurity
-		 * public class SecurityConfig {
-		 *
-		 * 	@Bean
-		 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-		 * 		http
-		 * 		 	.authorizeHttpRequests((authorize) -> authorize
-		 * 				.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
-		 * 			 	// ...
-		 * 		 	);
-		 * 		return http.build();
-		 * 	}
-		 * }
-		 * 
- */ - @Deprecated(since = "6.1", forRemoval = true) - public AuthorizationManagerRequestMatcherRegistry shouldFilterAllDispatcherTypes(boolean shouldFilter) { - this.shouldFilterAllDispatcherTypes = shouldFilter; - return this; - } - } /** diff --git a/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt b/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt index 5488dd0289f..9f2f8564ec9 100644 --- a/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt +++ b/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -41,27 +41,8 @@ import java.util.function.Supplier * * @author Yuriy Savchenko * @since 5.7 - * @property shouldFilterAllDispatcherTypes whether the [AuthorizationFilter] should filter all dispatcher types */ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl { - @Deprecated(""" - Add authorization rules to DispatcherType directly. - - @Configuration - @EnableWebSecurity - public class SecurityConfig { - @Bean - public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { - http - .authorizeHttpRequests((authorize) -> authorize - .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() - // ... - ); - return http.build(); - } - } - """) - var shouldFilterAllDispatcherTypes: Boolean? = null private val authorizationRules = mutableListOf() private val rolePrefix: String 
@@ -291,9 +272,6 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl { } } } - shouldFilterAllDispatcherTypes?.also { shouldFilter -> - requests.shouldFilterAllDispatcherTypes(shouldFilter) - } } } diff --git a/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java b/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java index 69245d6bac1..cffc0e090ee 100644 --- a/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java +++ b/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -337,28 +337,6 @@ public void requestWhenUsingFilterAllDispatcherTypesAndAuthorizationManagerThenA assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull(); } - @Test - public void requestWhenUsingFilterAllDispatcherTypesFalseThenAuthorizesRequestsAccordingly() throws Exception { - this.spring.configLocations(this.xml("FilterAllDispatcherTypesFalse")).autowire(); - // @formatter:off - this.mvc.perform(get("/path").with(userCredentials())) - .andExpect(status().isOk()); - this.mvc.perform(get("/path").with(adminCredentials())) - .andExpect(status().isForbidden()); - this.mvc.perform(get("/error").with((request) -> { - request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error"); - request.setDispatcherType(DispatcherType.ERROR); - return request; - })).andExpect(status().isOk()); - this.mvc.perform(get("/path").with((request) -> { - request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/path"); - request.setDispatcherType(DispatcherType.ERROR); - return request; - })).andExpect(status().isOk()); - // @formatter:on - assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull(); - } - private static RequestPostProcessor adminCredentials() { return httpBasic("admin", "password"); } diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt index 87adfeb9e54..fba0a28e547 100644 --- a/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt +++ b/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -44,6 +44,7 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.* import org.springframework.security.web.SecurityFilterChain import org.springframework.security.web.access.intercept.RequestAuthorizationContext +import org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher import org.springframework.security.web.util.matcher.RegexRequestMatcher import org.springframework.test.web.servlet.MockMvc import org.springframework.test.web.servlet.get @@ -632,7 +633,6 @@ class AuthorizeHttpRequestsDslTests { open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { http { authorizeHttpRequests { - shouldFilterAllDispatcherTypes = true authorize(anyRequest, denyAll) } } @@ -671,7 +671,6 @@ class AuthorizeHttpRequestsDslTests { open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { http { authorizeHttpRequests { - shouldFilterAllDispatcherTypes = true authorize(anyRequest, permitAll) } } @@ -710,7 +709,8 @@ class AuthorizeHttpRequestsDslTests { open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { http { authorizeHttpRequests { - shouldFilterAllDispatcherTypes = false + authorize(DispatcherTypeRequestMatcher(DispatcherType.ERROR), permitAll) + authorize(DispatcherTypeRequestMatcher(DispatcherType.ASYNC), permitAll) authorize(anyRequest, denyAll) } } 
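Review bot: In the last hunk on this line (`@@ -710,7 +709,8 @@`), the two `permitAll` rules for `DispatcherType.ERROR` and `DispatcherType.ASYNC` reproduce only part of what `shouldFilterAllDispatcherTypes = false` did. The setter removed from AuthorizationFilter in this same commit also set `observeOncePerRequest = !shouldFilterAllDispatcherTypes`, so the old configuration skipped the filter for those dispatches instead of authorizing them through a permissive rule. Whether the test depends on that is not visible, because the test method and the enclosing config class start and end outside the hunk. A short comment would keep the intent readable, for example `// replaces shouldFilterAllDispatcherTypes = false: ERROR and ASYNC dispatches are permitted by rule, everything else is denied`. The two rules also have to stay ahead of `authorize(anyRequest, denyAll)`, which is worth stating in the same comment because this snippet is likely to be copied as the migration pattern.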
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-FilterAllDispatcherTypesFalse.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-FilterAllDispatcherTypesFalse.xml deleted file mode 100644 index f3c09d2a9dd..00000000000 --- a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-FilterAllDispatcherTypesFalse.xml +++ /dev/null @@ -1,55 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java b/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java index cdda331115d..3fb99fe6de9 100644 --- a/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java +++ b/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java @@ -163,36 +163,6 @@ public AuthorizationManager getAuthorizationManager() { return this.authorizationManager; } - /** - * Sets whether to filter all dispatcher types. - * @param shouldFilterAllDispatcherTypes should filter all dispatcher types. Default - * is {@code true} - * @since 5.7 - * @deprecated Permit access to the {@link jakarta.servlet.DispatcherType} instead. - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class SecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 		 	.authorizeHttpRequests((authorize) -> authorize
-	 * 				.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
-	 * 			 	// ...
-	 * 		 	);
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- */ - @Deprecated(since = "6.1", forRemoval = true) - public void setShouldFilterAllDispatcherTypes(boolean shouldFilterAllDispatcherTypes) { - this.observeOncePerRequest = !shouldFilterAllDispatcherTypes; - this.filterErrorDispatch = shouldFilterAllDispatcherTypes; - this.filterAsyncDispatch = shouldFilterAllDispatcherTypes; - } - public boolean isObserveOncePerRequest() { return this.observeOncePerRequest; } diff --git a/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java b/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java index 62f217d2325..7f2aa32953b 100644 --- a/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java @@ -210,7 +210,9 @@ public void doFilterWhenErrorThenDoFilter() throws Exception { public void doFilterWhenErrorAndShouldFilterAllDispatcherTypesFalseThenDoNotFilter() throws Exception { AuthorizationManager authorizationManager = mock(AuthorizationManager.class); AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager); - authorizationFilter.setShouldFilterAllDispatcherTypes(false); + authorizationFilter.setObserveOncePerRequest(true); + authorizationFilter.setFilterErrorDispatch(false); + authorizationFilter.setFilterAsyncDispatch(false); MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path"); mockRequest.setDispatcherType(DispatcherType.ERROR); mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
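Review bot: The test in the last hunk (`@@ -210,7 +210,9 @@`) is still named `doFilterWhenErrorAndShouldFilterAllDispatcherTypesFalseThenDoNotFilter`, although the setter that name refers to is removed by this commit. A name built on what is now configured, such as `doFilterWhenErrorAndFilterErrorDispatchFalseThenDoNotFilter`, would keep it findable. The three replacement calls reproduce the state the removed setter produced for `false`, but for an ERROR dispatch only `setFilterErrorDispatch(false)` looks relevant. If the other two are kept for parity, say so in a comment: `// same state the removed setShouldFilterAllDispatcherTypes(false) produced`. The test method's body runs past the end of the hunk, so the assertions were not reviewed.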