AnonymousConfigurer not work using Custom DSL
shihyuho opened this issue · comments
I'm using
- Spring Boot 3.2.5
- Spring Security 6.2.4
Describe the bug
While playing around with Custom DSL, I noticed adding an anonymous configurer does not work
To Reproduce
```java
@Configuration
@EnableWebSecurity
public class Config {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .with(new MyCustomDsl(), withDefaults())
            .build();
    }
}

public class MyCustomDsl extends AbstractHttpConfigurer<MyCustomDsl, HttpSecurity> {

    @Override
    public void init(HttpSecurity http) throws Exception {
        http.anonymous(anonymous -> anonymous.principal("myAnonymousUser"));
    }
}
```
Expected behavior
I expected the anonymous principal to be myAnonymousUser, but the actual result was anonymousUser, which is the default name set by AnonymousConfigurer.
Sample
https://github.com/shihyuho/anonymous-configurer-issue
Additional Notes
Upon tracing the code, the reason appears to be:
In HttpSecurityConfiguration, .anonymous(withDefaults()) is already applied once when the HttpSecurity instance is created, and the authenticationFilter is initialized in the init method of AnonymousConfigurer.
As a result, although the principal can still be changed later by the custom DSL, the filter is not recreated, which prevents the change from taking effect.
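For reference, here is how a custom DSL can replace the pre-registered AnonymousConfigurer rather than mutate it. This is an added example, not code from the issue or from Spring Security; it assumes (unconfirmed in this thread) that HttpSecurity.removeConfigurer() discards the instance registered by HttpSecurityConfiguration and that a configurer applied during init() is still initialized afterwards, so the filter is built from the new principal.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.AnonymousConfigurer;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Hypothetical DSL: swaps the default AnonymousConfigurer for a fresh one
 * so that AnonymousAuthenticationFilter is created with the desired principal.
 */
public class ReplacingAnonymousDsl extends AbstractHttpConfigurer<ReplacingAnonymousDsl, HttpSecurity> {

    private final String principal;

    public ReplacingAnonymousDsl(String principal) {
        this.principal = principal;
    }

    @Override
    @SuppressWarnings("unchecked")
    public void init(HttpSecurity http) throws Exception {
        // Assumption: the configurer added by HttpSecurityConfiguration has already
        // built its filter by the time this DSL runs, so mutating it has no effect.
        // Removing it prevents that stale filter from being installed.
        http.removeConfigurer(AnonymousConfigurer.class);

        // Assumption: re-applying during init() registers a new configurer whose
        // own init() runs afterwards and builds the filter from these values.
        http.anonymous(anonymous -> anonymous.principal(this.principal));
    }
}

@Configuration
@EnableWebSecurity
class ReplacingAnonymousConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .with(new ReplacingAnonymousDsl("myAnonymousUser"), Customizer.withDefaults())
            .build();
    }
}
```

Whether the resulting principal is myAnonymousUser can be checked the same way as in the linked sample project.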
I think to modify the added Configurer, you need to modify it before building, like so:

```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
        .anonymous(anonymous -> anonymous.principal("myAnonymousUser"))
        .with(new MyCustomDsl(), withDefaults())
        .build();
}
```
Thank you for your suggestion @kse-music , but this is not what I am looking for. The document mentions that it is possible to add other configurers to a custom DSL:
Therefore, I'm planning to design some custom DSLs targeted at our common scenarios, providing a quick configuration to configure HttpSecurity for developers.
If the init method of the custom Configurer supports modifying the configuration of a Configurer that has already been added to HttpSecurity, can I understand that, because the custom Configurer is initialized last, this will cause inconsistent behavior between the init method and the configure method? For example, like so:
```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
        .with(new MyCustomDsl(), withDefaults())
        .build();
}

static class MyCustomDsl extends AbstractHttpConfigurer<MyCustomDsl, HttpSecurity> {

    @Override
    public void init(HttpSecurity http) throws Exception {
        http.sessionManagement(c -> c.enableSessionUrlRewriting(true).sessionCreationPolicy(SessionCreationPolicy.STATELESS));
    }
}
```
When the SessionManagementConfigurer initializes, the variables are enableSessionUrlRewriting = false and sessionPolicy = IF_REQUIRED in the init method, but enableSessionUrlRewriting = true and sessionPolicy = STATELESS in the configure method.
I think there are still some Configurers like this.
@jzheaux I don't know whether what I understand is right?