spring-projects / spring-security

Spring Security

Home Page:http://spring.io/projects/spring-security

AnonymousConfigurer does not work using Custom DSL

shihyuho opened this issue · comments

I'm using

  • Spring Boot 3.2.5
  • Spring Security 6.2.4

Describe the bug

While playing around with Custom DSL, I noticed that adding an anonymous configurer does not work.

To Reproduce

import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class Config {
  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
      .with(new MyCustomDsl(), withDefaults())
      .build();
  }
}

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;

public class MyCustomDsl extends AbstractHttpConfigurer<MyCustomDsl, HttpSecurity> {

  @Override
  public void init(HttpSecurity http) throws Exception {
    // Runs after AnonymousConfigurer.init, so the principal change arrives too late
    http.anonymous(anonymous -> anonymous.principal("myAnonymousUser"));
  }
}

Expected behavior

I expected the anonymous principal to be myAnonymousUser, but the actual result was anonymousUser, which is the default name set by AnonymousConfigurer.

Sample

https://github.com/shihyuho/anonymous-configurer-issue

Additional Notes

Upon tracing the code, the reason appears to be:

In HttpSecurityConfiguration, .anonymous(withDefaults()) is already applied once when the HttpSecurity instance is created, and in the init method of AnonymousConfigurer the authenticationFilter is initialized.

As a result, although the principal can still be changed later by the custom DSL, the filter is not recreated, which prevents the change from taking effect.
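A way to catch this class of silently ignored configuration, added here as an example (it is not code from the issue or from the Spring Security project): a Spring Boot test that builds the filter chain from the Config above and inspects the AnonymousAuthenticationFilter that actually ends up in the chain, rather than the configurer that was called. With the reported configuration the assertion fails, because the filter still carries the default principal anonymousUser. The test class name and the use of @SpringBootTest are assumptions.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;

// Added example; assumes the Config and MyCustomDsl classes from the report
// are part of the application under test.
@SpringBootTest
class AnonymousPrincipalTest {

    @Autowired
    SecurityFilterChain filterChain;

    @Test
    void customDslPrincipalIsAppliedToTheBuiltFilter() {
        // Inspect the filter that was actually built. AnonymousConfigurer.init
        // creates the filter from the principal known at that moment, so a
        // principal set by a later configurer is never copied into it.
        AnonymousAuthenticationFilter anonymousFilter = filterChain.getFilters().stream()
                .filter(AnonymousAuthenticationFilter.class::isInstance)
                .map(AnonymousAuthenticationFilter.class::cast)
                .findFirst()
                .orElseThrow(() -> new AssertionError("no AnonymousAuthenticationFilter in chain"));

        // Fails with the reported Config (the principal is still "anonymousUser");
        // passes once the principal is set before the custom DSL is applied.
        assertEquals("myAnonymousUser", anonymousFilter.getPrincipal());
    }
}
```

The same pattern (locate the concrete filter in the built chain and assert on its public getters) works as a regression test for any DSL change whose effect is decided at init time.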

I think that to modify an already added Configurer, you need to modify it before building, like so:

  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
      .anonymous(anonymous -> anonymous.principal("myAnonymousUser"))
      .with(new MyCustomDsl(), withDefaults())
      .build();
  }

Thank you for your suggestion @kse-music, but this is not what I am looking for. The documentation mentions that it is possible to add other configurers to a custom DSL:

[image: screenshot of the Custom DSL documentation]

Therefore, I'm planning to design some custom DSLs targeted at our common scenarios, providing a quick configuration to configure HttpSecurity for developers.

If the init method of a custom Configurer is supposed to support modifying the configuration of a Configurer that has already been added to HttpSecurity, can I take it that, because the custom Configurer is initialized last, this causes inconsistent behavior between the init method and the configure method? For example:

  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
      .with(new MyCustomDsl(), withDefaults())
      .build();
  }

  static class MyCustomDsl extends AbstractHttpConfigurer<MyCustomDsl, HttpSecurity> {

    @Override
    public void init(HttpSecurity http) throws Exception {
      // SessionManagementConfigurer.init has already run with the default values
      http.sessionManagement(c -> c.enableSessionUrlRewriting(true)
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS));
    }

  }

When SessionManagementConfigurer initializes, in the init method the variables are enableSessionUrlRewriting = false and sessionPolicy = IF_REQUIRED, but in the configure method they are enableSessionUrlRewriting = true and sessionPolicy = STATELESS.

I think there are still some Configurers like this.

@jzheaux I don't know if what I understand is right?