GH-441 - Adapt to changes in Spring Security.

We need to use a MvcRequestMatcher now to avoid problems if multiple servlets are deployed (in case of H2 for example). spring-projects/spring-security#13568 (comment)
st-tu-dresden · Sep 12, 2023 · f5acb2e · f5acb2e
1 parent 467cce8
commit f5acb2e
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 7 deletions.
diff --git a/src/main/java/org/salespointframework/SalespointWebSecurityConfiguration.java b/src/main/java/org/salespointframework/SalespointWebSecurityConfiguration.java
@@ -24,6 +24,8 @@
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 
 /**
  * Basic Salespoint security configuration setting up the {@link AuthenticationManagerBuilder} to work with the
@@ -38,11 +40,17 @@ class SalespointWebSecurityConfiguration {
 
 	@Bean
 	@ConditionalOnWebApplication
-	SecurityFilterChain filterChain(HttpSecurity security) throws Exception {
+	MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
+		return new MvcRequestMatcher.Builder(introspector).servletPath("/");
+	}
+
+	@Bean
+	@ConditionalOnWebApplication
+	SecurityFilterChain filterChain(HttpSecurity security, MvcRequestMatcher.Builder mvc) throws Exception {
 
 		return security
 				.userDetailsService(userDetailsService)
-				.authorizeHttpRequests(http -> http.requestMatchers("/resources/**").permitAll())
+				.authorizeHttpRequests(http -> http.requestMatchers(mvc.pattern("/resources/**")).permitAll())
 				.build();
 	}
 }
diff --git a/src/test/java/example/ExampleControllerIntegrationTests.java b/src/test/java/example/ExampleControllerIntegrationTests.java
@@ -27,8 +27,10 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.web.client.RestTemplate;
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 
 /**
  * Integration tests for sample components.
@@ -51,16 +53,19 @@ class ExampleControllerIntegrationTests {
 	static class Config {
 
 		@Bean
-		SecurityFilterChain testSecurity(HttpSecurity security) throws Exception {
+		SecurityFilterChain testSecurity(HttpSecurity security, HandlerMappingIntrospector introspector) throws Exception {
 
-			return security.csrf().disable()
-					.authorizeHttpRequests().requestMatchers("/**").permitAll()
-					.and().build();
+			var mvc = new MvcRequestMatcher.Builder(introspector);
+
+			return security
+					.authorizeHttpRequests(it -> it.requestMatchers(mvc.pattern("/**")).permitAll()
+							.anyRequest().authenticated())
+					.csrf(it -> it.disable())
+					.build();
 		}
 	}
 
 	@Test // #72
-	@SuppressWarnings("resource")
 	void usesUtf8ToDecodePayload() {
 
 		var template = new RestTemplate();