Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Additional filters registered when using Custom DSL #13203

Closed
bwgjoseph opened this issue May 21, 2023 · 3 comments
Closed

Additional filters registered when using Custom DSL #13203

bwgjoseph opened this issue May 21, 2023 · 3 comments
Assignees
@marcusdacoregio
Labels
in: config An issue in spring-security-config type: bug A general bug
Milestone
5.7.9

Comments

@bwgjoseph
Copy link

I'm using

  • Spring Boot 2.7.12
  • Spring Security 5.8.3

(I did test with Spring Boot 3.1.0, and I am facing the same issue)

Describe the bug
While playing around with Custom DSL, I noticed 2 additional filters are being applied when using custom dsl.

  • DefaultLoginPageGeneratingFilter
  • DefaultLogoutPageGeneratingFilter

Not exactly sure if this is intended behavior, but I thought it shouldn't be?

To Reproduce
Here's the following code

@Configuration(proxyBeanMethods = false)
@EnableWebSecurity(debug = true)
public class WebSecurityConfig {
    @Bean
    public SecurityFilterChain docsFilterChain(HttpSecurity http) throws Exception {
        return http
            // .apply(DummyDsl.dummyDsl())
            // .and()
            .build();
    }
}

public class DummyDsl extends AbstractHttpConfigurer<DummyDsl, HttpSecurity> {
    @Override
    public void init(HttpSecurity http) throws Exception {
        http.formLogin(AbstractHttpConfigurer::disable);
    }

    public static DummyDsl dummyDsl() {
        return new DummyDsl();
    }
}

When custom dsl is not applied, this is the filter chain

Security filter chain: [
  DisableEncodeUrlFilter
  WebAsyncManagerIntegrationFilter
  SecurityContextHolderFilter
  HeaderWriterFilter
  CsrfFilter
  LogoutFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  ExceptionTranslationFilter
]

But when it is being applied, this is the filter chain

Security filter chain: [
  DisableEncodeUrlFilter
  WebAsyncManagerIntegrationFilter
  SecurityContextHolderFilter
  HeaderWriterFilter
  CsrfFilter
  LogoutFilter
  DefaultLoginPageGeneratingFilter
  DefaultLogoutPageGeneratingFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  ExceptionTranslationFilter
]

Expected behavior
I should expect that the filter chain should be same across both setup, unless I am missing something (I hope not)?

Sample
You can find the reproduce over at spring-security-custom-dsl-bug

Additional Notes

As the docs isn't very explicit, but can I assume that the custom dsl is used for, or at least, can be used for the purpose of having a common configuration that can be re-use in different SecurityFilterChain?
@bwgjoseph bwgjoseph added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels May 21, 2023
@marcusdacoregio marcusdacoregio self-assigned this May 25, 2023
@marcusdacoregio marcusdacoregio added in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged labels May 25, 2023
@marcusdacoregio marcusdacoregio mentioned this issue May 26, 2023
Merged
@marcusdacoregio
Copy link
Contributor

Hi @bwgjoseph, thanks for the report.

That is not the expected behavior, since you disabled formLogin() there should be no DefaultLoginPageGeneratingFilter in place. The problem is that the builder's init() method invokes your custom DSL and the DSL adds the FormLoginConfigurer to the configurers list. Since the buildState is INITIALIZING, it also adds the FormLoginConfigurer to the configurersAddedInInitializing list, see https://github.com/spring-projects/spring-security/blob/9ec3e80e15c709502633447beeef36f957e2c4e4/config/src/main/java/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java#L191C32-L193.

When you invoke disable(), the AbstractConfiguredSecurityBuilder#removeConfigurer is invoked removing that configurer from the configurers list, but not removed from the configurersAddedInInitializing list.
And then, the FormLoginConfigurer is initialized here

spring-security/config/src/main/java/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java

Line 341 in 9ec3e80

configurer.init((B) this);
, setting the DefaultLoginPageGeneratingFilter#formLoginEnabled to true.

I believe that when a configurer is removed, it should be removed from both lists. That said, I opened #13235 to fix that.

@bwgjoseph
Copy link
Author

Thanks for the fix and explanation!

With what you have explained, I imagine that this should fix for anything that I configure (to disable) from customdsl.init() as well.

Also, in case you missed it, can I use custom-dsl as a way to provide as common configuration among/across different SecurityFilterChain?

@marcusdacoregio
Copy link
Contributor

Also, in case you missed it, can I use custom-dsl as a way to provide as common configuration among/across different SecurityFilterChain?

Yes, you can. You can also make the Custom DSL to be picked up by HttpSecurity by adding it to the spring.factories file.

marcusdacoregio added a commit to marcusdacoregio/spring-security that referenced this issue Jun 1, 2023
@marcusdacoregio
Does not apply a Configurer when disabled from another DSL
f797c7e 
Closes spring-projectsgh-13203
@marcusdacoregio marcusdacoregio mentioned this issue Jun 5, 2023
Closed
@marcusdacoregio marcusdacoregio added this to the 5.7.9 milestone Jun 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marcusdacoregio marcusdacoregio

Labels
in: config An issue in spring-security-config type: bug A general bug
Projects
Spring Security Team
Status: Done
Milestone
5.7.9
Development

No branches or pull requests
2 participants
@marcusdacoregio @bwgjoseph