
Commit 1243d13

committed
Merge branch '6.0.x'
Closes gh-12593
2 parents fa9c7fb + c3563df commit 1243d13


2 files changed

+45
-2
lines changed

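--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
@@ -56,7 +56,9 @@
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.debug.DebugFilter;
+import org.springframework.security.web.firewall.CompositeRequestRejectedHandler;
 import org.springframework.security.web.firewall.HttpFirewall;
+import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
 import org.springframework.security.web.firewall.ObservationMarkingRequestRejectedHandler;
 import org.springframework.security.web.firewall.RequestRejectedHandler;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
@@ -309,8 +311,10 @@ protected Filter performBuild() throws Exception {
 filterChainProxy.setRequestRejectedHandler(this.requestRejectedHandler);
 }
 else if (!this.observationRegistry.isNoop()) {
-filterChainProxy
-.setRequestRejectedHandler(new ObservationMarkingRequestRejectedHandler(this.observationRegistry));
+CompositeRequestRejectedHandler requestRejectedHandler = new CompositeRequestRejectedHandler(
+new ObservationMarkingRequestRejectedHandler(this.observationRegistry),
+new HttpStatusRequestRejectedHandler());
+filterChainProxy.setRequestRejectedHandler(requestRejectedHandler);
 }
 filterChainProxy.setFilterChainDecorator(getFilterChainDecorator());
 filterChainProxy.afterPropertiesSet();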
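Review bot: The new local `requestRejectedHandler` in the `else if` branch shadows the field `this.requestRejectedHandler` that the branch just above installs, and nothing on these lines says why `HttpStatusRequestRejectedHandler` has to be part of the composite. Since `setRequestRejectedHandler` replaces whatever handler `FilterChainProxy` would otherwise use, a later cleanup that drops the second delegate would presumably leave firewall-rejected requests without the 400 response the accompanying tests expect. I would rename the local (for example `observationAwareHandler`) and add a comment such as `// ObservationMarkingRequestRejectedHandler only marks the observation; HttpStatusRequestRejectedHandler sends the error status`. The custom-handler branch still installs the user's handler on its own, so with an operational registry those rejections are apparently not marked on the observation; if that is intended, it deserves a line in the Javadoc. `performBuild` begins and ends outside this hunk.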

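--- a/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java
@@ -18,6 +18,8 @@
 
 import java.io.IOException;
 
+import io.micrometer.observation.ObservationRegistry;
+import io.micrometer.observation.ObservationTextPublisher;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletResponse;
 import org.junit.jupiter.api.AfterEach;
@@ -104,13 +106,32 @@ public void ignoringMvcMatcher() throws Exception {
 
 @Test
 public void requestRejectedHandlerInvoked() throws ServletException, IOException {
+loadConfig(DefaultConfig.class);
+this.request.setServletPath("/spring");
+this.request.setRequestURI("/spring/\u0019path");
+this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
+}
+
+@Test
+public void customRequestRejectedHandlerInvoked() throws ServletException, IOException {
 loadConfig(RequestRejectedHandlerConfig.class);
 this.request.setServletPath("/spring");
 this.request.setRequestURI("/spring/\u0019path");
 this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
 assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
 }
 
+// gh-12548
+@Test
+public void requestRejectedHandlerInvokedWhenOperationalObservationRegistry() throws ServletException, IOException {
+loadConfig(ObservationRegistryConfig.class);
+this.request.setServletPath("/spring");
+this.request.setRequestURI("/spring/\u0019path");
+this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
+}
+
 @Test
 public void ignoringMvcMatcherServletPath() throws Exception {
 loadConfig(MvcMatcherServletPathConfig.class, LegacyMvcMatchingConfig.class);
@@ -143,6 +164,11 @@ public void loadConfig(Class<?>... configs) {
 this.context.getAutowireCapableBeanFactory().autowireBean(this);
 }
 
+@EnableWebSecurity
+static class DefaultConfig {
+
+}
+
 @EnableWebSecurity
 @Configuration
 @EnableWebMvc
@@ -243,4 +269,17 @@ WebSecurityCustomizer webSecurityCustomizer() {
 
 }
 
+@Configuration
+@EnableWebSecurity
+static class ObservationRegistryConfig {
+
+@Bean
+ObservationRegistry observationRegistry() {
+ObservationRegistry observationRegistry = ObservationRegistry.create();
+observationRegistry.observationConfig().observationHandler(new ObservationTextPublisher());
+return observationRegistry;
+}
+
+}
+
 }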
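Review bot: `requestRejectedHandlerInvokedWhenOperationalObservationRegistry` asserts only the 400 status, so it would still pass if the observation-marking delegate were dropped from the composite; it pins the gh-12548 regression but not that firewall rejections remain visible to the registry. Registering a recording `ObservationHandler` in `ObservationRegistryConfig` next to `ObservationTextPublisher` and asserting that it saw the rejection would cover both halves. `customRequestRejectedHandlerInvoked` expects the same `SC_BAD_REQUEST` as the new default-config test, so unless `RequestRejectedHandlerConfig` (not visible in this section) produces something distinguishable, the two tests cannot tell a custom handler from the default one. `DefaultConfig` also omits the `@Configuration` that `ObservationRegistryConfig` carries; using one style for both nested configs would read more clearly.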
