Make AutoConfigureMockMvc use SecurityProperties' filter ordering

wilkinsona · wilkinsona · commit 48acaa4bd92c · 2020-06-10T09:51:05.000+01:00
Previously, AutoConfigureMockMvc used Spring Security's default filter ordering, ignoring the value configured by SecurityProperties that is used at runtime. This resulted in different ordering at runtime and in tests. This commit updates the configuration for AutoConfigureMockMvc to import the Spring Security filter auto-configuration, thereby ensuring that the ordering configured via SecurityProperties is applied. Fixes gh-21801
diff --git a/spring-boot-project/spring-boot-test-autoconfigure/src/main/resources/META-INF/spring.factories b/spring-boot-project/spring-boot-test-autoconfigure/src/main/resources/META-INF/spring.factories
@@ -109,6 +109,7 @@ org.springframework.boot.test.autoconfigure.web.servlet.MockMvcAutoConfiguration
 org.springframework.boot.test.autoconfigure.web.servlet.MockMvcWebClientAutoConfiguration,\
 org.springframework.boot.test.autoconfigure.web.servlet.MockMvcWebDriverAutoConfiguration,\
 org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,\
+org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration,\
 org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration,\
 org.springframework.boot.test.autoconfigure.web.servlet.MockMvcSecurityConfiguration
 
diff --git a/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/servlet/mockmvc/AfterSecurityFilter.java b/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/servlet/mockmvc/AfterSecurityFilter.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright 2012-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.test.autoconfigure.web.servlet.mockmvc;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.boot.autoconfigure.security.SecurityProperties;
+import org.springframework.core.Ordered;
+
+/**
+ * {@link Filter} that is ordered to run after Spring Security's filter.
+ *
+ * @author Andy Wilkinson
+ */
+public class AfterSecurityFilter implements Filter, Ordered {
+
+	@Override
+	public int getOrder() {
+		return SecurityProperties.DEFAULT_FILTER_ORDER + 1;
+	}
+
+	@Override
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+			throws IOException, ServletException {
+		Principal principal = ((HttpServletRequest) request).getUserPrincipal();
+		if (principal == null) {
+			throw new ServletException("No user principal");
+		}
+		response.getWriter().write(principal.getName());
+		response.getWriter().flush();
+	}
+
+}
diff --git a/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/servlet/mockmvc/AutoConfigureMockMvcSecurityFilterOrderingIntegrationTests.java b/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/servlet/mockmvc/AutoConfigureMockMvcSecurityFilterOrderingIntegrationTests.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright 2012-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.test.autoconfigure.web.servlet.mockmvc;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.context.annotation.Import;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * Tests for {@link AutoConfigureMockMvc @AutoConfigureMockMvc} and the ordering of Spring
+ * Security's filter
+ *
+ * @author Andy Wilkinson
+ */
+@WebMvcTest
+@WithMockUser(username = "user", password = "secret")
+@Import(AfterSecurityFilter.class)
+class AutoConfigureMockMvcSecurityFilterOrderingIntegrationTests {
+
+	@Autowired
+	private MockMvc mvc;
+
+	@Test
+	void afterSecurityFilterShouldFindAUserPrincipal() throws Exception {
+		this.mvc.perform(get("/one")).andExpect(status().isOk()).andExpect(content().string("user"));
+	}
+
+}
diff --git a/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/servlet/mockmvc/ExampleFilter.java b/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/servlet/mockmvc/ExampleFilter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,7 +26,9 @@
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.core.Ordered;
 import org.springframework.stereotype.Component;
 
 /**
@@ -35,7 +37,7 @@
  * @author Phillip Webb
  */
 @Component
-public class ExampleFilter implements Filter {
+public class ExampleFilter implements Filter, Ordered {
 
 	@Override
 	public void init(FilterConfig filterConfig) throws ServletException {
@@ -52,4 +54,9 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 	public void destroy() {
 	}
 
+	@Override
+	public int getOrder() {
+		return SecurityProperties.DEFAULT_FILTER_ORDER - 1;
+	}
+
 }
