From 636a03a9db4a051b1e72bf3750487d2540eddd6d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 May 2024 10:11:53 +0200 Subject: [PATCH 1/6] Bump com.nimbusds:nimbus-jose-jwt from 9.39 to 9.39.1 (#1543) Bumps [com.nimbusds:nimbus-jose-jwt](https://bitbucket.org/connect2id/nimbus-jose-jwt) from 9.39 to 9.39.1. - [Changelog](https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt) - [Commits](https://bitbucket.org/connect2id/nimbus-jose-jwt/branches/compare/9.39.1..9.39) --- updated-dependencies: - dependency-name: com.nimbusds:nimbus-jose-jwt dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- spring-security/pom.xml | 2 +- spring-xsuaa-test/pom.xml | 2 +- spring-xsuaa/pom.xml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/spring-security/pom.xml b/spring-security/pom.xml index c8b5be1fe..239444783 100644 --- a/spring-security/pom.xml +++ b/spring-security/pom.xml @@ -22,7 +22,7 @@ com.nimbusds nimbus-jose-jwt - 9.39 + 9.39.1 org.springframework.security diff --git a/spring-xsuaa-test/pom.xml b/spring-xsuaa-test/pom.xml index ce6cf633b..25a69c41a 100644 --- a/spring-xsuaa-test/pom.xml +++ b/spring-xsuaa-test/pom.xml @@ -21,7 +21,7 @@ com.nimbusds nimbus-jose-jwt - 9.39 + 9.39.1 org.springframework.security diff --git a/spring-xsuaa/pom.xml b/spring-xsuaa/pom.xml index c9274021d..6b01a51f1 100644 --- a/spring-xsuaa/pom.xml +++ b/spring-xsuaa/pom.xml @@ -21,7 +21,7 @@ com.nimbusds nimbus-jose-jwt - 9.39 + 9.39.1 org.springframework From 2f4c9310e083f664480c21e4d085b48a56c8dced Mon Sep 17 00:00:00 2001 
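Review bot: the nimbus-jose-jwt version is hard-coded three times (spring-security/pom.xml, spring-xsuaa-test/pom.xml, spring-xsuaa/pom.xml) and each copy is bumped from `9.39` to `9.39.1` separately, whereas the other bumps in this series change a single property in the root pom.xml. Consider moving the version into a property in the parent pom so that future updates touch one line and the three modules cannot drift apart on a library that handles token signature verification.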
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 May 2024 10:12:05 +0200 Subject: [PATCH 2/6] Bump org.owasp:dependency-check-maven from 9.1.0 to 9.2.0 (#1542) Bumps [org.owasp:dependency-check-maven](https://github.com/jeremylong/DependencyCheck) from 9.1.0 to 9.2.0. - [Release notes](https://github.com/jeremylong/DependencyCheck/releases) - [Changelog](https://github.com/jeremylong/DependencyCheck/blob/main/CHANGELOG.md) - [Commits](https://github.com/jeremylong/DependencyCheck/compare/v9.1.0...v9.2.0) --- updated-dependencies: - dependency-name: org.owasp:dependency-check-maven dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index e414b150c..ec37edec4 100644 --- a/pom.xml +++ b/pom.xml @@ -385,7 +385,7 @@ org.owasp dependency-check-maven - 9.1.0 + 9.2.0 From 805ee37afee4a42a2f05ccea97073877c0524f5c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 May 2024 10:12:21 +0200 Subject: [PATCH 3/6] Bump io.projectreactor:reactor-test from 3.6.5 to 3.6.6 (#1541) Bumps [io.projectreactor:reactor-test](https://github.com/reactor/reactor-core) from 3.6.5 to 3.6.6. - [Release notes](https://github.com/reactor/reactor-core/releases) - [Commits](https://github.com/reactor/reactor-core/compare/v3.6.5...v3.6.6) --- updated-dependencies: - dependency-name: io.projectreactor:reactor-test dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index ec37edec4..942889263 100644 --- a/pom.xml +++ b/pom.xml 
@@ -80,7 +80,7 @@ 5.12.0 3.25.3 3.5.4 - 3.6.5 + 3.6.6 1.3.2 4.8.5 4.8.5.0 From 22058f9c3e00127617379b29ffa9e451d4bd0586 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 May 2024 10:12:31 +0200 Subject: [PATCH 4/6] Bump io.projectreactor:reactor-core from 3.6.5 to 3.6.6 (#1540) Bumps [io.projectreactor:reactor-core](https://github.com/reactor/reactor-core) from 3.6.5 to 3.6.6. - [Release notes](https://github.com/reactor/reactor-core/releases) - [Commits](https://github.com/reactor/reactor-core/compare/v3.6.5...v3.6.6) --- updated-dependencies: - dependency-name: io.projectreactor:reactor-core dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 942889263..21569b51d 100644 --- a/pom.xml +++ b/pom.xml @@ -63,7 +63,7 @@ 2.5.2.RELEASE 1.1.1.RELEASE 12.0.7 - 3.6.5 + 3.6.6 2.23.1 2.0.13 20240303 From cbcb310fe74cc6a28e419c4f03e830b48ffac501 Mon Sep 17 00:00:00 2001 
From: Marc Becker Date: Thu, 16 May 2024 10:42:25 +0200 Subject: [PATCH 5/6] Set SecurityContextStrategy based on an EnvironmentPostProcessor (#1536) Fixes an issue with MockMvc when the SecurityContexts are synced, as in this scenario the servlet initialization is not happening and the code runs too late due to that. --- .../main/resources/META-INF/spring.factories | 2 + ...ot.autoconfigure.AutoConfiguration.imports | 1 - spring-security/README.md | 60 +++++++------- .../SecurityContextAutoConfiguration.java | 68 --------------- ...curityContextEnvironmentPostProcessor.java | 34 ++++++++ .../JavaSecurityContextHolderStrategy.java | 5 +- .../SecurityContextAutoConfigurationTest.java | 82 ------------------- ...tyContextEnvironmentPostProcessorTest.java | 64 +++++++++++++++ 8 files changed, 133 insertions(+), 183 deletions(-) create mode 100644 spring-security-starter/src/main/resources/META-INF/spring.factories delete mode 100644 spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java create mode 100644 spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessor.java delete mode 100644 spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfigurationTest.java create mode 100644 spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessorTest.java diff --git a/spring-security-starter/src/main/resources/META-INF/spring.factories b/spring-security-starter/src/main/resources/META-INF/spring.factories new file mode 100644 index 000000000..83dd57bb9 --- /dev/null +++ b/spring-security-starter/src/main/resources/META-INF/spring.factories @@ -0,0 +1,2 @@ +org.springframework.boot.env.EnvironmentPostProcessor=\ +com.sap.cloud.security.spring.autoconfig.SecurityContextEnvironmentPostProcessor 
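Review bot: registering `SecurityContextEnvironmentPostProcessor` in `META-INF/spring.factories` runs it during environment preparation, before any `@Configuration` class or servlet initialization, which is what the commit message needs for MockMvc; it also means `@EnableAutoConfiguration(exclude=...)` and a user-provided `SecurityContextHolderStrategy` bean no longer have any effect on it, so the only remaining opt-out is the two properties read in `postProcessEnvironment`. That should be stated wherever the old exclusion option was documented. Note also that the registration lives in spring-security-starter while the class lives in spring-security, so applications that depend on spring-security without the starter will not get the strategy installed; this matches where the auto-configuration imports file is kept, but deserves a sentence in the README.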
diff --git a/spring-security-starter/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports b/spring-security-starter/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports index 18a9e220d..7aea67371 100644 --- a/spring-security-starter/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports +++ b/spring-security-starter/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports @@ -1,4 +1,3 @@ com.sap.cloud.security.spring.autoconfig.HybridIdentityServicesAutoConfiguration com.sap.cloud.security.spring.autoconfig.HybridAuthorizationAutoConfiguration com.sap.cloud.security.spring.autoconfig.XsuaaTokenFlowAutoConfiguration -com.sap.cloud.security.spring.autoconfig.SecurityContextAutoConfiguration \ No newline at end of file diff --git a/spring-security/README.md b/spring-security/README.md index a0c6956bb..4dfe9b8db 100644 --- a/spring-security/README.md +++ b/spring-security/README.md 
@@ -84,7 +84,7 @@ In addition, a bean of type [XsuaaTokenFlows](../token-client/src/main/java/com/ | [HybridAuthorizationAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/HybridAuthorizationAutoConfiguration.java) | Creates a converter ([XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java)) that removes the XSUAA application identifier from the scope names, allowing local scope checks to be performed using [Spring's common built-in expression](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#el-common-built-in) `hasAuthority`. Supports only single Xsuaa binding | | [HybridIdentityServicesAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/HybridIdentityServicesAutoConfiguration.java) | Configures a `JwtDecoder` which is able to decode and validate tokens from Xsuaa and/or Identity service
Furthermore it registers `IdentityServiceConfiguration` and optionally `XsuaaServiceConfiguration`, that allow overriding the identity service configurations found in the service bindings (via `identity.*` and `xsuaa.*` properties). | | [XsuaaTokenFlowAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/XsuaaTokenFlowAutoConfiguration.java) | Configures an `XsuaaTokenFlows` bean to fetch the XSUAA tokens. Starting with `2.10.0` version it supports X.509 based authentication | -| [SecurityContextAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java) | Configures [`JavaSecurityContextHolderStrategy`](./src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java) to be used as `SecurityContextHolderStrategy` to keep the `com.sap.cloud.security.token.SecurityContext` in sync | +| [SecurityContextEnvironmentPostProcessor](./src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessor.java) | Configures [`JavaSecurityContextHolderStrategy`](./src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java) to be used as `SecurityContextHolderStrategy` to keep the `com.sap.cloud.security.token.SecurityContext` in sync | #### Autoconfiguration properties | Autoconfiguration property | Default value | Description | 
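Review bot: the replacement row keeps `SecurityContextEnvironmentPostProcessor` in the auto-configuration class table, but it is an `EnvironmentPostProcessor` registered through `spring.factories`, not an auto-configuration, so the sentence below the table ("You can gradually replace auto-configurations as explained here") and `@EnableAutoConfiguration(exclude=...)` no longer apply to it. Suggest adding to the row that it runs before the application context is created and can only be switched off with `sap.spring.security.hybrid.auto=false` or `sap.spring.security.hybrid.sync_securitycontext=false`, the two properties the class reads.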
@@ -95,7 +95,7 @@ In addition, a bean of type [XsuaaTokenFlows](../token-client/src/main/java/com/ You can gradually replace auto-configurations as explained [here](https://docs.spring.io/spring-boot/docs/current/reference/html/using-boot-auto-configuration.html). #### Multiple Xsuaa configurations -:warning: In case of multiple Xsuaa configurations, the [XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java) bean is not autoconfigured. +:warning: In case of multiple Xsuaa configurations, the [XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java) bean is not autoconfigured. The bean needs to be created manually based on the service configuration you want the converter to be initialized with. For example, to create a converter that removes the application identifier of the *first* XSUAA configuration from the scope names, you could create the following bean: @@ -121,7 +121,7 @@ This is an example how to configure your application as Spring Security OAuth 2. @EnableWebSecurity @PropertySource(factory = IdentityServicesPropertySourceFactory.class, ignoreResourceNotFound = true, value = { "" }) public class SecurityConfiguration extends WebSecurityConfigurerAdapter { - + @Autowired Converter authConverter; // only required for XSUAA 
@@ -140,11 +140,11 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter { } ``` -> :bulb: Please note that the autoconfigured authentication converter only supports ```hasAuthority```-checks for scopes provided with the Xsuaa access token. +> :bulb: Please note that the autoconfigured authentication converter only supports ```hasAuthority```-checks for scopes provided with the Xsuaa access token. > In case you need to consider authorizations provided via an OIDC token from IAS you need to provide your own converter instead. #### Custom Authorization Converter -You may want to configure the security chain with your own Authorization Converter by implementing the `Converter` interface. +You may want to configure the security chain with your own Authorization Converter by implementing the `Converter` interface. Here is an example implementation that provides authorities based on Identity service groups. The leading prefix "IASAUTHZ_" is removed for easier authorization checks.\ The implementation delegates to the default `authConverter` in case of an Xsuaa access token. @@ -283,11 +283,11 @@ public class Listener { @Autowired JwtDecoder jwtDecoder; - + @Autowired Converter authConverter; - + public void onEvent(String encodedToken) { if (encodedToken != null) { SpringSecurityContext.init(encodedToken, jwtDecoder, authConverter); @@ -326,15 +326,15 @@ In an `application.yml` the test configuration suitable for use with `java-secur sap.security.services: identity: clientid: sb-clientId!t0815 # SecurityTest.DEFAULT_CLIENT_ID - domains: + domains: - localhost # SecurityTest.DEFAULT_DOMAIN xsuaa: xsappname: xsapp!t0815 # SecurityTest.DEFAULT_APP_ID uaadomain: localhost # SecurityTest.DEFAULT_DOMAIN clientid: sb-clientId!t0815 # SecurityTest.DEFAULT_CLIENT_ID url: http://localhost # SecurityTest.DEFAULT_URL -``` - +``` + #### Multiple XSUAA bindings If you need to manually configure the application for more than one XSUAA service instances (e.g. one of 
@@ -343,9 +343,9 @@ plan `application` and another one of plan `broker`). ````yaml sap.security.services: xsuaa[0]: - ... # credentials of XSUAA of plan 'application' + ... # credentials of XSUAA of plan 'application' xsuaa[1]: - clientid: # clientid of XSUAA of plan 'broker' + clientid: # clientid of XSUAA of plan 'broker' ```` :warning: Autoconfiguration for multiple Xsuaa service instance bindings is not available for @@ -354,10 +354,10 @@ You will need to provide it manually. An example can be found [here](../samples/spring-security-hybrid-usage/src/main/java/sample/spring/security/XsuaaAuthzConverter.java). ### Local testing -To run or debug your secured application locally you need to provide the mandatory Xsuaa or Identity service configuration attributes prior to launching the application. +To run or debug your secured application locally you need to provide the mandatory Xsuaa or Identity service configuration attributes prior to launching the application. There are two ways how to provide the service configuration to your Spring Boot application: -1. As Spring properties in `application.yaml` or `application.properties` files - +1. As Spring properties in `application.yaml` or `application.properties` files + The security library requires the following key value pairs to start successfully: - For Xsuaa ```yaml 
@@ -373,33 +373,33 @@ There are two ways how to provide the service configuration to your Spring Boot sap.security.services: identity: clientid: sb-clientId!t0815 # SecurityTest.DEFAULT_CLIENT_ID - domains: + domains: - localhost # SecurityTest.DEFAULT_DOMAIN ``` - + :bulb: The provided values above correspond with the [JwtGenerator](../java-security-test/src/main/java/com/sap/cloud/security/test/JwtGenerator.java) default values from `java-security-test` library, meaning you can generate tokens and test them with this service configuration. -2. As `VCAP_SERVICES` environment variable +2. As `VCAP_SERVICES` environment variable The value of the `VCAP_SERVICES` environment variable needs to be in the following format ```json {"xsuaa": [ { - "credentials": { + "credentials": { "clientid": "sb-clientId!t0815", - "xsappname": "xsapp!t0815", - "uaadomain": "localhost", - "url": "https://localhost" - } + "xsappname": "xsapp!t0815", + "uaadomain": "localhost", + "url": "https://localhost" + } } ] } ``` -> :bulb: To evaluate your application using an actual Identity service, you can obtain the service configuration information from the Identity or Xsuaa service instance created in the SAP BTP Cockpit. +> :bulb: To evaluate your application using an actual Identity service, you can obtain the service configuration information from the Identity or Xsuaa service instance created in the SAP BTP Cockpit. > Then, use this data to populate the application.yml or the VCAP_SERVICES environment variable. ## Troubleshooting -In case you face issues, [submit an issue on GitHub](https://github.com/SAP/cloud-security-services-integration-library/issues/new/choose) +In case you face issues, [submit an issue on GitHub](https://github.com/SAP/cloud-security-services-integration-library/issues/new/choose) and include the following details: - any security-related dependencies used including version, get maven dependency tree with `mvn dependency:tree` - [debug logs](#set-debug-log-level) 
@@ -445,9 +445,9 @@ Field authConverter in com.sap.cloud.test.SecurityConfiguration required a bean ``` Make sure that you have defined the following mandatory attribute in the service configuration (VCAP_SERVICES env variable or application.yaml or application.properties) - for Xsuaa - - xsappname - - uaadomain - - clientid + - xsappname + - uaadomain + - clientid - url - for Identity service - domains @@ -463,9 +463,9 @@ You will need to provide it manually. An example can be found [here](../samples/spring-security-hybrid-usage/src/main/java/sample/spring/security/XsuaaAuthzConverter.java). ## Samples -- [Hybrid Usage](../samples/spring-security-hybrid-usage) +- [Hybrid Usage](../samples/spring-security-hybrid-usage) Demonstrates how to leverage ``spring-security`` library to secure a Spring Boot web application with tokens issued by SAP Identity service or XSUAA. Furthermore, it documents how to implement Spring WebMvcTests using `java-security-test` library. -- [Basic Auth Usage](../samples/spring-security-basic-auth) +- [Basic Auth Usage](../samples/spring-security-basic-auth) Legacy example that demonstrates how to leverage ``spring-security`` library to secure a Spring Boot web application with username/password provided via Basic Auth header. Furthermore, it documents how to implement Spring WebMvcTests using `java-security-test` library. - [Webflux Hybrid Usage](../samples/spring-webflux-security-hybrid-usage)\ Shows how to use ``spring-security`` library with both tokens issued by XSUAA and SAP Identity service in an reactive environment. diff --git a/spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java b/spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java deleted file mode 100644 index 56ddd177f..000000000 --- a/spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java +++ /dev/null 
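Review bot: the `## Samples` hunk strips trailing whitespace from the `[Hybrid Usage]` and `[Basic Auth Usage]` entries, but in Markdown two trailing spaces are a hard line break; if that is what was removed, the description lines that follow ("Demonstrates how to leverage ...", "Legacy example that ...") will now be joined onto the link line when rendered. The third entry already uses a trailing backslash (`...spring-webflux-security-hybrid-usage)\`) for the same purpose, so use that form for the first two as well; the same check applies to the `@@ -140` hunk (the `hasAuthority` note and the Custom Authorization Converter paragraph). More generally, the whitespace-only README hunks are unrelated to the MockMvc fix and make the behavioural change harder to review; consider splitting them into a separate commit.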
@@ -1,68 +0,0 @@ -/** - * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors - *

- * SPDX-License-Identifier: Apache-2.0 - */ -package com.sap.cloud.security.spring.autoconfig; - -import org.springframework.beans.factory.InitializingBean; -import org.springframework.boot.autoconfigure.EnableAutoConfiguration; -import org.springframework.boot.autoconfigure.condition.ConditionalOnClass; -import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; -import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; -import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication; -import org.springframework.boot.web.servlet.ServletContextInitializer; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.core.Ordered; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.core.context.SecurityContextHolderStrategy; - -import com.sap.cloud.security.spring.token.authentication.JavaSecurityContextHolderStrategy; - -import jakarta.servlet.ServletContext; -import jakarta.servlet.ServletException; -/** - * {@link EnableAutoConfiguration} uses a - * {@link com.sap.cloud.security.spring.token.authentication.JavaSecurityContextHolderStrategy}, which keeps the - * {@code com.sap.cloud.security.token.SecurityContext} in sync - * - *

- * Can be disabled with {@code @EnableAutoConfiguration(exclude={SecurityContextAutoConfiguration.class})} or with - * property {@code sap.spring.security.hybrid.auto = false}. - */ -@Configuration -@ConditionalOnProperty(name = "sap.spring.security.hybrid.auto", havingValue = "true", matchIfMissing = true) -@ConditionalOnWebApplication -@ConditionalOnClass(ServletContextInitializer.class) -public class SecurityContextAutoConfiguration { - - @Bean - @ConditionalOnMissingBean(SecurityContextHolderStrategy.class) - @ConditionalOnProperty(name = "sap.spring.security.hybrid.sync_securitycontext", havingValue = "true", matchIfMissing = true) - SecurityContextSetter securityContextSetter() { - return new SecurityContextSetter(); - } - - static class SecurityContextSetter implements InitializingBean, ServletContextInitializer, Ordered { - - @Override - public void afterPropertiesSet() throws Exception { - if (!(SecurityContextHolder.getContextHolderStrategy() instanceof JavaSecurityContextHolderStrategy)) { - SecurityContextHolder.setContextHolderStrategy(new JavaSecurityContextHolderStrategy()); - } - } - - @Override - public void onStartup(ServletContext servletContext) throws ServletException { - // empty, used to hook early into the initialization phase - } - - @Override - public int getOrder() { - return Ordered.HIGHEST_PRECEDENCE; - } - - } - -} diff --git a/spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessor.java b/spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessor.java new file mode 100644 index 000000000..9cd19acd9 --- /dev/null +++ b/spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessor.java @@ -0,0 +1,34 @@ +/** + * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors + *

+ * SPDX-License-Identifier: Apache-2.0 + */ +package com.sap.cloud.security.spring.autoconfig; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.env.EnvironmentPostProcessor; +import org.springframework.core.env.ConfigurableEnvironment; +import org.springframework.security.core.context.SecurityContextHolder; + +import com.sap.cloud.security.spring.token.authentication.JavaSecurityContextHolderStrategy; +/** + * Instantiates a {@link com.sap.cloud.security.spring.token.authentication.JavaSecurityContextHolderStrategy}, which keeps the + * {@code com.sap.cloud.security.token.SecurityContext} in sync + * + *

+ * Can be disabled with with property {@code sap.spring.security.hybrid.auto = false}. + */ +public class SecurityContextEnvironmentPostProcessor implements EnvironmentPostProcessor { + + @Override + public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) { + String autoConfig = environment.getProperty("sap.spring.security.hybrid.auto"); + String syncContext = environment.getProperty("sap.spring.security.hybrid.sync_securitycontext"); + if ((autoConfig == null || Boolean.valueOf(autoConfig)) && + (syncContext == null || Boolean.valueOf(syncContext)) && + !(SecurityContextHolder.getContextHolderStrategy() instanceof JavaSecurityContextHolderStrategy)) { + SecurityContextHolder.setContextHolderStrategy(new JavaSecurityContextHolderStrategy()); + } + } + +} diff --git a/spring-security/src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java b/spring-security/src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java index a5dc2ba62..a75a0760d 100644 --- a/spring-security/src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java +++ b/spring-security/src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java 
@@ -5,19 +5,20 @@ */ package com.sap.cloud.security.spring.token.authentication; -import com.sap.cloud.security.token.Token; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.context.SecurityContextImpl; import org.springframework.util.Assert; +import com.sap.cloud.security.token.Token; + /** * This is an alternative to {@code ThreadLocalSecurityContextHolderStrategy} which keeps the * {@code com.sap.cloud.security.token.SecurityContext} in sync. * * It's included in Spring Autoconfiguration - * {@link com.sap.cloud.security.spring.autoconfig.SecurityContextAutoConfiguration} + * {@link com.sap.cloud.security.spring.autoconfig.SecurityContextEnvironmentPostProcessor} *
* * In cases when Spring Autoconfiguration is not used it can be enabled by setting the system environment variable diff --git a/spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfigurationTest.java b/spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfigurationTest.java deleted file mode 100644 index ea30704db..000000000 --- a/spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfigurationTest.java +++ /dev/null @@ -1,82 +0,0 @@ -/** - * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors - *

- * SPDX-License-Identifier: Apache-2.0 - */ -package com.sap.cloud.security.spring.autoconfig; - -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertFalse; -import static org.junit.jupiter.api.Assertions.assertNotEquals; -import static org.junit.jupiter.api.Assertions.assertNotNull; -import static org.junit.jupiter.api.Assertions.assertTrue; - -import org.junit.jupiter.api.Test; -import org.springframework.boot.autoconfigure.AutoConfigurations; -import org.springframework.boot.test.context.runner.WebApplicationContextRunner; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.core.context.SecurityContextHolderStrategy; - -import com.sap.cloud.security.spring.token.authentication.JavaSecurityContextHolderStrategy; - -class SecurityContextAutoConfigurationTest { - - private final WebApplicationContextRunner runner = new WebApplicationContextRunner() - .withConfiguration(AutoConfigurations.of(SecurityContextAutoConfiguration.class)); - - @Test - void autoConfigurationActiveByDefault() { - runner.run(context -> { - assertNotNull(context.getBean("securityContextSetter")); - assertEquals(JavaSecurityContextHolderStrategy.class, - SecurityContextHolder.getContextHolderStrategy().getClass()); - }); - } - - @Test - void autoConfigurationDisabledByProperty() { - runner.withPropertyValues("sap.spring.security.hybrid.auto:false") - .run((context) -> assertFalse(context.containsBean("securityContextSetter"))); - } - - @Test - void autoConfigurationDisabledBySpecificProperty() { - runner.withPropertyValues("sap.spring.security.hybrid.sync_securitycontext:false") - .run((context) -> assertFalse(context.containsBean("securityContextSetter"))); - } - - @Test - void autoConfigurationEnabledByProperty() { - 
runner.withPropertyValues("sap.spring.security.hybrid.auto:true") - .run((context) -> assertTrue(context.containsBean("securityContextSetter"))); - } - - @Test - void autoConfigurationEnabledBySpecificProperty() { - runner.withPropertyValues("sap.spring.security.hybrid.sync_securitycontext:true") - .run((context) -> assertTrue(context.containsBean("securityContextSetter"))); - } - - @Test - void userConfigurationCanOverrideDefaultBeans() { - runner.withUserConfiguration(UserConfiguration.class) - .run((context) -> { - assertFalse(context.containsBean("securityContextSetter")); - assertNotNull(context.getBean("customStrategy", SecurityContextHolderStrategy.class)); - assertNotEquals(JavaSecurityContextHolderStrategy.class, - SecurityContextHolder.getContextHolderStrategy().getClass()); - }); - } - - @Configuration - static class UserConfiguration { - - @Bean - static SecurityContextHolderStrategy customStrategy() { - SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_THREADLOCAL); - return SecurityContextHolder.getContextHolderStrategy(); - } - } -} diff --git a/spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessorTest.java b/spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessorTest.java new file mode 100644 index 000000000..c00a10cd4 --- /dev/null +++ b/spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessorTest.java @@ -0,0 +1,64 @@ +/** + * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors + *

+ * SPDX-License-Identifier: Apache-2.0 + */ +package com.sap.cloud.security.spring.autoconfig; + +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import org.junit.jupiter.api.Test; +import org.springframework.mock.env.MockEnvironment; +import org.springframework.security.core.context.SecurityContextHolder; + +import com.sap.cloud.security.spring.token.authentication.JavaSecurityContextHolderStrategy; + +class SecurityContextEnvironmentPostProcessorTest { + + private MockEnvironment env = new MockEnvironment(); + + @Test + void securityContextStrategyActiveByDefault() { + assertStrategy(true); + } + + @Test + void securityContextStrategyDisabledByProperty() { + env.setProperty("sap.spring.security.hybrid.auto", "false"); + assertStrategy(false); + } + + @Test + void securityContextStrategyDisabledBySpecificProperty() { + env.setProperty("sap.spring.security.hybrid.sync_securitycontext", "false"); + assertStrategy(false); + } + + @Test + void securityContextStrategyEnabledByProperty() { + env.setProperty("sap.spring.security.hybrid.auto", "true"); + assertStrategy(true); + } + + @Test + void securityContextStrategyEnabledBySpecificProperty() { + env.setProperty("sap.spring.security.hybrid.sync_securitycontext", "true"); + assertStrategy(true); + } + + void assertStrategy(boolean applied) { + try { + SecurityContextHolder.setStrategyName(null); + new SecurityContextEnvironmentPostProcessor().postProcessEnvironment(env, null); + if (applied) { + assertTrue(SecurityContextHolder.getContextHolderStrategy() instanceof JavaSecurityContextHolderStrategy, "Expected custom strategy"); + } else { + assertFalse(SecurityContextHolder.getContextHolderStrategy() instanceof JavaSecurityContextHolderStrategy, "Expected default strategy"); + } + } finally { + SecurityContextHolder.setStrategyName(null); + } + } + +} From 601b29cdc926a666700cbbe179040b602d3bf145 Mon Sep 17 00:00:00 2001 
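Review bot: the deleted `userConfigurationCanOverrideDefaultBeans` case has no counterpart in this test: none of the new cases installs a different strategy first (for example `SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL)` before calling `postProcessEnvironment`) to pin down whether it gets replaced, which is the behavioural change this commit introduces and should be asserted one way or the other. The MockMvc scenario named in the commit message is also untested; a `@WebMvcTest` that asserts `SecurityContextHolder.getContextHolderStrategy() instanceof JavaSecurityContextHolderStrategy` inside a request would guard against the regression. Minor: `assertStrategy` resets with `setStrategyName(null)`, which falls back to `MODE_THREADLOCAL`; a short comment saying so would help readers who expect a null argument to fail.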
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 May 2024 14:44:51 +0200 Subject: [PATCH 6/6] Bump spring.core.version from 6.1.6 to 6.1.7 (#1544) Bumps `spring.core.version` from 6.1.6 to 6.1.7. Updates `org.springframework:spring-core` from 6.1.6 to 6.1.7 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.6...v6.1.7) Updates `org.springframework:spring-web` from 6.1.6 to 6.1.7 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.6...v6.1.7) Updates `org.springframework:spring-aop` from 6.1.6 to 6.1.7 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.6...v6.1.7) Updates `org.springframework:spring-beans` from 6.1.6 to 6.1.7 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.6...v6.1.7) --- updated-dependencies: - dependency-name: org.springframework:spring-core dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.springframework:spring-web dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.springframework:spring-aop dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.springframework:spring-beans dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 21569b51d..26caf8ea3 100644 --- a/pom.xml +++ b/pom.xml 
@@ -58,7 +58,7 @@ 3.2.1 3.2.5 - 6.1.6 + 6.1.7 6.2.4 2.5.2.RELEASE 1.1.1.RELEASE