
Commit 6455e98

FilterSecurityInterceptor applies to every request by default
Closes gh-11466
1 parent 2c0a433 commit 6455e98


7 files changed

+25
-8
lines changed


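--- a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
@@ -375,7 +375,7 @@ http.attlist &=
 ## Allows a customized AuthenticationEntryPoint to be set on the ExceptionTranslationFilter.
 attribute entry-point-ref {xsd:token}?
 http.attlist &=
-## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "true"
+## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "false"
 attribute once-per-request {xsd:boolean}?
 http.attlist &=
 ## Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true" (rewriting is disabled).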

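--- a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
@@ -1335,7 +1335,7 @@
 <xs:attribute name="once-per-request" type="xs:boolean">
 <xs:annotation>
 <xs:documentation>Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults
-to "true"
+to "false"
 </xs:documentation>
 </xs:annotation>
 </xs:attribute>
@@ -3729,4 +3729,4 @@
 <xs:enumeration value="LAST"/>
 </xs:restriction>
 </xs:simpleType>
-</xs:schema>
+</xs:schema>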

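--- a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java
@@ -1,5 +1,5 @@
 /*
-* Copyright 2002-2018 the original author or authors.
+* Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -853,7 +853,7 @@ private void assertThatFiltersMatchExpectedAutoConfigList(String url) {
 assertThat(filters.next()).isInstanceOf(SessionManagementFilter.class);
 assertThat(filters.next()).isInstanceOf(ExceptionTranslationFilter.class);
 assertThat(filters.next()).isInstanceOf(FilterSecurityInterceptor.class)
-.hasFieldOrPropertyWithValue("observeOncePerRequest", true);
+.hasFieldOrPropertyWithValue("observeOncePerRequest", false);
 }
 
 private <T extends Filter> T getFilter(Class<T> filterClass) {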

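--- a/config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-WithSecurityContextHolderStrategy.xml
+++ b/config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-WithSecurityContextHolderStrategy.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-~ Copyright 2002-2018 the original author or authors.
+~ Copyright 2002-2022 the original author or authors.
 ~
 ~ Licensed under the Apache License, Version 2.0 (the "License");
 ~ you may not use this file except in compliance with the License.
@@ -28,6 +28,7 @@
 https://www.springframework.org/schema/mvc/spring-mvc.xsd">
 
 <http auto-config="true" security-context-holder-strategy-ref="ref">
+<intercept-url request-matcher-ref="dispatcherTypeMatcher" access="permitAll" />
 <intercept-url pattern="/**" access="authenticated"/>
 </http>
 
@@ -37,6 +38,10 @@
 </b:constructor-arg>
 </b:bean>
 
+<b:bean id="dispatcherTypeMatcher" class="org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher">
+<b:constructor-arg value="ASYNC"/>
+</b:bean>
+
 <mvc:annotation-driven>
 <mvc:argument-resolvers>
 <b:bean class="org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver">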
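Review bot: The added `permitAll` rule for `dispatcherTypeMatcher` has no comment, and because it sits before `pattern="/**"` it matches every path on an ASYNC dispatch. Presumably it is needed because the interceptor now also runs on the async re-dispatch, after the initial request was already authorized; that reasoning should be written next to the rule, since fixtures like this tend to be copied into application configs. A line such as `<!-- ASYNC re-dispatch only: the initial REQUEST dispatch is still covered by the /** rule -->` above the new `intercept-url` would do. The rest of the configuration is outside the hunks shown.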

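--- a/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc
+++ b/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc
@@ -94,7 +94,7 @@ A bean identifier, used for referring to the bean elsewhere in the context.
 [[nsa-http-once-per-request]]
 * **once-per-request**
 Corresponds to the `observeOncePerRequest` property of `FilterSecurityInterceptor`.
-Defaults to `true`.
+Defaults to `false`.
 
 
 [[nsa-http-pattern]]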

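--- a/web/src/main/java/org/springframework/security/web/access/intercept/FilterSecurityInterceptor.java
+++ b/web/src/main/java/org/springframework/security/web/access/intercept/FilterSecurityInterceptor.java
@@ -48,7 +48,7 @@ public class FilterSecurityInterceptor extends AbstractSecurityInterceptor imple
 
 private FilterInvocationSecurityMetadataSource securityMetadataSource;
 
-private boolean observeOncePerRequest = true;
+private boolean observeOncePerRequest = false;
 
 /**
 * Not used (we rely on IoC container lifecycle services instead)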
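Review bot: The flipped default on `observeOncePerRequest` has no comment, although it changes the authorization behaviour of every application that does not set the property. Judging by the commit title and the new test, with `false` the access decision runs on each invocation for a request instead of only the first, so upgraders may see rules evaluated on dispatches that were previously skipped. I would add a field comment such as `// false: authorize on every invocation for a request, not just the first one`. The setter and its Javadoc are outside this hunk; if they still describe `true` as the default, they should change in the same commit.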

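--- a/web/src/test/java/org/springframework/security/web/access/intercept/FilterSecurityInterceptorTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/intercept/FilterSecurityInterceptorTests.java
@@ -50,6 +50,7 @@
 import static org.mockito.BDDMockito.willThrow;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyZeroInteractions;
 
@@ -174,6 +175,17 @@ public void doFilterWhenObserveOncePerRequestThenAttributeNotSet() throws Except
 assertThat(request.getAttributeNames().hasMoreElements()).isFalse();
 }
 
+@Test
+public void doFilterWhenObserveOncePerRequestFalseAndInvokedTwiceThenObserveTwice() throws Throwable {
+Authentication token = new TestingAuthenticationToken("Test", "Password", "NOT_USED");
+SecurityContextHolder.getContext().setAuthentication(token);
+FilterInvocation fi = createinvocation();
+given(this.ods.getAttributes(fi)).willReturn(SecurityConfig.createList("MOCK_OK"));
+this.interceptor.invoke(fi);
+this.interceptor.invoke(fi);
+verify(this.adm, times(2)).decide(any(), any(), any());
+}
+
 private FilterInvocation createinvocation() {
 MockHttpServletResponse response = new MockHttpServletResponse();
 MockHttpServletRequest request = new MockHttpServletRequest();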
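Review bot: `doFilterWhenObserveOncePerRequestFalseAndInvokedTwiceThenObserveTwice` never sets the property, so it passes only because of the new default and would stop exercising the `false` case if the default or the fixture setup changed. Calling `this.interceptor.setObserveOncePerRequest(false);` before the first `invoke` makes the test match its name; the setup method is outside the hunk, so this assumes it does not already set the flag. A sibling case that sets `true` and verifies `decide` once across two invocations would pin both sides of the switch.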
