Skip to content

Introduced DispatcherType request matcher #9278

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Dec 14, 2020
Merged

Introduced DispatcherType request matcher #9278

merged 2 commits into from
Dec 14, 2020

Conversation

nmck257
Copy link
Contributor

@nmck257 nmck257 commented Dec 11, 2020

Created a DispatcherTypeRequestMatcher and corresponding methods
for configuring an HttpSecurity object. This enables filtering of
security rules based on the dispatcher type of the incoming servlet
request.

Additionally, removed duplicative code for parsing HttpMethod objects
from the AntPathRequestMatcher and RegexRequestMatcher.

Closes gh-9205

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 11, 2020
@nmck257 nmck257 force-pushed the feature/gh-9205 branch 2 times, most recently from ecdacdc to 3b667a5 Compare December 11, 2020 04:19
@nmck257 nmck257 mentioned this pull request Dec 11, 2020
Closed
@nmck257 nmck257 force-pushed the feature/gh-9205 branch 3 times, most recently from 7265c86 to 6f0975d Compare December 11, 2020 05:08
@eleftherias eleftherias self-assigned this Dec 11, 2020
@nmck257 nmck257 force-pushed the feature/gh-9205 branch 2 times, most recently from 3947552 to 6e0890e Compare December 11, 2020 14:00
@nmck257
Copy link
Contributor Author

nmck257 commented Dec 11, 2020

FYI - checks are passing now.

(sorry for the noise -- struggling to get my local checkstyle/checkformat config to match up w/ the project)

eleftherias
eleftherias suggested changes Dec 11, 2020
View reviewed changes
Copy link
Contributor

@eleftherias eleftherias left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @nmck257!
I have left some feedback inline.

@eleftherias eleftherias added in: config An issue in spring-security-config type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 11, 2020
@nmck257
Introduced DispatcherType request matcher
0838d4d 
Created a DispatcherTypeRequestMatcher and corresponding methods
for configuring an HttpSecurity object. This enables filtering of
security rules based on the dispatcher type of the incoming servlet
request.

Closes spring-projectsgh-9205
@nmck257
Minor cleanup on Ant / Regex Request Matchers
b432530 
 - Removed duplicative code for transforming String into HttpMethod
 - Removed an unnecessary array initialization
@nmck257 nmck257 requested a review from eleftherias December 11, 2020 22:58
@eleftherias eleftherias merged commit 5306d4c into spring-projects:master Dec 14, 2020
@eleftherias
Copy link
Contributor

Thanks @nmck257!
This is now merged into master.

Are you interested in submitting a similar PR for the server equivalent?
This would involve creating a DispatcherTypeServerWebExchangeMatcher that implements ServerWebExchangeMatcher.

@eleftherias eleftherias added the status: duplicate A duplicate of another issue label Dec 14, 2020
@eleftherias eleftherias added this to the 5.5.0-M2 milestone Dec 14, 2020
@nmck257
Copy link
Contributor Author

nmck257 commented Dec 14, 2020

Are you interested in submitting a similar PR for the server equivalent?
This would involve creating a DispatcherTypeServerWebExchangeMatcher that implements ServerWebExchangeMatcher.

Sure @eleftherias -- I should have time to do so a little later this week.

@nmck257
Copy link
Contributor Author

nmck257 commented Dec 15, 2020

@eleftherias - want to make sure I understand the intent for the DispatcherTypeServerWebExchangeMatcher.

The ServerWebExchange and ServerHttpRequest interfaces don't expose a DispatcherType directly.

But, I do see that if a request is adapted through ServletHttpHandlerAdapter into a ServletServerHttpRequest, then that particular ServerHttpRequest implementation has an HttpServletRequest field which will preserve the DispatcherType from the servlet context. And that field is available through AbstractServerHttpRequest::getNativeRequest with some casting.

So... is that the scope? The new matcher should check whether the incoming request is an instanceof ServletServerHttpRequest, and if so, pull back the DispatcherType from the request's servlet background for the comparison? And non-match requests which aren't ServletServerHttpRequest?

@eleftherias
Copy link
Contributor

Thanks for pointing that out @nmck257.

I was too quick to assume that there should be a server equivalent, when in fact this doesn't make sense for server based applications.
That means we don't need the additional PR.

Sorry about the confusion and thank you for setting us on the right track.

@nmck257
Copy link
Contributor Author

nmck257 commented Dec 16, 2020

Got it - no worries.

Thanks @eleftherias !

@simaotwx
Copy link
Contributor

simaotwx commented Jan 8, 2025

I was too quick to assume that there should be a server equivalent, when in fact this doesn't make sense for server based applications.

What do you mean by this? The PR says

This enables filtering of security rules based on the dispatcher type of the incoming servlet request.

"incoming servlet request" → server

Why is this not for server? I don't understand that.
Also, does this work in Kotlin using the DSL?

@simaotwx
Copy link
Contributor

simaotwx commented Jan 8, 2025

Also, does this work in Kotlin using the DSL?

Found it: https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html#match-by-dispatcher-type

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eleftherias eleftherias Awaiting requested review from eleftherias

Assignees

@eleftherias eleftherias

Labels
in: config An issue in spring-security-config status: duplicate A duplicate of another issue type: enhancement A general enhancement
Projects
None yet
Milestone
5.5.0-M2
Development

Successfully merging this pull request may close these issues.

Match requests based on servlet dispatcher type
4 participants
@nmck257 @eleftherias @simaotwx @spring-projects-issues