Merge Add XML Based shouldWriteHeadersEagerly tests

Author: rwinch

config/src/test/java/org/springframework/security/config/http/HttpHeadersConfigTests.java

@@ -28,14 +28,17 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
+import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.config.BeanPostProcessor;
 import org.springframework.beans.factory.parsing.BeanDefinitionParsingException;
 import org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.session.SessionLimit;
+import org.springframework.security.web.header.HeaderWriterFilter;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultMatcher;
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
@@ -150,6 +153,16 @@ public void requestWhenHeadersElementUsedThenResponseContainsAllSecureHeaders()
 		// @formatter:on
 	}
 
+	@Test
+	public void requestWhenHeadersEagerlyConfiguredThenHeadersAreWritten() throws Exception {
+		this.spring.configLocations(this.xml("HeadersEagerlyConfigured")).autowire();
+		// @formatter:off
+		this.mvc.perform(get("/").secure(true))
+				.andExpect(status().isOk())
+				.andExpect(includesDefaults());
+		// @formatter:on
+	}
+
 	@Test
 	public void requestWhenFrameOptionsConfiguredThenIncludesHeader() throws Exception {
 		Map<String, String> headers = new HashMap<>(defaultHeaders);
@@ -955,6 +968,18 @@ public String ok() {
 
 	}
 
+	public static class EagerHeadersBeanPostProcessor implements BeanPostProcessor {
+
+		@Override
+		public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
+			if (bean instanceof HeaderWriterFilter headerWriterFilter) {
+				headerWriterFilter.setShouldWriteHeadersEagerly(true);
+			}
+			return bean;
+		}
+
+	}
+
 	public static class CustomSessionLimit implements SessionLimit {
 
 		@Override

config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-HeadersEagerlyConfigured.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2004-present the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true">
+		<headers/>
+		<intercept-url pattern="/**" access="permitAll"/>
+	</http>
+
+	<b:bean class="org.springframework.security.config.http.HttpHeadersConfigTests.EagerHeadersBeanPostProcessor"/>
+
+	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationException.java

@@ -18,7 +18,8 @@
 
 import java.io.Serial;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java

@@ -119,8 +119,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 			"anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_USER"));
 
 	private final Mono<Authentication> currentAuthenticationMono = ReactiveSecurityContextHolder.getContext()
-		.flatMap((ctx) -> Mono.justOrEmpty(ctx.getAuthentication()))
-		.defaultIfEmpty(ANONYMOUS_USER_TOKEN);
+		.flatMap((ctx) -> Mono.justOrEmpty(ctx.getAuthentication()));
 
 	// @formatter:off
 	private final Mono<String> clientRegistrationIdMono = this.currentAuthenticationMono
@@ -145,6 +144,8 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 
 	private ServerSecurityContextRepository serverSecurityContextRepository = new WebSessionServerSecurityContextRepository();
 
+	private PrincipalResolver principalResolver = (request) -> this.currentAuthenticationMono;
+
 	/**
 	 * Constructs a {@code ServerOAuth2AuthorizedClientExchangeFilterFunction} using the
 	 * provided parameters.
@@ -332,6 +333,15 @@ public void setDefaultClientRegistrationId(String clientRegistrationId) {
 
 	@Override
 	public Mono<ClientResponse> filter(ClientRequest request, ExchangeFunction next) {
+		// @formatter:off
+		return this.principalResolver.resolve(request)
+			.defaultIfEmpty(ANONYMOUS_USER_TOKEN)
+			.flatMap((authentication) -> doFilter(request, next)
+				.contextWrite(ReactiveSecurityContextHolder.withAuthentication(authentication)));
+		// @formatter:on
+	}
+
+	private Mono<ClientResponse> doFilter(ClientRequest request, ExchangeFunction next) {
 		// @formatter:off
 		return authorizedClient(request)
 				.map((authorizedClient) -> bearer(request, authorizedClient))
@@ -483,13 +493,46 @@ public void setServerSecurityContextRepository(ServerSecurityContextRepository s
 		this.serverSecurityContextRepository = serverSecurityContextRepository;
 	}
 
+	/**
+	 * Sets the strategy for resolving a {@link Mono} of the {@link Authentication
+	 * principal} from an intercepted request.
+	 * @param principalResolver the strategy for resolving a {@link Mono} of the
+	 * {@link Authentication principal}
+	 * @since 7.1
+	 */
+	public void setPrincipalResolver(PrincipalResolver principalResolver) {
+		Assert.notNull(principalResolver, "principalResolver cannot be null");
+		this.principalResolver = principalResolver;
+	}
+
 	@FunctionalInterface
 	private interface ClientResponseHandler {
 
 		Mono<ClientResponse> handleResponse(ClientRequest request, Mono<ClientResponse> response);
 
 	}
 
+	/**
+	 * A strategy for resolving a {@link Mono} of the {@link Authentication principal}
+	 * from an intercepted request.
+	 *
+	 * @since 7.1
+	 */
+	@FunctionalInterface
+	public interface PrincipalResolver {
+
+		/**
+		 * Resolve a {@link Mono} of the {@link Authentication principal} from the current
+		 * request, which is used to obtain an {@link OAuth2AuthorizedClient}.
+		 * @param request the intercepted request, containing HTTP method, URI, headers,
+		 * and request attributes
+		 * @return a {@link Mono} of the {@link Authentication principal} to be used for
+		 * resolving an {@link OAuth2AuthorizedClient}
+		 */
+		Mono<Authentication> resolve(ClientRequest request);
+
+	}
+
 	/**
 	 * Forwards authentication and authorization failures to a
 	 * {@link ReactiveOAuth2AuthorizationFailureHandler}.

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunction.java

@@ -123,6 +123,7 @@
  * @author Rob Winch
  * @author Joe Grandja
  * @author Roman Matiushchenko
+ * @author Evgeniy Cheban
  * @since 5.1
  * @see OAuth2AuthorizedClientManager
  * @see DefaultOAuth2AuthorizedClientManager
@@ -154,6 +155,13 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement
 
 	private @Nullable OAuth2AuthorizedClientManager authorizedClientManager;
 
+	/*
+	 * For consistency, the default implementation resolves a principal from request
+	 * attributes. Request attributes are populated from Reactor context which is enriched
+	 * in SecurityReactorContextConfiguration.SecurityReactorContextSubscriber
+	 */
+	private PrincipalResolver principalResolver = (request) -> getAuthentication(request.attributes());
+
 	private boolean defaultOAuth2AuthorizedClient;
 
 	private @Nullable String defaultClientRegistrationId;
@@ -375,6 +383,18 @@ public void setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler aut
 		this.clientResponseHandler = new AuthorizationFailureForwarder(authorizationFailureHandler);
 	}
 
+	/**
+	 * Sets the strategy for resolving a {@link Authentication principal} from an
+	 * intercepted request.
+	 * @param principalResolver the strategy for resolving a {@link Authentication
+	 * principal}
+	 * @since 7.1
+	 */
+	public void setPrincipalResolver(PrincipalResolver principalResolver) {
+		Assert.notNull(principalResolver, "principalResolver cannot be null");
+		this.principalResolver = principalResolver;
+	}
+
 	@Override
 	public Mono<ClientResponse> filter(ClientRequest request, ExchangeFunction next) {
 		// @formatter:off
@@ -471,7 +491,7 @@ private void populateDefaultAuthentication(Map<String, Object> attrs) {
 		if (clientRegistrationId == null) {
 			clientRegistrationId = this.defaultClientRegistrationId;
 		}
-		Authentication authentication = getAuthentication(attrs);
+		Authentication authentication = this.principalResolver.resolve(request);
 		if (clientRegistrationId == null && this.defaultOAuth2AuthorizedClient
 				&& authentication instanceof OAuth2AuthenticationToken) {
 			clientRegistrationId = ((OAuth2AuthenticationToken) authentication).getAuthorizedClientRegistrationId();
@@ -485,7 +505,7 @@ private Mono<OAuth2AuthorizedClient> authorizeClient(String clientRegistrationId
 			return Mono.empty();
 		}
 		Map<String, Object> attrs = request.attributes();
-		Authentication authentication = getAuthentication(attrs);
+		Authentication authentication = this.principalResolver.resolve(request);
 		if (authentication == null) {
 			authentication = ANONYMOUS_AUTHENTICATION;
 		}
@@ -512,7 +532,7 @@ private Mono<OAuth2AuthorizedClient> reauthorizeClient(OAuth2AuthorizedClient au
 			return Mono.empty();
 		}
 		Map<String, Object> attrs = request.attributes();
-		Authentication authentication = getAuthentication(attrs);
+		Authentication authentication = this.principalResolver.resolve(request);
 		if (authentication == null) {
 			authentication = createAuthentication(authorizedClient.getPrincipalName());
 		}
@@ -587,6 +607,27 @@ public Object getPrincipal() {
 		};
 	}
 
+	/**
+	 * A strategy for resolving a {@link Authentication principal} from an intercepted
+	 * request.
+	 *
+	 * @since 7.1
+	 */
+	@FunctionalInterface
+	public interface PrincipalResolver {
+
+		/**
+		 * Resolve the {@link Authentication principal} from the current request, which is
+		 * used to obtain an {@link OAuth2AuthorizedClient}.
+		 * @param request the intercepted request, containing HTTP method, URI, headers,
+		 * and request attributes
+		 * @return the {@link Authentication principal} to be used for resolving an
+		 * {@link OAuth2AuthorizedClient}
+		 */
+		@Nullable Authentication resolve(ClientRequest request);
+
+	}
+
 	@FunctionalInterface
 	private interface ClientResponseHandler {
 

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunctionTests.java

@@ -218,6 +218,13 @@ public void setServerSecurityContextRepositoryWhenHandlerIsNullThenThrowIllegalA
 				.setServerSecurityContextRepository(null));
 	}
 
+	@Test
+	public void setPrincipalResolverWhenResolverIsNullThenThrowIllegalArgumentException() {
+		assertThatIllegalArgumentException()
+			.isThrownBy(() -> new ServerOAuth2AuthorizedClientExchangeFilterFunction(this.authorizedClientManager)
+				.setPrincipalResolver(null));
+	}
+
 	@Test
 	public void filterWhenAuthorizedClientNullThenAuthorizationHeaderNull() {
 		ClientRequest request = ClientRequest.create(HttpMethod.GET, URI.create("https://example.com")).build();
@@ -791,6 +798,38 @@ public void filterWhenClientRegistrationIdFromAuthenticationThenAuthorizedClient
 		assertThat(getBody(request0)).isEmpty();
 	}
 
+	@Test
+	public void filterWhenClientRegistrationIdFromAuthenticationAndCustomPrincipalResolverThenAuthorizedClientResolved() {
+		this.function.setDefaultOAuth2AuthorizedClient(true);
+		OAuth2User user = new DefaultOAuth2User(AuthorityUtils.createAuthorityList("ROLE_USER"),
+				Collections.singletonMap("user", "rob"), "user");
+		OAuth2AuthenticationToken initialAuthentication = new OAuth2AuthenticationToken(user, user.getAuthorities(),
+				"initial-registration-id");
+		OAuth2AuthenticationToken authentication = new OAuth2AuthenticationToken(user, user.getAuthorities(),
+				this.registration.getRegistrationId());
+		OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(this.registration, "principalName",
+				this.accessToken);
+		given(this.authorizedClientRepository.loadAuthorizedClient(this.registration.getRegistrationId(),
+				authentication, this.serverWebExchange))
+			.willReturn(Mono.just(authorizedClient));
+		final ClientRequest clientRequest = ClientRequest.create(HttpMethod.GET, URI.create("https://example.com"))
+			.build();
+		this.function.setPrincipalResolver((request) -> Mono.just(authentication));
+		this.function.filter(clientRequest, this.exchange)
+			.contextWrite(ReactiveSecurityContextHolder.withAuthentication(initialAuthentication))
+			.contextWrite(serverWebExchange())
+			.block();
+		List<ClientRequest> requests = this.exchange.getRequests();
+		assertThat(requests).hasSize(1);
+		ClientRequest request0 = requests.get(0);
+		assertThat(request0.headers().getFirst(HttpHeaders.AUTHORIZATION)).isEqualTo("Bearer token-0");
+		assertThat(request0.url().toASCIIString()).isEqualTo("https://example.com");
+		assertThat(request0.method()).isEqualTo(HttpMethod.GET);
+		assertThat(getBody(request0)).isEmpty();
+		verify(this.authorizedClientRepository).loadAuthorizedClient(this.registration.getRegistrationId(),
+				authentication, this.serverWebExchange);
+	}
+
 	@Test
 	public void filterWhenDefaultOAuth2AuthorizedClientFalseThenEmpty() {
 		ClientRequest request = ClientRequest.create(HttpMethod.GET, URI.create("https://example.com")).build();

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunctionTests.java

@@ -125,6 +125,7 @@
 
 /**
  * @author Rob Winch
+ * @author Evgeniy Cheban
  * @since 5.1
  */
 @ExtendWith(MockitoExtension.class)
@@ -217,6 +218,13 @@ public void constructorWhenAuthorizedClientManagerIsNullThenThrowIllegalArgument
 			.isThrownBy(() -> new ServletOAuth2AuthorizedClientExchangeFilterFunction(null));
 	}
 
+	@Test
+	public void setPrincipalResolverWhenResolverIsNullThenThrowIllegalArgumentException() {
+		assertThatIllegalArgumentException()
+			.isThrownBy(() -> new ServletOAuth2AuthorizedClientExchangeFilterFunction(this.authorizedClientManager)
+				.setPrincipalResolver(null));
+	}
+
 	@Test
 	public void defaultRequestRequestResponseWhenNullRequestContextThenRequestAndResponseNull() {
 		Map<String, Object> attrs = getDefaultRequestAttributes();
@@ -620,6 +628,39 @@ public void filterWhenChainedThenDefaultsStillAvailable() throws Exception {
 		assertThat(getBody(request)).isEmpty();
 	}
 
+	@Test
+	public void filterWhenClientRegistrationIdFromAuthenticationAndCustomPrincipalResolverThenAuthorizedClientResolved() {
+		this.function.setDefaultOAuth2AuthorizedClient(true);
+		MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+		MockHttpServletResponse servletResponse = new MockHttpServletResponse();
+		OAuth2User user = mock(OAuth2User.class);
+		List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
+		OAuth2AuthenticationToken initialAuthentication = new OAuth2AuthenticationToken(user, authorities,
+				"initial-registration-id");
+		OAuth2AuthenticationToken authentication = new OAuth2AuthenticationToken(user, authorities,
+				this.registration.getRegistrationId());
+		OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(this.registration, "principalName",
+				this.accessToken);
+		given(this.authorizedClientRepository.loadAuthorizedClient(this.registration.getRegistrationId(),
+				initialAuthentication, servletRequest))
+			.willReturn(authorizedClient);
+		final ClientRequest clientRequest = ClientRequest.create(HttpMethod.GET, URI.create("https://example.com"))
+			.build();
+		this.function.setPrincipalResolver((request) -> authentication);
+		this.function.filter(clientRequest, this.exchange)
+			.contextWrite(context(servletRequest, servletResponse, initialAuthentication))
+			.block();
+		List<ClientRequest> requests = this.exchange.getRequests();
+		assertThat(requests).hasSize(1);
+		ClientRequest request = requests.get(0);
+		assertThat(request.headers().getFirst(HttpHeaders.AUTHORIZATION)).isEqualTo("Bearer token-0");
+		assertThat(request.url().toASCIIString()).isEqualTo("https://example.com");
+		assertThat(request.method()).isEqualTo(HttpMethod.GET);
+		assertThat(getBody(request)).isEmpty();
+		verify(this.authorizedClientRepository).loadAuthorizedClient(this.registration.getRegistrationId(),
+				authentication, servletRequest);
+	}
+
 	@Test
 	public void filterWhenUnauthorizedThenInvokeFailureHandler() {
 		assertHttpStatusInvokesFailureHandler(HttpStatus.UNAUTHORIZED, OAuth2ErrorCodes.INVALID_TOKEN);