FilterSecurityInterceptor applies to every request by default #11466

Closed
Tracked by #10919
marcusdacoregio opened this issue Jul 6, 2022 · 0 comments
Labels
in: web An issue in web modules (web, webmvc) type: breaks-passivity A change that breaks passivity with the previous release type: enhancement A general enhancement
@marcusdacoregio
Contributor

The new AuthorizationFilter that supersedes the FilterSecurityInterceptor applies to every dispatcher type. We should align the behavior between the filters. This will also allow Spring Boot to remove the ErrorPageSecurityFilter #10919.

marcusdacoregio added the "in: web" and "type: enhancement" labels Jul 6, 2022
marcusdacoregio added this to the 6.0.x milestone Jul 6, 2022
marcusdacoregio self-assigned this Jul 6, 2022
marcusdacoregio changed the title from "FilterSecurityInterceptor should apply to every request by default" to "FilterSecurityInterceptor applies to every request by default" Jul 12, 2022
marcusdacoregio modified the milestones: 6.0.x, 6.0.0-M6 Jul 12, 2022
marcusdacoregio added the "type: breaks-passivity" label Jul 12, 2022
wilkinsona added a commit to spring-projects/spring-boot that referenced this issue Jul 13, 2022
Spring Security now filters every dispatch by default and not only
once-per-request. Security configuration has been updated in a number of
places to restore the old behavior as needed for the tests to pass.
gh-31703 has been opened to review this and to investigate if we can
now remove the error page security filter and rely on the filtering of
every dispatch instead.

In addition to switching to once-per-request filtering where needed,
this commit also restructures the configuration of the error page
security filter. The restructuring was necessary to ensure that the
privilege evaluator bean has been defined before the conditions on the
error page security filter are evaluated. Without the change, the filter
was no longer being configured as the privilege evaluator hadn't been
defined before the on bean condition was evaluated. We may want to back
port this change as the ordering doesn't appear to have been defined
before and we were just getting lucky.

See gh-31622
See spring-projects/spring-security#11466
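
As an added illustration (not code from this issue or from the Spring Boot commit above), the configuration below shows the two behaviors side by side: one chain opts FilterSecurityInterceptor back into once-per-request filtering, the other accepts authorization on every dispatch and therefore writes an explicit rule for ERROR dispatches. It assumes Spring Security 6.0 with the jakarta servlet API; the class name, bean names, paths and role are hypothetical.

```java
import jakarta.servlet.DispatcherType;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class; paths, role and bean names are illustrative.
@Configuration
@EnableWebSecurity
public class DispatchAwareSecurityConfig {

    // Legacy-style chain: FilterSecurityInterceptor is opted back into
    // once-per-request filtering, so a request that was already authorized
    // is not authorized again when it is re-dispatched (FORWARD, ERROR, ...)
    // to a path under this matcher.
    @Bean
    @Order(1)
    SecurityFilterChain legacyChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/legacy/**")
            .authorizeRequests(authorize -> authorize
                .filterSecurityInterceptorOncePerRequest(true)
                .anyRequest().authenticated());
        return http.build();
    }

    // Every-dispatch chain: authorization runs on each dispatch, so the
    // ERROR dispatch that renders an error page needs its own rule.
    // Without one it falls through to anyRequest().authenticated() and
    // anonymous users are denied the error page itself.
    @Bean
    @Order(2)
    SecurityFilterChain everyDispatchChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(authorize -> authorize
                .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated());
        return http.build();
    }
}
```

When reviewing an upgrade, check each chain for rules that only make sense for the initial REQUEST dispatch and decide explicitly what FORWARD, INCLUDE and ERROR dispatches should be allowed to reach.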