Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider alerting applications when both FilterSecurityInterceptor and AuthorizationFilter are in the same filter chain #16213

Closed
jzheaux opened this issue Dec 4, 2024 · 2 comments
Closed

Consider alerting applications when both FilterSecurityInterceptor and AuthorizationFilter are in the same filter chain #16213

jzheaux opened this issue Dec 4, 2024 · 2 comments
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement

Comments

@jzheaux
Copy link
Contributor

jzheaux commented Dec 4, 2024
edited
Loading

This is almost definitely a misconfiguration. It could be detected in DefaultFilterChainValidator.

Since Spring Security can "work" with both of these filters, let's simply warn in the logs. Along those lines, there should be two warn messages:

  1. If they are using both filters, warn that this is probably a misconfiguration and they should migrate as soon as possible to authorizeHttpRequests.
  2. If they are only using FilterSecurityInterceptor, warn that it is due for removal and they should migrate as soon as possible to authorizeHttpRequests
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Dec 4, 2024
@franticticktick
Copy link
Contributor

Hi @jzheaux, could you assign this task to me? It seems to be related to this one. Currently the DefaultFilterChainValidator only works with xml config. In addition, it contains several bugs:

RequestMatcher matcher = ((DefaultSecurityFilterChain) chains.next()).getRequestMatcher();

Such forced castes can lead to errors if a custom filterChain is used. Therefore, we must first consider 15982.

@jzheaux jzheaux mentioned this issue Dec 5, 2024
Merged
@evgeniycheban
Copy link
Contributor

Hi, @jzheaux I'd want to work on this, can you assign it to me?

franticticktick added a commit to franticticktick/spring-security that referenced this issue Dec 19, 2024
@franticticktick
Add Alerting About Deprecated Authorize Config
4724f16 
Closes spring-projectsgh-16213
franticticktick added a commit to franticticktick/spring-security that referenced this issue Dec 19, 2024
@franticticktick
Add Alerting About Deprecated Authorize Config
6088267 
Closes spring-projectsgh-16213
jzheaux pushed a commit to franticticktick/spring-security that referenced this issue Dec 19, 2024
@franticticktick @jzheaux
Add Alerting About Deprecated Authorize Config
bbeedec 
Closes spring-projectsgh-16213
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jzheaux @evgeniycheban @franticticktick