Merge branch '2.6.x' into 2.7.x

Closes gh-29501

Author: wilkinsona

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/servlet/filter/ErrorPageSecurityFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,6 +35,7 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
+import org.springframework.web.util.UrlPathHelper;
 
 /**
  * {@link Filter} that intercepts error dispatches to ensure authorized access to the
@@ -48,12 +49,15 @@ public class ErrorPageSecurityFilter implements Filter {
 
 	private static final WebInvocationPrivilegeEvaluator ALWAYS = new AlwaysAllowWebInvocationPrivilegeEvaluator();
 
+	private final UrlPathHelper urlPathHelper = new UrlPathHelper();
+
 	private final ApplicationContext context;
 
 	private volatile WebInvocationPrivilegeEvaluator privilegeEvaluator;
 
 	public ErrorPageSecurityFilter(ApplicationContext context) {
 		this.context = context;
+		this.urlPathHelper.setAlwaysUseFullPath(true);
 	}
 
 	@Override
@@ -81,7 +85,7 @@ private boolean isAllowed(HttpServletRequest request, Integer errorCode) {
 		if (isUnauthenticated(authentication) && isNotAuthenticationError(errorCode)) {
 			return true;
 		}
-		return getPrivilegeEvaluator().isAllowed(request.getRequestURI(), authentication);
+		return getPrivilegeEvaluator().isAllowed(this.urlPathHelper.getPathWithinApplication(request), authentication);
 	}
 
 	private boolean isUnauthenticated(Authentication authentication) {

spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/servlet/filter/ErrorPageSecurityFilterTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.BDDMockito.willThrow;
 import static org.mockito.Mockito.mock;
@@ -118,4 +119,30 @@ void ignorePrivilegeEvaluationForNonErrorDispatchType() throws Exception {
 		verify(this.filterChain).doFilter(this.request, this.response);
 	}
 
+	@Test
+	void whenThereIsAContextPathAndServletIsMappedToSlashContextPathIsNotPassedToEvaluator() throws Exception {
+		SecurityContext securityContext = mock(SecurityContext.class);
+		SecurityContextHolder.setContext(securityContext);
+		given(securityContext.getAuthentication()).willReturn(mock(Authentication.class));
+		this.request.setRequestURI("/example/error");
+		this.request.setContextPath("/example");
+		// Servlet mapped to /
+		this.request.setServletPath("/error");
+		this.securityFilter.doFilter(this.request, this.response, this.filterChain);
+		verify(this.privilegeEvaluator).isAllowed(eq("/error"), any());
+	}
+
+	@Test
+	void whenThereIsAContextPathAndServletIsMappedToWildcardPathCorrectPathIsPassedToEvaluator() throws Exception {
+		SecurityContext securityContext = mock(SecurityContext.class);
+		SecurityContextHolder.setContext(securityContext);
+		given(securityContext.getAuthentication()).willReturn(mock(Authentication.class));
+		this.request.setRequestURI("/example/dispatcher/path/error");
+		this.request.setContextPath("/example");
+		// Servlet mapped to /dispatcher/path/*
+		this.request.setServletPath("/dispatcher/path");
+		this.securityFilter.doFilter(this.request, this.response, this.filterChain);
+		verify(this.privilegeEvaluator).isAllowed(eq("/dispatcher/path/error"), any());
+	}
+
 }

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/AbstractErrorPageTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -41,6 +41,12 @@ abstract class AbstractErrorPageTests {
 	@Autowired
 	private TestRestTemplate testRestTemplate;
 
+	private final String pathPrefix;
+
+	protected AbstractErrorPageTests(String pathPrefix) {
+		this.pathPrefix = pathPrefix;
+	}
+
 	@Test
 	void testBadCredentials() {
 		final ResponseEntity<JsonNode> response = this.testRestTemplate.withBasicAuth("username", "wrongpassword")
@@ -52,17 +58,17 @@ void testBadCredentials() {
 
 	@Test
 	void testNoCredentials() {
-		final ResponseEntity<JsonNode> response = this.testRestTemplate.exchange("/test", HttpMethod.GET, null,
-				JsonNode.class);
+		final ResponseEntity<JsonNode> response = this.testRestTemplate.exchange(this.pathPrefix + "/test",
+				HttpMethod.GET, null, JsonNode.class);
 		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
 		JsonNode jsonResponse = response.getBody();
 		assertThat(jsonResponse).isNull();
 	}
 
 	@Test
 	void testPublicNotFoundPage() {
-		final ResponseEntity<JsonNode> response = this.testRestTemplate.exchange("/public/notfound", HttpMethod.GET,
-				null, JsonNode.class);
+		final ResponseEntity<JsonNode> response = this.testRestTemplate.exchange(this.pathPrefix + "/public/notfound",
+				HttpMethod.GET, null, JsonNode.class);
 		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
 		JsonNode jsonResponse = response.getBody();
 		assertThat(jsonResponse.get("error").asText()).isEqualTo("Not Found");
@@ -71,7 +77,7 @@ void testPublicNotFoundPage() {
 	@Test
 	void testPublicNotFoundPageWithCorrectCredentials() {
 		final ResponseEntity<JsonNode> response = this.testRestTemplate.withBasicAuth("username", "password")
-				.exchange("/public/notfound", HttpMethod.GET, null, JsonNode.class);
+				.exchange(this.pathPrefix + "/public/notfound", HttpMethod.GET, null, JsonNode.class);
 		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
 		JsonNode jsonResponse = response.getBody();
 		assertThat(jsonResponse.get("error").asText()).isEqualTo("Not Found");
@@ -80,7 +86,7 @@ void testPublicNotFoundPageWithCorrectCredentials() {
 	@Test
 	void testPublicNotFoundPageWithBadCredentials() {
 		final ResponseEntity<JsonNode> response = this.testRestTemplate.withBasicAuth("username", "wrong")
-				.exchange("/public/notfound", HttpMethod.GET, null, JsonNode.class);
+				.exchange(this.pathPrefix + "/public/notfound", HttpMethod.GET, null, JsonNode.class);
 		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
 		JsonNode jsonResponse = response.getBody();
 		assertThat(jsonResponse).isNull();
@@ -89,7 +95,7 @@ void testPublicNotFoundPageWithBadCredentials() {
 	@Test
 	void testCorrectCredentialsWithControllerException() {
 		final ResponseEntity<JsonNode> response = this.testRestTemplate.withBasicAuth("username", "password")
-				.exchange("/fail", HttpMethod.GET, null, JsonNode.class);
+				.exchange(this.pathPrefix + "/fail", HttpMethod.GET, null, JsonNode.class);
 		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.INTERNAL_SERVER_ERROR);
 		JsonNode jsonResponse = response.getBody();
 		assertThat(jsonResponse.get("error").asText()).isEqualTo("Internal Server Error");
@@ -98,7 +104,7 @@ void testCorrectCredentialsWithControllerException() {
 	@Test
 	void testCorrectCredentials() {
 		final ResponseEntity<String> response = this.testRestTemplate.withBasicAuth("username", "password")
-				.exchange("/test", HttpMethod.GET, null, String.class);
+				.exchange(this.pathPrefix + "/test", HttpMethod.GET, null, String.class);
 		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
 		response.getBody();
 		assertThat(response.getBody()).isEqualTo("test");

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/AbstractUnauthenticatedErrorPageTests.java

@@ -0,0 +1,109 @@
+/*
+ * Copyright 2012-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package smoketest.web.secure;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Abstract base class for tests to ensure that the error page is accessible only to
+ * authorized users.
+ *
+ * @author Madhura Bhave
+ */
+abstract class AbstractUnauthenticatedErrorPageTests {
+
+	@Autowired
+	private TestRestTemplate testRestTemplate;
+
+	private final String pathPrefix;
+
+	protected AbstractUnauthenticatedErrorPageTests(String pathPrefix) {
+		this.pathPrefix = pathPrefix;
+	}
+
+	@Test
+	void testBadCredentials() {
+		final ResponseEntity<JsonNode> response = this.testRestTemplate.withBasicAuth("username", "wrongpassword")
+				.exchange(this.pathPrefix + "/test", HttpMethod.GET, null, JsonNode.class);
+		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
+		JsonNode jsonResponse = response.getBody();
+		assertThat(jsonResponse.get("error").asText()).isEqualTo("Unauthorized");
+	}
+
+	@Test
+	void testNoCredentials() {
+		final ResponseEntity<JsonNode> response = this.testRestTemplate.exchange(this.pathPrefix + "/test",
+				HttpMethod.GET, null, JsonNode.class);
+		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
+		JsonNode jsonResponse = response.getBody();
+		assertThat(jsonResponse.get("error").asText()).isEqualTo("Unauthorized");
+	}
+
+	@Test
+	void testPublicNotFoundPage() {
+		final ResponseEntity<JsonNode> response = this.testRestTemplate.exchange(this.pathPrefix + "/public/notfound",
+				HttpMethod.GET, null, JsonNode.class);
+		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
+		JsonNode jsonResponse = response.getBody();
+		assertThat(jsonResponse.get("error").asText()).isEqualTo("Not Found");
+	}
+
+	@Test
+	void testPublicNotFoundPageWithCorrectCredentials() {
+		final ResponseEntity<JsonNode> response = this.testRestTemplate.withBasicAuth("username", "password")
+				.exchange(this.pathPrefix + "/public/notfound", HttpMethod.GET, null, JsonNode.class);
+		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
+		JsonNode jsonResponse = response.getBody();
+		assertThat(jsonResponse.get("error").asText()).isEqualTo("Not Found");
+	}
+
+	@Test
+	void testPublicNotFoundPageWithBadCredentials() {
+		final ResponseEntity<JsonNode> response = this.testRestTemplate.withBasicAuth("username", "wrong")
+				.exchange(this.pathPrefix + "/public/notfound", HttpMethod.GET, null, JsonNode.class);
+		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
+		JsonNode jsonResponse = response.getBody();
+		assertThat(jsonResponse.get("error").asText()).isEqualTo("Unauthorized");
+	}
+
+	@Test
+	void testCorrectCredentialsWithControllerException() {
+		final ResponseEntity<JsonNode> response = this.testRestTemplate.withBasicAuth("username", "password")
+				.exchange(this.pathPrefix + "/fail", HttpMethod.GET, null, JsonNode.class);
+		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.INTERNAL_SERVER_ERROR);
+		JsonNode jsonResponse = response.getBody();
+		assertThat(jsonResponse.get("error").asText()).isEqualTo("Internal Server Error");
+	}
+
+	@Test
+	void testCorrectCredentials() {
+		final ResponseEntity<String> response = this.testRestTemplate.withBasicAuth("username", "password")
+				.exchange(this.pathPrefix + "/test", HttpMethod.GET, null, String.class);
+		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
+		assertThat(response.getBody()).isEqualTo("test");
+	}
+
+}

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/CustomContextPathErrorPageTests.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2012-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package smoketest.web.secure;
+
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
+
+/**
+ * Tests to ensure that the error page with a custom context path is accessible only to
+ * authorized users.
+ *
+ * @author Madhura Bhave
+ */
+@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT,
+		classes = { AbstractErrorPageTests.TestConfiguration.class, ErrorPageTests.SecurityConfiguration.class,
+				SampleWebSecureApplication.class },
+		properties = { "server.error.include-message=always", "spring.security.user.name=username",
+				"spring.security.user.password=password", "server.servlet.context-path=/example" })
+class CustomContextPathErrorPageTests extends AbstractErrorPageTests {
+
+	CustomContextPathErrorPageTests() {
+		super("");
+	}
+
+}

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/test/java/smoketest/web/secure/CustomContextPathUnauthenticatedErrorPageTests.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2012-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package smoketest.web.secure;
+
+import org.springframework.boot.test.context.SpringBootTest;
+
+/**
+ * Tests for error page that permits access to all with a custom context path.
+ *
+ * @author Madhura Bhave
+ */
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
+		classes = { AbstractErrorPageTests.TestConfiguration.class,
+				UnauthenticatedErrorPageTests.SecurityConfiguration.class, SampleWebSecureApplication.class },
+		properties = { "server.error.include-message=always", "spring.security.user.name=username",
+				"spring.security.user.password=password", "server.servlet.context-path=/example" })
+class CustomContextPathUnauthenticatedErrorPageTests extends AbstractUnauthenticatedErrorPageTests {
+
+	CustomContextPathUnauthenticatedErrorPageTests() {
+		super("");
+	}
+
+}