Support A Well-Known URL for Changing Passwords

Closes gh-8657

Author: evgeniycheban

config/src/main/java/org/springframework/security/config/Elements.java

@@ -80,4 +80,6 @@ public abstract class Elements {
 	public static final String OAUTH2_LOGIN = "oauth2-login";
 	public static final String OAUTH2_CLIENT = "oauth2-client";
 	public static final String CLIENT_REGISTRATIONS = "client-registrations";
+
+	public static final String PASSWORD_MANAGEMENT = "password-management";
 }

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -54,6 +54,7 @@
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.config.annotation.web.configurers.openid.OpenIDLoginConfigurer;
 import org.springframework.security.config.annotation.web.configurers.saml2.Saml2LoginConfigurer;
+import org.springframework.security.config.annotation.web.configurers.PasswordManagementConfigurer;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -2526,6 +2527,46 @@ public HttpSecurity httpBasic(Customizer<HttpBasicConfigurer<HttpSecurity>> http
 		return HttpSecurity.this;
 	}
 
+	/**
+	 * Adds support for the password management.
+	 *
+	 * <h2>Example Configuration</h2>
+	 * The example below demonstrates how to configure password management for an
+	 * application. The default change password page is "/change-password", but can be
+	 * customized using {@link PasswordManagementConfigurer#changePasswordPage(String)}.
+	 *
+	 * <pre>
+	 * &#064;Configuration
+	 * &#064;EnableWebSecurity
+	 * public class PasswordManagementSecurityConfig extends WebSecurityConfigurerAdapter {
+	 *
+	 * 	&#064;Override
+	 * 	protected void configure(HttpSecurity http) throws Exception {
+	 * 		http
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
+	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 			)
+	 * 			.passwordManagement(passwordManagement ->
+	 * 				passwordManagement
+	 * 					.changePasswordPage(&quot;/custom-change-password-page&quot;)
+	 * 			);
+	 *    }
+	 * }
+	 * </pre>
+	 *
+	 * @param passwordManagementCustomizer the {@link Customizer} to provide more options for
+	 *                                     the {@link PasswordManagementConfigurer}
+	 * @return the {@link HttpSecurity} for further customizations
+	 * @throws Exception
+	 * @since 5.4
+	 */
+	public HttpSecurity passwordManagement(Customizer<PasswordManagementConfigurer<HttpSecurity>> passwordManagementCustomizer)
+			throws Exception {
+		passwordManagementCustomizer.customize(getOrApply(new PasswordManagementConfigurer<>()));
+		return HttpSecurity.this;
+	}
+
 	public <C> void setSharedObject(Class<C> sharedType, C object) {
 		super.setSharedObject(sharedType, object);
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/PasswordManagementConfigurer.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.configurers;
+
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.web.RequestMatcherRedirectFilter;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.util.Assert;
+
+/**
+ * Adds password management support.
+ *
+ * @author Evgeniy Cheban
+ * @since 5.4
+ */
+public class PasswordManagementConfigurer<B extends HttpSecurityBuilder<B>> extends
+		AbstractHttpConfigurer<PasswordManagementConfigurer<B>, B> {
+
+	private static final String WELL_KNOWN_CHANGE_PASSWORD_PATTERN = "/.well-known/change-password";
+	private static final String DEFAULT_CHANGE_PASSWORD_PAGE = "/change-password";
+
+	private String changePasswordPage = DEFAULT_CHANGE_PASSWORD_PAGE;
+
+	/**
+	 * Sets the change password page.
+	 * Defaults to {@link PasswordManagementConfigurer#DEFAULT_CHANGE_PASSWORD_PAGE}.
+	 *
+	 * @param changePasswordPage the change password page
+	 * @return the {@link PasswordManagementConfigurer} for further customizations
+	 */
+	public PasswordManagementConfigurer<B> changePasswordPage(String changePasswordPage) {
+		Assert.hasText(changePasswordPage, "changePasswordPage cannot be empty");
+		this.changePasswordPage = changePasswordPage;
+		return this;
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public void configure(B http) throws Exception {
+		RequestMatcherRedirectFilter changePasswordFilter = new RequestMatcherRedirectFilter(
+				new AntPathRequestMatcher(WELL_KNOWN_CHANGE_PASSWORD_PATTERN), this.changePasswordPage);
+		http.addFilterBefore(postProcess(changePasswordFilter), UsernamePasswordAuthenticationFilter.class);
+	}
+}

config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -91,6 +91,7 @@
 import static org.springframework.security.config.http.SecurityFilters.SERVLET_API_SUPPORT_FILTER;
 import static org.springframework.security.config.http.SecurityFilters.SESSION_MANAGEMENT_FILTER;
 import static org.springframework.security.config.http.SecurityFilters.WEB_ASYNC_MANAGER_FILTER;
+import static org.springframework.security.config.http.SecurityFilters.WELL_KNOWN_CHANGE_PASSWORD_REDIRECT_FILTER;
 
 /**
  * Stateful class which helps HttpSecurityBDP to create the configuration for the
@@ -144,6 +145,7 @@ class HttpConfigurationBuilder {
 	private BeanDefinition addHeadersFilter;
 	private BeanMetadataElement corsFilter;
 	private BeanDefinition csrfFilter;
+	private BeanDefinition wellKnownChangePasswordRedirectFilter;
 	private BeanMetadataElement csrfLogoutHandler;
 	private BeanMetadataElement csrfAuthStrategy;
 
@@ -193,6 +195,7 @@ class HttpConfigurationBuilder {
 		createFilterSecurityInterceptor(authenticationManager);
 		createAddHeadersFilter();
 		createCorsFilter();
+		createWellKnownChangePasswordRedirectFilter();
 	}
 
 	private SessionCreationPolicy createPolicy(String createSession) {
@@ -803,6 +806,16 @@ private void createCsrfFilter() {
 		this.csrfLogoutHandler = csrfParser.getCsrfLogoutHandler();
 	}
 
+	private void createWellKnownChangePasswordRedirectFilter() {
+		Element element = DomUtils.getChildElementByTagName(this.httpElt, Elements.PASSWORD_MANAGEMENT);
+		if (element == null) {
+			return;
+		}
+
+		WellKnownChangePasswordBeanDefinitionParser parser = new WellKnownChangePasswordBeanDefinitionParser();
+		this.wellKnownChangePasswordRedirectFilter = parser.parse(element, this.pc);
+	}
+
 	BeanMetadataElement getCsrfLogoutHandler() {
 		return this.csrfLogoutHandler;
 	}
@@ -869,6 +882,11 @@ List<OrderDecorator> getFilters() {
 			filters.add(new OrderDecorator(csrfFilter, CSRF_FILTER));
 		}
 
+		if (this.wellKnownChangePasswordRedirectFilter != null) {
+			filters.add(new OrderDecorator(this.wellKnownChangePasswordRedirectFilter,
+					WELL_KNOWN_CHANGE_PASSWORD_REDIRECT_FILTER));
+		}
+
 		return filters;
 	}
 

config/src/main/java/org/springframework/security/config/http/SecurityFilters.java

@@ -33,6 +33,7 @@ enum SecurityFilters {
 	WEB_ASYNC_MANAGER_FILTER /** {@link WebAsyncManagerIntegrationFilter} */,
 	HEADERS_FILTER, CORS_FILTER,
 	CSRF_FILTER,
+	WELL_KNOWN_CHANGE_PASSWORD_REDIRECT_FILTER,
 	LOGOUT_FILTER,
 	OAUTH2_AUTHORIZATION_REQUEST_FILTER,
 	X509_FILTER,

config/src/main/java/org/springframework/security/config/http/WellKnownChangePasswordBeanDefinitionParser.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.http;
+
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.springframework.beans.factory.xml.BeanDefinitionParser;
+import org.springframework.beans.factory.xml.ParserContext;
+import org.springframework.security.web.RequestMatcherRedirectFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.util.StringUtils;
+import org.w3c.dom.Element;
+
+/**
+ * The bean definition parser for a Well-Known URL for Changing Passwords.
+ *
+ * @author Evgeniy Cheban
+ * @since 5.4
+ */
+public class WellKnownChangePasswordBeanDefinitionParser implements BeanDefinitionParser {
+	private static final String WELL_KNOWN_CHANGE_PASSWORD_PATTERN = "/.well-known/change-password";
+	private static final String DEFAULT_CHANGE_PASSWORD_PAGE = "/change-password";
+	private static final String ATT_CHANGE_PASSWORD_PAGE = "change-password-page";
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public BeanDefinition parse(Element element, ParserContext parserContext) {
+		BeanDefinition changePasswordFilter = BeanDefinitionBuilder
+				.rootBeanDefinition(RequestMatcherRedirectFilter.class)
+				.addConstructorArgValue(new AntPathRequestMatcher(WELL_KNOWN_CHANGE_PASSWORD_PATTERN))
+				.addConstructorArgValue(getChangePasswordPage(element))
+				.getBeanDefinition();
+
+		parserContext.getReaderContext().registerWithGeneratedName(changePasswordFilter);
+
+		return changePasswordFilter;
+	}
+
+	private String getChangePasswordPage(Element element) {
+		String changePasswordPage = element.getAttribute(ATT_CHANGE_PASSWORD_PAGE);
+		return (StringUtils.hasText(changePasswordPage) ? changePasswordPage : DEFAULT_CHANGE_PASSWORD_PAGE);
+	}
+}

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -153,6 +153,7 @@
 import org.springframework.security.web.server.header.StrictTransportSecurityServerHttpHeadersWriter;
 import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter;
 import org.springframework.security.web.server.header.XXssProtectionServerHttpHeadersWriter;
+import org.springframework.security.web.server.ExchangeMatcherRedirectWebFilter;
 import org.springframework.security.web.server.savedrequest.NoOpServerRequestCache;
 import org.springframework.security.web.server.savedrequest.ServerRequestCache;
 import org.springframework.security.web.server.savedrequest.ServerRequestCacheWebFilter;
@@ -258,6 +259,8 @@ public class ServerHttpSecurity {
 
 	private HttpBasicSpec httpBasic;
 
+	private PasswordManagementSpec passwordManagement;
+
 	private X509Spec x509;
 
 	private final RequestCacheSpec requestCache = new RequestCacheSpec();
@@ -734,6 +737,58 @@ public ServerHttpSecurity httpBasic(Customizer<HttpBasicSpec> httpBasicCustomize
 		return this;
 	}
 
+	/**
+	 * Configures password management. An example configuration is provided below:
+	 *
+	 * <pre class="code">
+	 *  &#064;Bean
+	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+	 *      http
+	 *          // ...
+	 *          .passwordManagement();
+	 *      return http.build();
+	 *  }
+	 * </pre>
+	 *
+	 * @return the {@link PasswordManagementSpec} to customize
+	 * @since 5.4
+	 */
+	public PasswordManagementSpec passwordManagement() {
+		if (this.passwordManagement == null) {
+			this.passwordManagement = new PasswordManagementSpec();
+		}
+		return this.passwordManagement;
+	}
+
+	/**
+	 * Configures password management. An example configuration is provided below:
+	 *
+	 * <pre class="code">
+	 *  &#064;Bean
+	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+	 *      http
+	 *          // ...
+	 *          .passwordManagement(passwordManagement ->
+	 *          	// Custom change password page.
+	 *          	passwordManagement.changePasswordPage("/custom-change-password-page")
+	 *          );
+	 *      return http.build();
+	 *  }
+	 * </pre>
+	 *
+	 * @param passwordManagementCustomizer the {@link Customizer} to provide more options for
+	 *                                     the {@link PasswordManagementSpec}
+	 * @return the {@link ServerHttpSecurity} to customize
+	 * @since 5.4
+	 */
+	public ServerHttpSecurity passwordManagement(Customizer<PasswordManagementSpec> passwordManagementCustomizer) {
+		if (this.passwordManagement == null) {
+			this.passwordManagement = new PasswordManagementSpec();
+		}
+		passwordManagementCustomizer.customize(this.passwordManagement);
+		return this;
+	}
+
 	/**
 	 * Configures form based authentication. An example configuration is provided below:
 	 *
@@ -2448,6 +2503,9 @@ else if (this.securityContextRepository != null) {
 			}
 			this.httpBasic.configure(this);
 		}
+		if (this.passwordManagement != null) {
+			this.passwordManagement.configure(this);
+		}
 		if (this.formLogin != null) {
 			if (this.formLogin.authenticationManager == null) {
 				this.formLogin.authenticationManager(this.authenticationManager);
@@ -3054,6 +3112,51 @@ protected void configure(ServerHttpSecurity http) {
 		private HttpBasicSpec() {}
 	}
 
+	/**
+	 * Configures password management.
+	 *
+	 * @author Evgeniy Cheban
+	 * @see #passwordManagement()
+	 * @since 5.4
+	 */
+	public class PasswordManagementSpec {
+		private static final String WELL_KNOWN_CHANGE_PASSWORD_PATTERN = "/.well-known/change-password";
+		private static final String DEFAULT_CHANGE_PASSWORD_PAGE = "/change-password";
+
+		private String changePasswordPage = DEFAULT_CHANGE_PASSWORD_PAGE;
+
+		/**
+		 * Sets the change password page.
+		 * Defaults to {@link PasswordManagementSpec#DEFAULT_CHANGE_PASSWORD_PAGE}.
+		 *
+		 * @param changePasswordPage the change password page
+		 * @return the {@link PasswordManagementSpec} to continue configuring
+		 */
+		public PasswordManagementSpec changePasswordPage(String changePasswordPage) {
+			Assert.hasText(changePasswordPage, "changePasswordPage cannot be empty");
+			this.changePasswordPage = changePasswordPage;
+			return this;
+		}
+
+		/**
+		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}.
+		 *
+		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 */
+		public ServerHttpSecurity and() {
+			return ServerHttpSecurity.this;
+		}
+
+		protected void configure(ServerHttpSecurity http) {
+			ExchangeMatcherRedirectWebFilter changePasswordWebFilter = new ExchangeMatcherRedirectWebFilter(
+					new PathPatternParserServerWebExchangeMatcher(WELL_KNOWN_CHANGE_PASSWORD_PATTERN), this.changePasswordPage);
+			http.addFilterBefore(changePasswordWebFilter, SecurityWebFiltersOrder.AUTHENTICATION);
+		}
+
+		private PasswordManagementSpec() {
+		}
+	}
+
 	/**
 	 * Configures Form Based authentication
 	 *