Support A Well-Known URL for Changing Passwords

Closes gh-8657

Author: evgeniycheban

config/src/main/java/org/springframework/security/config/Elements.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@
  * Contains all the element names used by Spring Security 3 namespace support.
  *
  * @author Ben Alex
+ * @author Evgeniy Cheban
  */
 public abstract class Elements {
 
@@ -135,4 +136,6 @@ public abstract class Elements {
 
 	public static final String CLIENT_REGISTRATIONS = "client-registrations";
 
+	public static final String PASSWORD_MANAGEMENT = "password-management";
+
 }

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -59,6 +59,7 @@
 import org.springframework.security.config.annotation.web.configurers.HttpBasicConfigurer;
 import org.springframework.security.config.annotation.web.configurers.JeeConfigurer;
 import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
+import org.springframework.security.config.annotation.web.configurers.PasswordManagementConfigurer;
 import org.springframework.security.config.annotation.web.configurers.PortMapperConfigurer;
 import org.springframework.security.config.annotation.web.configurers.RememberMeConfigurer;
 import org.springframework.security.config.annotation.web.configurers.RequestCacheConfigurer;
@@ -2604,6 +2605,45 @@ public HttpSecurity httpBasic(Customizer<HttpBasicConfigurer<HttpSecurity>> http
 		return HttpSecurity.this;
 	}
 
+	/**
+	 * Adds support for the password management.
+	 *
+	 * <h2>Example Configuration</h2> The example below demonstrates how to configure
+	 * password management for an application. The default change password page is
+	 * "/change-password", but can be customized using
+	 * {@link PasswordManagementConfigurer#changePasswordPage(String)}.
+	 *
+	 * <pre>
+	 * &#064;Configuration
+	 * &#064;EnableWebSecurity
+	 * public class PasswordManagementSecurityConfig extends WebSecurityConfigurerAdapter {
+	 *
+	 * 	&#064;Override
+	 * 	protected void configure(HttpSecurity http) throws Exception {
+	 * 		http
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
+	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 			)
+	 * 			.passwordManagement(passwordManagement ->
+	 * 				passwordManagement
+	 * 					.changePasswordPage(&quot;/custom-change-password-page&quot;)
+	 * 			);
+	 *  }
+	 * }
+	 * </pre>
+	 * @param passwordManagementCustomizer the {@link Customizer} to provide more options
+	 * for the {@link PasswordManagementConfigurer}
+	 * @return the {@link HttpSecurity} for further customizations
+	 * @throws Exception
+	 * @since 5.6
+	 */
+	public HttpSecurity passwordManagement(
+			Customizer<PasswordManagementConfigurer<HttpSecurity>> passwordManagementCustomizer) throws Exception {
+		passwordManagementCustomizer.customize(getOrApply(new PasswordManagementConfigurer<>()));
+		return HttpSecurity.this;
+	}
+
 	@Override
 	public <C> void setSharedObject(Class<C> sharedType, C object) {
 		super.setSharedObject(sharedType, object);

config/src/main/java/org/springframework/security/config/annotation/web/configurers/PasswordManagementConfigurer.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.configurers;
+
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.web.RequestMatcherRedirectFilter;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.util.Assert;
+
+/**
+ * Adds password management support.
+ *
+ * @author Evgeniy Cheban
+ * @since 5.6
+ */
+public final class PasswordManagementConfigurer<B extends HttpSecurityBuilder<B>>
+		extends AbstractHttpConfigurer<PasswordManagementConfigurer<B>, B> {
+
+	private static final String WELL_KNOWN_CHANGE_PASSWORD_PATTERN = "/.well-known/change-password";
+
+	private static final String DEFAULT_CHANGE_PASSWORD_PAGE = "/change-password";
+
+	private String changePasswordPage = DEFAULT_CHANGE_PASSWORD_PAGE;
+
+	/**
+	 * Sets the change password page. Defaults to
+	 * {@link PasswordManagementConfigurer#DEFAULT_CHANGE_PASSWORD_PAGE}.
+	 * @param changePasswordPage the change password page
+	 * @return the {@link PasswordManagementConfigurer} for further customizations
+	 */
+	public PasswordManagementConfigurer<B> changePasswordPage(String changePasswordPage) {
+		Assert.hasText(changePasswordPage, "changePasswordPage cannot be empty");
+		this.changePasswordPage = changePasswordPage;
+		return this;
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public void configure(B http) throws Exception {
+		RequestMatcherRedirectFilter changePasswordFilter = new RequestMatcherRedirectFilter(
+				new AntPathRequestMatcher(WELL_KNOWN_CHANGE_PASSWORD_PATTERN), this.changePasswordPage);
+		http.addFilterBefore(postProcess(changePasswordFilter), UsernamePasswordAuthenticationFilter.class);
+	}
+
+}

config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -176,6 +176,8 @@ class HttpConfigurationBuilder {
 
 	private BeanDefinition csrfFilter;
 
+	private BeanDefinition wellKnownChangePasswordRedirectFilter;
+
 	private BeanMetadataElement csrfLogoutHandler;
 
 	private BeanMetadataElement csrfAuthStrategy;
@@ -210,6 +212,7 @@ class HttpConfigurationBuilder {
 		createFilterSecurityInterceptor(authenticationManager);
 		createAddHeadersFilter();
 		createCorsFilter();
+		createWellKnownChangePasswordRedirectFilter();
 	}
 
 	private void validateInterceptUrls(ParserContext pc) {
@@ -694,6 +697,15 @@ private void createCsrfFilter() {
 		this.csrfLogoutHandler = this.csrfParser.getCsrfLogoutHandler();
 	}
 
+	private void createWellKnownChangePasswordRedirectFilter() {
+		Element element = DomUtils.getChildElementByTagName(this.httpElt, Elements.PASSWORD_MANAGEMENT);
+		if (element == null) {
+			return;
+		}
+		WellKnownChangePasswordBeanDefinitionParser parser = new WellKnownChangePasswordBeanDefinitionParser();
+		this.wellKnownChangePasswordRedirectFilter = parser.parse(element, this.pc);
+	}
+
 	BeanMetadataElement getCsrfLogoutHandler() {
 		return this.csrfLogoutHandler;
 	}
@@ -744,6 +756,10 @@ List<OrderDecorator> getFilters() {
 		if (this.csrfFilter != null) {
 			filters.add(new OrderDecorator(this.csrfFilter, SecurityFilters.CSRF_FILTER));
 		}
+		if (this.wellKnownChangePasswordRedirectFilter != null) {
+			filters.add(new OrderDecorator(this.wellKnownChangePasswordRedirectFilter,
+					SecurityFilters.WELL_KNOWN_CHANGE_PASSWORD_REDIRECT_FILTER));
+		}
 		return filters;
 	}
 

config/src/main/java/org/springframework/security/config/http/SecurityFilters.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@
  *
  * @author Luke Taylor
  * @author Rob Winch
+ * @author Evgeniy Cheban
  */
 
 enum SecurityFilters {
@@ -80,6 +81,8 @@ enum SecurityFilters {
 
 	OAUTH2_AUTHORIZATION_CODE_GRANT_FILTER,
 
+	WELL_KNOWN_CHANGE_PASSWORD_REDIRECT_FILTER,
+
 	SESSION_MANAGEMENT_FILTER,
 
 	EXCEPTION_TRANSLATION_FILTER,

config/src/main/java/org/springframework/security/config/http/WellKnownChangePasswordBeanDefinitionParser.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.http;
+
+import org.w3c.dom.Element;
+
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.springframework.beans.factory.xml.BeanDefinitionParser;
+import org.springframework.beans.factory.xml.ParserContext;
+import org.springframework.security.web.RequestMatcherRedirectFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.util.StringUtils;
+
+/**
+ * The bean definition parser for a Well-Known URL for Changing Passwords.
+ *
+ * @author Evgeniy Cheban
+ * @since 5.6
+ */
+public final class WellKnownChangePasswordBeanDefinitionParser implements BeanDefinitionParser {
+
+	private static final String WELL_KNOWN_CHANGE_PASSWORD_PATTERN = "/.well-known/change-password";
+
+	private static final String DEFAULT_CHANGE_PASSWORD_PAGE = "/change-password";
+
+	private static final String ATT_CHANGE_PASSWORD_PAGE = "change-password-page";
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public BeanDefinition parse(Element element, ParserContext parserContext) {
+		BeanDefinition changePasswordFilter = BeanDefinitionBuilder
+				.rootBeanDefinition(RequestMatcherRedirectFilter.class)
+				.addConstructorArgValue(new AntPathRequestMatcher(WELL_KNOWN_CHANGE_PASSWORD_PATTERN))
+				.addConstructorArgValue(getChangePasswordPage(element)).getBeanDefinition();
+		parserContext.getReaderContext().registerWithGeneratedName(changePasswordFilter);
+		return changePasswordFilter;
+	}
+
+	private String getChangePasswordPage(Element element) {
+		String changePasswordPage = element.getAttribute(ATT_CHANGE_PASSWORD_PAGE);
+		return (StringUtils.hasText(changePasswordPage) ? changePasswordPage : DEFAULT_CHANGE_PASSWORD_PAGE);
+	}
+
+}