spring-projects · jzheaux · Jul 14, 2022 · Jul 12, 2022
diff --git a/...framework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java b/...framework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java
@@ -318,6 +318,39 @@ public AuthorizationManagerRequestMatcherRegistry authenticated() {
 			return access(AuthenticatedAuthorizationManager.authenticated());
 		}
 
+		/**
+		 * Specify that URLs are allowed by users who have authenticated and were not
+		 * "remembered".
+		 * @return the {@link AuthorizationManagerRequestMatcherRegistry} for further
+		 * customization
+		 * @since 5.8
+		 * @see RememberMeConfigurer
+		 */
+		public AuthorizationManagerRequestMatcherRegistry fullyAuthenticated() {
+			return access(AuthenticatedAuthorizationManager.fullyAuthenticated());
+		}
+
+		/**
+		 * Specify that URLs are allowed by users that have been remembered.
+		 * @return the {@link AuthorizationManagerRequestMatcherRegistry} for further
+		 * customization
+		 * @since 5.8
+		 * @see RememberMeConfigurer
+		 */
+		public AuthorizationManagerRequestMatcherRegistry rememberMe() {
+			return access(AuthenticatedAuthorizationManager.rememberMe());
+		}
+
+		/**
+		 * Specify that URLs are allowed by anonymous users.
+		 * @return the {@link AuthorizationManagerRequestMatcherRegistry} for further
+		 * customization
+		 * @since 5.8
+		 */
+		public AuthorizationManagerRequestMatcherRegistry anonymous() {
+			return access(AuthenticatedAuthorizationManager.anonymous());
+		}
+
 		/**
 		 * Allows specifying a custom {@link AuthorizationManager}.
 		 * @param manager the {@link AuthorizationManager} to use

diff --git a/...work/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java b/...work/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java
@@ -27,6 +27,8 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.RememberMeAuthenticationToken;
+import org.springframework.security.authentication.TestAuthentication;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
@@ -36,7 +38,10 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
@@ -58,6 +63,7 @@
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;
 import static org.springframework.security.config.Customizer.withDefaults;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -493,6 +499,50 @@ private static RequestPostProcessor remoteAddress(String remoteAddress) {
 		};
 	}
 
+	@Test
+	public void getWhenFullyAuthenticatedConfiguredAndRememberMeTokenThenRespondsWithUnauthorized() throws Exception {
+		this.spring.register(FullyAuthenticatedConfig.class, BasicController.class).autowire();
+		RememberMeAuthenticationToken rememberMe = new RememberMeAuthenticationToken("key", "user",
+				AuthorityUtils.createAuthorityList("ROLE_USER"));
+		MockHttpServletRequestBuilder requestWithRememberMe = get("/").with(authentication(rememberMe));
+		this.mvc.perform(requestWithRememberMe).andExpect(status().isUnauthorized());
+	}
+
+	@Test
+	public void getWhenFullyAuthenticatedConfiguredAndUserThenRespondsWithOk() throws Exception {
+		this.spring.register(FullyAuthenticatedConfig.class, BasicController.class).autowire();
+		MockHttpServletRequestBuilder requestWithUser = get("/").with(user("user").roles("USER"));
+		this.mvc.perform(requestWithUser).andExpect(status().isOk());
+	}
+
+	@Test
+	public void getWhenRememberMeConfiguredAndNoUserThenRespondsWithUnauthorized() throws Exception {
+		this.spring.register(RememberMeConfig.class, BasicController.class).autowire();
+		this.mvc.perform(get("/")).andExpect(status().isUnauthorized());
+	}
+
+	@Test
+	public void getWhenRememberMeConfiguredAndRememberMeTokenThenRespondsWithOk() throws Exception {
+		this.spring.register(RememberMeConfig.class, BasicController.class).autowire();
+		RememberMeAuthenticationToken rememberMe = new RememberMeAuthenticationToken("key", "user",
+				AuthorityUtils.createAuthorityList("ROLE_USER"));
+		MockHttpServletRequestBuilder requestWithRememberMe = get("/").with(authentication(rememberMe));
+		this.mvc.perform(requestWithRememberMe).andExpect(status().isOk());
+	}
+
+	@Test
+	public void getWhenAnonymousConfiguredAndAnonymousUserThenRespondsWithOk() throws Exception {
+		this.spring.register(AnonymousConfig.class, BasicController.class).autowire();
+		this.mvc.perform(get("/")).andExpect(status().isOk());
+	}
+
+	@Test
+	public void getWhenAnonymousConfiguredAndLoggedInUserThenRespondsWithForbidden() throws Exception {
+		this.spring.register(AnonymousConfig.class, BasicController.class).autowire();
+		MockHttpServletRequestBuilder requestWithUser = get("/").with(user("user"));
+		this.mvc.perform(requestWithUser).andExpect(status().isForbidden());
+	}
+
 	@EnableWebSecurity
 	static class NoRequestsConfig {
 
@@ -888,6 +938,74 @@ String path(@PathVariable("username") String username) {
 
 	}
 
+	@EnableWebSecurity
+	static class FullyAuthenticatedConfig {
+
+		@Bean
+		SecurityFilterChain chain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+					.httpBasic()
+					.and()
+					.rememberMe()
+					.and()
+					.authorizeHttpRequests((requests) -> requests
+							.anyRequest().fullyAuthenticated()
+					);
+			// @formatter:on
+			return http.build();
+		}
+
+		@Bean
+		UserDetailsService userDetailsService() {
+			return new InMemoryUserDetailsManager(TestAuthentication.user());
+		}
+
+	}
+
+	@EnableWebSecurity
+	static class RememberMeConfig {
+
+		@Bean
+		SecurityFilterChain chain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+					.httpBasic()
+					.and()
+					.rememberMe()
+					.and()
+					.authorizeHttpRequests((requests) -> requests
+							.anyRequest().rememberMe()
+					);
+			// @formatter:on
+			return http.build();
+		}
+
+		@Bean
+		UserDetailsService userDetailsService() {
+			return new InMemoryUserDetailsManager(TestAuthentication.user());
+		}
+
+	}
+
+	@EnableWebSecurity
+	static class AnonymousConfig {
+
+		@Bean
+		SecurityFilterChain chain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+					.httpBasic()
+					.and()
+					.authorizeHttpRequests((requests) -> requests
+							.anyRequest().anonymous()
+					);
+			// @formatter:on
+			return http.build();
+		}
+
+	}
+
 	@Configuration
 	static class AuthorizationEventPublisherConfig {
 

diff --git a/...in/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java b/...in/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
 
 /**
  * An {@link AuthorizationManager} that determines if the current user is authenticated.
@@ -31,7 +32,35 @@
  */
 public final class AuthenticatedAuthorizationManager<T> implements AuthorizationManager<T> {
 
-	private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+	private final AbstractAuthorizationStrategy authorizationStrategy;
+
+	/**
+	 * Creates an instance that determines if the current user is authenticated, this is
+	 * the same as calling {@link #authenticated()} factory method.
+	 *
+	 * @since 5.8
+	 * @see #authenticated()
+	 * @see #fullyAuthenticated()
+	 * @see #rememberMe()
+	 * @see #anonymous()
+	 */
+	public AuthenticatedAuthorizationManager() {
+		this(new AuthenticatedAuthorizationStrategy());
+	}
+
+	private AuthenticatedAuthorizationManager(AbstractAuthorizationStrategy authorizationStrategy) {
+		this.authorizationStrategy = authorizationStrategy;
+	}
+
+	/**
+	 * Sets the {@link AuthenticationTrustResolver} to be used. Default is
+	 * {@link AuthenticationTrustResolverImpl}. Cannot be null.
+	 * @param trustResolver the {@link AuthenticationTrustResolver} to use
+	 * @since 5.8
+	 */
+	public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
+		this.authorizationStrategy.setTrustResolver(trustResolver);
+	}
 
 	/**
 	 * Creates an instance of {@link AuthenticatedAuthorizationManager}.
@@ -43,24 +72,98 @@ public static <T> AuthenticatedAuthorizationManager<T> authenticated() {
 	}
 
 	/**
-	 * Determines if the current user is authorized by evaluating if the
-	 * {@link Authentication} is not anonymous and authenticated.
+	 * Creates an instance of {@link AuthenticatedAuthorizationManager} that determines if
+	 * the {@link Authentication} is authenticated without using remember me.
+	 * @param <T> the type of object being authorized
+	 * @return the new instance
+	 * @since 5.8
+	 */
+	public static <T> AuthenticatedAuthorizationManager<T> fullyAuthenticated() {
+		return new AuthenticatedAuthorizationManager<>(new FullyAuthenticatedAuthorizationStrategy());
+	}
+
+	/**
+	 * Creates an instance of {@link AuthenticatedAuthorizationManager} that determines if
+	 * the {@link Authentication} is authenticated using remember me.
+	 * @param <T> the type of object being authorized
+	 * @return the new instance
+	 * @since 5.8
+	 */
+	public static <T> AuthenticatedAuthorizationManager<T> rememberMe() {
+		return new AuthenticatedAuthorizationManager<>(new RememberMeAuthorizationStrategy());
+	}
+
+	/**
+	 * Creates an instance of {@link AuthenticatedAuthorizationManager} that determines if
+	 * the {@link Authentication} is anonymous.
+	 * @param <T> the type of object being authorized
+	 * @return the new instance
+	 * @since 5.8
+	 */
+	public static <T> AuthenticatedAuthorizationManager<T> anonymous() {
+		return new AuthenticatedAuthorizationManager<>(new AnonymousAuthorizationStrategy());
+	}
+
+	/**
+	 * Determines if the current user is authorized according to the given strategy.
 	 * @param authentication the {@link Supplier} of the {@link Authentication} to check
 	 * @param object the {@link T} object to check
 	 * @return an {@link AuthorizationDecision}
 	 */
 	@Override
 	public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
-		boolean granted = isGranted(authentication.get());
+		boolean granted = this.authorizationStrategy.isGranted(authentication.get());
 		return new AuthorizationDecision(granted);
 	}
 
-	private boolean isGranted(Authentication authentication) {
-		return authentication != null && isNotAnonymous(authentication) && authentication.isAuthenticated();
+	private abstract static class AbstractAuthorizationStrategy {
+
+		AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+
+		private void setTrustResolver(AuthenticationTrustResolver trustResolver) {
+			Assert.notNull(trustResolver, "trustResolver cannot be null");
+			this.trustResolver = trustResolver;
+		}
+
+		abstract boolean isGranted(Authentication authentication);
+
 	}
 
-	private boolean isNotAnonymous(Authentication authentication) {
-		return !this.trustResolver.isAnonymous(authentication);
+	private static class AuthenticatedAuthorizationStrategy extends AbstractAuthorizationStrategy {
+
+		@Override
+		boolean isGranted(Authentication authentication) {
+			return authentication != null && !this.trustResolver.isAnonymous(authentication)
+					&& authentication.isAuthenticated();
+		}
+
+	}
+
+	private static final class FullyAuthenticatedAuthorizationStrategy extends AuthenticatedAuthorizationStrategy {
+
+		@Override
+		boolean isGranted(Authentication authentication) {
+			return super.isGranted(authentication) && !this.trustResolver.isRememberMe(authentication);
+		}
+
+	}
+
+	private static final class AnonymousAuthorizationStrategy extends AbstractAuthorizationStrategy {
+
+		@Override
+		boolean isGranted(Authentication authentication) {
+			return this.trustResolver.isAnonymous(authentication);
+		}
+
+	}
+
+	private static final class RememberMeAuthorizationStrategy extends AbstractAuthorizationStrategy {
+
+		@Override
+		boolean isGranted(Authentication authentication) {
+			return this.trustResolver.isRememberMe(authentication);
+		}
+
 	}
 
 }