
Keep the default RequestCache querying behavior in Spring Security 5

org.openrewrite.java.spring.security6.UpdateRequestCache

By default, Spring Security 5 queries the saved request on every request, which means that in a typical setup the HttpSession is read on every request in order to consult the RequestCache. In Spring Security 6 the default has changed: the RequestCache is only queried for a cached request if the HTTP parameter "continue" is present. To maintain the same default behavior as Spring Security 5, either explicitly add the HTTP parameter "continue" to every request or use NullRequestCache to override the default behavior. The example below shows the change this recipe makes: it calls setMatchingRequestParameterName("continue") on the HttpSessionRequestCache, which ties saved-request lookups to the presence of that parameter.

Source

GitHub, Issue Tracker, Maven Central

  • groupId: org.openrewrite.recipe
  • artifactId: rewrite-spring
  • version: 5.0.1

Example

{% tabs %} {% tab title="SecurityConfig.java" %}

Before

{% code title="SecurityConfig.java" %}

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;

/**
 * Web security configuration as it looks before the recipe runs.
 *
 * <p>Declares one {@link SecurityFilterChain} that permits a few public paths, requires
 * authentication everywhere else, enables OAuth2 login and registers an
 * {@link HttpSessionRequestCache} left at its default settings.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    /**
     * Builds the application's security filter chain.
     *
     * @param http the builder supplied by Spring Security
     * @return the filter chain produced by {@code http.build()}
     * @throws Exception propagated from the {@code HttpSecurity} builder calls
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // No matching request parameter name is configured on this cache. The page
        // describes the Spring Security 5 default as looking up the saved request
        // (and therefore reading the HttpSession) on every request.
        HttpSessionRequestCache requestCache = new HttpSessionRequestCache();

        http.authorizeHttpRequests(authorize -> authorize
                // "/public/*" covers one path segment below /public; deeper paths are
                // not matched here and fall through to authenticated() below.
                .requestMatchers("/public", "/public/*").permitAll()
                .requestMatchers("/login").permitAll()
                // Everything not listed above requires an authenticated user.
                .anyRequest().authenticated())
            .oauth2Login(oauth2 -> oauth2
                // NOTE(review): "/auth-error" is not in the permitAll list above, so as
                // written it is covered by anyRequest().authenticated() - confirm that
                // the failure page is reachable without a session.
                .failureHandler(new SimpleUrlAuthenticationFailureHandler("/auth-error")))
            .requestCache((cache) -> cache
                .requestCache(requestCache));

        return http.build();
    }
}

{% endcode %}

After

{% code title="SecurityConfig.java" %}

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;

/**
 * Web security configuration as it looks after the recipe has run.
 *
 * <p>Identical to the "Before" listing except that the {@link HttpSessionRequestCache}
 * is given a matching request parameter name of {@code "continue"}.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    /**
     * Builds the application's security filter chain.
     *
     * @param http the builder supplied by Spring Security
     * @return the filter chain produced by {@code http.build()}
     * @throws Exception propagated from the {@code HttpSecurity} builder calls
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
        // Line added by the recipe: the saved request is consulted only for requests
        // that carry the "continue" parameter, instead of on every request.
        requestCache.setMatchingRequestParameterName("continue");

        http.authorizeHttpRequests(authorize -> authorize
                // "/public/*" covers one path segment below /public; deeper paths are
                // not matched here and fall through to authenticated() below.
                .requestMatchers("/public", "/public/*").permitAll()
                .requestMatchers("/login").permitAll()
                // Everything not listed above requires an authenticated user.
                .anyRequest().authenticated())
            .oauth2Login(oauth2 -> oauth2
                // NOTE(review): "/auth-error" is not in the permitAll list above, so as
                // written it is covered by anyRequest().authenticated() - confirm that
                // the failure page is reachable without a session.
                .failureHandler(new SimpleUrlAuthenticationFailureHandler("/auth-error")))
            .requestCache((cache) -> cache
                .requestCache(requestCache));

        return http.build();
    }
}

{% endcode %}

{% endtab %} {% tab title="Diff" %} {% code %}

--- SecurityConfig.java
+++ SecurityConfig.java
@@ -16,0 +16,1 @@
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
+       requestCache.setMatchingRequestParameterName("continue");
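Review bot: The added `setMatchingRequestParameterName("continue")` call has no comment, and its effect on session access is not obvious from the line alone. I would put `// Look up the saved request only when the "continue" parameter is present.` directly above it. The page describes the recipe as keeping the Spring Security 5 querying behaviour, while this setter appears to restrict lookups to requests that carry the parameter, so the description is worth checking against the Spring Security migration guide. filterChain's body continues outside the hunk.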

{% endcode %} {% endtab %} {% endtabs %}

Usage

This recipe has no required configuration options. It can be activated by adding a dependency on org.openrewrite.recipe:rewrite-spring:5.0.1 in your build file or by running a shell command (in which case no build changes are needed): {% tabs %} {% tab title="Gradle" %} {% code title="build.gradle" %}

// Applies the OpenRewrite Gradle plugin at a fixed version.
plugins {
    id("org.openrewrite.rewrite") version("6.1.4")
}

// Selects the recipe to run by its fully qualified name.
rewrite {
    activeRecipe("org.openrewrite.java.spring.security6.UpdateRequestCache")
}

// The recipe artifact below is resolved from Maven Central.
repositories {
    mavenCentral()
}

// The recipe module is pinned to 5.0.1 on the plugin's "rewrite" configuration,
// so the same recipe code is used on every run.
dependencies {
    rewrite("org.openrewrite.recipe:rewrite-spring:5.0.1")
}

{% endcode %} {% endtab %} {% tab title="Maven POM" %} {% code title="pom.xml" %}

<project>
  <build>
    <plugins>
      <!-- OpenRewrite Maven plugin, pinned to a fixed version. -->
      <plugin>
        <groupId>org.openrewrite.maven</groupId>
        <artifactId>rewrite-maven-plugin</artifactId>
        <version>5.2.4</version>
        <configuration>
          <!-- Recipe to run, by fully qualified name. -->
          <activeRecipes>
            <recipe>org.openrewrite.java.spring.security6.UpdateRequestCache</recipe>
          </activeRecipes>
        </configuration>
        <!-- The recipe module is declared as a plugin dependency and pinned to 5.0.1,
             so the same recipe code is used on every run. -->
        <dependencies>
          <dependency>
            <groupId>org.openrewrite.recipe</groupId>
            <artifactId>rewrite-spring</artifactId>
            <version>5.0.1</version>
          </dependency>
        </dependencies>
      </plugin>
    </plugins>
  </build>
</project>

{% endcode %} {% endtab %}

{% tab title="Maven Command Line" %} {% code title="shell" %} You will need to have Maven installed on your machine before you can run the following command.

# Runs the recipe through the rewrite-maven-plugin without editing the POM.
# Neither the plugin nor the recipe artifact is pinned here: the plugin coordinate has
# no version and the recipe uses RELEASE (newest published release), with -U forcing
# an update check. The build-file examples pin rewrite-spring to 5.0.1; replace
# RELEASE with a fixed version when the run has to be reproducible.
mvn -U org.openrewrite.maven:rewrite-maven-plugin:run \
  -Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-spring:RELEASE \
  -Drewrite.activeRecipes=org.openrewrite.java.spring.security6.UpdateRequestCache

{% endcode %} {% endtab %} {% endtabs %}

Contributors

See how this recipe works across multiple open-source repositories

Moderne Link Image

The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.

Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.