From 25086ee3e63f0c8b6ed380140a068c44404ef2b2 Mon Sep 17 00:00:00 2001
From: John Niang
Date: Sun, 27 Oct 2024 18:02:01 +0800
Subject: [PATCH] Rearrange order of security configurers (#6939)

#### What type of PR is this?

/kind improvement
/area core
/milestone 2.20.x

#### What this PR does / why we need it:

This PR rearranges order of security configurers. Especially, SecurityWebFiltersConfigurer has lower priority to configure than other security configurers. So we can catch internal authentication in plugins.

#### Does this PR introduce a user-facing change?

```release-note
None
```

---
 .../src/main/java/run/halo/app/security/CorsConfigurer.java | 2 ++
 .../src/main/java/run/halo/app/security/CsrfConfigurer.java | 2 ++
 .../java/run/halo/app/security/ExceptionSecurityConfigurer.java | 2 ++
 .../java/run/halo/app/security/LogoutSecurityConfigurer.java | 2 ++
 .../run/halo/app/security/SecurityWebFiltersConfigurer.java | 2 +-
 .../security/authentication/login/LoginSecurityConfigurer.java | 2 ++
 .../authentication/oauth2/OAuth2SecurityConfigurer.java | 2 ++
 .../authentication/rememberme/RememberMeConfigurer.java | 2 ++
 .../twofactor/TwoFactorAuthSecurityConfigurer.java | 2 ++
 9 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/application/src/main/java/run/halo/app/security/CorsConfigurer.java b/application/src/main/java/run/halo/app/security/CorsConfigurer.java
index 8584fb228b..dc91f21797 100644
--- a/application/src/main/java/run/halo/app/security/CorsConfigurer.java
+++ b/application/src/main/java/run/halo/app/security/CorsConfigurer.java
@@ -2,6 +2,7 @@
 import com.google.common.net.HttpHeaders;
 import java.util.List;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.stereotype.Component;
 import org.springframework.web.cors.CorsConfiguration;
@@ -10,6 +11,7 @@
 import run.halo.app.security.authentication.SecurityConfigurer;
 @Component
+@Order(0)
 public class CorsConfigurer implements SecurityConfigurer {
 @Override
 public void configure(ServerHttpSecurity http) {
diff --git a/application/src/main/java/run/halo/app/security/CsrfConfigurer.java b/application/src/main/java/run/halo/app/security/CsrfConfigurer.java
index 75d37cb20e..2d86cc31f9 100644
--- a/application/src/main/java/run/halo/app/security/CsrfConfigurer.java
+++ b/application/src/main/java/run/halo/app/security/CsrfConfigurer.java
@@ -2,6 +2,7 @@
 import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
 import org.springframework.security.web.server.csrf.CsrfWebFilter;
@@ -12,6 +13,7 @@
 import run.halo.app.security.authentication.SecurityConfigurer;
 @Component
+@Order(0)
 class CsrfConfigurer implements SecurityConfigurer {
 @Override
diff --git a/application/src/main/java/run/halo/app/security/ExceptionSecurityConfigurer.java b/application/src/main/java/run/halo/app/security/ExceptionSecurityConfigurer.java
index 940b232e4b..85a762e574 100644
--- a/application/src/main/java/run/halo/app/security/ExceptionSecurityConfigurer.java
+++ b/application/src/main/java/run/halo/app/security/ExceptionSecurityConfigurer.java
@@ -5,6 +5,7 @@
 import java.util.ArrayList;
 import org.springframework.context.MessageSource;
+import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
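Review bot: `@Order(0)` is added to CorsConfigurer here with no comment saying why that value was chosen, and the same bare literal is repeated in CsrfConfigurer, ExceptionSecurityConfigurer, LogoutSecurityConfigurer, LoginSecurityConfigurer, OAuth2SecurityConfigurer, RememberMeConfigurer and TwoFactorAuthSecurityConfigurer. The value only means something relative to SecurityWebFiltersConfigurer's `@Order(100)`; a SecurityConfigurer that omits the annotation is treated as `Ordered.LOWEST_PRECEDENCE` by Spring's order comparator (presumably what sorts these beans) and silently lands after it, so the intent is easy to lose when the next configurer is added. A shared constant on SecurityConfigurer (for example `int DEFAULT_ORDER = 0;` used as `@Order(SecurityConfigurer.DEFAULT_ORDER)`), or at least a one-line comment such as `// Must run before SecurityWebFiltersConfigurer (@Order(100)); see #6939`, would carry that intent in each class. Note also that the eight configurers now tie at 0, so their relative order falls back to bean registration order; if any of them relies on another being configured first, distinct values would make that explicit. The class bodies continue outside these hunks.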
@@ -21,6 +22,7 @@
 import run.halo.app.security.authentication.twofactor.TwoFactorAuthenticationEntryPoint;
 @Component
+@Order(0)
 public class ExceptionSecurityConfigurer implements SecurityConfigurer {
 private final MessageSource messageSource;
diff --git a/application/src/main/java/run/halo/app/security/LogoutSecurityConfigurer.java b/application/src/main/java/run/halo/app/security/LogoutSecurityConfigurer.java
index f7b1160873..b8254dead2 100644
--- a/application/src/main/java/run/halo/app/security/LogoutSecurityConfigurer.java
+++ b/application/src/main/java/run/halo/app/security/LogoutSecurityConfigurer.java
@@ -7,6 +7,7 @@
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
+import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
@@ -31,6 +32,7 @@
 @Component
 @RequiredArgsConstructor
+@Order(0)
 public class LogoutSecurityConfigurer implements SecurityConfigurer {
 private final RememberMeServices rememberMeServices;
 private final ApplicationContext applicationContext;
diff --git a/application/src/main/java/run/halo/app/security/SecurityWebFiltersConfigurer.java b/application/src/main/java/run/halo/app/security/SecurityWebFiltersConfigurer.java
index 52a5e1e8d6..bb134c9f36 100644
--- a/application/src/main/java/run/halo/app/security/SecurityWebFiltersConfigurer.java
+++ b/application/src/main/java/run/halo/app/security/SecurityWebFiltersConfigurer.java
@@ -24,7 +24,7 @@
 @Component
 // Specific an order here to control the order or security configurer initialization
-@Order(-100)
+@Order(100)
 public class SecurityWebFiltersConfigurer implements SecurityConfigurer {
 private final ExtensionGetter extensionGetter;
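Review bot: The context comment kept above the changed annotation in SecurityWebFiltersConfigurer, `// Specific an order here to control the order or security configurer initialization`, is now the only explanation of the 100, and it neither reads correctly nor states the new intent of sorting after the built-in configurers. I would replace it with `// Run after the built-in configurers (all @Order(0)); see #6939.` and, if the goal from the PR description is that plugin-provided filters observe the authentication set up by the other configurers, say that in the comment as well. It is also worth recording that a configurer declared without @Order still sorts after this one (`Ordered.LOWEST_PRECEDENCE`), so 100 does not make this configurer last in absolute terms. The class body continues outside the hunk.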
diff --git a/application/src/main/java/run/halo/app/security/authentication/login/LoginSecurityConfigurer.java b/application/src/main/java/run/halo/app/security/authentication/login/LoginSecurityConfigurer.java
index fb49212d88..43296e113e 100644
--- a/application/src/main/java/run/halo/app/security/authentication/login/LoginSecurityConfigurer.java
+++ b/application/src/main/java/run/halo/app/security/authentication/login/LoginSecurityConfigurer.java
@@ -3,6 +3,7 @@
 import io.github.resilience4j.ratelimiter.RateLimiterRegistry;
 import io.micrometer.observation.ObservationRegistry;
 import org.springframework.context.MessageSource;
+import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.ObservationReactiveAuthenticationManager;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
@@ -28,6 +29,7 @@
 import run.halo.app.security.authentication.twofactor.TwoFactorAuthentication;
 @Component
+@Order(0)
 public class LoginSecurityConfigurer implements SecurityConfigurer {
 private final ObservationRegistry observationRegistry;
diff --git a/application/src/main/java/run/halo/app/security/authentication/oauth2/OAuth2SecurityConfigurer.java b/application/src/main/java/run/halo/app/security/authentication/oauth2/OAuth2SecurityConfigurer.java
index d4bf79f447..0f25d6883f 100644
--- a/application/src/main/java/run/halo/app/security/authentication/oauth2/OAuth2SecurityConfigurer.java
+++ b/application/src/main/java/run/halo/app/security/authentication/oauth2/OAuth2SecurityConfigurer.java
@@ -1,5 +1,6 @@
 package run.halo.app.security.authentication.oauth2;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
@@ -15,6 +16,7 @@
 * @since 2.20.0
 */
 @Component
+@Order(0)
 class OAuth2SecurityConfigurer implements SecurityConfigurer {
 private final ServerSecurityContextRepository securityContextRepository;
diff --git a/application/src/main/java/run/halo/app/security/authentication/rememberme/RememberMeConfigurer.java b/application/src/main/java/run/halo/app/security/authentication/rememberme/RememberMeConfigurer.java
index 97cbc683c1..7e2dbf0583 100644
--- a/application/src/main/java/run/halo/app/security/authentication/rememberme/RememberMeConfigurer.java
+++ b/application/src/main/java/run/halo/app/security/authentication/rememberme/RememberMeConfigurer.java
@@ -3,6 +3,7 @@
 import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult;
 import lombok.RequiredArgsConstructor;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
@@ -13,6 +14,7 @@
 @Component
 @RequiredArgsConstructor
+@Order(0)
 public class RememberMeConfigurer implements SecurityConfigurer {
 private final RememberMeServices rememberMeServices;
diff --git a/application/src/main/java/run/halo/app/security/authentication/twofactor/TwoFactorAuthSecurityConfigurer.java b/application/src/main/java/run/halo/app/security/authentication/twofactor/TwoFactorAuthSecurityConfigurer.java
index d392c0fc37..571d49043f 100644
--- a/application/src/main/java/run/halo/app/security/authentication/twofactor/TwoFactorAuthSecurityConfigurer.java
+++ b/application/src/main/java/run/halo/app/security/authentication/twofactor/TwoFactorAuthSecurityConfigurer.java
@@ -2,6 +2,7 @@
 import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;
+import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
@@ -17,6 +18,7 @@
 import run.halo.app.security.authentication.twofactor.totp.TotpCodeAuthenticationConverter;
 @Component
+@Order(0)
 public class TwoFactorAuthSecurityConfigurer implements SecurityConfigurer {
 private final ServerSecurityContextRepository securityContextRepository;