spring-boot Migrate to AuthorizationFilter in Spring Security auto-config

This commit updates Servlet based Spring Security auto-configuration to use AuthorizationFilter, which is intended to superseed FilterSecurityInterceptor.

See note in Authorize HttpServletRequests with AuthorizationFilter section of Spring Security's reference manual.

Note that SampleActuatorCustomSecurityApplicationTests#testInsecureApplicationPath fails after migrating to the new authorization model, meaning further changes might be needed in either Spring Boot or Spring Security.

Jun 06 '22 14:06 vpavic

This is effectively blocked on the following issue in Spring Security:

spring-projects/spring-security#11337

I'll keep the PR in draft state until there's some update.

Jun 07 '22 12:06 vpavic

Thanks, @vpavic. I've subscribed to https://github.com/spring-projects/spring-security/issues/11337. We can take a more in-depth look at this once the Security team have taken a look. Josh should be back in the office next week.

Jun 07 '22 13:06 wilkinsona

https://github.com/spring-projects/spring-security/issues/11360 is now tracking some additions to Spring Security that close some gaps in the functionality offered by AuthorizationFilter.

Jun 17 '22 07:06 wilkinsona

With spring-projects/spring-security#11360 resolved, this is now ready for review but at the same time apparently blocked by #31703.

@wilkinsona, note that I had to undo some of your changes from 4bd3534b as there's no #filterSecurityInterceptorOncePerRequest available on the new authorizeHttpRequests DSL. Judging by where you had to apply those, I'm now seeing the same test failures as you did when building this PR:

Found test failures in 2 test tasks:

:spring-boot-tests:spring-boot-smoke-tests:spring-boot-smoke-test-web-method-security:test
    smoketest.security.method.SampleMethodSecurityApplicationTests > testManagementProtected()

:spring-boot-tests:spring-boot-smoke-tests:spring-boot-smoke-test-web-secure:test
    smoketest.web.secure.CustomContextPathErrorPageTests > testPublicNotFoundPage()
    smoketest.web.secure.CustomServletPathErrorPageTests > testPublicNotFoundPage()
    smoketest.web.secure.ErrorPageTests > testPublicNotFoundPage()
    smoketest.web.secure.NoSessionErrorPageTests > testCorrectCredentialsWithControllerException()
    smoketest.web.secure.NoSessionErrorPageTests > testPublicNotFoundPage()
    smoketest.web.secure.NoSessionErrorPageTests > testPublicNotFoundPageWithCorrectCredentials()

Jul 15 '22 08:07 vpavic

Thanks, @vpavic. We'll have a chat with the Security team.

Jul 19 '22 14:07 wilkinsona

@wilkinsona I believe this should now be ready meaning I don't think my observation about this being blocked by #31703 was valid.

I've taken a closer look at FilterSecurityInterceptor vs AuthorizationFilter and the latter should have once per request semantics by default as it extends OncePerRequestFilter. However it also filters all dispatch types by default, which I disabled (note the second commit). That uncovered one issue with tests but now everything should build cleanly.

Jul 21 '22 18:07 vpavic

The FilterSecurityInterceptor vs AuthorizationFilter remarks from the previous comment have been confirmed by the Security team in https://github.com/spring-projects/spring-security/issues/11337#issuecomment-1195804349.

Jul 26 '22 19:07 vpavic

Great stuff. Thanks, @vpavic.

Jul 27 '22 06:07 wilkinsona

Is there anything preventing this from making it into today's 3.0.0-M5 release?

Sep 22 '22 08:09 vpavic

Nothing other than the team being short on time. We'll see what we can do.

Sep 22 '22 08:09 wilkinsona

Got it.

I updated the PR to pick up the current main.

Update: I just spotted a couple of new usages of old authorization DSL that have emerged since this PR has last been touched.

Sep 22 '22 09:09 vpavic

Thanks very much, @vpavic.

Sep 22 '22 12:09 wilkinsona