
`HiddenHttpMethodFilter` configuration in the `hello-mvc-security` example project?

Open · mklinkj opened this issue 2 years ago · 1 comment

Inquiry about the HiddenHttpMethodFilter configuration in the hello-mvc-security example project

Hello,

In the hello-mvc-security example project, to use the HiddenHttpMethodFilter correctly, wouldn’t it be better to place this filter before the Spring Security Filter?

  • https://github.com/spring-projects/spring-security-samples/blob/main/servlet/java-configuration/hello-mvc-security/src/main/java/example/MvcWebApplicationInitializer.java#L43
import jakarta.servlet.FilterRegistration;
import jakarta.servlet.ServletContext;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.filter.HiddenHttpMethodFilter;

public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
  ...
  // ✨ I am inquiring whether additional configuration is necessary?
  @Override
  protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
    // Registered in this hook so that it is mapped ahead of springSecurityFilterChain
    FilterRegistration.Dynamic hiddenMethodFilter =
        servletContext.addFilter("hiddenHttpMethodFilter", new HiddenHttpMethodFilter());
    // null dispatcher types = default (REQUEST); applied to every URL
    hiddenMethodFilter.addMappingForUrlPatterns(null, false, "/*");
  }
}

If the HiddenHttpMethodFilter is not placed before the security filter, there have been times when setting up requestMatchers() resulted in unintended behavior.

For example, after setting the hidden input below in the form

...
<input type="hidden" name="_method" value="DELETE"/>
...

If the requestMatchers() configuration is set up as follows…

...
.requestMatchers(HttpMethod.DELETE, "/targetUrl/*")
.hasAuthority("ADMIN")
...

There were times when it didn't work as I intended. When I requested deletion with "USER" permission, it was deleted.

Even so, since there are no web pages in the hello-mvc-security example project that utilize the HiddenHttpMethodFilter, it seems that it might be okay to remove the HiddenHttpMethodFilter.

Inquiry Summary

  1. Wouldn’t it be better to remove the HiddenHttpMethodFilter configuration from the security settings of the hello-mvc-security example project?
  2. If not removed, shouldn’t the HiddenHttpMethodFilter be positioned before the SpringSecurityFilterChain?

Thank you. Have a great day. 👍

mklinkj · Dec 02 '23 19:12
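The ordering effect described in the issue above, as an added example that is not code from spring-security-samples or from the issue author. It models a servlet filter chain as plain Python callables so the two orderings can be run offline: a stand-in for HiddenHttpMethodFilter (POST plus `_method` becomes PUT, DELETE or PATCH, as the real filter does) and a stand-in for the authorization filter that applies method-specific rules to whatever method it sees at its position in the chain. The request shape, the `run_chain` helper, the `/targetUrl/*` rule and the ADMIN/USER authorities are constructed for the demonstration (the rule and authorities mirror the ones quoted in the issue). It also goes one step beyond the issue by showing a path-only rule, which holds regardless of filter order.

```python
"""Why HiddenHttpMethodFilter must run before the security filter chain.

Added example; not code from the sample project or the issue author.
Requests, rules and the chain runner below are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Optional
import fnmatch

# Overrides the real HiddenHttpMethodFilter accepts (PUT, DELETE, PATCH).
ALLOWED_OVERRIDES = {"PUT", "DELETE", "PATCH"}


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)
    authorities: frozenset = frozenset()


@dataclass
class Outcome:
    status: int
    method_seen_by_security: Optional[str] = None
    method_seen_by_controller: Optional[str] = None
    deleted: bool = False


def hidden_http_method_filter(req, chain, out):
    """Stand-in for HiddenHttpMethodFilter: POST + _method=X is passed on as X."""
    override = req.params.get("_method", "").strip().upper()
    if req.method == "POST" and override in ALLOWED_OVERRIDES:
        req = Request(override, req.path, req.params, req.authorities)
    return chain(req, out)


def make_security_filter(rules):
    """Stand-in for the authorization filter. `rules` is a list of
    (method or None for any method, path glob, required authority)."""
    def security_filter(req, chain, out):
        out.method_seen_by_security = req.method  # the method as seen HERE
        for method, pattern, authority in rules:
            if (method is None or method == req.method) and fnmatch.fnmatch(req.path, pattern):
                if authority not in req.authorities:
                    out.status = 403
                    return out
        return chain(req, out)
    return security_filter


def controller(req, out):
    """Constructed endpoint: DELETE /targetUrl/* removes the resource."""
    out.method_seen_by_controller = req.method
    if req.method == "DELETE" and req.path.startswith("/targetUrl/"):
        out.deleted = True
    out.status = 200
    return out


def run_chain(filters, req):
    """Run `filters` in order, ending at the controller, like a FilterChain."""
    out = Outcome(status=0)

    def build(i):
        if i == len(filters):
            return controller
        return lambda r, o: filters[i](r, build(i + 1), o)

    return build(0)(req, out)


# The rule quoted in the issue: requestMatchers(HttpMethod.DELETE, "/targetUrl/*").hasAuthority("ADMIN")
METHOD_RULES = [("DELETE", "/targetUrl/*", "ADMIN")]
# A method-agnostic alternative: requestMatchers("/targetUrl/*").hasAuthority("ADMIN")
PATH_RULES = [(None, "/targetUrl/*", "ADMIN")]


def wrong_order(rules):
    return [make_security_filter(rules), hidden_http_method_filter]  # security sees POST


def right_order(rules):
    return [hidden_http_method_filter, make_security_filter(rules)]  # security sees DELETE


def user_form_delete():
    """Constructed request: a USER submitting the form with _method=DELETE."""
    return Request("POST", "/targetUrl/42", {"_method": "DELETE"}, frozenset({"USER"}))


if __name__ == "__main__":
    for label, chain in (("security before hidden-method", wrong_order(METHOD_RULES)),
                         ("hidden-method before security", right_order(METHOD_RULES)),
                         ("path-only rule, security first", wrong_order(PATH_RULES))):
        o = run_chain(chain, user_form_delete())
        print(f"{label}: status={o.status} security_saw={o.method_seen_by_security} deleted={o.deleted}")
```

With the security filter first, the rule for DELETE never matches because the security filter sees a POST; the hidden-method filter then rewrites the request and the controller deletes with only the USER authority. With HiddenHttpMethodFilter first, the same request reaches the security filter as a DELETE and is rejected with 403. The path-only rule rejects it in either order, at the cost of also restricting the other methods on that path, so it is a design choice rather than a drop-in replacement for fixing the filter order.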

Hello,

I created an independent project to reproduce the issue.

  • Separate the hello-mvc-security project into an independent project and create an example project containing code that uses HiddenHttpMethodFilter.

    • Hidden Method Filter Operation Test
      • https://github.com/mklinkj/QnA/commit/2aca8b9bd95181137232f005d4cf535f960ac26b
    • Set HiddenHttpMethodFilter before Spring Security Filters
      • https://github.com/mklinkj/QnA/commit/451a0d3c8d4ad540883f1c7a12bbba83db232ab8
  • example project zip

I will rewrite the Pull Request by deleting only the part where HiddenHttpMethodFilter is declared.

Other than that, I will not include the part where Gretty requires the existence of the src/main/webapp directory. This problem will be resolved later when Gretty is modified. Since the integrationTest does not fail, I thought there was no need to intentionally include defensive code in gretty.gradle.

Thank you, have a good day. 👍

mklinkj · Jan 15 '24 12:01