mirror of https://github.com/halo-dev/halo
Rearrange order of security configurers (#6939)
#### What type of PR is this? /kind improvement /area core /milestone 2.20.x #### What this PR does / why we need it: This PR rearranges the order of the security configurers. In particular, SecurityWebFiltersConfigurer is now configured with lower priority than the other security configurers, so that internal authentication can be caught in plugins. #### Does this PR introduce a user-facing change? ```release-note None ```pull/6964/head
parent
d44fa5f6d8
commit
25086ee3e6
|
@ -2,6 +2,7 @@ package run.halo.app.security;
|
||||||
|
|
||||||
import com.google.common.net.HttpHeaders;
|
import com.google.common.net.HttpHeaders;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
import org.springframework.core.annotation.Order;
|
||||||
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
||||||
import org.springframework.stereotype.Component;
|
import org.springframework.stereotype.Component;
|
||||||
import org.springframework.web.cors.CorsConfiguration;
|
import org.springframework.web.cors.CorsConfiguration;
|
||||||
|
@ -10,6 +11,7 @@ import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
|
||||||
import run.halo.app.security.authentication.SecurityConfigurer;
|
import run.halo.app.security.authentication.SecurityConfigurer;
|
||||||
|
|
||||||
@Component
|
@Component
|
||||||
|
@Order(0)
|
||||||
public class CorsConfigurer implements SecurityConfigurer {
|
public class CorsConfigurer implements SecurityConfigurer {
|
||||||
@Override
|
@Override
|
||||||
public void configure(ServerHttpSecurity http) {
|
public void configure(ServerHttpSecurity http) {
|
||||||
|
|
|
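Review bot: The `@Order(0)` added above `CorsConfigurer` is a bare literal with no comment saying what it is ordered against, and the same literal is repeated on CsrfConfigurer, ExceptionSecurityConfigurer, LogoutSecurityConfigurer, LoginSecurityConfigurer, OAuth2SecurityConfigurer, RememberMeConfigurer and TwoFactorAuthSecurityConfigurer (all class bodies continue outside their hunks). If the configurers are sorted with Spring's annotation-aware ordering (the sorting code is not on this page), a `SecurityConfigurer` bean without `@Order` ranks as `Ordered.LOWEST_PRECEDENCE` and would still be applied after `SecurityWebFiltersConfigurer` at 100, so a later built-in or plugin-contributed configurer could silently fall outside the arrangement this commit sets up. I would document the convention once on the `SecurityConfigurer` interface, for example `// Built-in configurers use @Order(0); SecurityWebFiltersConfigurer uses @Order(100) and must be applied after them`, and add a test that asserts the resolved order. Configurers sharing order 0 also have no defined order among themselves, which is worth confirming is intended for login, two-factor and remember-me.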
@ -2,6 +2,7 @@ package run.halo.app.security;
|
||||||
|
|
||||||
import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;
|
import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;
|
||||||
|
|
||||||
|
import org.springframework.core.annotation.Order;
|
||||||
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
||||||
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
|
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
|
||||||
import org.springframework.security.web.server.csrf.CsrfWebFilter;
|
import org.springframework.security.web.server.csrf.CsrfWebFilter;
|
||||||
|
@ -12,6 +13,7 @@ import org.springframework.stereotype.Component;
|
||||||
import run.halo.app.security.authentication.SecurityConfigurer;
|
import run.halo.app.security.authentication.SecurityConfigurer;
|
||||||
|
|
||||||
@Component
|
@Component
|
||||||
|
@Order(0)
|
||||||
class CsrfConfigurer implements SecurityConfigurer {
|
class CsrfConfigurer implements SecurityConfigurer {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
|
@ -5,6 +5,7 @@ import static org.springframework.security.web.server.util.matcher.ServerWebExch
|
||||||
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import org.springframework.context.MessageSource;
|
import org.springframework.context.MessageSource;
|
||||||
|
import org.springframework.core.annotation.Order;
|
||||||
import org.springframework.http.HttpMethod;
|
import org.springframework.http.HttpMethod;
|
||||||
import org.springframework.http.HttpStatus;
|
import org.springframework.http.HttpStatus;
|
||||||
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
||||||
|
@ -21,6 +22,7 @@ import run.halo.app.security.authentication.SecurityConfigurer;
|
||||||
import run.halo.app.security.authentication.twofactor.TwoFactorAuthenticationEntryPoint;
|
import run.halo.app.security.authentication.twofactor.TwoFactorAuthenticationEntryPoint;
|
||||||
|
|
||||||
@Component
|
@Component
|
||||||
|
@Order(0)
|
||||||
public class ExceptionSecurityConfigurer implements SecurityConfigurer {
|
public class ExceptionSecurityConfigurer implements SecurityConfigurer {
|
||||||
|
|
||||||
private final MessageSource messageSource;
|
private final MessageSource messageSource;
|
||||||
|
|
|
@ -7,6 +7,7 @@ import java.util.Map;
|
||||||
import lombok.RequiredArgsConstructor;
|
import lombok.RequiredArgsConstructor;
|
||||||
import org.springframework.context.ApplicationContext;
|
import org.springframework.context.ApplicationContext;
|
||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
|
import org.springframework.core.annotation.Order;
|
||||||
import org.springframework.http.HttpStatus;
|
import org.springframework.http.HttpStatus;
|
||||||
import org.springframework.http.MediaType;
|
import org.springframework.http.MediaType;
|
||||||
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
||||||
|
@ -31,6 +32,7 @@ import run.halo.app.theme.router.ModelConst;
|
||||||
|
|
||||||
@Component
|
@Component
|
||||||
@RequiredArgsConstructor
|
@RequiredArgsConstructor
|
||||||
|
@Order(0)
|
||||||
public class LogoutSecurityConfigurer implements SecurityConfigurer {
|
public class LogoutSecurityConfigurer implements SecurityConfigurer {
|
||||||
private final RememberMeServices rememberMeServices;
|
private final RememberMeServices rememberMeServices;
|
||||||
private final ApplicationContext applicationContext;
|
private final ApplicationContext applicationContext;
|
||||||
|
|
|
@ -24,7 +24,7 @@ import run.halo.app.security.authentication.SecurityConfigurer;
|
||||||
|
|
||||||
@Component
|
@Component
|
||||||
// Specific an order here to control the order or security configurer initialization
|
// Specific an order here to control the order or security configurer initialization
|
||||||
@Order(-100)
|
@Order(100)
|
||||||
public class SecurityWebFiltersConfigurer implements SecurityConfigurer {
|
public class SecurityWebFiltersConfigurer implements SecurityConfigurer {
|
||||||
|
|
||||||
private final ExtensionGetter extensionGetter;
|
private final ExtensionGetter extensionGetter;
|
||||||
|
|
|
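Review bot: The comment above `@Order(100)` on `SecurityWebFiltersConfigurer` is unchanged from when the value was -100 and does not say why this configurer must now be applied after the others. Going by the commit description, the ordering decides whether filters contributed through this configurer can see the built-in authentication handling, so the reason belongs next to the value: `// Must be applied after the built-in configurers (@Order(0)) so that filters added here can observe internal authentication.` The class body continues outside the hunk, so how the filters are registered is not visible here. It is worth confirming that filters placed at the same position are resolved by registration order before relying on this.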
@ -3,6 +3,7 @@ package run.halo.app.security.authentication.login;
|
||||||
import io.github.resilience4j.ratelimiter.RateLimiterRegistry;
|
import io.github.resilience4j.ratelimiter.RateLimiterRegistry;
|
||||||
import io.micrometer.observation.ObservationRegistry;
|
import io.micrometer.observation.ObservationRegistry;
|
||||||
import org.springframework.context.MessageSource;
|
import org.springframework.context.MessageSource;
|
||||||
|
import org.springframework.core.annotation.Order;
|
||||||
import org.springframework.http.HttpMethod;
|
import org.springframework.http.HttpMethod;
|
||||||
import org.springframework.security.authentication.ObservationReactiveAuthenticationManager;
|
import org.springframework.security.authentication.ObservationReactiveAuthenticationManager;
|
||||||
import org.springframework.security.authentication.ReactiveAuthenticationManager;
|
import org.springframework.security.authentication.ReactiveAuthenticationManager;
|
||||||
|
@ -28,6 +29,7 @@ import run.halo.app.security.authentication.SecurityConfigurer;
|
||||||
import run.halo.app.security.authentication.twofactor.TwoFactorAuthentication;
|
import run.halo.app.security.authentication.twofactor.TwoFactorAuthentication;
|
||||||
|
|
||||||
@Component
|
@Component
|
||||||
|
@Order(0)
|
||||||
public class LoginSecurityConfigurer implements SecurityConfigurer {
|
public class LoginSecurityConfigurer implements SecurityConfigurer {
|
||||||
|
|
||||||
private final ObservationRegistry observationRegistry;
|
private final ObservationRegistry observationRegistry;
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
package run.halo.app.security.authentication.oauth2;
|
package run.halo.app.security.authentication.oauth2;
|
||||||
|
|
||||||
|
import org.springframework.core.annotation.Order;
|
||||||
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
|
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
|
||||||
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
||||||
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
|
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
|
||||||
|
@ -15,6 +16,7 @@ import run.halo.app.security.authentication.SecurityConfigurer;
|
||||||
* @since 2.20.0
|
* @since 2.20.0
|
||||||
*/
|
*/
|
||||||
@Component
|
@Component
|
||||||
|
@Order(0)
|
||||||
class OAuth2SecurityConfigurer implements SecurityConfigurer {
|
class OAuth2SecurityConfigurer implements SecurityConfigurer {
|
||||||
|
|
||||||
private final ServerSecurityContextRepository securityContextRepository;
|
private final ServerSecurityContextRepository securityContextRepository;
|
||||||
|
|
|
@ -3,6 +3,7 @@ package run.halo.app.security.authentication.rememberme;
|
||||||
import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult;
|
import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult;
|
||||||
|
|
||||||
import lombok.RequiredArgsConstructor;
|
import lombok.RequiredArgsConstructor;
|
||||||
|
import org.springframework.core.annotation.Order;
|
||||||
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
|
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
|
||||||
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
||||||
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
|
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
|
||||||
|
@ -13,6 +14,7 @@ import run.halo.app.security.authentication.SecurityConfigurer;
|
||||||
|
|
||||||
@Component
|
@Component
|
||||||
@RequiredArgsConstructor
|
@RequiredArgsConstructor
|
||||||
|
@Order(0)
|
||||||
public class RememberMeConfigurer implements SecurityConfigurer {
|
public class RememberMeConfigurer implements SecurityConfigurer {
|
||||||
|
|
||||||
private final RememberMeServices rememberMeServices;
|
private final RememberMeServices rememberMeServices;
|
||||||
|
|
|
@ -2,6 +2,7 @@ package run.halo.app.security.authentication.twofactor;
|
||||||
|
|
||||||
import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;
|
import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;
|
||||||
|
|
||||||
|
import org.springframework.core.annotation.Order;
|
||||||
import org.springframework.http.HttpMethod;
|
import org.springframework.http.HttpMethod;
|
||||||
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
|
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
|
||||||
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
||||||
|
@ -17,6 +18,7 @@ import run.halo.app.security.authentication.twofactor.totp.TotpAuthenticationMan
|
||||||
import run.halo.app.security.authentication.twofactor.totp.TotpCodeAuthenticationConverter;
|
import run.halo.app.security.authentication.twofactor.totp.TotpCodeAuthenticationConverter;
|
||||||
|
|
||||||
@Component
|
@Component
|
||||||
|
@Order(0)
|
||||||
public class TwoFactorAuthSecurityConfigurer implements SecurityConfigurer {
|
public class TwoFactorAuthSecurityConfigurer implements SecurityConfigurer {
|
||||||
|
|
||||||
private final ServerSecurityContextRepository securityContextRepository;
|
private final ServerSecurityContextRepository securityContextRepository;
|
||||||
|
|