Merge branch 'main' of https://github.com/bbudano/spring-security into gh-17806

Author: bbudano

config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderBuilderSecurityBuilderTests.java

@@ -18,7 +18,6 @@
 
 import java.io.IOException;
 import java.net.ServerSocket;
-import java.util.Collections;
 import java.util.List;
 
 import javax.naming.directory.SearchControls;
@@ -39,7 +38,6 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
@@ -120,8 +118,7 @@ public void bindAuthentication() throws Exception {
 		this.spring.register(BindAuthenticationConfig.class).autowire();
 
 		this.mockMvc.perform(formLogin().user("bob").password("bobspassword"))
-			.andExpect(authenticated().withUsername("bob")
-				.withAuthorities(Collections.singleton(new SimpleGrantedAuthority("ROLE_DEVELOPERS"))));
+			.andExpect(authenticated().withUsername("bob").withRoles("DEVELOPERS"));
 	}
 
 	// SEC-2472
@@ -130,8 +127,7 @@ public void canUseCryptoPasswordEncoder() throws Exception {
 		this.spring.register(PasswordEncoderConfig.class).autowire();
 
 		this.mockMvc.perform(formLogin().user("bcrypt").password("password"))
-			.andExpect(authenticated().withUsername("bcrypt")
-				.withAuthorities(Collections.singleton(new SimpleGrantedAuthority("ROLE_DEVELOPERS"))));
+			.andExpect(authenticated().withUsername("bcrypt").withRoles("DEVELOPERS"));
 	}
 
 	private LdapAuthenticationProvider ldapProvider() {

config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderConfigurerTests.java

@@ -16,8 +16,6 @@
 
 package org.springframework.security.config.annotation.authentication.ldap;
 
-import java.util.Collections;
-
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
@@ -28,8 +26,6 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
-import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders;
 import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers;
 import org.springframework.test.web.servlet.MockMvc;
@@ -64,7 +60,7 @@ public void authenticationManagerSupportMultipleLdapContextWithDefaultRolePrefix
 				.password("bobspassword");
 		SecurityMockMvcResultMatchers.AuthenticatedMatcher expectedUser = authenticated()
 				.withUsername("bob")
-				.withAuthorities(Collections.singleton(new SimpleGrantedAuthority("ROLE_DEVELOPERS")));
+				.withRoles("DEVELOPERS");
 		// @formatter:on
 		this.mockMvc.perform(request).andExpect(expectedUser);
 	}
@@ -79,7 +75,7 @@ public void authenticationManagerSupportMultipleLdapContextWithCustomRolePrefix(
 				.password("bobspassword");
 		SecurityMockMvcResultMatchers.AuthenticatedMatcher expectedUser = authenticated()
 				.withUsername("bob")
-				.withAuthorities(Collections.singleton(new SimpleGrantedAuthority("ROL_DEVELOPERS")));
+				.withRoles("ROL_", new String[] { "DEVELOPERS" });
 		// @formatter:on
 		this.mockMvc.perform(request).andExpect(expectedUser);
 	}
@@ -108,8 +104,7 @@ public void authenticationManagerWhenSearchSubtreeThenNestedGroupFound() throws
 				.password("otherbenspassword");
 		SecurityMockMvcResultMatchers.AuthenticatedMatcher expectedUser = authenticated()
 				.withUsername("otherben")
-				.withAuthorities(
-						AuthorityUtils.createAuthorityList("ROLE_SUBMANAGERS", "ROLE_MANAGERS", "ROLE_DEVELOPERS"));
+				.withRoles("SUBMANAGERS", "MANAGERS", "DEVELOPERS");
 		// @formatter:on
 		this.mockMvc.perform(request).andExpect(expectedUser);
 	}

config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTests.java

@@ -16,7 +16,6 @@
 
 package org.springframework.security.config.annotation.authentication.ldap;
 
-import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -34,7 +33,6 @@
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders;
@@ -79,7 +77,7 @@ public void ldapAuthenticationProviderCustom() throws Exception {
 				.user("bob")
 				.password("bobspassword");
 		SecurityMockMvcResultMatchers.AuthenticatedMatcher user = authenticated()
-				.withAuthorities(Collections.singleton(new SimpleGrantedAuthority("PREFIX_DEVELOPERS")));
+				.withRoles("PREFIX_", new String[] { "DEVELOPERS" });
 		// @formatter:on
 		this.mockMvc.perform(request).andExpect(user);
 	}
@@ -103,7 +101,7 @@ protected Set<GrantedAuthority> getAdditionalRoles(DirContextOperations user, St
 				.user("bob")
 				.password("bobspassword");
 		SecurityMockMvcResultMatchers.AuthenticatedMatcher user = authenticated()
-				.withAuthorities(Collections.singleton(new SimpleGrantedAuthority("ROLE_EXTRA")));
+				.withRoles("EXTRA");
 		// @formatter:on
 		this.mockMvc.perform(request).andExpect(user);
 	}

config/src/integration-test/java/org/springframework/security/config/ldap/LdapProviderBeanDefinitionParserTests.java

@@ -169,7 +169,7 @@ public void ldapAuthenticationProviderWorksWithPlaceholders() {
 		this.appCtx = new InMemoryXmlApplicationContext("<ldap-server />" + "<authentication-manager>"
 				+ "  <ldap-authentication-provider user-dn-pattern='uid={0},ou=${udp}' group-search-filter='${gsf}={0}' />"
 				+ "</authentication-manager>"
-				+ "<b:bean id='org.springframework.beans.factory.config.PropertyPlaceholderConfigurer' class='org.springframework.beans.factory.config.PropertyPlaceholderConfigurer' />");
+				+ "<b:bean id='org.springframework.context.support.PropertySourcesPlaceholderConfigurer' class='org.springframework.context.support.PropertySourcesPlaceholderConfigurer' />");
 
 		ProviderManager providerManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER, ProviderManager.class);
 		assertThat(providerManager.getProviders()).hasSize(1);

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -3033,7 +3033,8 @@ private LogoutSpec() {
 
 		/**
 		 * Configures the logout handler. Default is
-		 * {@code SecurityContextServerLogoutHandler}
+		 * {@code SecurityContextServerLogoutHandler}. This clears any previous handlers
+		 * configured.
 		 * @param logoutHandler
 		 * @return the {@link LogoutSpec} to configure
 		 */
@@ -3049,6 +3050,18 @@ private LogoutSpec addLogoutHandler(ServerLogoutHandler logoutHandler) {
 			return this;
 		}
 
+		/**
+		 * Allows managing the list of {@link ServerLogoutHandler} instances.
+		 * @param handlersConsumer {@link Consumer} for managing the list of handlers.
+		 * @return the {@link LogoutSpec} to configure
+		 * @since 7.0
+		 */
+		public LogoutSpec logoutHandler(Consumer<List<ServerLogoutHandler>> handlersConsumer) {
+			Assert.notNull(handlersConsumer, "consumer cannot be null");
+			handlersConsumer.accept(this.logoutHandlers);
+			return this;
+		}
+
 		/**
 		 * Configures what URL a POST to will trigger a log out.
 		 * @param logoutUrl the url to trigger a log out (i.e. "/signout" would mean a

config/src/test/java/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.java

@@ -32,6 +32,7 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.ObjectPostProcessor;
@@ -44,7 +45,6 @@
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
@@ -107,8 +107,7 @@ public void getAuthenticationManagerWhenGlobalPasswordEncoderBeanThenUsed() thro
 			.getAuthenticationManager();
 		Authentication auth = manager
 			.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));
-		assertThat(auth.getName()).isEqualTo("user");
-		assertThat(auth.getAuthorities()).extracting(GrantedAuthority::getAuthority).containsOnly("ROLE_USER");
+		SecurityAssertions.assertThat(auth).name("user").hasAuthority("ROLE_USER");
 	}
 
 	@Test
@@ -119,8 +118,7 @@ public void getAuthenticationManagerWhenProtectedPasswordEncoderBeanThenUsed() t
 			.getAuthenticationManager();
 		Authentication auth = manager
 			.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));
-		assertThat(auth.getName()).isEqualTo("user");
-		assertThat(auth.getAuthorities()).extracting(GrantedAuthority::getAuthority).containsOnly("ROLE_USER");
+		SecurityAssertions.assertThat(auth).name("user").hasAuthority("ROLE_USER");
 	}
 
 	@Test

config/src/test/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurerTests.java

@@ -300,7 +300,15 @@ UserDetailsService userDetailsService() {
 
 		@Bean
 		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-			return http.formLogin(Customizer.withDefaults()).webAuthn(Customizer.withDefaults()).build();
+			// @formatter:off
+			http
+				.formLogin(Customizer.withDefaults())
+				.webAuthn((authn) -> authn
+					.rpId("spring.io")
+					.rpName("spring")
+				);
+			// @formatter:on
+			return http.build();
 		}
 
 	}
@@ -316,7 +324,14 @@ UserDetailsService userDetailsService() {
 
 		@Bean
 		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-			return http.webAuthn(Customizer.withDefaults()).build();
+			// @formatter:off
+			http
+				.webAuthn((authn) -> authn
+						.rpId("spring.io")
+						.rpName("spring")
+				);
+			// @formatter:on
+			return http.build();
 		}
 
 	}
@@ -332,9 +347,16 @@ UserDetailsService userDetailsService() {
 
 		@Bean
 		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-			return http.formLogin(Customizer.withDefaults())
-				.webAuthn((webauthn) -> webauthn.disableDefaultRegistrationPage(true))
-				.build();
+			// @formatter:off
+			http
+				.formLogin(Customizer.withDefaults())
+				.webAuthn((authn) -> authn
+					.rpId("spring.io")
+					.rpName("spring")
+					.disableDefaultRegistrationPage(true)
+				);
+			// @formatter:on
+			return http.build();
 		}
 
 	}
@@ -350,9 +372,18 @@ UserDetailsService userDetailsService() {
 
 		@Bean
 		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-			return http.formLogin((login) -> login.loginPage("/custom-login-page"))
-				.webAuthn((webauthn) -> webauthn.disableDefaultRegistrationPage(true))
-				.build();
+			// @formatter:off
+			http
+					.formLogin((login) -> login
+						.loginPage("/custom-login-page")
+					)
+					.webAuthn((authn) -> authn
+						.rpId("spring.io")
+						.rpName("spring")
+						.disableDefaultRegistrationPage(true)
+					);
+			// @formatter:on
+			return http.build();
 		}
 
 	}