From e6b5be900ae27c4aa59bbf6db6c5f85ff0c0fc1e Mon Sep 17 00:00:00 2001
From: Madhura Bhave
Date: Tue, 23 Nov 2021 14:01:52 -0800
Subject: [PATCH] Make ErrorPageSecurityFilter Servlet 3.1 compatible

Restore Servlet 3.1 compatibly by implementing `Filter` rather than extending the 4.0 `HttpFilter` type.

Fixes gh-28790
---
 .../filter/ErrorPageSecurityFilter.java | 30 ++++++++++++-------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/servlet/filter/ErrorPageSecurityFilter.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/servlet/filter/ErrorPageSecurityFilter.java
index f1c132309f60..1140efc8de18 100644
--- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/servlet/filter/ErrorPageSecurityFilter.java
+++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/servlet/filter/ErrorPageSecurityFilter.java
@@ -19,10 +19,12 @@
 import java.io.IOException;
 
 import javax.servlet.DispatcherType;
+import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletException;
-import javax.servlet.http.HttpFilter;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -33,14 +35,14 @@
 import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
 
 /**
- * {@link HttpFilter} that intercepts error dispatches to ensure authorized access to the
+ * {@link Filter} that intercepts error dispatches to ensure authorized access to the
 * error page.
 *
 * @author Madhura Bhave
 * @author Andy Wilkinson
 * @since 2.6.0
 */
-public class ErrorPageSecurityFilter extends HttpFilter {
+public class ErrorPageSecurityFilter implements Filter {
 
 private static final WebInvocationPrivilegeEvaluator ALWAYS = new AlwaysAllowWebInvocationPrivilegeEvaluator();
 
@@ -53,18 +55,26 @@ public ErrorPageSecurityFilter(ApplicationContext context) {
 }
 
 @Override
- public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
 throws IOException, ServletException {
- if (DispatcherType.ERROR.equals(request.getDispatcherType())) {
- Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
- if (!getPrivilegeEvaluator().isAllowed(request.getRequestURI(), authentication)) {
- sendError(request, response);
- return;
- }
+ doFilter((HttpServletRequest) request, (HttpServletResponse) response, chain);
+ }
+
+ private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+ throws IOException, ServletException {
+ if (DispatcherType.ERROR.equals(request.getDispatcherType()) && !isAllowed(request)) {
+ sendError(request, response);
+ return;
 }
 chain.doFilter(request, response);
 }
 
+ private boolean isAllowed(HttpServletRequest request) {
+ String uri = request.getRequestURI();
+ Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+ return getPrivilegeEvaluator().isAllowed(uri, authentication);
+ }
+
 private WebInvocationPrivilegeEvaluator getPrivilegeEvaluator() {
 WebInvocationPrivilegeEvaluator privilegeEvaluator = this.privilegeEvaluator;
 if (privilegeEvaluator == null) {
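Review bot: In the new `isAllowed` helper the authorization decision is made on `request.getRequestURI()`, which per the Servlet API still includes the context path, whereas the two-argument `WebInvocationPrivilegeEvaluator.isAllowed(uri, authentication)` is documented as taking a URI without it. If the application is deployed under a non-root context path, the error-page rule may therefore be evaluated against a path that no security rule was written for; deriving the path as `String uri = request.getRequestURI().substring(request.getContextPath().length());` (or using the four-argument overload that takes the context path and method) would make the check independent of deployment. Separately, the public `doFilter` casts `request` and `response` unconditionally, so a non-HTTP request now surfaces as a `ClassCastException` where `HttpFilter` raised a `ServletException`; an `instanceof` guard that throws `ServletException` before the cast would keep the previous contract. `getPrivilegeEvaluator` continues past the end of this hunk, so which evaluator is actually resolved is not visible here.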