From e7ff2cf358e82ac62e5e6cbfb2e7f05357107e3e Mon Sep 17 00:00:00 2001
From: Madhura Bhave <bhavem@vmware.com>
Date: Tue, 23 Nov 2021 13:00:01 -0800
Subject: [PATCH] Guard ErrorPageSecurityFilter configuration with
 ConditionalOnClass

Update `ErrorPageSecurityFilterConfiguration` to guard against the case
where `spring-security-core` is on the classpath but
`spring-security-web` is not.

Fixes gh-28774
---
 .../ErrorPageSecurityFilterConfiguration.java        |  2 ++
 .../servlet/SecurityAutoConfigurationTests.java      | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/ErrorPageSecurityFilterConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/ErrorPageSecurityFilterConfiguration.java
index 3800f36fff83..6d303239425a 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/ErrorPageSecurityFilterConfiguration.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/ErrorPageSecurityFilterConfiguration.java
@@ -21,6 +21,7 @@
 import javax.servlet.DispatcherType;
 
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.boot.web.servlet.filter.ErrorPageSecurityFilter;
@@ -35,6 +36,7 @@
  * @author Madhura Bhave
  */
 @Configuration(proxyBeanMethods = false)
+@ConditionalOnClass(WebInvocationPrivilegeEvaluator.class)
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
 class ErrorPageSecurityFilterConfiguration {
 
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfigurationTests.java
index 1cf5e9728ae6..fefae03f9329 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfigurationTests.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfigurationTests.java
@@ -242,6 +242,18 @@ void filterRegistrationBeanForErrorPageSecurityInterceptor() {
 				}));
 	}
 
+	@Test
+	void filterForErrorPageSecurityInterceptorWhenWebInvocationPrivilegeEvaluatorNotPresent() {
+		this.contextRunner.withClassLoader(new FilteredClassLoader("org.springframework.security.config"))
+				.run((context) -> assertThat(context).doesNotHaveBean("errorPageSecurityFilter"));
+	}
+
+	@Test
+	void filterForErrorPageSecurityInterceptorConditionalOnClass() {
+		this.contextRunner.withClassLoader(new FilteredClassLoader("org.springframework.security.web"))
+				.run((context) -> assertThat(context).doesNotHaveBean("errorPageSecurityFilter"));
+	}
+
 	@Configuration(proxyBeanMethods = false)
 	@TestAutoConfigurationPackage(City.class)
 	static class EntityConfiguration {