Render reactive default UIs using lightweight templates

Author: Kehrlann

web/src/main/java/org/springframework/security/web/server/ui/HtmlTemplates.java

@@ -0,0 +1,108 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.ui;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+
+import org.springframework.util.StringUtils;
+import org.springframework.web.util.HtmlUtils;
+
+/**
+ * Render HTML templates using string substitution. Intended for internal use. Variables
+ * can be templated using double curly-braces: {@code {{name}}}.
+ *
+ * @author Daniel Garnier-Moiroux
+ * @since 6.4
+ * @see org.springframework.security.web.authentication.ui.HtmlTemplates
+ */
+final class HtmlTemplates {
+
+	private HtmlTemplates() {
+	}
+
+	static Builder fromTemplate(String template) {
+		return new Builder(template);
+	}
+
+	static final class Builder {
+
+		private final String template;
+
+		private final Map<String, String> values = new HashMap<>();
+
+		private Builder(String template) {
+			this.template = template;
+		}
+
+		/**
+		 * HTML-escape, and inject value {@code value} in every {@code {{key}}}
+		 * placeholder.
+		 * @param key the placeholder name
+		 * @param value the value to inject
+		 * @return this instance for further templating
+		 */
+		Builder withValue(String key, String value) {
+			this.values.put(key, HtmlUtils.htmlEscape(value));
+			return this;
+		}
+
+		/**
+		 * Inject value {@code value} in every {@code {{key}}} placeholder without
+		 * HTML-escaping. Useful for injecting "sub-templates".
+		 * @param key the placeholder name
+		 * @param value the value to inject
+		 * @return this instance for further templating
+		 */
+		Builder withRawHtml(String key, String value) {
+			if (!value.isEmpty() && value.charAt(value.length() - 1) == '\n') {
+				value = value.substring(0, value.length() - 1);
+			}
+			this.values.put(key, value);
+			return this;
+		}
+
+		/**
+		 * Render the template. All placeholders MUST have a corresponding value. If a
+		 * placeholder does not have a corresponding value, throws
+		 * {@link IllegalStateException}.
+		 * @return the rendered template
+		 */
+		String render() {
+			String template = this.template;
+			for (String key : this.values.keySet()) {
+				String pattern = Pattern.quote("{{" + key + "}}");
+				template = template.replaceAll(pattern, this.values.get(key));
+			}
+
+			String unusedPlaceholders = Pattern.compile("\\{\\{([a-zA-Z0-9]+)}}")
+				.matcher(template)
+				.results()
+				.map((result) -> result.group(1))
+				.collect(Collectors.joining(", "));
+			if (StringUtils.hasLength(unusedPlaceholders)) {
+				throw new IllegalStateException("Unused placeholders in template: [%s]".formatted(unusedPlaceholders));
+			}
+
+			return template;
+		}
+
+	}
+
+}

web/src/main/java/org/springframework/security/web/server/ui/LoginPageGeneratingWebFilter.java

@@ -19,6 +19,7 @@
 import java.nio.charset.Charset;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.stream.Collectors;
 
 import reactor.core.publisher.Mono;
 
@@ -37,7 +38,6 @@
 import org.springframework.web.server.ServerWebExchange;
 import org.springframework.web.server.WebFilter;
 import org.springframework.web.server.WebFilterChain;
-import org.springframework.web.util.HtmlUtils;
 
 /**
  * Generates a default log in page used for authenticating users.
@@ -89,80 +89,61 @@ private Mono<DataBuffer> createBuffer(ServerWebExchange exchange) {
 	private byte[] createPage(ServerWebExchange exchange, String csrfTokenHtmlInput) {
 		MultiValueMap<String, String> queryParams = exchange.getRequest().getQueryParams();
 		String contextPath = exchange.getRequest().getPath().contextPath().value();
-		StringBuilder page = new StringBuilder();
-		page.append("<!DOCTYPE html>\n");
-		page.append("<html lang=\"en\">\n");
-		page.append("  <head>\n");
-		page.append("    <meta charset=\"utf-8\">\n");
-		page.append("    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-fit=no\">\n");
-		page.append("    <meta name=\"description\" content=\"\">\n");
-		page.append("    <meta name=\"author\" content=\"\">\n");
-		page.append("    <title>Please sign in</title>\n");
-		page.append(CssUtils.getCssStyleBlock().indent(4));
-		page.append("  </head>\n");
-		page.append("  <body>\n");
-		page.append("     <div class=\"content\">\n");
-		page.append(formLogin(queryParams, contextPath, csrfTokenHtmlInput));
-		page.append(oauth2LoginLinks(queryParams, contextPath, this.oauth2AuthenticationUrlToClientName));
-		page.append("    </div>\n");
-		page.append("  </body>\n");
-		page.append("</html>");
-		return page.toString().getBytes(Charset.defaultCharset());
+
+		return HtmlTemplates.fromTemplate(LOGIN_PAGE_TEMPLATE)
+			.withRawHtml("cssStyle", CssUtils.getCssStyleBlock().indent(4))
+			.withRawHtml("formLogin", formLogin(queryParams, contextPath, csrfTokenHtmlInput))
+			.withRawHtml("oauth2Login", oauth2Login(queryParams, contextPath, this.oauth2AuthenticationUrlToClientName))
+			.render()
+			.getBytes(Charset.defaultCharset());
 	}
 
 	private String formLogin(MultiValueMap<String, String> queryParams, String contextPath, String csrfTokenHtmlInput) {
 		if (!this.formLoginEnabled) {
 			return "";
 		}
+
 		boolean isError = queryParams.containsKey("error");
 		boolean isLogoutSuccess = queryParams.containsKey("logout");
-		StringBuilder page = new StringBuilder();
-		page.append("      <form class=\"login-form\" method=\"post\" action=\"" + contextPath + "/login\">\n");
-		page.append("        <h2>Please sign in</h2>\n");
-		page.append(createError(isError));
-		page.append(createLogoutSuccess(isLogoutSuccess));
-		page.append("        <p>\n");
-		page.append("          <label for=\"username\" class=\"screenreader\">Username</label>\n");
-		page.append("          <input type=\"text\" id=\"username\" name=\"username\" "
-				+ "placeholder=\"Username\" required autofocus>\n");
-		page.append("        </p>\n" + "        <p>\n");
-		page.append("          <label for=\"password\" class=\"screenreader\">Password</label>\n");
-		page.append("          <input type=\"password\" id=\"password\" name=\"password\" "
-				+ "placeholder=\"Password\" required>\n");
-		page.append("        </p>\n");
-		page.append(csrfTokenHtmlInput);
-		page.append("        <button class=\"primary\" type=\"submit\">Sign in</button>\n");
-		page.append("      </form>\n");
-		return page.toString();
+
+		return HtmlTemplates.fromTemplate(LOGIN_FORM_TEMPLATE)
+			.withValue("loginUrl", contextPath + "/login")
+			.withRawHtml("errorMessage", createError(isError))
+			.withRawHtml("logoutMessage", createLogoutSuccess(isLogoutSuccess))
+			.withRawHtml("csrf", csrfTokenHtmlInput)
+			.render();
 	}
 
-	private static String oauth2LoginLinks(MultiValueMap<String, String> queryParams, String contextPath,
+	private static String oauth2Login(MultiValueMap<String, String> queryParams, String contextPath,
 			Map<String, String> oauth2AuthenticationUrlToClientName) {
 		if (oauth2AuthenticationUrlToClientName.isEmpty()) {
 			return "";
 		}
 		boolean isError = queryParams.containsKey("error");
-		StringBuilder sb = new StringBuilder();
-		sb.append("<div class=\"content\"><h2>Login with OAuth 2.0</h2>");
-		sb.append(createError(isError));
-		sb.append("<table class=\"table table-striped\">\n");
-		for (Map.Entry<String, String> clientAuthenticationUrlToClientName : oauth2AuthenticationUrlToClientName
-			.entrySet()) {
-			sb.append(" <tr><td>");
-			String url = clientAuthenticationUrlToClientName.getKey();
-			sb.append("<a href=\"").append(contextPath).append(url).append("\">");
-			String clientName = HtmlUtils.htmlEscape(clientAuthenticationUrlToClientName.getValue());
-			sb.append(clientName);
-			sb.append("</a>");
-			sb.append("</td></tr>\n");
-		}
-		sb.append("</table></div>\n");
-		return sb.toString();
+
+		String oauth2Rows = oauth2AuthenticationUrlToClientName.entrySet()
+			.stream()
+			.map((urlToName) -> oauth2LoginLink(contextPath, urlToName.getKey(), urlToName.getValue()))
+			.collect(Collectors.joining("\n"))
+			.indent(2);
+		return HtmlTemplates.fromTemplate(OAUTH2_LOGIN_TEMPLATE)
+			.withRawHtml("errorMessage", createError(isError))
+			.withRawHtml("oauth2Rows", oauth2Rows)
+			.render();
+	}
+
+	private static String oauth2LoginLink(String contextPath, String url, String clientName) {
+		return HtmlTemplates.fromTemplate(OAUTH2_ROW_TEMPLATE)
+			.withValue("url", contextPath + url)
+			.withValue("clientName", clientName)
+			.render();
 	}
 
 	private static String csrfToken(CsrfToken token) {
-		return "          <input type=\"hidden\" name=\"" + token.getParameterName() + "\" value=\"" + token.getToken()
-				+ "\">\n";
+		return HtmlTemplates.fromTemplate(CSRF_INPUT_TEMPLATE)
+			.withValue("name", token.getParameterName())
+			.withValue("value", token.getToken())
+			.render();
 	}
 
 	private static String createError(boolean isError) {
@@ -174,4 +155,53 @@ private static String createLogoutSuccess(boolean isLogoutSuccess) {
 				: "";
 	}
 
+	private static final String LOGIN_PAGE_TEMPLATE = """
+			<!DOCTYPE html>
+			<html lang="en">
+			  <head>
+			    <meta charset="utf-8">
+			    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+			    <meta name="description" content="">
+			    <meta name="author" content="">
+			    <title>Please sign in</title>
+			{{cssStyle}}
+			  </head>
+			  <body>
+			    <div class="content">
+			{{formLogin}}
+			{{oauth2Login}}
+			    </div>
+			  </body>
+			</html>""";
+
+	private static final String LOGIN_FORM_TEMPLATE = """
+			      <form class="login-form" method="post" action="{{loginUrl}}">
+			        <h2>Please sign in</h2>
+			{{errorMessage}}{{logoutMessage}}
+			        <p>
+			          <label for="username" class="screenreader">Username</label>
+			          <input type="text" id="username" name="username" placeholder="Username" required autofocus>
+			        </p>
+			        <p>
+			          <label for="password" class="screenreader">Password</label>
+			          <input type="password" id="password" name="password" placeholder="Password" required>
+			        </p>
+			{{csrf}}
+			        <button type="submit" class="primary">Sign in</button>
+			      </form>""";
+
+	private static final String CSRF_INPUT_TEMPLATE = """
+			<input name="{{name}}" type="hidden" value="{{value}}" />
+			""";
+
+	private static final String OAUTH2_LOGIN_TEMPLATE = """
+			<h2>Login with OAuth 2.0</h2>
+			{{errorMessage}}
+			<table class="table table-striped">
+			{{oauth2Rows}}
+			</table>""";
+
+	private static final String OAUTH2_ROW_TEMPLATE = """
+			<tr><td><a href="{{url}}">{{clientName}}</a></td></tr>""";
+
 }

web/src/main/java/org/springframework/security/web/server/ui/LogoutPageGeneratingWebFilter.java

@@ -70,33 +70,45 @@ private Mono<DataBuffer> createBuffer(ServerWebExchange exchange) {
 	}
 
 	private static byte[] createPage(String csrfTokenHtmlInput, String contextPath) {
-		StringBuilder page = new StringBuilder();
-		page.append("<!DOCTYPE html>\n");
-		page.append("<html lang=\"en\">\n");
-		page.append("  <head>\n");
-		page.append("    <meta charset=\"utf-8\">\n");
-		page.append("    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-fit=no\">\n");
-		page.append("    <meta name=\"description\" content=\"\">\n");
-		page.append("    <meta name=\"author\" content=\"\">\n");
-		page.append("    <title>Confirm Log Out?</title>\n");
-		page.append(CssUtils.getCssStyleBlock().indent(4));
-		page.append("  </head>\n");
-		page.append("  <body>\n");
-		page.append("     <div class=\"content\">\n");
-		page.append("      <form class=\"logout-form\" method=\"post\" action=\"" + contextPath + "/logout\">\n");
-		page.append("        <h2>Are you sure you want to log out?</h2>\n");
-		page.append(csrfTokenHtmlInput);
-		page.append("        <button class=\"primary\" type=\"submit\">Log Out</button>\n");
-		page.append("      </form>\n");
-		page.append("    </div>\n");
-		page.append("  </body>\n");
-		page.append("</html>");
-		return page.toString().getBytes(Charset.defaultCharset());
+		return HtmlTemplates.fromTemplate(LOGOUT_PAGE_TEMPLATE)
+			.withRawHtml("cssStyle", CssUtils.getCssStyleBlock().indent(4))
+			.withValue("contextPath", contextPath)
+			.withRawHtml("csrf", csrfTokenHtmlInput.indent(8))
+			.render()
+			.getBytes(Charset.defaultCharset());
 	}
 
 	private static String csrfToken(CsrfToken token) {
-		return "          <input type=\"hidden\" name=\"" + token.getParameterName() + "\" value=\"" + token.getToken()
-				+ "\">\n";
+		return HtmlTemplates.fromTemplate(CSRF_INPUT_TEMPLATE)
+			.withValue("name", token.getParameterName())
+			.withValue("value", token.getToken())
+			.render();
 	}
 
+	private static final String LOGOUT_PAGE_TEMPLATE = """
+			<!DOCTYPE html>
+			<html lang="en">
+			  <head>
+			    <meta charset="utf-8">
+			    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+			    <meta name="description" content="">
+			    <meta name="author" content="">
+			    <title>Confirm Log Out?</title>
+			{{cssStyle}}
+			  </head>
+			  <body>
+			    <div class="content">
+			      <form class="logout-form" method="post" action="{{contextPath}}/logout">
+			        <h2>Are you sure you want to log out?</h2>
+			{{csrf}}
+			        <button class="primary" type="submit">Log Out</button>
+			      </form>
+			    </div>
+			  </body>
+			</html>""";
+
+	private static final String CSRF_INPUT_TEMPLATE = """
+			<input name="{{name}}" type="hidden" value="{{value}}" />
+			""";
+
 }