Luke Taylor
15 years ago
2 changed files with 97 additions and 0 deletions
@ -0,0 +1,65 @@
@@ -0,0 +1,65 @@
|
||||
package org.springframework.security.integration; |
||||
|
||||
import static org.junit.Assert.assertEquals; |
||||
|
||||
import org.junit.Test; |
||||
import org.junit.runner.RunWith; |
||||
import org.springframework.beans.factory.annotation.Autowired; |
||||
import org.springframework.mock.web.MockFilterChain; |
||||
import org.springframework.mock.web.MockHttpServletRequest; |
||||
import org.springframework.mock.web.MockHttpServletResponse; |
||||
import org.springframework.mock.web.MockHttpSession; |
||||
import org.springframework.security.authentication.TestingAuthenticationToken; |
||||
import org.springframework.security.core.context.SecurityContextHolder; |
||||
import org.springframework.security.web.FilterChainProxy; |
||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository; |
||||
import org.springframework.test.context.ContextConfiguration; |
||||
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; |
||||
|
||||
import javax.servlet.http.HttpSession; |
||||
|
||||
@ContextConfiguration(locations={"/http-path-param-stripping-app-context.xml"}) |
||||
@RunWith(SpringJUnit4ClassRunner.class) |
||||
public class HttpPathParameterStrippingTests { |
||||
|
||||
@Autowired |
||||
private FilterChainProxy fcp; |
||||
|
||||
@Test |
||||
public void securedFilterChainCannotBeBypassedByAddingPathParameters() throws Exception { |
||||
MockHttpServletRequest request = new MockHttpServletRequest(); |
||||
request.setPathInfo("/secured;x=y/admin.html"); |
||||
request.setSession(createAuthenticatedSession("ROLE_USER")); |
||||
MockHttpServletResponse response = new MockHttpServletResponse(); |
||||
fcp.doFilter(request, response, new MockFilterChain()); |
||||
assertEquals(403, response.getStatus()); |
||||
} |
||||
|
||||
@Test |
||||
public void adminFilePatternCannotBeBypassedByAddingPathParameters() throws Exception { |
||||
MockHttpServletRequest request = new MockHttpServletRequest(); |
||||
request.setServletPath("/secured/admin.html;x=user.html"); |
||||
request.setSession(createAuthenticatedSession("ROLE_USER")); |
||||
MockHttpServletResponse response = new MockHttpServletResponse(); |
||||
fcp.doFilter(request, response, new MockFilterChain()); |
||||
assertEquals(403, response.getStatus()); |
||||
|
||||
// Try with pathInfo
|
||||
request = new MockHttpServletRequest(); |
||||
request.setServletPath("/secured"); |
||||
request.setPathInfo("/admin.html;x=user.html"); |
||||
request.setSession(createAuthenticatedSession("ROLE_USER")); |
||||
response = new MockHttpServletResponse(); |
||||
fcp.doFilter(request, response, new MockFilterChain()); |
||||
assertEquals(403, response.getStatus()); |
||||
} |
||||
|
||||
public HttpSession createAuthenticatedSession(String... roles) { |
||||
MockHttpSession session = new MockHttpSession(); |
||||
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("bob", "bobspassword", roles)); |
||||
session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext()); |
||||
SecurityContextHolder.clearContext(); |
||||
return session; |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,32 @@
@@ -0,0 +1,32 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?> |
||||
|
||||
<!-- |
||||
- |
||||
--> |
||||
|
||||
<b:beans xmlns="http://www.springframework.org/schema/security" |
||||
xmlns:b="http://www.springframework.org/schema/beans" |
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
||||
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd |
||||
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> |
||||
|
||||
<http pattern="/secured/**"> |
||||
<intercept-url pattern="/secured/*user.html" access="ROLE_USER" /> |
||||
<intercept-url pattern="/secured/admin.html" access="ROLE_ADMIN" /> |
||||
<intercept-url pattern="/secured/user/**" access="ROLE_USER" /> |
||||
<intercept-url pattern="/secured/admin/*" access="ROLE_ADMIN" /> |
||||
<intercept-url pattern="/**" access="ROLE_NO_ACCESS" /> |
||||
<form-login /> |
||||
</http> |
||||
|
||||
<http pattern="/**" security="none" /> |
||||
|
||||
<authentication-manager alias="authenticationManager"> |
||||
<authentication-provider> |
||||
<user-service id="userService"> |
||||
<user name="notused" password="notused" authorities="ROLE_0,ROLE_1"/> |
||||
</user-service> |
||||
</authentication-provider> |
||||
</authentication-manager> |
||||
|
||||
</b:beans> |
||||
Loading…
Reference in new issue