Eleftheria Stein
7 years ago
2 changed files with 138 additions and 78 deletions
@ -1,78 +0,0 @@
@@ -1,78 +0,0 @@
|
||||
/* |
||||
* Copyright 2002-2013 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0 |
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
package org.springframework.security.config.annotation.web.configurers |
||||
|
||||
import org.springframework.context.annotation.Configuration |
||||
import org.springframework.security.config.annotation.AnyObjectPostProcessor |
||||
import org.springframework.security.config.annotation.BaseSpringSpec |
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder |
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity |
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity |
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter |
||||
import org.springframework.security.web.access.channel.ChannelDecisionManagerImpl |
||||
import org.springframework.security.web.access.channel.ChannelProcessingFilter |
||||
import org.springframework.security.web.access.channel.InsecureChannelProcessor |
||||
import org.springframework.security.web.access.channel.SecureChannelProcessor |
||||
|
||||
/** |
||||
* |
||||
* @author Rob Winch |
||||
*/ |
||||
class ChannelSecurityConfigurerTests extends BaseSpringSpec { |
||||
|
||||
def "requiresChannel ObjectPostProcessor"() { |
||||
setup: "initialize the AUTH_FILTER as a mock" |
||||
AnyObjectPostProcessor objectPostProcessor = Mock() |
||||
when: |
||||
HttpSecurity http = new HttpSecurity(objectPostProcessor, authenticationBldr, [:]) |
||||
http |
||||
.requiresChannel() |
||||
.anyRequest().requiresSecure() |
||||
.and() |
||||
.build() |
||||
|
||||
then: "InsecureChannelProcessor is registered with LifecycleManager" |
||||
1 * objectPostProcessor.postProcess(_ as InsecureChannelProcessor) >> {InsecureChannelProcessor o -> o} |
||||
and: "SecureChannelProcessor is registered with LifecycleManager" |
||||
1 * objectPostProcessor.postProcess(_ as SecureChannelProcessor) >> {SecureChannelProcessor o -> o} |
||||
and: "ChannelDecisionManagerImpl is registered with LifecycleManager" |
||||
1 * objectPostProcessor.postProcess(_ as ChannelDecisionManagerImpl) >> {ChannelDecisionManagerImpl o -> o} |
||||
and: "ChannelProcessingFilter is registered with LifecycleManager" |
||||
1 * objectPostProcessor.postProcess(_ as ChannelProcessingFilter) >> {ChannelProcessingFilter o -> o} |
||||
} |
||||
|
||||
def "invoke requiresChannel twice does not override"() { |
||||
setup: |
||||
loadConfig(DuplicateInvocationsDoesNotOverrideConfig) |
||||
when: |
||||
springSecurityFilterChain.doFilter(request,response,chain) |
||||
then: |
||||
response.redirectedUrl == "https://localhost" |
||||
} |
||||
|
||||
@EnableWebSecurity |
||||
static class DuplicateInvocationsDoesNotOverrideConfig extends WebSecurityConfigurerAdapter { |
||||
|
||||
@Override |
||||
protected void configure(HttpSecurity http) throws Exception { |
||||
http |
||||
.requiresChannel() |
||||
.anyRequest().requiresSecure() |
||||
.and() |
||||
.requiresChannel() |
||||
} |
||||
} |
||||
} |
||||
@ -0,0 +1,138 @@
@@ -0,0 +1,138 @@
|
||||
/* |
||||
* Copyright 2002-2019 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.config.annotation.web.configurers; |
||||
|
||||
import org.junit.Rule; |
||||
import org.junit.Test; |
||||
import org.springframework.beans.factory.annotation.Autowired; |
||||
import org.springframework.context.annotation.Bean; |
||||
import org.springframework.security.config.annotation.ObjectPostProcessor; |
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity; |
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; |
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; |
||||
import org.springframework.security.config.test.SpringTestRule; |
||||
import org.springframework.security.web.access.channel.ChannelDecisionManagerImpl; |
||||
import org.springframework.security.web.access.channel.ChannelProcessingFilter; |
||||
import org.springframework.security.web.access.channel.InsecureChannelProcessor; |
||||
import org.springframework.security.web.access.channel.SecureChannelProcessor; |
||||
import org.springframework.test.web.servlet.MockMvc; |
||||
|
||||
import static org.mockito.ArgumentMatchers.any; |
||||
import static org.mockito.Mockito.spy; |
||||
import static org.mockito.Mockito.verify; |
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; |
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl; |
||||
|
||||
/** |
||||
* Tests for {@link ChannelSecurityConfigurer} |
||||
* |
||||
* @author Rob Winch |
||||
* @author Eleftheria Stein |
||||
*/ |
||||
public class ChannelSecurityConfigurerTests { |
||||
|
||||
@Rule |
||||
public final SpringTestRule spring = new SpringTestRule(); |
||||
|
||||
@Autowired |
||||
MockMvc mvc; |
||||
|
||||
@Test |
||||
public void configureWhenRegisteringObjectPostProcessorThenInvokedOnInsecureChannelProcessor() { |
||||
ObjectPostProcessorConfig.objectPostProcessor = spy(ReflectingObjectPostProcessor.class); |
||||
this.spring.register(ObjectPostProcessorConfig.class).autowire(); |
||||
|
||||
verify(ObjectPostProcessorConfig.objectPostProcessor) |
||||
.postProcess(any(InsecureChannelProcessor.class)); |
||||
} |
||||
|
||||
@Test |
||||
public void configureWhenRegisteringObjectPostProcessorThenInvokedOnSecureChannelProcessor() { |
||||
ObjectPostProcessorConfig.objectPostProcessor = spy(ReflectingObjectPostProcessor.class); |
||||
this.spring.register(ObjectPostProcessorConfig.class).autowire(); |
||||
|
||||
verify(ObjectPostProcessorConfig.objectPostProcessor) |
||||
.postProcess(any(SecureChannelProcessor.class)); |
||||
} |
||||
|
||||
@Test |
||||
public void configureWhenRegisteringObjectPostProcessorThenInvokedOnChannelDecisionManagerImpl() { |
||||
ObjectPostProcessorConfig.objectPostProcessor = spy(ReflectingObjectPostProcessor.class); |
||||
this.spring.register(ObjectPostProcessorConfig.class).autowire(); |
||||
|
||||
verify(ObjectPostProcessorConfig.objectPostProcessor) |
||||
.postProcess(any(ChannelDecisionManagerImpl.class)); |
||||
} |
||||
|
||||
@Test |
||||
public void configureWhenRegisteringObjectPostProcessorThenInvokedOnChannelProcessingFilter() { |
||||
ObjectPostProcessorConfig.objectPostProcessor = spy(ReflectingObjectPostProcessor.class); |
||||
this.spring.register(ObjectPostProcessorConfig.class).autowire(); |
||||
|
||||
verify(ObjectPostProcessorConfig.objectPostProcessor) |
||||
.postProcess(any(ChannelProcessingFilter.class)); |
||||
} |
||||
|
||||
@EnableWebSecurity |
||||
static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { |
||||
static ObjectPostProcessor<Object> objectPostProcessor; |
||||
|
||||
@Override |
||||
protected void configure(HttpSecurity http) throws Exception { |
||||
// @formatter:off
|
||||
http |
||||
.requiresChannel() |
||||
.anyRequest().requiresSecure(); |
||||
// @formatter:on
|
||||
} |
||||
|
||||
@Bean |
||||
static ObjectPostProcessor<Object> objectPostProcessor() { |
||||
return objectPostProcessor; |
||||
} |
||||
} |
||||
|
||||
static class ReflectingObjectPostProcessor implements ObjectPostProcessor<Object> { |
||||
@Override |
||||
public <O> O postProcess(O object) { |
||||
return object; |
||||
} |
||||
} |
||||
|
||||
@Test |
||||
public void requiresChannelWhenInvokesTwiceThenUsesOriginalRequiresSecure() throws Exception { |
||||
this.spring.register(DuplicateInvocationsDoesNotOverrideConfig.class).autowire(); |
||||
|
||||
mvc.perform(get("/")) |
||||
.andExpect(redirectedUrl("https://localhost/")); |
||||
} |
||||
|
||||
@EnableWebSecurity |
||||
static class DuplicateInvocationsDoesNotOverrideConfig extends WebSecurityConfigurerAdapter { |
||||
|
||||
@Override |
||||
protected void configure(HttpSecurity http) throws Exception { |
||||
// @formatter:off
|
||||
http |
||||
.requiresChannel() |
||||
.anyRequest().requiresSecure() |
||||
.and() |
||||
.requiresChannel(); |
||||
// @formatter:on
|
||||
} |
||||
} |
||||
} |
||||
Loading…
Reference in new issue