diff --git a/web/src/test/java/org/springframework/security/web/access/expression/ExpressionBasedFilterInvocationSecurityMetadataSourceTests.java b/web/src/test/java/org/springframework/security/web/access/expression/ExpressionBasedFilterInvocationSecurityMetadataSourceTests.java new file mode 100644 index 0000000000..e005ce53f3 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/access/expression/ExpressionBasedFilterInvocationSecurityMetadataSourceTests.java @@ -0,0 +1,44 @@ +package org.springframework.security.web.access.expression; + + +import static org.junit.Assert.*; + +import org.junit.Test; +import org.springframework.security.access.ConfigAttribute; +import org.springframework.security.access.SecurityConfig; +import org.springframework.security.web.FilterInvocation; +import org.springframework.security.web.util.AnyRequestMatcher; +import org.springframework.security.web.util.RequestMatcher; + +import java.util.Collection; +import java.util.LinkedHashMap; + +/** + * @author Luke Taylor + */ +public class ExpressionBasedFilterInvocationSecurityMetadataSourceTests { + + @Test + public void expectedAttributeIsReturned() { + final String expression = "hasRole('X')"; + LinkedHashMap> requestMap = new LinkedHashMap>(); + requestMap.put(new AnyRequestMatcher(), SecurityConfig.createList(expression)); + ExpressionBasedFilterInvocationSecurityMetadataSource mds = + new ExpressionBasedFilterInvocationSecurityMetadataSource(requestMap, new DefaultWebSecurityExpressionHandler()); + assertEquals(1, mds.getAllConfigAttributes().size()); + Collection attrs = mds.getAttributes(new FilterInvocation("/path", "GET")); + assertEquals(1, attrs.size()); + WebExpressionConfigAttribute attribute = (WebExpressionConfigAttribute) attrs.toArray()[0]; + assertNull(attribute.getAttribute()); + assertEquals(expression, attribute.getAuthorizeExpression().getExpressionString()); + assertEquals(expression, attribute.toString()); + } + + @Test(expected=IllegalArgumentException.class) + public void invalidExpressionIsRejected() throws Exception { + LinkedHashMap> requestMap = new LinkedHashMap>(); + requestMap.put(new AnyRequestMatcher(), SecurityConfig.createList("hasRole('X'")); + ExpressionBasedFilterInvocationSecurityMetadataSource mds = + new ExpressionBasedFilterInvocationSecurityMetadataSource(requestMap, new DefaultWebSecurityExpressionHandler()); + } +} diff --git a/web/src/test/java/org/springframework/security/web/access/expression/WebExpressionVoterTests.java b/web/src/test/java/org/springframework/security/web/access/expression/WebExpressionVoterTests.java new file mode 100644 index 0000000000..7f8e6c86f4 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/access/expression/WebExpressionVoterTests.java @@ -0,0 +1,66 @@ +package org.springframework.security.web.access.expression; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +import org.aopalliance.intercept.MethodInvocation; +import org.junit.Test; +import org.springframework.expression.EvaluationContext; +import org.springframework.expression.Expression; +import org.springframework.security.access.AccessDecisionVoter; +import org.springframework.security.access.SecurityConfig; +import org.springframework.security.access.expression.SecurityExpressionHandler; +import org.springframework.security.authentication.TestingAuthenticationToken; +import org.springframework.security.core.Authentication; +import org.springframework.security.web.FilterInvocation; + +import java.util.ArrayList; + +/** + * @author Luke Taylor + */ +@SuppressWarnings({"unchecked"}) +public class WebExpressionVoterTests { + private Authentication user = new TestingAuthenticationToken("user","pass", "X"); + + @Test + public void supportsWebConfigAttributeAndFilterInvocation() throws Exception { + WebExpressionVoter voter = new WebExpressionVoter(); + assertTrue(voter.supports(new WebExpressionConfigAttribute(mock(Expression.class)))); + assertTrue(voter.supports(FilterInvocation.class)); + assertFalse(voter.supports(MethodInvocation.class)); + + } + + @Test + public void abstainsIfNoAttributeFound() { + WebExpressionVoter voter = new WebExpressionVoter(); + assertEquals(AccessDecisionVoter.ACCESS_ABSTAIN, + voter.vote(user, new FilterInvocation("/path", "GET"), SecurityConfig.createList("A", "B", "C"))); + } + + @Test + public void grantsAccessIfExpressionIsTrueDeniesIfFalse() { + WebExpressionVoter voter = new WebExpressionVoter(); + Expression ex = mock(Expression.class); + WebExpressionConfigAttribute weca = new WebExpressionConfigAttribute(ex); + EvaluationContext ctx = mock(EvaluationContext.class); + SecurityExpressionHandler eh = mock(SecurityExpressionHandler.class); + FilterInvocation fi = new FilterInvocation("/path", "GET"); + voter.setExpressionHandler(eh); + when(eh.createEvaluationContext(user, fi)).thenReturn(ctx); + when(ex.getValue(ctx, Boolean.class)).thenReturn(Boolean.TRUE).thenReturn(Boolean.FALSE); + ArrayList attributes = new ArrayList(); + attributes.addAll(SecurityConfig.createList("A","B","C")); + attributes.add(weca); + + assertEquals(AccessDecisionVoter.ACCESS_GRANTED, voter.vote(user, fi, attributes)); + + // Second time false + assertEquals(AccessDecisionVoter.ACCESS_DENIED, voter.vote(user, fi, attributes)); + } + +} diff --git a/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java b/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java index fe526e8ce4..d419f6db0d 100644 --- a/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java +++ b/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java @@ -33,8 +33,7 @@ import org.springframework.security.web.util.AntPathRequestMatcher; import org.springframework.security.web.util.RequestMatcher; /** - * Tests parts of {@link DefaultFilterInvocationSecurityMetadataSource} not tested by {@link - * FilterInvocationDefinitionSourceEditorTests}. + * Tests {@link DefaultFilterInvocationSecurityMetadataSource}. * * @author Ben Alex */