diff --git a/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy index befef784a3..69e624183c 100644 --- a/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy @@ -136,17 +136,17 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests { } def debugFilterHandlesMissingAndEmptyFilterChains() { - when: - xml.debug() - xml.http(pattern: '/unprotected', security: 'none') - createAppContext() - then: - Filter debugFilter = appContext.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN); - MockHttpServletRequest request = new MockHttpServletRequest() - request.setServletPath("/unprotected"); - debugFilter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain()); - request.setServletPath("/nomatch"); - debugFilter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain()); + when: + xml.debug() + xml.http(pattern: '/unprotected', security: 'none') + createAppContext() + then: + Filter debugFilter = appContext.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN); + MockHttpServletRequest request = new MockHttpServletRequest() + request.setServletPath("/unprotected"); + debugFilter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain()); + request.setServletPath("/nomatch"); + debugFilter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain()); } def regexPathsWorkCorrectly() { @@ -254,39 +254,39 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests { attrs.contains(new SecurityConfig("ROLE_B")) } - def httpMethodMatchIsSupportedForRequiresChannel() { - httpAutoConfig { - 'intercept-url'(pattern: '/anyurl') - 'intercept-url'(pattern: '/anyurl', 'method':'GET',access: 'ROLE_ADMIN', 'requires-channel': 'https') - } - createAppContext() - - def fids = getFilter(ChannelProcessingFilter).getSecurityMetadataSource(); - def attrs = fids.getAttributes(createFilterinvocation("/anyurl", "GET")); - def attrsPost = fids.getAttributes(createFilterinvocation("/anyurl", "POST")); - - expect: - attrs.size() == 1 - attrs.contains(new SecurityConfig("REQUIRES_SECURE_CHANNEL")) - attrsPost == null - } - - def httpMethodMatchIsSupportedForRequiresChannelAny() { - httpAutoConfig { - 'intercept-url'(pattern: '/**') - 'intercept-url'(pattern: '/**', 'method':'GET',access: 'ROLE_ADMIN', 'requires-channel': 'https') - } - createAppContext() - - def fids = getFilter(ChannelProcessingFilter).getSecurityMetadataSource(); - def attrs = fids.getAttributes(createFilterinvocation("/anyurl", "GET")); - def attrsPost = fids.getAttributes(createFilterinvocation("/anyurl", "POST")); - - expect: - attrs.size() == 1 - attrs.contains(new SecurityConfig("REQUIRES_SECURE_CHANNEL")) - attrsPost == null - } + def httpMethodMatchIsSupportedForRequiresChannel() { + httpAutoConfig { + 'intercept-url'(pattern: '/anyurl') + 'intercept-url'(pattern: '/anyurl', 'method':'GET',access: 'ROLE_ADMIN', 'requires-channel': 'https') + } + createAppContext() + + def fids = getFilter(ChannelProcessingFilter).getSecurityMetadataSource(); + def attrs = fids.getAttributes(createFilterinvocation("/anyurl", "GET")); + def attrsPost = fids.getAttributes(createFilterinvocation("/anyurl", "POST")); + + expect: + attrs.size() == 1 + attrs.contains(new SecurityConfig("REQUIRES_SECURE_CHANNEL")) + attrsPost == null + } + + def httpMethodMatchIsSupportedForRequiresChannelAny() { + httpAutoConfig { + 'intercept-url'(pattern: '/**') + 'intercept-url'(pattern: '/**', 'method':'GET',access: 'ROLE_ADMIN', 'requires-channel': 'https') + } + createAppContext() + + def fids = getFilter(ChannelProcessingFilter).getSecurityMetadataSource(); + def attrs = fids.getAttributes(createFilterinvocation("/anyurl", "GET")); + def attrsPost = fids.getAttributes(createFilterinvocation("/anyurl", "POST")); + + expect: + attrs.size() == 1 + attrs.contains(new SecurityConfig("REQUIRES_SECURE_CHANNEL")) + attrsPost == null + } def oncePerRequestAttributeIsSupported() { xml.http('once-per-request': 'false') { @@ -498,7 +498,7 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests { createAppContext() def fis = getFilter(FilterSecurityInterceptor) def fids = fis.securityMetadataSource - Collection attrs = fids.getAttributes(createFilterinvocation("/someurl", null)); + Collection attrs = fids.getAttributes(createFilterinvocation("/someUrl", null)); expect: attrs.size() == 1 @@ -716,7 +716,7 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests { def httpFirewallInjectionIsSupported() { xml.'http-firewall'(ref: 'fw') xml.http() { - 'form-login'() + 'form-login'() } bean('fw', DefaultHttpFirewall) createAppContext() diff --git a/config/src/test/groovy/org/springframework/security/config/http/PlaceHolderAndELConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/PlaceHolderAndELConfigTests.groovy index b7e3f92319..13db6f1724 100644 --- a/config/src/test/groovy/org/springframework/security/config/http/PlaceHolderAndELConfigTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/http/PlaceHolderAndELConfigTests.groovy @@ -39,7 +39,7 @@ class PlaceHolderAndELConfigTests extends AbstractHttpConfigTests { // SEC-1201 def interceptUrlsAndFormLoginSupportPropertyPlaceholders() { - System.setProperty("secure.Url", "/Secure"); + System.setProperty("secure.Url", "/secure"); System.setProperty("secure.role", "ROLE_A"); System.setProperty("login.page", "/loginPage"); System.setProperty("default.target", "/defaultTarget"); @@ -60,7 +60,7 @@ class PlaceHolderAndELConfigTests extends AbstractHttpConfigTests { // SEC-1309 def interceptUrlsAndFormLoginSupportEL() { - System.setProperty("secure.url", "/Secure"); + System.setProperty("secure.url", "/secure"); System.setProperty("secure.role", "ROLE_A"); System.setProperty("login.page", "/loginPage"); System.setProperty("default.target", "/defaultTarget"); diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java index 8233d78d00..ec8808caf9 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java @@ -40,6 +40,7 @@ import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextImpl; import org.springframework.security.web.FilterChainProxy; import org.springframework.security.web.context.HttpSessionSecurityContextRepository; +import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.web.context.support.AnnotationConfigWebApplicationContext; import static org.assertj.core.api.Assertions.assertThat; @@ -151,7 +152,7 @@ public class AuthorizeRequestsTests { // @formatter:off http .authorizeRequests() - .antMatchers("/user/{user}").access("#user == 'user'") + .requestMatchers(new AntPathRequestMatcher("/user/{user}", null, false)).access("#user == 'user'") .anyRequest().denyAll(); // @formatter:on } @@ -192,7 +193,7 @@ public class AuthorizeRequestsTests { // @formatter:off http .authorizeRequests() - .antMatchers("/user/{userName}").access("#userName == 'user'") + .requestMatchers(new AntPathRequestMatcher("/user/{userName}", null, false)).access("#userName == 'user'") .anyRequest().denyAll(); // @formatter:on } diff --git a/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java b/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java index f9c7d6de50..17536b892e 100644 --- a/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java +++ b/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java @@ -80,7 +80,7 @@ public final class AntPathRequestMatcher implements RequestMatcher { * the incoming request doesn't have the same method. */ public AntPathRequestMatcher(String pattern, String httpMethod) { - this(pattern, httpMethod, false); + this(pattern, httpMethod, true); } /** diff --git a/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java b/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java index 150f476f16..7726e90087 100644 --- a/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java +++ b/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java @@ -16,15 +16,13 @@ package org.springframework.security.web.access.intercept; -import static org.assertj.core.api.Assertions.*; -import static org.mockito.Mockito.mock; - import java.util.Collection; import java.util.LinkedHashMap; import javax.servlet.FilterChain; import org.junit.Test; + import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.security.access.ConfigAttribute; @@ -33,6 +31,9 @@ import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.Mockito.mock; + /** * Tests {@link DefaultFilterInvocationSecurityMetadataSource}. * @@ -46,18 +47,18 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests { // ======================================================================================================== private void createFids(String pattern, String method) { LinkedHashMap> requestMap = new LinkedHashMap>(); - requestMap.put(new AntPathRequestMatcher(pattern, method), def); - fids = new DefaultFilterInvocationSecurityMetadataSource(requestMap); + requestMap.put(new AntPathRequestMatcher(pattern, method), this.def); + this.fids = new DefaultFilterInvocationSecurityMetadataSource(requestMap); } @Test public void lookupNotRequiringExactMatchSucceedsIfNotMatching() { createFids("/secure/super/**", null); - FilterInvocation fi = createFilterInvocation("/SeCuRE/super/somefile.html", null, + FilterInvocation fi = createFilterInvocation("/secure/super/somefile.html", null, null, null); - assertThat(fids.getAttributes(fi)).isEqualTo(def); + assertThat(this.fids.getAttributes(fi)).isEqualTo(this.def); } /** @@ -66,13 +67,13 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests { */ @Test public void lookupNotRequiringExactMatchSucceedsIfSecureUrlPathContainsUpperCase() { - createFids("/SeCuRE/super/**", null); + createFids("/secure/super/**", null); FilterInvocation fi = createFilterInvocation("/secure", "/super/somefile.html", null, null); - Collection response = fids.getAttributes(fi); - assertThat(response).isEqualTo(def); + Collection response = this.fids.getAttributes(fi); + assertThat(response).isEqualTo(this.def); } @Test @@ -82,8 +83,8 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests { FilterInvocation fi = createFilterInvocation("/SeCurE/super/somefile.html", null, null, null); - Collection response = fids.getAttributes(fi); - assertThat(response).isEqualTo(def); + Collection response = this.fids.getAttributes(fi); + assertThat(response).isEqualTo(this.def); } @Test @@ -93,8 +94,9 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests { FilterInvocation fi = createFilterInvocation("/someAdminPage.html", null, "a=/test", null); - Collection response = fids.getAttributes(fi); - assertThat(response); // see SEC-161 (it should truncate after ? sign).isEqualTo(def) + Collection response = this.fids.getAttributes(fi); + assertThat(response); // see SEC-161 (it should truncate after ? + // sign).isEqualTo(def) } @Test(expected = IllegalArgumentException.class) @@ -107,8 +109,8 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests { createFids("/somepage**", "GET"); FilterInvocation fi = createFilterInvocation("/somepage", null, null, "GET"); - Collection attrs = fids.getAttributes(fi); - assertThat(attrs).isEqualTo(def); + Collection attrs = this.fids.getAttributes(fi); + assertThat(attrs).isEqualTo(this.def); } @Test @@ -116,8 +118,8 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests { createFids("/somepage**", null); FilterInvocation fi = createFilterInvocation("/somepage", null, null, "GET"); - Collection attrs = fids.getAttributes(fi); - assertThat(attrs).isEqualTo(def); + Collection attrs = this.fids.getAttributes(fi); + assertThat(attrs).isEqualTo(this.def); } @Test @@ -125,7 +127,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests { createFids("/somepage**", "GET"); FilterInvocation fi = createFilterInvocation("/somepage", null, null, "POST"); - Collection attrs = fids.getAttributes(fi); + Collection attrs = this.fids.getAttributes(fi); assertThat(attrs).isNull(); } @@ -138,10 +140,10 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests { requestMap.put(new AntPathRequestMatcher("/user/**", null), userAttrs); requestMap.put(new AntPathRequestMatcher("/teller/**", "GET"), SecurityConfig.createList("B")); - fids = new DefaultFilterInvocationSecurityMetadataSource(requestMap); + this.fids = new DefaultFilterInvocationSecurityMetadataSource(requestMap); FilterInvocation fi = createFilterInvocation("/user", null, null, "GET"); - Collection attrs = fids.getAttributes(fi); + Collection attrs = this.fids.getAttributes(fi); assertThat(attrs).isEqualTo(userAttrs); } @@ -155,13 +157,13 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests { FilterInvocation fi = createFilterInvocation("/someAdminPage.html", null, null, null); - Collection response = fids.getAttributes(fi); - assertThat(response).isEqualTo(def); + Collection response = this.fids.getAttributes(fi); + assertThat(response).isEqualTo(this.def); fi = createFilterInvocation("/someAdminPage.html", null, "?", null); - response = fids.getAttributes(fi); - assertThat(response).isEqualTo(def); + response = this.fids.getAttributes(fi); + assertThat(response).isEqualTo(this.def); } private FilterInvocation createFilterInvocation(String servletPath, String pathInfo, diff --git a/web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java b/web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java index 950f18c313..edbb1c9f21 100644 --- a/web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java +++ b/web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java @@ -52,7 +52,8 @@ public class AntPathRequestMatcherTests { @Test public void trailingWildcardMatchesCorrectly() { - AntPathRequestMatcher matcher = new AntPathRequestMatcher("/blah/blAh/**"); + AntPathRequestMatcher matcher = new AntPathRequestMatcher("/blah/blAh/**", null, + false); assertThat(matcher.matches(createRequest("/BLAH/blah"))).isTrue(); assertThat(matcher.matches(createRequest("/blah/bleh"))).isFalse(); assertThat(matcher.matches(createRequest("/blah/blah/"))).isTrue(); @@ -64,11 +65,11 @@ public class AntPathRequestMatcherTests { request.setPathInfo("blah/bleh"); assertThat(matcher.matches(request)).isTrue(); - matcher = new AntPathRequestMatcher("/bl?h/blAh/**"); + matcher = new AntPathRequestMatcher("/bl?h/blAh/**", null, false); assertThat(matcher.matches(createRequest("/BLAH/Blah/aaa/"))).isTrue(); assertThat(matcher.matches(createRequest("/bleh/Blah"))).isTrue(); - matcher = new AntPathRequestMatcher("/blAh/**/blah/**"); + matcher = new AntPathRequestMatcher("/blAh/**/blah/**", null, false); assertThat(matcher.matches(createRequest("/blah/blah"))).isTrue(); assertThat(matcher.matches(createRequest("/blah/bleh"))).isFalse(); assertThat(matcher.matches(createRequest("/blah/aaa/blah/bbb"))).isTrue(); @@ -76,7 +77,8 @@ public class AntPathRequestMatcherTests { @Test public void trailingWildcardWithVariableMatchesCorrectly() { - AntPathRequestMatcher matcher = new AntPathRequestMatcher("/{id}/blAh/**"); + AntPathRequestMatcher matcher = new AntPathRequestMatcher("/{id}/blAh/**", null, + false); assertThat(matcher.matches(createRequest("/1234/blah"))).isTrue(); assertThat(matcher.matches(createRequest("/4567/bleh"))).isFalse(); assertThat(matcher.matches(createRequest("/paskos/blah/"))).isTrue(); @@ -210,7 +212,7 @@ public class AntPathRequestMatcherTests { @Test public void postProcessVariableNameCaseInsensitive() { - AntPathRequestMatcher matcher = new AntPathRequestMatcher("/**"); + AntPathRequestMatcher matcher = new AntPathRequestMatcher("/**", null, false); String variableName = "userName"; assertThat(matcher.postProcessVariableName(variableName)) .isEqualTo(variableName.toLowerCase());