GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Use ServletContext in AuthorizationManagerWebInvocationPrivilegeEvaluator 

Closes gh-10908
5.5.x
Marcus Da Coregio 4 years ago
parent
44508df940
commit
9792e2a0fa
2 changed files with 27 additions and 4 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 16
      web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
  2. 15
      web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java

16
web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
Unescape View File

@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -16,6 +16,7 @@ @@ -16,6 +16,7 @@
package org.springframework.security.web.access;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authorization.AuthorizationDecision;
@ -23,6 +24,7 @@ import org.springframework.security.authorization.AuthorizationManager; @@ -23,6 +24,7 @@ import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.util.Assert;
import org.springframework.web.context.ServletContextAware;
/**
* An implementation of {@link WebInvocationPrivilegeEvaluator} which delegates the checks
@ -31,10 +33,13 @@ import org.springframework.util.Assert; @@ -31,10 +33,13 @@ import org.springframework.util.Assert;
* @author Marcus Da Coregio
* @since 5.5.5
*/
public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implements WebInvocationPrivilegeEvaluator {
public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
implements WebInvocationPrivilegeEvaluator, ServletContextAware {
private final AuthorizationManager<HttpServletRequest> authorizationManager;
private ServletContext servletContext;
public AuthorizationManagerWebInvocationPrivilegeEvaluator(
AuthorizationManager<HttpServletRequest> authorizationManager) {
Assert.notNull(authorizationManager, "authorizationManager cannot be null");
@ -48,10 +53,15 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implement @@ -48,10 +53,15 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implement
@Override
public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
AuthorizationDecision decision = this.authorizationManager.check(() -> authentication,
filterInvocation.getHttpRequest());
return decision == null || decision.isGranted();
}
@Override
public void setServletContext(ServletContext servletContext) {
this.servletContext = servletContext;
}
}

15
web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
Unescape View File

@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -16,14 +16,17 @@ @@ -16,14 +16,17 @@
package org.springframework.security.web.access;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.ArgumentCaptor;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.mock.web.MockServletContext;
import org.springframework.security.authentication.TestAuthentication;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
@ -72,4 +75,14 @@ public class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests { @@ -72,4 +75,14 @@ public class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
assertThat(allowed).isTrue();
}
@Test
public void isAllowedWhenServletContextExistsThenFilterInvocationHasServletContext() {
ServletContext servletContext = new MockServletContext();
this.privilegeEvaluator.setServletContext(servletContext);
this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
ArgumentCaptor<HttpServletRequest> captor = ArgumentCaptor.forClass(HttpServletRequest.class);
verify(this.authorizationManager).check(any(), captor.capture());
assertThat(captor.getValue().getServletContext()).isSameAs(servletContext);
}
}

Write Preview
Loading…
Cancel
Save