GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Add hasAnyRole and hasAnyAuthority to authorizeRequests in Kotlin DSL 

Closes gh-8892
pull/8962/head
koishikawa11 6 years ago committed by GitHub
parent
5142d39079
commit
be6d2f117e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 160 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 24
      config/src/main/kotlin/org/springframework/security/config/web/servlet/AuthorizeRequestsDsl.kt
  2. 136
      config/src/test/kotlin/org/springframework/security/config/web/servlet/AuthorizeRequestsDslTests.kt

24
config/src/main/kotlin/org/springframework/security/config/web/servlet/AuthorizeRequestsDsl.kt
Unescape View File

@ -153,6 +153,18 @@ class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() { @@ -153,6 +153,18 @@ class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() {
*/
fun hasAuthority(authority: String) = "hasAuthority('$authority')"
/**
* Specify that URLs requires any of a number authorities.
*
* @param authorities the authorities to require (i.e. ROLE_USER, ROLE_ADMIN, etc).
* @return the SpEL expression "hasAnyAuthority" with the given authorities as a
* parameter
*/
fun hasAnyAuthority(vararg authorities: String): String {
val anyAuthorities = authorities.joinToString("','")
return "hasAnyAuthority('$anyAuthorities')"
}
/**
* Specify that URLs require a particular role.
*
@ -162,6 +174,18 @@ class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() { @@ -162,6 +174,18 @@ class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() {
*/
fun hasRole(role: String) = "hasRole('$role')"
/**
* Specify that URLs requires any of a number roles.
*
* @param roles the roles to require (i.e. USER, ADMIN, etc).
* @return the SpEL expression "hasAnyRole" with the given roles as a
* parameter
*/
fun hasAnyRole(vararg roles: String): String {
val anyRoles = roles.joinToString("','")
return "hasAnyRole('$anyRoles')"
}
/**
* Specify that URLs are allowed by anyone.
*/

136
config/src/test/kotlin/org/springframework/security/config/web/servlet/AuthorizeRequestsDslTests.kt
Unescape View File

@ -267,6 +267,142 @@ class AuthorizeRequestsDslTests { @@ -267,6 +267,142 @@ class AuthorizeRequestsDslTests {
}
}
@Test
fun `request when user has some allowed roles then responds with OK`() {
this.spring.register(HasAnyRoleConfig::class.java).autowire()
this.mockMvc.get("/") {
with(httpBasic("user", "password"))
}.andExpect {
status { isOk }
}
this.mockMvc.get("/") {
with(httpBasic("admin", "password"))
}.andExpect {
status { isOk }
}
}
@Test
fun `request when user does not have any allowed roles then responds with forbidden`() {
this.spring.register(HasAnyRoleConfig::class.java).autowire()
this.mockMvc.get("/") {
with(httpBasic("other", "password"))
}.andExpect {
status { isForbidden }
}
}
@EnableWebSecurity
@EnableWebMvc
open class HasAnyRoleConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
authorizeRequests {
authorize("/**", hasAnyRole("ADMIN", "USER"))
}
httpBasic { }
}
}
@RestController
internal class PathController {
@GetMapping("/")
fun index() {
}
}
@Bean
override fun userDetailsService(): UserDetailsService {
val userDetails = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build()
val admin1Details = User.withDefaultPasswordEncoder()
.username("admin")
.password("password")
.roles("ADMIN")
.build()
val admin2Details = User.withDefaultPasswordEncoder()
.username("other")
.password("password")
.roles("OTHER")
.build()
return InMemoryUserDetailsManager(userDetails, admin1Details, admin2Details)
}
}
@Test
fun `request when user has some allowed authorities then responds with OK`() {
this.spring.register(HasAnyAuthorityConfig::class.java).autowire()
this.mockMvc.get("/") {
with(httpBasic("user", "password"))
}.andExpect {
status { isOk }
}
this.mockMvc.get("/") {
with(httpBasic("admin", "password"))
}.andExpect {
status { isOk }
}
}
@Test
fun `request when user does not have any allowed authorities then responds with forbidden`() {
this.spring.register(HasAnyAuthorityConfig::class.java).autowire()
this.mockMvc.get("/") {
with(httpBasic("other", "password"))
}.andExpect {
status { isForbidden }
}
}
@EnableWebSecurity
@EnableWebMvc
open class HasAnyAuthorityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
authorizeRequests {
authorize("/**", hasAnyAuthority("ROLE_ADMIN", "ROLE_USER"))
}
httpBasic { }
}
}
@RestController
internal class PathController {
@GetMapping("/")
fun index() {
}
}
@Bean
override fun userDetailsService(): UserDetailsService {
val userDetails = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.authorities("ROLE_USER")
.build()
val admin1Details = User.withDefaultPasswordEncoder()
.username("admin")
.password("password")
.authorities("ROLE_ADMIN")
.build()
val admin2Details = User.withDefaultPasswordEncoder()
.username("other")
.password("password")
.authorities("ROLE_OTHER")
.build()
return InMemoryUserDetailsManager(userDetails, admin1Details, admin2Details)
}
}
@Test
fun `request when secured by mvc with servlet path then responds based on servlet path`() {
this.spring.register(MvcMatcherServletPathConfig::class.java).autowire()

Write Preview
Loading…
Cancel
Save