GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

OPEN - issue SEC-913: SwitchUserProcessingFilter modifies the switchFailureUrl member variable on failure 

http://jira.springframework.org/browse/SEC-913. Applied patch as suggested (use sendRedirect method for failure URL).
2.0.x
Luke Taylor 18 years ago
parent
b4c63db680
commit
bf5896600e
2 changed files with 114 additions and 218 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      core/src/main/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilter.java
  2. 329
      core/src/test/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilterTests.java

3
core/src/main/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilter.java
Unescape View File

@ -304,8 +304,7 @@ public class SwitchUserProcessingFilter extends SpringSecurityFilter implements @@ -304,8 +304,7 @@ public class SwitchUserProcessingFilter extends SpringSecurityFilter implements
logger.debug("Switch User failed", failed);
if (switchFailureUrl != null) {
switchFailureUrl = request.getContextPath() + switchFailureUrl;
response.sendRedirect(response.encodeRedirectURL(switchFailureUrl));
sendRedirect(request, response, switchFailureUrl);
} else {
response.getWriter().print("Switch user failed: " + failed.getMessage());
response.flushBuffer();

329
core/src/test/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilterTests.java
Unescape View File

@ -15,8 +15,18 @@ @@ -15,8 +15,18 @@
package org.springframework.security.ui.switchuser;
import junit.framework.TestCase;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import java.util.ArrayList;
import java.util.List;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.AccountExpiredException;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
@ -24,48 +34,34 @@ import org.springframework.security.CredentialsExpiredException; @@ -24,48 +34,34 @@ import org.springframework.security.CredentialsExpiredException;
import org.springframework.security.DisabledException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;
import org.springframework.security.util.FieldUtils;
import org.springframework.security.util.MockFilterChain;
import org.springframework.dao.DataAccessException;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import java.util.List;
import java.util.ArrayList;
/**
* Tests {@link org.springframework.security.ui.switchuser.SwitchUserProcessingFilter}.
*
* @author Mark St.Godard
* @author Luke Taylor
* @version $Id$
*/
public class SwitchUserProcessingFilterTests extends TestCase {
//~ Constructors ===================================================================================================
public SwitchUserProcessingFilterTests() {
}
public class SwitchUserProcessingFilterTests {
public SwitchUserProcessingFilterTests(String arg0) {
super(arg0);
@Before
public void authenticateCurrentUser() {
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
SecurityContextHolder.getContext().setAuthentication(auth);
}
//~ Methods ========================================================================================================
protected void tearDown() throws Exception {
SecurityContextHolder.clearContext();
@After
public void clearContext() {
SecurityContextHolder.clearContext();
}
private MockHttpServletRequest createMockSwitchRequest() {
@ -76,181 +72,122 @@ public class SwitchUserProcessingFilterTests extends TestCase { @@ -76,181 +72,122 @@ public class SwitchUserProcessingFilterTests extends TestCase {
return request;
}
public void testAttemptSwitchToUnknownUser() throws Exception {
// set current user
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
SecurityContextHolder.getContext().setAuthentication(auth);
private Authentication switchToUser(String name) {
MockHttpServletRequest request = new MockHttpServletRequest();
request.addParameter(SwitchUserProcessingFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, "user-that-doesnt-exist");
request.addParameter(SwitchUserProcessingFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, name);
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
filter.setUserDetailsService(new MockUserDetailsService());
try {
Authentication result = filter.attemptSwitchUser(request);
fail("Should not be able to switch to unknown user");
} catch (UsernameNotFoundException expected) {}
return filter.attemptSwitchUser(request);
}
public void testAttemptSwitchToUserThatIsDisabled() throws Exception {
// set current user
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
SecurityContextHolder.getContext().setAuthentication(auth);
MockHttpServletRequest request = new MockHttpServletRequest();
// this user is disabled
request.addParameter(SwitchUserProcessingFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, "mcgarrett");
@Test
public void requiresExitUserMatchesCorrectly() {
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
try {
Authentication result = filter.attemptSwitchUser(request);
fail("Should not be able to switch to disabled user");
} catch (DisabledException expected) {
// user should be disabled
}
}
public void testAttemptSwitchToUserWithAccountExpired() throws Exception {
// set current user
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
SecurityContextHolder.getContext().setAuthentication(auth);
filter.setExitUserUrl("/j_spring_security_my_exit_user");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRequestURI("/j_spring_security_my_exit_user");
// this user is disabled
request.addParameter(SwitchUserProcessingFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, "wofat");
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
try {
Authentication result = filter.attemptSwitchUser(request);
fail("Should not be able to switch to user with expired account");
} catch (AccountExpiredException expected) {
// expected user account expired
}
assertTrue(filter.requiresExitUser(request));
}
public void testAttemptSwitchToUserWithExpiredCredentials() throws Exception {
// set current user
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
SecurityContextHolder.getContext().setAuthentication(auth);
@Test
public void requiresSwitchMatchesCorrectly() {
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setSwitchUserUrl("/j_spring_security_my_switch_user");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRequestURI("/j_spring_security_my_switch_user");
assertTrue(filter.requiresSwitchUser(request));
}
@Test(expected=UsernameNotFoundException.class)
public void attemptSwitchToUnknownUserFails() throws Exception {
// this user is disabled
request.addParameter(SwitchUserProcessingFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, "steve");
MockHttpServletRequest request = new MockHttpServletRequest();
request.addParameter(SwitchUserProcessingFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, "user-that-doesnt-exist");
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
try {
Authentication result = filter.attemptSwitchUser(request);
fail("Should not be able to switch to user with expired account");
} catch (CredentialsExpiredException expected) {
// user credentials expired
}
filter.setUserDetailsService(new MockUserDetailsService());
filter.attemptSwitchUser(request);
}
public void testAttemptSwitchUser() throws Exception {
// set current user
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
SecurityContextHolder.getContext().setAuthentication(auth);
MockHttpServletRequest request = new MockHttpServletRequest();
request.addParameter(SwitchUserProcessingFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, "jacklord");
@Test(expected=DisabledException.class)
public void attemptSwitchToUserThatIsDisabledFails() throws Exception {
switchToUser("mcgarrett");
}
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
@Test(expected=AccountExpiredException.class)
public void attemptSwitchToUserWithAccountExpiredFails() throws Exception {
switchToUser("wofat");
}
Authentication result = filter.attemptSwitchUser(request);
assertTrue(result != null);
@Test(expected=CredentialsExpiredException.class)
public void attemptSwitchToUserWithExpiredCredentialsFails() throws Exception {
switchToUser("steve");
}
public void testSwitchToLockedAccountCausesRedirectToSwitchFailureUrl() throws Exception {
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
SecurityContextHolder.getContext().setAuthentication(auth);
@Test(expected=UsernameNotFoundException.class)
public void switchUserWithNullUsernameThrowsException() throws Exception {
switchToUser(null);
}
@Test
public void attemptSwitchUserIsSuccessfulWithValidUser() throws Exception {
assertNotNull(switchToUser("jacklord"));
}
MockHttpServletRequest request = createMockSwitchRequest();
@Test
public void switchToLockedAccountCausesRedirectToSwitchFailureUrl() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRequestURI("/j_spring_security_switch_user");
request.addParameter(SwitchUserProcessingFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, "mcgarrett");
MockHttpServletResponse response = new MockHttpServletResponse();
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
filter.setUserDetailsService(new MockUserDetailsService());
// Check it with no url set
// Check it with no url set (should get a text response)
filter.doFilterHttp(request, response, new MockFilterChain(false));
assertEquals("Switch user failed: User is disabled", response.getContentAsString());
// Now check for the redirect
request.setContextPath("/mywebapp");
request.setRequestURI("/mywebapp/j_spring_security_switch_user");
filter.setSwitchFailureUrl("/switchfailed");
response = new MockHttpServletResponse();
filter.doFilterHttp(request, response, new MockFilterChain(false));
assertEquals("/switchfailed", response.getRedirectedUrl());
}
public void testIfSwitchUserWithNullUsernameThrowsException() throws Exception {
// set current user
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
SecurityContextHolder.getContext().setAuthentication(auth);
MockHttpServletRequest request = new MockHttpServletRequest();
String username = null;
request.addParameter(SwitchUserProcessingFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, username);
filter.doFilterHttp(request, response, new MockFilterChain(true));
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
Authentication result = null ;
try {
result = filter.attemptSwitchUser(request);
fail("UsernameNotFoundException should have been thrown");
} catch (UsernameNotFoundException e) {
}
assertFalse(result != null);
assertEquals("/mywebapp/switchfailed", response.getRedirectedUrl());
assertEquals("/switchfailed", FieldUtils.getFieldValue(filter, "switchFailureUrl"));
}
public void testBadConfigMissingAuthenticationDao() {
@Test(expected=IllegalArgumentException.class)
public void configMissingUserDetailsServiceFails() throws Exception {
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setSwitchUserUrl("/j_spring_security_switch_user");
filter.setExitUserUrl("/j_spring_security_exit_user");
filter.setTargetUrl("/main.jsp");
try {
filter.afterPropertiesSet();
fail("Expect to fail due to missing 'authenticationDao'");
} catch (Exception expected) {
// expected exception
}
filter.afterPropertiesSet();
}
public void testBadConfigMissingTargetUrl() {
@Test(expected=IllegalArgumentException.class)
public void testBadConfigMissingTargetUrl() throws Exception {
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
filter.setUserDetailsService(new MockUserDetailsService());
filter.setSwitchUserUrl("/j_spring_security_switch_user");
filter.setExitUserUrl("/j_spring_security_exit_user");
try {
filter.afterPropertiesSet();
fail("Expect to fail due to missing 'targetUrl'");
} catch (Exception expected) {
// expected exception
}
filter.afterPropertiesSet();
}
public void testDefaultProcessesFilterUrlWithPathParameter() {
@Test
public void defaultProcessesFilterUrlMatchesUrlWithPathParameter() {
MockHttpServletRequest request = createMockSwitchRequest();
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setSwitchUserUrl("/j_spring_security_switch_user");
@ -259,7 +196,8 @@ public class SwitchUserProcessingFilterTests extends TestCase { @@ -259,7 +196,8 @@ public class SwitchUserProcessingFilterTests extends TestCase {
assertTrue(filter.requiresSwitchUser(request));
}
public void testExitRequestUserJackLordToDano() throws Exception {
@Test
public void exitUserJackLordToDanoSucceeds() throws Exception {
// original user
GrantedAuthority[] auths = {new GrantedAuthorityImpl("ROLE_ONE"), new GrantedAuthorityImpl("ROLE_TWO")};
UsernamePasswordAuthenticationToken source = new UsernamePasswordAuthenticationToken("dano", "hawaii50", auths);
@ -274,23 +212,17 @@ public class SwitchUserProcessingFilterTests extends TestCase { @@ -274,23 +212,17 @@ public class SwitchUserProcessingFilterTests extends TestCase {
SecurityContextHolder.getContext().setAuthentication(admin);
// http request
MockHttpServletRequest request = createMockSwitchRequest();
request.setRequestURI("/j_spring_security_exit_user");
// http response
MockHttpServletResponse response = new MockHttpServletResponse();
// setup filter
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
filter.setUserDetailsService(new MockUserDetailsService());
filter.setExitUserUrl("/j_spring_security_exit_user");
filter.setTargetUrl("/webapp/someOtherUrl");
MockFilterChain chain = new MockFilterChain(true);
// run 'exit'
filter.doFilter(request, response, chain);
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain(false));
// check current user, should be back to original user (dano)
Authentication targetAuth = SecurityContextHolder.getContext().getAuthentication();
@ -298,56 +230,44 @@ public class SwitchUserProcessingFilterTests extends TestCase { @@ -298,56 +230,44 @@ public class SwitchUserProcessingFilterTests extends TestCase {
assertEquals("dano", targetAuth.getPrincipal());
}
public void testExitUserWithNoCurrentUser() throws Exception {
@Test(expected=AuthenticationException.class)
public void exitUserWithNoCurrentUserFails() throws Exception {
// no current user in secure context
SecurityContextHolder.getContext().setAuthentication(null);
SecurityContextHolder.clearContext();
// http request
MockHttpServletRequest request = createMockSwitchRequest();
request.setRequestURI("/j_spring_security_exit_user");
// http response
MockHttpServletResponse response = new MockHttpServletResponse();
// setup filter
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
filter.setUserDetailsService(new MockUserDetailsService());
filter.setExitUserUrl("/j_spring_security_exit_user");
MockFilterChain chain = new MockFilterChain(true);
// run 'exit', expect fail due to no current user
try {
filter.doFilter(request, response, chain);
fail("Cannot exit from a user with no current user set!");
} catch (AuthenticationException expected) {}
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain(false));
}
public void testRedirectToTargetUrl() throws Exception {
// set current user
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
SecurityContextHolder.getContext().setAuthentication(auth);
@Test
public void redirectToTargetUrlIsCorrect() throws Exception {
MockHttpServletRequest request = createMockSwitchRequest();
request.setContextPath("/webapp");
request.addParameter(SwitchUserProcessingFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, "jacklord");
request.setRequestURI("/webapp/j_spring_security_switch_user");
MockHttpServletResponse response = new MockHttpServletResponse();
MockFilterChain chain = new MockFilterChain(true);
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setSwitchUserUrl("/j_spring_security_switch_user");
filter.setTargetUrl("/someOtherUrl");
filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
filter.setUserDetailsService(new MockUserDetailsService());
filter.doFilter(request, response, chain);
filter.doFilter(request, response, new MockFilterChain(false));
assertEquals("/webapp/someOtherUrl", response.getRedirectedUrl());
}
public void testRedirectOmitsContextPathIfUseRelativeContextSet() throws Exception {
@Test
public void redirectOmitsContextPathIfUseRelativeContextSet() throws Exception {
// set current user
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
SecurityContextHolder.getContext().setAuthentication(auth);
@ -358,42 +278,19 @@ public class SwitchUserProcessingFilterTests extends TestCase { @@ -358,42 +278,19 @@ public class SwitchUserProcessingFilterTests extends TestCase {
request.setRequestURI("/webapp/j_spring_security_switch_user");
MockHttpServletResponse response = new MockHttpServletResponse();
MockFilterChain chain = new MockFilterChain(true);
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setSwitchUserUrl("/j_spring_security_switch_user");
filter.setTargetUrl("/someOtherUrl");
filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
filter.setUserDetailsService(new MockUserDetailsService());
filter.setUseRelativeContext(true);
filter.doFilter(request, response, chain);
filter.doFilter(request, response, new MockFilterChain(false));
assertEquals("/someOtherUrl", response.getRedirectedUrl());
}
public void testRequiresExitUser() {
// filter
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setExitUserUrl("/j_spring_security_exit_user");
// request
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRequestURI("/j_spring_security_exit_user");
assertTrue(filter.requiresExitUser(request));
}
public void testRequiresSwitch() {
// filter
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setSwitchUserUrl("/j_spring_security_switch_user");
// request
MockHttpServletRequest request = createMockSwitchRequest();
assertTrue(filter.requiresSwitchUser(request));
}
@Test
public void testSwitchRequestFromDanoToJackLord() throws Exception {
// set current user
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
@ -409,7 +306,7 @@ public class SwitchUserProcessingFilterTests extends TestCase { @@ -409,7 +306,7 @@ public class SwitchUserProcessingFilterTests extends TestCase {
// setup filter
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
filter.setUserDetailsService(new MockUserDetailsService());
filter.setSwitchUserUrl("/j_spring_security_switch_user");
filter.setTargetUrl("/webapp/someOtherUrl");
@ -425,7 +322,8 @@ public class SwitchUserProcessingFilterTests extends TestCase { @@ -425,7 +322,8 @@ public class SwitchUserProcessingFilterTests extends TestCase {
assertEquals("jacklord", ((User) targetAuth.getPrincipal()).getUsername());
}
public void testModificationOfAuthoritiesWorks() {
@Test
public void modificationOfAuthoritiesWorks() {
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
SecurityContextHolder.getContext().setAuthentication(auth);
@ -433,7 +331,7 @@ public class SwitchUserProcessingFilterTests extends TestCase { @@ -433,7 +331,7 @@ public class SwitchUserProcessingFilterTests extends TestCase {
request.addParameter(SwitchUserProcessingFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, "jacklord");
SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
filter.setUserDetailsService(new MockUserDetailsService());
filter.setSwitchUserAuthorityChanger(new SwitchUserAuthorityChanger() {
public List modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, List authoritiesToBeGranted) {
List auths = new ArrayList();
@ -451,11 +349,10 @@ public class SwitchUserProcessingFilterTests extends TestCase { @@ -451,11 +349,10 @@ public class SwitchUserProcessingFilterTests extends TestCase {
//~ Inner Classes ==================================================================================================
private class MockAuthenticationDaoUserJackLord implements UserDetailsService {
private class MockUserDetailsService implements UserDetailsService {
private String password = "hawaii50";
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException {
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
// jacklord, dano (active)
// mcgarrett (disabled)
// wofat (account expired)

Write Preview
Loading…
Cancel
Save