|
|
|
|
@@ -15,13 +15,12 @@
|
|
|
|
|
*/ |
|
|
|
|
package org.springframework.security.config.annotation.web.configurers; |
|
|
|
|
|
|
|
|
|
import static org.assertj.core.api.Assertions.assertThat; |
|
|
|
|
|
|
|
|
|
import javax.servlet.http.HttpServletResponse; |
|
|
|
|
|
|
|
|
|
import org.junit.After; |
|
|
|
|
import org.junit.Before; |
|
|
|
|
import org.junit.Test; |
|
|
|
|
|
|
|
|
|
import org.springframework.beans.factory.annotation.Autowired; |
|
|
|
|
import org.springframework.context.annotation.Configuration; |
|
|
|
|
import org.springframework.http.HttpMethod; |
|
|
|
|
@@ -35,6 +34,8 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
|
|
|
|
|
import org.springframework.security.web.FilterChainProxy; |
|
|
|
|
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext; |
|
|
|
|
|
|
|
|
|
import static org.assertj.core.api.Assertions.assertThat; |
|
|
|
|
|
|
|
|
|
/** |
|
|
|
|
* @author Rob Winch |
|
|
|
|
* |
|
|
|
|
@@ -51,15 +52,16 @@ public class AuthorizeRequestsTests {
|
|
|
|
|
|
|
|
|
|
@Before |
|
|
|
|
public void setup() { |
|
|
|
|
request = new MockHttpServletRequest(); |
|
|
|
|
response = new MockHttpServletResponse(); |
|
|
|
|
chain = new MockFilterChain(); |
|
|
|
|
this.request = new MockHttpServletRequest(); |
|
|
|
|
this.request.setMethod("GET"); |
|
|
|
|
this.response = new MockHttpServletResponse(); |
|
|
|
|
this.chain = new MockFilterChain(); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@After |
|
|
|
|
public void cleanup() { |
|
|
|
|
if(context != null) { |
|
|
|
|
context.close(); |
|
|
|
|
if (this.context != null) { |
|
|
|
|
this.context.close(); |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@@ -67,34 +69,80 @@ public class AuthorizeRequestsTests {
|
|
|
|
|
@Test |
|
|
|
|
public void antMatchersMethodAndNoPatterns() throws Exception { |
|
|
|
|
loadConfig(AntMatchersNoPatternsConfig.class); |
|
|
|
|
request.setMethod("POST"); |
|
|
|
|
this.request.setMethod("POST"); |
|
|
|
|
|
|
|
|
|
springSecurityFilterChain.doFilter(request, response, chain); |
|
|
|
|
this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); |
|
|
|
|
|
|
|
|
|
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN); |
|
|
|
|
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@EnableWebSecurity |
|
|
|
|
@Configuration |
|
|
|
|
static class AntMatchersNoPatternsConfig extends WebSecurityConfigurerAdapter { |
|
|
|
|
@Override |
|
|
|
|
protected void configure(HttpSecurity http) throws Exception { |
|
|
|
|
// @formatter:off
|
|
|
|
|
http |
|
|
|
|
.authorizeRequests() |
|
|
|
|
.antMatchers(HttpMethod.POST).denyAll(); |
|
|
|
|
// @formatter:on
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@Override |
|
|
|
|
protected void configure(AuthenticationManagerBuilder auth) throws Exception { |
|
|
|
|
// @formatter:off
|
|
|
|
|
auth |
|
|
|
|
.inMemoryAuthentication(); |
|
|
|
|
// @formatter:on
|
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// SEC-2256
|
|
|
|
|
@Test |
|
|
|
|
public void antMatchersPathVariables() throws Exception { |
|
|
|
|
loadConfig(AntPatchersPathVariables.class); |
|
|
|
|
|
|
|
|
|
this.request.setServletPath("/user/user"); |
|
|
|
|
|
|
|
|
|
this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); |
|
|
|
|
|
|
|
|
|
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK); |
|
|
|
|
|
|
|
|
|
this.setup(); |
|
|
|
|
this.request.setServletPath("/user/deny"); |
|
|
|
|
|
|
|
|
|
this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); |
|
|
|
|
|
|
|
|
|
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@EnableWebSecurity |
|
|
|
|
@Configuration |
|
|
|
|
static class AntPatchersPathVariables extends WebSecurityConfigurerAdapter { |
|
|
|
|
@Override |
|
|
|
|
protected void configure(HttpSecurity http) throws Exception { |
|
|
|
|
// @formatter:off
|
|
|
|
|
http |
|
|
|
|
.authorizeRequests() |
|
|
|
|
.antMatchers("/user/{user}").access("#user == 'user'") |
|
|
|
|
.anyRequest().denyAll(); |
|
|
|
|
// @formatter:on
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@Override |
|
|
|
|
protected void configure(AuthenticationManagerBuilder auth) throws Exception { |
|
|
|
|
// @formatter:off
|
|
|
|
|
auth |
|
|
|
|
.inMemoryAuthentication(); |
|
|
|
|
// @formatter:on
|
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
public void loadConfig(Class<?>... configs) { |
|
|
|
|
context = new AnnotationConfigWebApplicationContext(); |
|
|
|
|
context.register(configs); |
|
|
|
|
context.refresh(); |
|
|
|
|
this.context = new AnnotationConfigWebApplicationContext(); |
|
|
|
|
this.context.register(configs); |
|
|
|
|
this.context.refresh(); |
|
|
|
|
|
|
|
|
|
context.getAutowireCapableBeanFactory().autowireBean(this); |
|
|
|
|
this.context.getAutowireCapableBeanFactory().autowireBean(this); |
|
|
|
|
} |
|
|
|
|
} |
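Review bot: antMatchersPathVariables calls the @Before lifecycle method `this.setup()` in the middle of the test to obtain a fresh request/response/chain for the `/user/deny` exchange; invoking a JUnit lifecycle method explicitly is easy to overlook and couples the second assertion to setup's incidental defaults (the GET method it sets, for instance). Moving the `/user/deny` exchange into its own test method, or extracting a private helper that only rebuilds the three mocks, keeps the intent visible and leaves setup() to the runner. The new config class name `AntPatchersPathVariables` looks like a typo for `AntMatchersPathVariablesConfig`, which would also match the sibling `AntMatchersNoPatternsConfig` in the same hunk. Since the test sends no credentials and the AuthenticationManagerBuilder only calls `inMemoryAuthentication()` with no users, the 200/403 outcome presumably depends solely on the bound `{user}` path variable rather than on any principal; a comment above the test such as `// no user is authenticated: the 200 vs 403 outcome is decided only by the bound {user} path variable (SEC-2256)` would record why the access expression compares the path variable instead of the principal.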