SEC-418: Changed interface SwitchAuthorityChanger to return List rather than expecting modification of passed in List of authorities.

18 years ago · e63fa0f610
3 changed files with 34 additions and 4 deletions
--- a/core/src/main/java/org/springframework/security/ui/switchuser/SwitchUserAuthorityChanger.java
+++ b/core/src/main/java/org/springframework/security/ui/switchuser/SwitchUserAuthorityChanger.java
@ -25,6 +25,8 @@ public interface SwitchUserAuthorityChanger {
				@@ -25,6 +25,8 @@ public interface SwitchUserAuthorityChanger {
     * @param currentAuthentication the current Authentication of the principal performing the switching
     * @param authoritiesToBeGranted all {@link GrantedAuthority} instances to be granted to the user,
     * excluding the special "switch user" authority that is used internally (guaranteed never null)
+     *
+     * @return the modified list of granted authorities.
     */
-    void modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, List authoritiesToBeGranted);
+    List modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, List authoritiesToBeGranted);
 }
--- a/core/src/main/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilter.java
+++ b/core/src/main/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilter.java
@ -25,6 +25,7 @@ import org.springframework.security.DisabledException;
				@@ -25,6 +25,7 @@ import org.springframework.security.DisabledException;
 import org.springframework.security.GrantedAuthority;
 import org.springframework.security.LockedException;
 import org.springframework.security.util.RedirectUtils;
+import org.springframework.security.util.AuthorityUtils;

 import org.springframework.security.context.SecurityContextHolder;

@ -283,15 +284,15 @@ public class SwitchUserProcessingFilter extends SpringSecurityFilter implements
				@@ -283,15 +284,15 @@ public class SwitchUserProcessingFilter extends SpringSecurityFilter implements

        // Allow subclasses to change the authorities to be granted
        if (switchUserAuthorityChanger != null) {
-            switchUserAuthorityChanger.modifyGrantedAuthorities(targetUser, currentAuth, orig);
+            orig = switchUserAuthorityChanger.modifyGrantedAuthorities(targetUser, currentAuth, orig);
        }

        // add the new switch user authority
        List newAuths = new ArrayList(orig);
        newAuths.add(switchAuthority);

-        GrantedAuthority[] authorities = {};
-        authorities = (GrantedAuthority[]) newAuths.toArray(authorities);
+        GrantedAuthority[] authorities =
+                (GrantedAuthority[]) newAuths.toArray(new GrantedAuthority[newAuths.size()]);

        // create the new authentication token
        targetUserRequest = new UsernamePasswordAuthenticationToken(targetUser, targetUser.getPassword(), authorities);
--- a/core/src/test/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilterTests.java
+++ b/core/src/test/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilterTests.java
@ -41,6 +41,9 @@ import org.springframework.dao.DataAccessException;
				@@ -41,6 +41,9 @@ import org.springframework.dao.DataAccessException;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;

+import java.util.List;
+import java.util.ArrayList;
+

 /**
 * Tests {@link org.springframework.security.ui.switchuser.SwitchUserProcessingFilter}.
@ -400,6 +403,30 @@ public class SwitchUserProcessingFilterTests extends TestCase {
				@@ -400,6 +403,30 @@ public class SwitchUserProcessingFilterTests extends TestCase {
        assertEquals("jacklord", ((User) targetAuth.getPrincipal()).getUsername());
    }

+    public void testModificationOfAuthoritiesWorks() {
+        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
+        SecurityContextHolder.getContext().setAuthentication(auth);
+
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.addParameter(SwitchUserProcessingFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, "jacklord");
+
+        SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
+        filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
+        filter.setSwitchUserAuthorityChanger(new SwitchUserAuthorityChanger() {
+            public List modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, List authoritiesToBeGranted) {
+                List auths = new ArrayList();
+                auths.add(new GrantedAuthorityImpl("ROLE_NEW"));
+                return auths;
+            }
+        });
+
+        Authentication result = filter.attemptSwitchUser(request);
+        assertTrue(result != null);
+        assertEquals(2, result.getAuthorities().length);
+        assertEquals("ROLE_NEW", result.getAuthorities()[0].getAuthority());
+    }
+
+
    //~ Inner Classes ==================================================================================================

    private class MockAuthenticationDaoUserJackLord implements UserDetailsService {