|
@@ -16,14 +16,8 @@
|
|
|
|
|
|
package org.springframework.security.web.authentication.www;
|
|
|
|
|
|
-import static org.assertj.core.api.Assertions.assertThat;
|
|
|
-import static org.mockito.Mockito.mock;
|
|
|
-import static org.mockito.Mockito.times;
|
|
|
-import static org.mockito.Mockito.verify;
|
|
|
-
|
|
|
import java.io.IOException;
|
|
|
import java.util.Map;
|
|
|
-
|
|
|
import javax.servlet.Filter;
|
|
|
import javax.servlet.FilterChain;
|
|
|
import javax.servlet.ServletException;
|
|
@@ -34,6 +28,7 @@ import org.apache.commons.codec.digest.DigestUtils;
|
|
|
import org.junit.After;
|
|
|
import org.junit.Before;
|
|
|
import org.junit.Test;
|
|
|
+
|
|
|
import org.springframework.mock.web.MockHttpServletRequest;
|
|
|
import org.springframework.mock.web.MockHttpServletResponse;
|
|
|
import org.springframework.security.authentication.TestingAuthenticationToken;
|
|
@@ -47,6 +42,11 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
|
|
import org.springframework.security.core.userdetails.cache.NullUserCache;
|
|
|
import org.springframework.util.StringUtils;
|
|
|
|
|
|
+import static org.assertj.core.api.Assertions.assertThat;
|
|
|
+import static org.mockito.Mockito.mock;
|
|
|
+import static org.mockito.Mockito.times;
|
|
|
+import static org.mockito.Mockito.verify;
|
|
|
+
|
|
|
/**
|
|
|
* Tests {@link DigestAuthenticationFilter}.
|
|
|
*
|
|
@@ -110,8 +110,12 @@ public class DigestAuthenticationFilterTests {
|
|
|
}
|
|
|
|
|
|
private static String generateNonce(int validitySeconds) {
|
|
|
+ return generateNonce(validitySeconds, KEY);
|
|
|
+ }
|
|
|
+
|
|
|
+ private static String generateNonce(int validitySeconds, String key) {
|
|
|
long expiryTime = System.currentTimeMillis() + (validitySeconds * 1000);
|
|
|
- String signatureValue = DigestUtils.md5Hex(expiryTime + ":" + KEY);
|
|
|
+ String signatureValue = DigestUtils.md5Hex(expiryTime + ":" + key);
|
|
|
String nonceValue = expiryTime + ":" + signatureValue;
|
|
|
|
|
|
return new String(Base64.encodeBase64(nonceValue.getBytes()));
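Review bot: The new two-argument `generateNonce` overload has no Javadoc, and the reason a caller would pass a key other than the test's `KEY` is not stated anywhere in the hunk; a one-line comment would make the intent of the forthcoming bad-key test clear to the next reader, e.g. `/** Builds an unexpired nonce signed with {@code key}; pass a key other than {@link #KEY} to produce a nonce the filter's own key cannot verify. */`. The retained `validitySeconds * 1000` on the first body line is int arithmetic and would overflow for large validity values; `validitySeconds * 1000L` avoids that, though this line predates the change. The `nonceValue.getBytes()` call on the return line uses the platform charset, which is presumably deliberate so the helper mirrors the production filter's encoding — worth a comment confirming that rather than leaving it implicit. The method's closing brace lies outside the hunk.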
|
|
@@ -172,6 +176,22 @@ public class DigestAuthenticationFilterTests {
|
|
|
assertThat(headerMap.get("stale")).isEqualTo("true");
|
|
|
}
|
|
|
|
|
|
+ @Test
|
|
|
+ public void doFilterWhenNonceHasBadKeyThenGeneratesError() throws Exception {
|
|
|
+ String badNonce = generateNonce(60, "badkey");
|
|
|
+ String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
|
|
|
+ PASSWORD, "GET", REQUEST_URI, QOP, badNonce, NC, CNONCE);
|
|
|
+
|
|
|
+ request.addHeader("Authorization", createAuthorizationHeader(USERNAME, REALM,
|
|
|
+ badNonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
|
|
|
+
|
|
|
+ MockHttpServletResponse response =
|
|
|
+ executeFilterInContainerSimulator(filter, request, false);
|
|
|
+
|
|
|
+ assertThat(response.getStatus()).isEqualTo(401);
|
|
|
+ assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
|
|
|
+ }
|
|
|
+
|
|
|
@Test
|
|
|
public void testFilterIgnoresRequestsContainingNoAuthorizationHeader()
|
|
|
throws Exception {
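Review bot: `doFilterWhenNonceHasBadKeyThenGeneratesError` asserts only the 401 status and an empty security context, so it would not catch a regression where a nonce with a forged signature is reported back to the client as stale, which invites a retry with the same credentials instead of a clean challenge; the nonce built by `generateNonce(60, "badkey")` is well-formed and unexpired, so the signature is the only thing wrong with it and that distinction is exactly what the test should pin. The sibling test just above already parses the challenge (`assertThat(headerMap.get("stale")).isEqualTo("true");`), so the same parsing can be reused here to add `assertThat(response.getHeader("WWW-Authenticate")).isNotNull();` followed by an assertion that the `stale` directive is absent or not `"true"`, on the presumption that the filter treats a bad signature as bad credentials rather than as nonce expiry — confirm against the filter before adding it. The method name says "GeneratesError" while the body only checks the status code; naming it after the observed outcome (e.g. `...ThenUnauthorized`) would match the assertion better. The next method's body continues outside the hunk.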
|