AbstractSecurityWebApplicationInitializerTests groovy->java

Issue gh-4939

web/src/test/groovy/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializerTests.groovy

@@ -1,308 +0,0 @@
-/*
- * Copyright 2002-2013 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.web.context;
-
-import javax.servlet.DispatcherType
-import javax.servlet.Filter
-import javax.servlet.FilterRegistration
-import javax.servlet.ServletContext
-import javax.servlet.SessionTrackingMode
-
-import org.springframework.context.annotation.Configuration
-import org.springframework.security.web.session.HttpSessionEventPublisher
-import org.springframework.web.context.ContextLoaderListener
-import org.springframework.web.filter.DelegatingFilterProxy
-
-import spock.lang.Specification
-
-/**
- * @author Rob Winch
- *
- */
-class AbstractSecurityWebApplicationInitializerTests extends Specification {
-	def DEFAULT_DISPATCH = EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC)
-
-	def defaults() {
-		setup:
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){}.onStartup(context)
-		then:
-			1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-			1 * registration.addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
-			1 * registration.setAsyncSupported(true)
-			0 * context.addListener(_)
-	}
-
-	def "defaults with ContextLoaderListener"() {
-		setup:
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(MyRootConfiguration){}.onStartup(context)
-		then:
-			1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-			1 * registration.addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
-			1 * registration.setAsyncSupported(true)
-			1 * context.addListener(_ as ContextLoaderListener)
-	}
-
-	@Configuration
-	static class MyRootConfiguration {}
-
-	def "enableHttpSessionEventPublisher() = true"() {
-		setup:
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){
-				protected boolean enableHttpSessionEventPublisher() {
-					return true;
-				}
-			}.onStartup(context)
-		then:
-			1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-			1 * registration.addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
-			1 * registration.setAsyncSupported(true)
-			1 * context.addListener(HttpSessionEventPublisher.class.name)
-	}
-
-	def "custom getSecurityDispatcherTypes()"() {
-		setup:
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){
-				protected EnumSet<DispatcherType> getSecurityDispatcherTypes() {
-					return EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.FORWARD);
-				}
-			}.onStartup(context)
-		then:
-			1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-			1 * registration.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.FORWARD), false, "/*");
-			1 * registration.setAsyncSupported(true)
-			0 * context.addListener(_)
-	}
-
-	def "custom getDispatcherWebApplicationContextSuffix"() {
-		setup:
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){
-				protected String getDispatcherWebApplicationContextSuffix() {
-					return "dispatcher"
-				}
-			}.onStartup(context)
-		then:
-			1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == "org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher"}) >> registration
-			1 * registration.addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
-			1 * registration.setAsyncSupported(true)
-			0 * context.addListener(_)
-	}
-
-	def "springSecurityFilterChain already registered"() {
-		setup:
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){}.onStartup(context)
-		then:
-			1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> null
-			IllegalStateException success = thrown()
-			success.message == "Duplicate Filter registration for 'springSecurityFilterChain'. Check to ensure the Filter is only configured once."
-	}
-
-	def "insertFilters"() {
-		setup:
-			Filter filter1 = Mock()
-			Filter filter2 = Mock()
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){
-				protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
-					insertFilters(context, filter1, filter2);
-				}
-			}.onStartup(context)
-		then:
-			1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-			3 * registration.addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
-			3 * registration.setAsyncSupported(true)
-			0 * context.addListener(_)
-			1 * context.addFilter(_, filter1) >> registration
-			1 * context.addFilter(_, filter2) >> registration
-	}
-
-	def "insertFilters already registered"() {
-		setup:
-			Filter filter1 = Mock()
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){
-				protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
-					insertFilters(context, filter1);
-				}
-			}.onStartup(context)
-		then:
-			1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-			1 * registration.addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
-			1 * context.addFilter(_, filter1) >> null
-			IllegalStateException success = thrown()
-			success.message == "Duplicate Filter registration for 'filter'. Check to ensure the Filter is only configured once."
-	}
-
-	def "insertFilters no filters"() {
-		setup:
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){
-				protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
-					insertFilters(context);
-				}
-			}.onStartup(context)
-		then:
-			1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-			IllegalArgumentException success = thrown()
-			success.message == "filters cannot be null or empty"
-	}
-
-	def "insertFilters filters with null"() {
-		setup:
-			Filter filter1 = Mock()
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){
-				protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
-					insertFilters(context,  filter1, null);
-				}
-			}.onStartup(context)
-		then:
-			2 * context.addFilter(_, _) >> registration
-			IllegalArgumentException success = thrown()
-			success.message == "filters cannot contain null values. Got [Mock for type 'Filter' named 'filter1', null]"
-	}
-
-	def "appendFilters"() {
-		setup:
-			Filter filter1 = Mock()
-			Filter filter2 = Mock()
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){
-				protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
-					appendFilters(context,filter1, filter2);
-				}
-			}.onStartup(context)
-		then:
-			1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-			1 * registration.addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
-			2 * registration.addMappingForUrlPatterns(DEFAULT_DISPATCH, true, "/*");
-			3 * registration.setAsyncSupported(true)
-			0 * context.addListener(_)
-			1 * context.addFilter(_, filter1) >> registration
-			1 * context.addFilter(_, filter2) >> registration
-	}
-
-	def "appendFilters already registered"() {
-		setup:
-			Filter filter1 = Mock()
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){
-				protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
-					appendFilters(context, filter1);
-				}
-			}.onStartup(context)
-		then:
-			1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-			1 * registration.addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
-			1 * context.addFilter(_, filter1) >> null
-			IllegalStateException success = thrown()
-			success.message == "Duplicate Filter registration for 'filter'. Check to ensure the Filter is only configured once."
-	}
-
-	def "appendFilters no filters"() {
-		setup:
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){
-				protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
-					appendFilters(context);
-				}
-			}.onStartup(context)
-		then:
-			1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-			IllegalArgumentException success = thrown()
-			success.message == "filters cannot be null or empty"
-	}
-
-	def "sessionTrackingModes defaults"() {
-		setup:
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){ }.onStartup(context)
-		then:
-			1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-			1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.COOKIE]) })
-	}
-
-	def "sessionTrackingModes override"() {
-		setup:
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){
-				@Override
-				public Set<SessionTrackingMode> getSessionTrackingModes() {
-					return [SessionTrackingMode.SSL]
-				}
-			}.onStartup(context)
-		then:
-			1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-			1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.SSL]) })
-	}
-
-	def "appendFilters filters with null"() {
-		setup:
-			Filter filter1 = Mock()
-			ServletContext context = Mock()
-			FilterRegistration.Dynamic registration = Mock()
-		when:
-			new AbstractSecurityWebApplicationInitializer(){
-				protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
-					appendFilters(context,  filter1, null);
-				}
-			}.onStartup(context)
-		then:
-			2 * context.addFilter(_, _) >> registration
-			IllegalArgumentException success = thrown()
-			success.message == "filters cannot contain null values. Got [Mock for type 'Filter' named 'filter1', null]"
-	}
-
-	def "DEFAULT_FILTER_NAME == springSecurityFilterChain"() {
-		expect:
-			AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME == "springSecurityFilterChain"
-	}
-}

web/src/test/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializerTests.java

@@ -0,0 +1,447 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.context;
+
+import java.util.Collections;
+import java.util.EnumSet;
+import java.util.EventListener;
+import java.util.HashSet;
+import java.util.Set;
+import javax.servlet.DispatcherType;
+import javax.servlet.Filter;
+import javax.servlet.FilterRegistration;
+import javax.servlet.ServletContext;
+import javax.servlet.SessionTrackingMode;
+
+import org.junit.Test;
+import org.mockito.ArgumentCaptor;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.web.session.HttpSessionEventPublisher;
+import org.springframework.web.context.ContextLoaderListener;
+import org.springframework.web.filter.DelegatingFilterProxy;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.doNothing;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.powermock.api.mockito.PowerMockito.when;
+
+/**
+ * @author Rob Winch
+ * @author Josh Cummings
+ */
+public class AbstractSecurityWebApplicationInitializerTests {
+	private static final EnumSet<DispatcherType> DEFAULT_DISPATCH =
+			EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC);
+
+	@Test
+	public void onStartupWhenDefaultContextThenRegistersSpringSecurityFilterChain() {
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+
+		new AbstractSecurityWebApplicationInitializer() {}.onStartup(context);
+
+		assertProxyDefaults(proxyCaptor.getValue());
+
+		verify(registration).addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
+		verify(registration).setAsyncSupported(true);
+		verifyNoAddListener(context);
+	}
+
+	@Test
+	public void onStartupWhenConfigurationClassThenAddsContextLoaderListener() {
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+
+		new AbstractSecurityWebApplicationInitializer(MyRootConfiguration.class) {}.onStartup(context);
+
+		assertProxyDefaults(proxyCaptor.getValue());
+
+		verify(registration).addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
+		verify(registration).setAsyncSupported(true);
+		verify(context).addListener(any(ContextLoaderListener.class));
+	}
+
+	@Configuration
+	static class MyRootConfiguration {}
+
+	@Test
+	public void onStartupWhenEnableHttpSessionEventPublisherIsTrueThenAddsHttpSessionEventPublisher() {
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+
+		new AbstractSecurityWebApplicationInitializer() {
+			protected boolean enableHttpSessionEventPublisher() {
+				return true;
+			}
+		}.onStartup(context);
+
+		assertProxyDefaults(proxyCaptor.getValue());
+
+		verify(registration).addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
+		verify(registration).setAsyncSupported(true);
+		verify(context).addListener(HttpSessionEventPublisher.class.getName());
+	}
+
+	@Test
+	public void onStartupWhenCustomSecurityDispatcherTypesThenUses() {
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+
+		new AbstractSecurityWebApplicationInitializer() {
+			protected EnumSet<DispatcherType> getSecurityDispatcherTypes() {
+				return EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.FORWARD);
+			}
+		}.onStartup(context);
+
+		assertProxyDefaults(proxyCaptor.getValue());
+
+		verify(registration).addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.FORWARD), false, "/*");
+		verify(registration).setAsyncSupported(true);
+		verifyNoAddListener(context);
+	}
+
+	@Test
+	public void onStartupWhenCustomDispatcherWebApplicationContextSuffixThenUses() {
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+
+		new AbstractSecurityWebApplicationInitializer() {
+			protected String getDispatcherWebApplicationContextSuffix() {
+				return "dispatcher";
+			}
+		}.onStartup(context);
+
+		DelegatingFilterProxy proxy = proxyCaptor.getValue();
+		assertThat(proxy.getContextAttribute())
+				.isEqualTo("org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher");
+		assertThat(proxy).hasFieldOrPropertyWithValue("targetBeanName", "springSecurityFilterChain");
+
+		verify(registration).addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
+		verify(registration).setAsyncSupported(true);
+		verifyNoAddListener(context);
+	}
+
+	@Test
+	public void onStartupWhenSpringSecurityFilterChainAlreadyRegisteredThenException() {
+		ServletContext context = mock(ServletContext.class);
+
+		assertThatCode(() ->
+			new AbstractSecurityWebApplicationInitializer() {}.onStartup(context))
+			.isInstanceOf(IllegalStateException.class)
+			.hasMessage("Duplicate Filter registration for 'springSecurityFilterChain'. " +
+					"Check to ensure the Filter is only configured once.");
+	}
+
+	@Test
+	public void onStartupWhenInsertFiltersThenInserted() {
+		Filter filter1 = mock(Filter.class);
+		Filter filter2 = mock(Filter.class);
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+		when(context.addFilter(anyString(), eq(filter1))).thenReturn(registration);
+		when(context.addFilter(anyString(), eq(filter2))).thenReturn(registration);
+
+		new AbstractSecurityWebApplicationInitializer() {
+			protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
+				insertFilters(context, filter1, filter2);
+			}
+		}.onStartup(context);
+
+		assertProxyDefaults(proxyCaptor.getValue());
+
+		verify(registration, times(3)).addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
+		verify(registration, times(3)).setAsyncSupported(true);
+		verifyNoAddListener(context);
+		verify(context).addFilter(anyString(), eq(filter1));
+		verify(context).addFilter(anyString(), eq(filter2));
+	}
+
+	@Test
+	public void onStartupWhenDuplicateFilterInsertedThenException() {
+		Filter filter1 = mock(Filter.class);
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+
+		assertThatCode(() ->
+			new AbstractSecurityWebApplicationInitializer() {
+				protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
+					insertFilters(context, filter1);
+				}
+			}.onStartup(context))
+				.isInstanceOf(IllegalStateException.class)
+				.hasMessage("Duplicate Filter registration for 'object'. " +
+								"Check to ensure the Filter is only configured once.");
+
+		assertProxyDefaults(proxyCaptor.getValue());
+
+		verify(registration).addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
+		verify(context).addFilter(anyString(), eq(filter1));
+	}
+
+	@Test
+	public void onStartupWhenInsertFiltersEmptyThenException() {
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+
+		assertThatCode(() ->
+			new AbstractSecurityWebApplicationInitializer() {
+				protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
+					insertFilters(context);
+				}
+			}.onStartup(context))
+				.isInstanceOf(IllegalArgumentException.class)
+				.hasMessage("filters cannot be null or empty");
+
+		assertProxyDefaults(proxyCaptor.getValue());
+	}
+
+	@Test
+	public void onStartupWhenNullFilterInsertedThenException() {
+		Filter filter = mock(Filter.class);
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+		when(context.addFilter(anyString(), eq(filter))).thenReturn(registration);
+
+		assertThatCode(() ->
+				new AbstractSecurityWebApplicationInitializer() {
+					protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
+						insertFilters(context, filter, null);
+					}
+				}.onStartup(context))
+				.isInstanceOf(IllegalArgumentException.class)
+				.hasMessageContaining("filters cannot contain null values");
+
+		verify(context, times(2)).addFilter(anyString(), any(Filter.class));
+	}
+
+	@Test
+	public void onStartupWhenAppendFiltersThenAppended() {
+		Filter filter1 = mock(Filter.class);
+		Filter filter2 = mock(Filter.class);
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+		when(context.addFilter(anyString(), eq(filter1))).thenReturn(registration);
+		when(context.addFilter(anyString(), eq(filter2))).thenReturn(registration);
+
+		new AbstractSecurityWebApplicationInitializer() {
+			protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
+				appendFilters(context, filter1, filter2);
+			}
+		}.onStartup(context);
+
+		verify(registration, times(1)).addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
+		verify(registration, times(2)).addMappingForUrlPatterns(DEFAULT_DISPATCH, true, "/*");
+		verify(registration, times(3)).setAsyncSupported(true);
+		verifyNoAddListener(context);
+		verify(context, times(3)).addFilter(anyString(), any(Filter.class));
+	}
+
+	@Test
+	public void onStartupWhenDuplicateFilterAppendedThenException() {
+		Filter filter1 = mock(Filter.class);
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+
+		assertThatCode(() ->
+				new AbstractSecurityWebApplicationInitializer() {
+					protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
+						appendFilters(context, filter1);
+					}
+				}.onStartup(context))
+				.isInstanceOf(IllegalStateException.class)
+				.hasMessage("Duplicate Filter registration for 'object'. " +
+						"Check to ensure the Filter is only configured once.");
+
+		assertProxyDefaults(proxyCaptor.getValue());
+
+		verify(registration).addMappingForUrlPatterns(DEFAULT_DISPATCH, false, "/*");
+		verify(context).addFilter(anyString(), eq(filter1));
+	}
+
+
+	@Test
+	public void onStartupWhenAppendFiltersEmptyThenException() {
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+
+		assertThatCode(() ->
+				new AbstractSecurityWebApplicationInitializer() {
+					protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
+						appendFilters(context);
+					}
+				}.onStartup(context))
+				.isInstanceOf(IllegalArgumentException.class)
+				.hasMessage("filters cannot be null or empty");
+
+		assertProxyDefaults(proxyCaptor.getValue());
+	}
+
+	@Test
+	public void onStartupWhenNullFilterAppendedThenException() {
+		Filter filter = mock(Filter.class);
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+		when(context.addFilter(anyString(), eq(filter))).thenReturn(registration);
+
+		assertThatCode(() ->
+				new AbstractSecurityWebApplicationInitializer() {
+					protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
+						appendFilters(context, filter, null);
+					}
+				}.onStartup(context))
+				.isInstanceOf(IllegalArgumentException.class)
+				.hasMessageContaining("filters cannot contain null values");
+
+		verify(context, times(2)).addFilter(anyString(), any(Filter.class));
+	}
+
+	@Test
+	public void onStartupWhenDefaultsThenSessionTrackingModes() {
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+
+		ArgumentCaptor<Set<SessionTrackingMode>> modesCaptor = ArgumentCaptor
+				.forClass(new HashSet<SessionTrackingMode>(){}.getClass());
+		doNothing().when(context).setSessionTrackingModes(modesCaptor.capture());
+
+		new AbstractSecurityWebApplicationInitializer() { }.onStartup(context);
+
+		assertProxyDefaults(proxyCaptor.getValue());
+
+		Set<SessionTrackingMode> modes = modesCaptor.getValue();
+		assertThat(modes).hasSize(1);
+		assertThat(modes).containsExactly(SessionTrackingMode.COOKIE);
+	}
+
+	@Test
+	public void onStartupWhenSessionTrackingModesConfiguredThenUsed() {
+		ServletContext context = mock(ServletContext.class);
+		FilterRegistration.Dynamic registration = mock(FilterRegistration.Dynamic.class);
+
+		ArgumentCaptor<DelegatingFilterProxy> proxyCaptor = ArgumentCaptor.forClass(DelegatingFilterProxy.class);
+		when(context.addFilter(eq("springSecurityFilterChain"), proxyCaptor.capture()))
+				.thenReturn(registration);
+
+		ArgumentCaptor<Set<SessionTrackingMode>> modesCaptor = ArgumentCaptor
+				.forClass(new HashSet<SessionTrackingMode>(){}.getClass());
+		doNothing().when(context).setSessionTrackingModes(modesCaptor.capture());
+
+		new AbstractSecurityWebApplicationInitializer() {
+			@Override
+			public Set<SessionTrackingMode> getSessionTrackingModes() {
+				return Collections.singleton(SessionTrackingMode.SSL);
+			}
+		}.onStartup(context);
+
+		assertProxyDefaults(proxyCaptor.getValue());
+
+		Set<SessionTrackingMode> modes = modesCaptor.getValue();
+		assertThat(modes).hasSize(1);
+		assertThat(modes).containsExactly(SessionTrackingMode.SSL);
+	}
+
+	@Test
+	public void defaultFilterNameEqualsSpringSecurityFilterChain() {
+		assertThat(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
+				.isEqualTo("springSecurityFilterChain");
+	}
+
+	private static void verifyNoAddListener(ServletContext context) {
+		verify(context, times(0)).addListener(anyString());
+		verify(context, times(0)).addListener(any(EventListener.class));
+		verify(context, times(0)).addListener(any(Class.class));
+	}
+
+	private static void assertProxyDefaults(DelegatingFilterProxy proxy) {
+		assertThat(proxy.getContextAttribute()).isNull();
+		assertThat(proxy).hasFieldOrPropertyWithValue("targetBeanName", "springSecurityFilterChain");
+	}
+}