Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Use ServletContext in AuthorizationManagerWebInvocationPrivilegeEvaluator

Closes gh-10908
Marcus Da Coregio 3 years ago
parent
6e45a376cd
commit
c67632225d
2 changed files with 27 additions and 4 deletions
Unified View Show Diff Stats
  1. 13 3
      web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
  2. 14 1
      web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java

+ 13 - 3
web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
View File 

@@ -1,5 +1,5 @@
 
 /*
 
 /*
 
- * Copyright 2002-2021 the original author or authors.
 
+ * Copyright 2002-2022 the original author or authors.
 
  *
 
  *
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * you may not use this file except in compliance with the License.
 
  * you may not use this file except in compliance with the License.
 
@@ -16,6 +16,7 @@
 
 
 
 package org.springframework.security.web.access;
 
 package org.springframework.security.web.access;
 
 
 
+import javax.servlet.ServletContext;
 
 import javax.servlet.http.HttpServletRequest;
 
 import javax.servlet.http.HttpServletRequest;
 
 
 
 import org.springframework.security.authorization.AuthorizationDecision;
 
 import org.springframework.security.authorization.AuthorizationDecision;
 
@@ -23,6 +24,7 @@ import org.springframework.security.authorization.AuthorizationManager;
 
 import org.springframework.security.core.Authentication;
 
 import org.springframework.security.core.Authentication;
 
 import org.springframework.security.web.FilterInvocation;
 
 import org.springframework.security.web.FilterInvocation;
 
 import org.springframework.util.Assert;
 
 import org.springframework.util.Assert;
 
+import org.springframework.web.context.ServletContextAware;
 
 
 
 /**
 
 /**
 
  * An implementation of {@link WebInvocationPrivilegeEvaluator} which delegates the checks
 
  * An implementation of {@link WebInvocationPrivilegeEvaluator} which delegates the checks
 
@@ -31,10 +33,13 @@ import org.springframework.util.Assert;
 
  * @author Marcus Da Coregio
 
  * @author Marcus Da Coregio
 
  * @since 5.5.5
 
  * @since 5.5.5
 
  */
 
  */
 
-public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implements WebInvocationPrivilegeEvaluator {
 
+public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
 
+		implements WebInvocationPrivilegeEvaluator, ServletContextAware {
 
 
 
 	private final AuthorizationManager<HttpServletRequest> authorizationManager;
 
 	private final AuthorizationManager<HttpServletRequest> authorizationManager;
 
 
 
+	private ServletContext servletContext;
 
+
 
 	public AuthorizationManagerWebInvocationPrivilegeEvaluator(
 
 	public AuthorizationManagerWebInvocationPrivilegeEvaluator(
 
 			AuthorizationManager<HttpServletRequest> authorizationManager) {
 
 			AuthorizationManager<HttpServletRequest> authorizationManager) {
 
 		Assert.notNull(authorizationManager, "authorizationManager cannot be null");
 
 		Assert.notNull(authorizationManager, "authorizationManager cannot be null");
 
@@ -48,10 +53,15 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implement
 
 
 
 	@Override
 
 	@Override
 
 	public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
 
 	public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
 
-		FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);
 
+		FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
 
 		AuthorizationDecision decision = this.authorizationManager.check(() -> authentication,
 
 		AuthorizationDecision decision = this.authorizationManager.check(() -> authentication,
 
 				filterInvocation.getHttpRequest());
 
 				filterInvocation.getHttpRequest());
 
 		return decision == null || decision.isGranted();
 
 		return decision == null || decision.isGranted();
 
 	}
 
 	}
 
 
 
+	@Override
 
+	public void setServletContext(ServletContext servletContext) {
 
+		this.servletContext = servletContext;
 
+	}
 
+
 
 }
 
 }

+ 14 - 1
web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
View File 

@@ -1,5 +1,5 @@
 
 /*
 
 /*
 
- * Copyright 2002-2021 the original author or authors.
 
+ * Copyright 2002-2022 the original author or authors.
 
  *
 
  *
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * you may not use this file except in compliance with the License.
 
  * you may not use this file except in compliance with the License.
 
@@ -16,14 +16,17 @@
 
 
 
 package org.springframework.security.web.access;
 
 package org.springframework.security.web.access;
 
 
 
+import javax.servlet.ServletContext;
 
 import javax.servlet.http.HttpServletRequest;
 
 import javax.servlet.http.HttpServletRequest;
 
 
 
 import org.junit.jupiter.api.Test;
 
 import org.junit.jupiter.api.Test;
 
 import org.junit.jupiter.api.extension.ExtendWith;
 
 import org.junit.jupiter.api.extension.ExtendWith;
 
+import org.mockito.ArgumentCaptor;
 
 import org.mockito.InjectMocks;
 
 import org.mockito.InjectMocks;
 
 import org.mockito.Mock;
 
 import org.mockito.Mock;
 
 import org.mockito.junit.jupiter.MockitoExtension;
 
 import org.mockito.junit.jupiter.MockitoExtension;
 
 
 
+import org.springframework.mock.web.MockServletContext;
 
 import org.springframework.security.authentication.TestAuthentication;
 
 import org.springframework.security.authentication.TestAuthentication;
 
 import org.springframework.security.authorization.AuthorizationDecision;
 
 import org.springframework.security.authorization.AuthorizationDecision;
 
 import org.springframework.security.authorization.AuthorizationManager;
 
 import org.springframework.security.authorization.AuthorizationManager;
 
@@ -72,4 +75,14 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
 
 		assertThat(allowed).isTrue();
 
 		assertThat(allowed).isTrue();
 
 	}
 
 	}
 
 
 
+	@Test
 
+	void isAllowedWhenServletContextExistsThenFilterInvocationHasServletContext() {
 
+		ServletContext servletContext = new MockServletContext();
 
+		this.privilegeEvaluator.setServletContext(servletContext);
 
+		this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
 
+		ArgumentCaptor<HttpServletRequest> captor = ArgumentCaptor.forClass(HttpServletRequest.class);
 
+		verify(this.authorizationManager).check(any(), captor.capture());
 
+		assertThat(captor.getValue().getServletContext()).isSameAs(servletContext);
 
+	}
 
+
 
 }
 
 }