@@ -15,13 +15,12 @@
|
|
|
*/
|
|
|
package org.springframework.security.config.annotation.web.configurers;
|
|
|
|
|
|
-import static org.assertj.core.api.Assertions.assertThat;
|
|
|
-
|
|
|
import javax.servlet.http.HttpServletResponse;
|
|
|
|
|
|
import org.junit.After;
|
|
|
import org.junit.Before;
|
|
|
import org.junit.Test;
|
|
|
+
|
|
|
import org.springframework.beans.factory.annotation.Autowired;
|
|
|
import org.springframework.context.annotation.Configuration;
|
|
|
import org.springframework.http.HttpMethod;
|
|
@@ -35,6 +34,8 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
|
|
|
import org.springframework.security.web.FilterChainProxy;
|
|
|
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
|
|
|
|
|
+import static org.assertj.core.api.Assertions.assertThat;
|
|
|
+
|
|
|
/**
|
|
|
* @author Rob Winch
|
|
|
*
|
|
@@ -51,15 +52,16 @@ public class AuthorizeRequestsTests {
|
|
|
|
|
|
@Before
|
|
|
public void setup() {
|
|
|
- request = new MockHttpServletRequest();
|
|
|
- response = new MockHttpServletResponse();
|
|
|
- chain = new MockFilterChain();
|
|
|
+ this.request = new MockHttpServletRequest();
|
|
|
+ this.request.setMethod("GET");
|
|
|
+ this.response = new MockHttpServletResponse();
|
|
|
+ this.chain = new MockFilterChain();
|
|
|
}
|
|
|
|
|
|
@After
|
|
|
public void cleanup() {
|
|
|
- if(context != null) {
|
|
|
- context.close();
|
|
|
+ if (this.context != null) {
|
|
|
+ this.context.close();
|
|
|
}
|
|
|
}
|
|
|
|
|
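Review bot: The new `this.request.setMethod("GET")` in setup() changes the default request method for every test in this class, and nothing in the hunk says why. Since antMatchersMethodAndNoPatterns overrides it to POST and the new path-variable test relies on the default, a one-line comment would make the intent explicit, e.g. `// default to GET so that method-specific matchers only match when a test sets the method itself`. I believe MockHttpServletRequest's no-arg constructor otherwise leaves the method empty, which is presumably what this default is working around; worth confirming and stating in that comment.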
@@ -67,34 +69,80 @@ public class AuthorizeRequestsTests {
|
|
|
@Test
|
|
|
public void antMatchersMethodAndNoPatterns() throws Exception {
|
|
|
loadConfig(AntMatchersNoPatternsConfig.class);
|
|
|
- request.setMethod("POST");
|
|
|
+ this.request.setMethod("POST");
|
|
|
|
|
|
- springSecurityFilterChain.doFilter(request, response, chain);
|
|
|
+ this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
|
|
|
|
|
|
- assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
|
|
|
+ assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
|
|
|
}
|
|
|
|
|
|
@EnableWebSecurity
|
|
|
@Configuration
|
|
|
static class AntMatchersNoPatternsConfig extends WebSecurityConfigurerAdapter {
|
|
|
+ @Override
|
|
|
protected void configure(HttpSecurity http) throws Exception {
|
|
|
+ // @formatter:off
|
|
|
http
|
|
|
.authorizeRequests()
|
|
|
.antMatchers(HttpMethod.POST).denyAll();
|
|
|
+ // @formatter:on
|
|
|
+ }
|
|
|
+
|
|
|
+ @Override
|
|
|
+ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
|
|
+ // @formatter:off
|
|
|
+ auth
|
|
|
+ .inMemoryAuthentication();
|
|
|
+ // @formatter:on
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ // SEC-2256
|
|
|
+ @Test
|
|
|
+ public void antMatchersPathVariables() throws Exception {
|
|
|
+ loadConfig(AntPatchersPathVariables.class);
|
|
|
+
|
|
|
+ this.request.setServletPath("/user/user");
|
|
|
+
|
|
|
+ this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
|
|
|
+
|
|
|
+ assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
|
|
|
+
|
|
|
+ this.setup();
|
|
|
+ this.request.setServletPath("/user/deny");
|
|
|
+
|
|
|
+ this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
|
|
|
+
|
|
|
+ assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
|
|
|
+ }
|
|
|
+
|
|
|
+ @EnableWebSecurity
|
|
|
+ @Configuration
|
|
|
+ static class AntPatchersPathVariables extends WebSecurityConfigurerAdapter {
|
|
|
+ @Override
|
|
|
+ protected void configure(HttpSecurity http) throws Exception {
|
|
|
+ // @formatter:off
|
|
|
+ http
|
|
|
+ .authorizeRequests()
|
|
|
+ .antMatchers("/user/{user}").access("#user == 'user'")
|
|
|
+ .anyRequest().denyAll();
|
|
|
+ // @formatter:on
|
|
|
}
|
|
|
|
|
|
@Override
|
|
|
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
|
|
+ // @formatter:off
|
|
|
auth
|
|
|
.inMemoryAuthentication();
|
|
|
+ // @formatter:on
|
|
|
}
|
|
|
}
|
|
|
|
|
|
public void loadConfig(Class<?>... configs) {
|
|
|
- context = new AnnotationConfigWebApplicationContext();
|
|
|
- context.register(configs);
|
|
|
- context.refresh();
|
|
|
+ this.context = new AnnotationConfigWebApplicationContext();
|
|
|
+ this.context.register(configs);
|
|
|
+ this.context.refresh();
|
|
|
|
|
|
- context.getAutowireCapableBeanFactory().autowireBean(this);
|
|
|
+ this.context.getAutowireCapableBeanFactory().autowireBean(this);
|
|
|
}
|
|
|
}
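Review bot: The new configuration class is named `AntPatchersPathVariables` (declared at the `static class` line and referenced in `loadConfig(AntPatchersPathVariables.class)`), which looks like a typo for AntMatchersPathVariables and is inconsistent with the sibling `AntMatchersNoPatternsConfig`; I would rename both occurrences to `static class AntMatchersPathVariables extends WebSecurityConfigurerAdapter {` and `loadConfig(AntMatchersPathVariables.class);`. In antMatchersPathVariables, the mid-test `this.setup()` call is a hidden reset of request, response and chain between the allow and deny assertions; either a comment such as `// fresh request/response/chain for the deny case` or splitting the two assertions into separate tests would make that visible. The `// SEC-2256` marker above the test would also read better as a sentence naming what the issue was about, since the test name alone does not say which path-variable behaviour is being pinned.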