
SEC-2705: DefaultMessageSecurityExpressionHandler populates AuthenticationTrustResolver

Rob Winch 10 years ago
parent
commit
ff95a34b1f

+ 13 - 1
messaging/src/main/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandler.java

@@ -19,7 +19,10 @@ import org.springframework.messaging.Message;
 import org.springframework.security.access.expression.AbstractSecurityExpressionHandler;
 import org.springframework.security.access.expression.SecurityExpressionHandler;
 import org.springframework.security.access.expression.SecurityExpressionOperations;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
 
 /**
  * The default implementation of {@link SecurityExpressionHandler} which uses a {@link MessageSecurityExpressionRoot}.
@@ -31,8 +34,17 @@ import org.springframework.security.core.Authentication;
  */
 public class DefaultMessageSecurityExpressionHandler<T> extends AbstractSecurityExpressionHandler<Message<T>> {
 
+    private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+
     @Override
     protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, Message<T> invocation) {
-        return new MessageSecurityExpressionRoot(authentication,invocation);
+        MessageSecurityExpressionRoot root = new MessageSecurityExpressionRoot(authentication,invocation);
+        root.setTrustResolver(trustResolver);
+        return root;
+    }
+
+    public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
+        Assert.notNull(trustResolver,"trustResolver cannot be null");
+        this.trustResolver = trustResolver;
     }
 }
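Review bot: The new `setTrustResolver` at the end of the hunk has no Javadoc, yet the resolver it installs decides which `Authentication` is treated as anonymous or remember-me, so it directly controls what `authenticated`, `fullyAuthenticated`, `anonymous` and `rememberMe` evaluate to in message security expressions. I would document the default and the contract: `/** Sets the {@link AuthenticationTrustResolver} used to classify anonymous and remember-me tokens in expressions such as {@code authenticated} and {@code fullyAuthenticated}; defaults to {@link AuthenticationTrustResolverImpl}. Intended to be called during configuration, before the handler is shared between threads. @param trustResolver the resolver to use, never {@code null} @throws IllegalArgumentException if {@code trustResolver} is {@code null} */`. Note also that `createSecurityExpressionRoot` now propagates only the trust resolver; if a role hierarchy or permission evaluator configured on the superclass is expected to apply to message expressions too (as the web handler presumably does with `root.setRoleHierarchy(getRoleHierarchy())` and `root.setPermissionEvaluator(getPermissionEvaluator())`), that is worth confirming here, since a configured hierarchy that is silently ignored weakens authorization checks without any error.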

+ 78 - 0
messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.messaging.access.expression;
+
+import static org.fest.assertions.Assertions.*;
+import static org.mockito.Mockito.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.expression.EvaluationContext;
+import org.springframework.expression.Expression;
+import org.springframework.messaging.Message;
+import org.springframework.messaging.support.GenericMessage;
+import org.springframework.security.access.expression.ExpressionUtils;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
+
+@RunWith(MockitoJUnitRunner.class)
+public class DefaultMessageSecurityExpressionHandlerTests {
+    @Mock
+    AuthenticationTrustResolver trustResolver;
+
+    DefaultMessageSecurityExpressionHandler<Object> handler;
+
+    Message<Object> message;
+
+    Authentication authentication;
+
+    @Before
+    public void setup() {
+        handler = new DefaultMessageSecurityExpressionHandler<Object>();
+
+        message = new GenericMessage<Object>("");
+        authentication = new AnonymousAuthenticationToken("key", "anonymous", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
+    }
+
+    // SEC-2705
+    @Test
+    public void trustResolverPopulated() {
+        EvaluationContext context = handler.createEvaluationContext(authentication, message);
+        Expression expression = handler.getExpressionParser().parseExpression("authenticated");
+
+        assertThat(ExpressionUtils.evaluateAsBoolean(expression, context)).isFalse();
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void trustResolverNull() {
+        handler.setTrustResolver(null);
+    }
+
+    @Test
+    public void trustResolverCustom() {
+        handler.setTrustResolver(trustResolver);
+        EvaluationContext context = handler.createEvaluationContext(authentication, message);
+        Expression expression = handler.getExpressionParser().parseExpression("authenticated");
+        when(trustResolver.isAnonymous(authentication)).thenReturn(false);
+
+        assertThat(ExpressionUtils.evaluateAsBoolean(expression, context)).isTrue();
+    }
+}
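Review bot: In `trustResolverCustom` the stub `when(trustResolver.isAnonymous(authentication)).thenReturn(false)` is placed after `handler.createEvaluationContext(...)`; it works only because the root object is not evaluated until `ExpressionUtils.evaluateAsBoolean`, so moving the stub above the context creation makes the arrange/act/assert order explicit and guards against a future root that inspects the resolver eagerly. Coverage also stops at `authenticated` on an anonymous token; a case that stubs `isRememberMe` and asserts `fullyAuthenticated` evaluates to false would pin the other half of the contract the new setter exposes.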