SEC-2962: SecurityContextHolderAwareRequestFilter default rolePrefix
This commit is contained in:
Rob Winch
parent
38e2e23b86
commit
09acc2b7a5
|
|
@ -17,17 +17,27 @@ package org.springframework.security.config.annotation.web.configurers
|
|||
|
||||
import groovy.transform.CompileStatic
|
||||
|
||||
import org.springframework.context.annotation.Configuration
|
||||
import org.springframework.security.authentication.AuthenticationTrustResolver;
|
||||
import javax.servlet.ServletException
|
||||
import javax.servlet.ServletRequest
|
||||
import javax.servlet.ServletResponse
|
||||
|
||||
import org.springframework.mock.web.MockFilterChain
|
||||
import org.springframework.mock.web.MockHttpServletRequest
|
||||
import org.springframework.mock.web.MockHttpServletResponse
|
||||
import org.springframework.security.authentication.AuthenticationTrustResolver
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken
|
||||
import org.springframework.security.config.annotation.AnyObjectPostProcessor
|
||||
import org.springframework.security.config.annotation.BaseSpringSpec
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
|
||||
import org.springframework.security.core.context.SecurityContext
|
||||
import org.springframework.security.core.context.SecurityContextHolder
|
||||
import org.springframework.security.web.AuthenticationEntryPoint
|
||||
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
|
||||
import org.springframework.security.web.csrf.CsrfLogoutHandler;
|
||||
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
|
||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository
|
||||
import org.springframework.security.web.csrf.CsrfLogoutHandler
|
||||
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
|
||||
|
||||
/**
|
||||
|
|
@ -64,6 +74,28 @@ class ServletApiConfigurerTests extends BaseSpringSpec {
|
|||
filter.logoutHandlers.collect { it.class } == [CsrfLogoutHandler, SecurityContextLogoutHandler]
|
||||
}
|
||||
|
||||
|
||||
def 'SEC-2926: Role Prefix is set'() {
|
||||
setup:
|
||||
loadConfig(ServletApiConfig)
|
||||
MockFilterChain chain = new MockFilterChain() {
|
||||
public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
|
||||
assert request.isUserInRole("USER")
|
||||
|
||||
super.doFilter(request,response)
|
||||
}
|
||||
}
|
||||
MockHttpServletRequest request = new MockHttpServletRequest(method:'GET')
|
||||
SecurityContext context = SecurityContextHolder.createEmptyContext()
|
||||
context.setAuthentication(new TestingAuthenticationToken("user", "pass", "ROLE_USER"))
|
||||
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context)
|
||||
|
||||
when:
|
||||
springSecurityFilterChain.doFilter(request, new MockHttpServletResponse(), chain)
|
||||
then:
|
||||
chain.request != null
|
||||
}
|
||||
|
||||
@CompileStatic
|
||||
@EnableWebSecurity
|
||||
static class ServletApiConfig extends WebSecurityConfigurerAdapter {
|
||||
|
|
|
|||
|
|
@ -17,26 +17,27 @@ package org.springframework.security.config.http
|
|||
|
||||
import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML
|
||||
|
||||
import org.springframework.beans.factory.parsing.BeanDefinitionParsingException
|
||||
import org.springframework.security.TestDataSource
|
||||
import org.springframework.security.authentication.ProviderManager
|
||||
import org.springframework.security.authentication.RememberMeAuthenticationProvider
|
||||
import org.springframework.security.config.ldap.ContextSourceSettingPostProcessor;
|
||||
import org.springframework.security.core.userdetails.MockUserDetailsService
|
||||
import org.springframework.security.util.FieldUtils
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest
|
||||
import javax.servlet.http.HttpServletResponse
|
||||
|
||||
import org.springframework.mock.web.MockFilterChain
|
||||
import org.springframework.mock.web.MockHttpServletRequest
|
||||
import org.springframework.mock.web.MockHttpServletResponse
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken
|
||||
import org.springframework.security.core.context.SecurityContext
|
||||
import org.springframework.security.core.context.SecurityContextHolder
|
||||
import org.springframework.security.web.access.ExceptionTranslationFilter
|
||||
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
|
||||
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
|
||||
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
|
||||
import org.springframework.security.web.authentication.logout.LogoutFilter
|
||||
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler
|
||||
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
|
||||
import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl
|
||||
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl
|
||||
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
|
||||
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter
|
||||
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
|
||||
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
|
||||
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
|
||||
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint
|
||||
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter
|
||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository
|
||||
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
|
||||
|
||||
/**
|
||||
|
|
@ -142,4 +143,29 @@ class SecurityContextHolderAwareRequestConfigTests extends AbstractHttpConfigTes
|
|||
securityContextAwareFilter.logoutHandlers[1].class == CookieClearingLogoutHandler
|
||||
securityContextAwareFilter.logoutHandlers[1].cookiesToClear == ['JSESSIONID']
|
||||
}
|
||||
|
||||
def 'SEC-2926: Role Prefix is set'() {
|
||||
setup:
|
||||
httpAutoConfig () {
|
||||
|
||||
}
|
||||
createAppContext(AUTH_PROVIDER_XML)
|
||||
|
||||
MockFilterChain chain = new MockFilterChain() {
|
||||
public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
|
||||
assert request.isUserInRole("USER")
|
||||
|
||||
super.doFilter(request,response)
|
||||
}
|
||||
}
|
||||
MockHttpServletRequest request = new MockHttpServletRequest(method:'GET')
|
||||
SecurityContext context = SecurityContextHolder.createEmptyContext()
|
||||
context.setAuthentication(new TestingAuthenticationToken("user", "pass", "ROLE_USER"))
|
||||
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context)
|
||||
|
||||
when:
|
||||
springSecurityFilterChain.doFilter(request, new MockHttpServletResponse(), chain)
|
||||
then:
|
||||
chain.request != null
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -76,7 +76,7 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
|
|||
// ~ Instance fields
|
||||
// ================================================================================================
|
||||
|
||||
private String rolePrefix;
|
||||
private String rolePrefix = "ROLE_";
|
||||
|
||||
private HttpServletRequestFactory requestFactory;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue