SEC-1584: Additional integration tests.
This commit is contained in:
parent
7d97adc687
commit
0fd2c48dfb
|
@ -0,0 +1,65 @@
|
|||
package org.springframework.security.integration;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.mock.web.MockFilterChain;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.mock.web.MockHttpSession;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
||||
import org.springframework.test.context.ContextConfiguration;
|
||||
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
|
||||
|
||||
import javax.servlet.http.HttpSession;
|
||||
|
||||
@ContextConfiguration(locations={"/http-path-param-stripping-app-context.xml"})
|
||||
@RunWith(SpringJUnit4ClassRunner.class)
|
||||
public class HttpPathParameterStrippingTests {
|
||||
|
||||
@Autowired
|
||||
private FilterChainProxy fcp;
|
||||
|
||||
@Test
|
||||
public void securedFilterChainCannotBeBypassedByAddingPathParameters() throws Exception {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setPathInfo("/secured;x=y/admin.html");
|
||||
request.setSession(createAuthenticatedSession("ROLE_USER"));
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
fcp.doFilter(request, response, new MockFilterChain());
|
||||
assertEquals(403, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void adminFilePatternCannotBeBypassedByAddingPathParameters() throws Exception {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setServletPath("/secured/admin.html;x=user.html");
|
||||
request.setSession(createAuthenticatedSession("ROLE_USER"));
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
fcp.doFilter(request, response, new MockFilterChain());
|
||||
assertEquals(403, response.getStatus());
|
||||
|
||||
// Try with pathInfo
|
||||
request = new MockHttpServletRequest();
|
||||
request.setServletPath("/secured");
|
||||
request.setPathInfo("/admin.html;x=user.html");
|
||||
request.setSession(createAuthenticatedSession("ROLE_USER"));
|
||||
response = new MockHttpServletResponse();
|
||||
fcp.doFilter(request, response, new MockFilterChain());
|
||||
assertEquals(403, response.getStatus());
|
||||
}
|
||||
|
||||
public HttpSession createAuthenticatedSession(String... roles) {
|
||||
MockHttpSession session = new MockHttpSession();
|
||||
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("bob", "bobspassword", roles));
|
||||
session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
|
||||
SecurityContextHolder.clearContext();
|
||||
return session;
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
|
||||
<!--
|
||||
-
|
||||
-->
|
||||
|
||||
<b:beans xmlns="http://www.springframework.org/schema/security"
|
||||
xmlns:b="http://www.springframework.org/schema/beans"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
|
||||
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
|
||||
|
||||
<http pattern="/secured/**">
|
||||
<intercept-url pattern="/secured/*user.html" access="ROLE_USER" />
|
||||
<intercept-url pattern="/secured/admin.html" access="ROLE_ADMIN" />
|
||||
<intercept-url pattern="/secured/user/**" access="ROLE_USER" />
|
||||
<intercept-url pattern="/secured/admin/*" access="ROLE_ADMIN" />
|
||||
<intercept-url pattern="/**" access="ROLE_NO_ACCESS" />
|
||||
<form-login />
|
||||
</http>
|
||||
|
||||
<http pattern="/**" security="none" />
|
||||
|
||||
<authentication-manager alias="authenticationManager">
|
||||
<authentication-provider>
|
||||
<user-service id="userService">
|
||||
<user name="notused" password="notused" authorities="ROLE_0,ROLE_1"/>
|
||||
</user-service>
|
||||
</authentication-provider>
|
||||
</authentication-manager>
|
||||
|
||||
</b:beans>
|
Loading…
Reference in New Issue