Add ExpressionUrlAuthorizationCOnfigurer tests

- Demo custom expression root
- Demo @Bean in expression example
This commit is contained in:
Rob Winch 2014-01-23 11:17:04 -06:00
parent add3aae6ef
commit 1f833b0d6b
2 changed files with 158 additions and 0 deletions

View File

@ -18,16 +18,23 @@ package org.springframework.security.config.annotation.web.configurers;
import java.util.Arrays;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.access.expression.SecurityExpressionOperations;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebExpressionVoter;
import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;
/**
*
@ -60,4 +67,90 @@ public class ExpressionUrlAuthorizationConfigurerConfigs {
.formLogin();
}
}
@EnableWebSecurity
@Configuration
static class UseBeansInExpressions extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/user/**").hasRole("USER")
.antMatchers("/allow/**").access("@permission.check(authentication,'user')")
.anyRequest().access("@permission.check(authentication,'admin')");
}
@Bean
public Checker permission() {
return new Checker();
}
static class Checker {
public boolean check(Authentication authentication, String customArg) {
return authentication.getName().contains(customArg);
}
}
}
@EnableWebSecurity
@Configuration
static class CustomExpressionRootConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.expressionHandler(expressionHandler())
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/user/**").hasRole("USER")
.antMatchers("/allow/**").access("check('user')")
.anyRequest().access("check('admin')");
}
@Bean
public CustomExpressionHandler expressionHandler() {
return new CustomExpressionHandler();
}
static class CustomExpressionHandler extends DefaultWebSecurityExpressionHandler {
@Override
protected SecurityExpressionOperations createSecurityExpressionRoot(
Authentication authentication, FilterInvocation fi) {
WebSecurityExpressionRoot root = new CustomExpressionRoot(authentication, fi);
root.setPermissionEvaluator(getPermissionEvaluator());
root.setTrustResolver(new AuthenticationTrustResolverImpl());
root.setRoleHierarchy(getRoleHierarchy());
return root;
}
}
static class CustomExpressionRoot extends WebSecurityExpressionRoot {
public CustomExpressionRoot(Authentication a, FilterInvocation fi) {
super(a, fi);
}
public boolean check(String customArg) {
Authentication auth = this.getAuthentication();
return auth.getName().contains(customArg);
}
}
}
}

View File

@ -31,6 +31,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurerConfigs.CustomExpressionRootConfig;
import org.springframework.security.core.authority.AuthorityUtils
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor
@ -475,4 +476,68 @@ public class ExpressionUrlAuthorizationConfigurerTests extends BaseSpringSpec {
then:
1 * al.onApplicationEvent(_ as AuthorizedEvent)
}
def "Use @permission.check in access"() {
setup:
loadConfig(UseBeansInExpressions)
when: "invoke standard expression that denies access"
login()
request.servletPath = "/admin/1"
springSecurityFilterChain.doFilter(request, response, chain)
then: "standard expression works - get forbidden"
response.status == HttpServletResponse.SC_FORBIDDEN
when: "invoke standard expression that allows access"
super.setup()
login()
request.servletPath = "/user/1"
springSecurityFilterChain.doFilter(request, response, chain)
then: "standard expression works - get ok"
response.status == HttpServletResponse.SC_OK
when: "invoke custom bean as expression that allows access"
super.setup()
login()
request.servletPath = "/allow/1"
springSecurityFilterChain.doFilter(request, response, chain)
then: "custom bean expression allows access"
response.status == HttpServletResponse.SC_OK
when: "invoke custom bean as expression that denies access"
super.setup()
login()
request.servletPath = "/deny/1"
springSecurityFilterChain.doFilter(request, response, chain)
then: "custom bean expression denies access"
response.status == HttpServletResponse.SC_FORBIDDEN
}
def "Use custom expressionroot in access"() {
setup:
loadConfig(CustomExpressionRootConfig)
when: "invoke standard expression that denies access"
login()
request.servletPath = "/admin/1"
springSecurityFilterChain.doFilter(request, response, chain)
then: "standard expression works - get forbidden"
response.status == HttpServletResponse.SC_FORBIDDEN
when: "invoke standard expression that allows access"
super.setup()
login()
request.servletPath = "/user/1"
springSecurityFilterChain.doFilter(request, response, chain)
then: "standard expression works - get ok"
response.status == HttpServletResponse.SC_OK
when: "invoke custom bean as expression that allows access"
super.setup()
login()
request.servletPath = "/allow/1"
springSecurityFilterChain.doFilter(request, response, chain)
then: "custom bean expression allows access"
response.status == HttpServletResponse.SC_OK
when: "invoke custom bean as expression that denies access"
super.setup()
login()
request.servletPath = "/deny/1"
springSecurityFilterChain.doFilter(request, response, chain)
then: "custom bean expression denies access"
response.status == HttpServletResponse.SC_FORBIDDEN
}
}