diff --git a/web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java
index 758233afc4..3ac9c115c3 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java
@@ -16,14 +16,8 @@ package org.springframework.security.web.authentication.www;
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-
 import java.io.IOException;
 import java.util.Map;
-
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
@@ -34,6 +28,7 @@ import org.apache.commons.codec.digest.DigestUtils;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
+
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.authentication.TestingAuthenticationToken;
@@ -47,6 +42,11 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.core.userdetails.cache.NullUserCache;
 import org.springframework.util.StringUtils;
 
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+
 /**
  * Tests {@link DigestAuthenticationFilter}.
  * 
@@ -110,8 +110,12 @@ public class DigestAuthenticationFilterTests {
 }
 
 private static String generateNonce(int validitySeconds) {
+ return generateNonce(validitySeconds, KEY);
+ }
+
+ private static String generateNonce(int validitySeconds, String key) {
 long expiryTime = System.currentTimeMillis() + (validitySeconds * 1000);
- String signatureValue = DigestUtils.md5Hex(expiryTime + ":" + KEY);
+ String signatureValue = DigestUtils.md5Hex(expiryTime + ":" + key);
 String nonceValue = expiryTime + ":" + signatureValue;
 
 return new String(Base64.encodeBase64(nonceValue.getBytes()));
@@ -172,6 +176,22 @@ public class DigestAuthenticationFilterTests {
 assertThat(headerMap.get("stale")).isEqualTo("true");
 }
 
+ @Test
+ public void doFilterWhenNonceHasBadKeyThenGeneratesError() throws Exception {
+ String badNonce = generateNonce(60, "badkey");
+ String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
+ PASSWORD, "GET", REQUEST_URI, QOP, badNonce, NC, CNONCE);
+
+ request.addHeader("Authorization", createAuthorizationHeader(USERNAME, REALM,
+ badNonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
+
+ MockHttpServletResponse response =
+ executeFilterInContainerSimulator(filter, request, false);
+
+ assertThat(response.getStatus()).isEqualTo(401);
+ assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
+ }
+
 @Test
 public void testFilterIgnoresRequestsContainingNoAuthorizationHeader()
 throws Exception {
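Review bot: The new doFilterWhenNonceHasBadKeyThenGeneratesError test in the second hunk asserts only a 401 status and an empty SecurityContext, which is the same observable outcome the stale-nonce test just above it checks, so it cannot tell "nonce signed with the wrong key was rejected" apart from "nonce was treated as expired". Parse the `WWW-Authenticate` header into a map the way the preceding test builds `headerMap` and add `assertThat(headerMap.get("stale")).isNull();`, so a regression that downgrades a forged signature to a mere stale-nonce challenge (which a client would simply retry) is caught. In the first hunk, the unchanged `nonceValue.getBytes()` in the new generateNonce(int, String) overload still uses the platform charset; `nonceValue.getBytes(StandardCharsets.UTF_8)` would keep the fixture deterministic across JVMs, though the ASCII content here makes this a style point. Both generateNonce bodies end outside the first hunk, and the first hunk's trailing context appears truncated in this rendering.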