Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-05-31 01:02:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improved DigestAuthenticationFilter Test Coverage

Browse Source 
Issue: gh-5462
This commit is contained in:
Josh Cummings 2019-04-13 20:26:14 -06:00
parent d88c2c19f0
commit 20a7bc4785
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
1 changed files with 27 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java
View File

@ -16,14 +16,8 @@
package org.springframework.security.web.authentication.www; package org.springframework.security.web.authentication.www;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import java.io.IOException; import java.io.IOException;
import java.util.Map; import java.util.Map;
import javax.servlet.Filter; import javax.servlet.Filter;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.ServletException; import javax.servlet.ServletException;
@ -34,6 +28,7 @@ import org.apache.commons.codec.digest.DigestUtils;
import org.junit.After; import org.junit.After;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.TestingAuthenticationToken;
@ -47,6 +42,11 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.core.userdetails.cache.NullUserCache; import org.springframework.security.core.userdetails.cache.NullUserCache;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
/** /**
* Tests {@link DigestAuthenticationFilter}. * Tests {@link DigestAuthenticationFilter}.
* *
@ -110,8 +110,12 @@ public class DigestAuthenticationFilterTests {
} }
private static String generateNonce(int validitySeconds) { private static String generateNonce(int validitySeconds) {
return generateNonce(validitySeconds, KEY);
}
private static String generateNonce(int validitySeconds, String key) {
long expiryTime = System.currentTimeMillis() + (validitySeconds * 1000); long expiryTime = System.currentTimeMillis() + (validitySeconds * 1000);
String signatureValue = DigestUtils.md5Hex(expiryTime + ":" + KEY); String signatureValue = DigestUtils.md5Hex(expiryTime + ":" + key);
String nonceValue = expiryTime + ":" + signatureValue; String nonceValue = expiryTime + ":" + signatureValue;
return new String(Base64.encodeBase64(nonceValue.getBytes())); return new String(Base64.encodeBase64(nonceValue.getBytes()));
@ -172,6 +176,22 @@ public class DigestAuthenticationFilterTests {
assertThat(headerMap.get("stale")).isEqualTo("true"); assertThat(headerMap.get("stale")).isEqualTo("true");
} }
@Test
public void doFilterWhenNonceHasBadKeyThenGeneratesError() throws Exception {
String badNonce = generateNonce(60, "badkey");
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
PASSWORD, "GET", REQUEST_URI, QOP, badNonce, NC, CNONCE);
request.addHeader("Authorization", createAuthorizationHeader(USERNAME, REALM,
badNonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response =
executeFilterInContainerSimulator(filter, request, false);
assertThat(response.getStatus()).isEqualTo(401);
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
}
@Test @Test
public void testFilterIgnoresRequestsContainingNoAuthorizationHeader() public void testFilterIgnoresRequestsContainingNoAuthorizationHeader()
throws Exception { throws Exception {