mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-07-12 13:23:29 +00:00
Add Config Tests for AuthenticationPrincipal Templates
Issue gh-15286
This commit is contained in:
Josh Cummings
parent
e40c98e6d7
commit
2b33f6f04a
@ -305,7 +305,7 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
|
||||
|
||||
private static final String CUSTOM_ARG_RESOLVERS_PROP = "customArgumentResolvers";
|
||||
|
||||
private static final String TEMPLATE_EXPRESSION_BEAN_ID = "templateDefaults";
|
||||
private static final String TEMPLATE_EXPRESSION_BEAN_ID = "annotationExpressionTemplateDefaults";
|
||||
|
||||
private final String inboundSecurityInterceptorId;
|
||||
|
||||
@ -333,7 +333,7 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
|
||||
AuthenticationPrincipalArgumentResolver.class);
|
||||
if (registry.containsBeanDefinition(TEMPLATE_EXPRESSION_BEAN_ID)) {
|
||||
beanDefinition.getPropertyValues()
|
||||
.add(TEMPLATE_EXPRESSION_BEAN_ID, new RuntimeBeanReference(TEMPLATE_EXPRESSION_BEAN_ID));
|
||||
.add("templateDefaults", new RuntimeBeanReference(TEMPLATE_EXPRESSION_BEAN_ID));
|
||||
}
|
||||
argResolvers.add(beanDefinition);
|
||||
bd.getPropertyValues().add(CUSTOM_ARG_RESOLVERS_PROP, argResolvers);
|
||||
|
||||
@ -16,6 +16,11 @@
|
||||
|
||||
package org.springframework.security.config.annotation.web.configuration;
|
||||
|
||||
import java.lang.annotation.ElementType;
|
||||
import java.lang.annotation.Retention;
|
||||
import java.lang.annotation.RetentionPolicy;
|
||||
import java.lang.annotation.Target;
|
||||
|
||||
import org.junit.jupiter.api.AfterEach;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
@ -26,6 +31,7 @@ import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
|
||||
import org.springframework.security.core.annotation.AuthenticationPrincipal;
|
||||
import org.springframework.security.core.authority.AuthorityUtils;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
@ -39,12 +45,15 @@ import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.ResultMatcher;
|
||||
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
|
||||
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.context.WebApplicationContext;
|
||||
import org.springframework.web.servlet.ModelAndView;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;
|
||||
|
||||
@ -97,10 +106,28 @@ public class WebMvcSecurityConfigurationTests {
|
||||
this.mockMvc.perform(request).andExpect(assertResult(csrfToken));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void metaAnnotationWhenTemplateDefaultsBeanThenResolvesExpression() throws Exception {
|
||||
this.mockMvc.perform(get("/hi")).andExpect(content().string("Hi, Stranger!"));
|
||||
Authentication harold = new TestingAuthenticationToken("harold", "password",
|
||||
AuthorityUtils.createAuthorityList("ROLE_USER"));
|
||||
SecurityContextHolder.getContext().setAuthentication(harold);
|
||||
this.mockMvc.perform(get("/hi")).andExpect(content().string("Hi, Harold!"));
|
||||
}
|
||||
|
||||
private ResultMatcher assertResult(Object expected) {
|
||||
return model().attribute("result", expected);
|
||||
}
|
||||
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
@Target(ElementType.PARAMETER)
|
||||
@AuthenticationPrincipal(expression = "#this.equals('{value}')")
|
||||
@interface IsUser {
|
||||
|
||||
String value() default "user";
|
||||
|
||||
}
|
||||
|
||||
@Controller
|
||||
static class TestController {
|
||||
|
||||
@ -120,6 +147,17 @@ public class WebMvcSecurityConfigurationTests {
|
||||
return new ModelAndView("view", "result", token);
|
||||
}
|
||||
|
||||
@GetMapping("/hi")
|
||||
@ResponseBody
|
||||
String ifUser(@IsUser("harold") boolean isHarold) {
|
||||
if (isHarold) {
|
||||
return "Hi, Harold!";
|
||||
}
|
||||
else {
|
||||
return "Hi, Stranger!";
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@ -132,6 +170,11 @@ public class WebMvcSecurityConfigurationTests {
|
||||
return new TestController();
|
||||
}
|
||||
|
||||
@Bean
|
||||
AnnotationTemplateExpressionDefaults templateExpressionDefaults() {
|
||||
return new AnnotationTemplateExpressionDefaults();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -16,6 +16,10 @@
|
||||
|
||||
package org.springframework.security.config.annotation.web.reactive;
|
||||
|
||||
import java.lang.annotation.ElementType;
|
||||
import java.lang.annotation.Retention;
|
||||
import java.lang.annotation.RetentionPolicy;
|
||||
import java.lang.annotation.Target;
|
||||
import java.net.URI;
|
||||
|
||||
import org.junit.jupiter.api.Test;
|
||||
@ -26,6 +30,7 @@ import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.authentication.password.CompromisedPasswordDecision;
|
||||
import org.springframework.security.authentication.password.CompromisedPasswordException;
|
||||
import org.springframework.security.authentication.password.ReactiveCompromisedPasswordChecker;
|
||||
@ -34,8 +39,12 @@ import org.springframework.security.config.test.SpringTestContext;
|
||||
import org.springframework.security.config.test.SpringTestContextExtension;
|
||||
import org.springframework.security.config.users.ReactiveAuthenticationTestConfiguration;
|
||||
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
|
||||
import org.springframework.security.core.annotation.AuthenticationPrincipal;
|
||||
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
|
||||
import org.springframework.security.core.userdetails.PasswordEncodedUser;
|
||||
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
|
||||
import org.springframework.security.core.userdetails.User;
|
||||
import org.springframework.security.core.userdetails.UserDetails;
|
||||
import org.springframework.security.web.server.DefaultServerRedirectStrategy;
|
||||
@ -43,12 +52,16 @@ import org.springframework.security.web.server.SecurityWebFilterChain;
|
||||
import org.springframework.test.web.reactive.server.WebTestClient;
|
||||
import org.springframework.util.LinkedMultiValueMap;
|
||||
import org.springframework.util.MultiValueMap;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.reactive.config.EnableWebFlux;
|
||||
import org.springframework.web.reactive.function.BodyInserters;
|
||||
import org.springframework.web.server.adapter.WebHttpHandlerBuilder;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.csrf;
|
||||
import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.mockAuthentication;
|
||||
import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.springSecurity;
|
||||
|
||||
/**
|
||||
* Tests for {@link ServerHttpSecurityConfiguration}.
|
||||
@ -67,7 +80,10 @@ public class ServerHttpSecurityConfigurationTests {
|
||||
if (!context.containsBean(WebHttpHandlerBuilder.WEB_HANDLER_BEAN_NAME)) {
|
||||
return;
|
||||
}
|
||||
this.webClient = WebTestClient.bindToApplicationContext(context).configureClient().build();
|
||||
this.webClient = WebTestClient.bindToApplicationContext(context)
|
||||
.apply(springSecurity())
|
||||
.configureClient()
|
||||
.build();
|
||||
}
|
||||
|
||||
@Test
|
||||
@ -146,6 +162,27 @@ public class ServerHttpSecurityConfigurationTests {
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void metaAnnotationWhenTemplateDefaultsBeanThenResolvesExpression() throws Exception {
|
||||
this.spring.register(MetaAnnotationPlaceholderConfig.class).autowire();
|
||||
Authentication user = new TestingAuthenticationToken("user", "password", "ROLE_USER");
|
||||
this.webClient.mutateWith(mockAuthentication(user))
|
||||
.get()
|
||||
.uri("/hi")
|
||||
.exchange()
|
||||
.expectStatus()
|
||||
.isOk()
|
||||
.expectBody(String.class)
|
||||
.isEqualTo("Hi, Stranger!");
|
||||
Authentication harold = new TestingAuthenticationToken("harold", "password", "ROLE_USER");
|
||||
this.webClient.mutateWith(mockAuthentication(harold))
|
||||
.get()
|
||||
.uri("/hi")
|
||||
.exchange()
|
||||
.expectBody(String.class)
|
||||
.isEqualTo("Hi, Harold!");
|
||||
}
|
||||
|
||||
@Configuration
|
||||
static class SubclassConfig extends ServerHttpSecurityConfiguration {
|
||||
|
||||
@ -237,4 +274,61 @@ public class ServerHttpSecurityConfigurationTests {
|
||||
|
||||
}
|
||||
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
@Target(ElementType.PARAMETER)
|
||||
@AuthenticationPrincipal(expression = "#this.equals('{value}')")
|
||||
@interface IsUser {
|
||||
|
||||
String value() default "user";
|
||||
|
||||
}
|
||||
|
||||
@RestController
|
||||
static class TestController {
|
||||
|
||||
@GetMapping("/hi")
|
||||
String ifUser(@IsUser("harold") boolean isHarold) {
|
||||
if (isHarold) {
|
||||
return "Hi, Harold!";
|
||||
}
|
||||
else {
|
||||
return "Hi, Stranger!";
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@EnableWebFlux
|
||||
@EnableWebFluxSecurity
|
||||
static class MetaAnnotationPlaceholderConfig {
|
||||
|
||||
@Bean
|
||||
SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeExchange((authorize) -> authorize.anyExchange().authenticated())
|
||||
.httpBasic(Customizer.withDefaults());
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
|
||||
@Bean
|
||||
ReactiveUserDetailsService userDetailsService() {
|
||||
return new MapReactiveUserDetailsService(
|
||||
User.withUsername("user").password("password").authorities("app").build());
|
||||
}
|
||||
|
||||
@Bean
|
||||
TestController testController() {
|
||||
return new TestController();
|
||||
}
|
||||
|
||||
@Bean
|
||||
AnnotationTemplateExpressionDefaults templateExpressionDefaults() {
|
||||
return new AnnotationTemplateExpressionDefaults();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -16,6 +16,10 @@
|
||||
|
||||
package org.springframework.security.config.annotation.web.socket;
|
||||
|
||||
import java.lang.annotation.ElementType;
|
||||
import java.lang.annotation.Retention;
|
||||
import java.lang.annotation.RetentionPolicy;
|
||||
import java.lang.annotation.Target;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
@ -59,6 +63,7 @@ import org.springframework.security.authorization.AuthorizationManager;
|
||||
import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
|
||||
import org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
|
||||
import org.springframework.security.core.annotation.AuthenticationPrincipal;
|
||||
import org.springframework.security.core.authority.AuthorityUtils;
|
||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||
@ -164,6 +169,17 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
|
||||
.isEqualTo((String) this.messageUser.getPrincipal());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void sendMessageWhenMetaAnnotationThenParsesExpression() {
|
||||
loadConfig(NoInboundSecurityConfig.class);
|
||||
this.messageUser = new TestingAuthenticationToken("harold", "password", "ROLE_USER");
|
||||
clientInboundChannel().send(message("/permitAll/hi"));
|
||||
assertThat(this.context.getBean(MyController.class).message).isEqualTo("Hi, Harold!");
|
||||
this.messageUser = new TestingAuthenticationToken("user", "password", "ROLE_USER");
|
||||
clientInboundChannel().send(message("/permitAll/hi"));
|
||||
assertThat(this.context.getBean(MyController.class).message).isEqualTo("Hi, Stranger!");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void addsCsrfProtectionWhenNoAuthorization() {
|
||||
loadConfig(NoInboundSecurityConfig.class);
|
||||
@ -365,15 +381,6 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
|
||||
clientInboundChannel().send(message("/anonymous"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void sendMessageWhenAnonymousConfiguredAndLoggedInUserThenAccessDeniedException() {
|
||||
loadConfig(WebSocketSecurityConfig.class);
|
||||
assertThatExceptionOfType(MessageDeliveryException.class)
|
||||
.isThrownBy(() -> clientInboundChannel().send(message("/anonymous")))
|
||||
.withCauseInstanceOf(AccessDeniedException.class);
|
||||
|
||||
}
|
||||
|
||||
private void assertHandshake(HttpServletRequest request) {
|
||||
TestHandshakeHandler handshakeHandler = this.context.getBean(TestHandshakeHandler.class);
|
||||
assertThatCsrfToken(handshakeHandler.attributes.get(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
@ -585,6 +592,15 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
|
||||
|
||||
}
|
||||
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
@Target(ElementType.PARAMETER)
|
||||
@AuthenticationPrincipal(expression = "#this.equals('{value}')")
|
||||
@interface IsUser {
|
||||
|
||||
String value() default "user";
|
||||
|
||||
}
|
||||
|
||||
@Controller
|
||||
static class MyController {
|
||||
|
||||
@ -592,6 +608,8 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
|
||||
|
||||
MyCustomArgument myCustomArgument;
|
||||
|
||||
String message;
|
||||
|
||||
@MessageMapping("/authentication")
|
||||
void authentication(@AuthenticationPrincipal String un) {
|
||||
this.authenticationPrincipal = un;
|
||||
@ -602,6 +620,11 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
|
||||
this.myCustomArgument = myCustomArgument;
|
||||
}
|
||||
|
||||
@MessageMapping("/hi")
|
||||
void sayHello(@IsUser("harold") boolean isHarold) {
|
||||
this.message = isHarold ? "Hi, Harold!" : "Hi, Stranger!";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
static class MyCustomArgument {
|
||||
@ -735,6 +758,11 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
|
||||
return new MyController();
|
||||
}
|
||||
|
||||
@Bean
|
||||
AnnotationTemplateExpressionDefaults templateExpressionDefaults() {
|
||||
return new AnnotationTemplateExpressionDefaults();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
|
||||
@ -16,6 +16,10 @@
|
||||
|
||||
package org.springframework.security.config.websocket;
|
||||
|
||||
import java.lang.annotation.ElementType;
|
||||
import java.lang.annotation.Retention;
|
||||
import java.lang.annotation.RetentionPolicy;
|
||||
import java.lang.annotation.Target;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
import java.util.function.Supplier;
|
||||
@ -47,6 +51,7 @@ import org.springframework.messaging.support.ChannelInterceptor;
|
||||
import org.springframework.messaging.support.GenericMessage;
|
||||
import org.springframework.security.access.AccessDeniedException;
|
||||
import org.springframework.security.access.expression.SecurityExpressionOperations;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.authorization.AuthorizationManager;
|
||||
import org.springframework.security.config.test.SpringTestContext;
|
||||
@ -55,6 +60,7 @@ import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.annotation.AuthenticationPrincipal;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||
import org.springframework.security.core.context.SecurityContextImpl;
|
||||
import org.springframework.security.messaging.access.expression.DefaultMessageSecurityExpressionHandler;
|
||||
import org.springframework.security.messaging.access.expression.MessageSecurityExpressionRoot;
|
||||
import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners;
|
||||
@ -376,6 +382,24 @@ public class WebSocketMessageBrokerConfigTests {
|
||||
assertThat(this.messageController.username).isEqualTo("anonymous");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void sendMessageWhenMetaAnnotationThenAuthenticationPrincipalResolved() {
|
||||
this.spring.configLocations(xml("SyncConfig")).autowire();
|
||||
Authentication harold = new TestingAuthenticationToken("harold", "password", "ROLE_USER");
|
||||
try {
|
||||
getSecurityContextHolderStrategy().setContext(new SecurityContextImpl(harold));
|
||||
this.clientInboundChannel.send(message("/hi"));
|
||||
assertThat(this.spring.getContext().getBean(MessageController.class).message).isEqualTo("Hi, Harold!");
|
||||
Authentication user = new TestingAuthenticationToken("user", "password", "ROLE_USER");
|
||||
getSecurityContextHolderStrategy().setContext(new SecurityContextImpl(user));
|
||||
this.clientInboundChannel.send(message("/hi"));
|
||||
assertThat(this.spring.getContext().getBean(MessageController.class).message).isEqualTo("Hi, Stranger!");
|
||||
}
|
||||
finally {
|
||||
getSecurityContextHolderStrategy().clearContext();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void requestWhenConnectMessageThenUsesCsrfTokenHandshakeInterceptor() throws Exception {
|
||||
this.spring.configLocations(xml("SyncConfig")).autowire();
|
||||
@ -553,16 +577,32 @@ public class WebSocketMessageBrokerConfigTests {
|
||||
|
||||
}
|
||||
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
@Target(ElementType.PARAMETER)
|
||||
@AuthenticationPrincipal(expression = "#this.equals('{value}')")
|
||||
@interface IsUser {
|
||||
|
||||
String value() default "user";
|
||||
|
||||
}
|
||||
|
||||
@Controller
|
||||
static class MessageController {
|
||||
|
||||
String username;
|
||||
|
||||
String message;
|
||||
|
||||
@MessageMapping("/message")
|
||||
void authentication(@AuthenticationPrincipal String username) {
|
||||
this.username = username;
|
||||
}
|
||||
|
||||
@MessageMapping("/hi")
|
||||
void sayHello(@IsUser("harold") boolean isHarold) {
|
||||
this.message = isHarold ? "Hi, Harold!" : "Hi, Stranger!";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Controller
|
||||
|
||||
@ -28,4 +28,5 @@
|
||||
<intercept-message pattern="/**" access="permitAll"/>
|
||||
</websocket-message-broker>
|
||||
|
||||
<b:bean name="annotationExpressionTemplateDefaults" class="org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults"/>
|
||||
</b:beans>
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user