Add Config Tests for AuthenticationPrincipal Templates

Issue gh-15286
2025-07-13 05:43:29 +00:00 · 2024-08-09 18:27:59 -06:00 · 2024-08-09 18:27:59 -06:00 · 2b33f6f04a
commit 2b33f6f04a
parent e40c98e6d7
6 changed files with 218 additions and 12 deletions
--- a/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
@ -305,7 +305,7 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
 		private static final String CUSTOM_ARG_RESOLVERS_PROP = "customArgumentResolvers";
-		private static final String TEMPLATE_EXPRESSION_BEAN_ID = "templateDefaults";
+		private static final String TEMPLATE_EXPRESSION_BEAN_ID = "annotationExpressionTemplateDefaults";
 		private final String inboundSecurityInterceptorId;
@ -333,7 +333,7 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
 							AuthenticationPrincipalArgumentResolver.class);
 					if (registry.containsBeanDefinition(TEMPLATE_EXPRESSION_BEAN_ID)) {
 						beanDefinition.getPropertyValues()
-							.add(TEMPLATE_EXPRESSION_BEAN_ID, new RuntimeBeanReference(TEMPLATE_EXPRESSION_BEAN_ID));
+							.add("templateDefaults", new RuntimeBeanReference(TEMPLATE_EXPRESSION_BEAN_ID));
 					}
 					argResolvers.add(beanDefinition);
 					bd.getPropertyValues().add(CUSTOM_ARG_RESOLVERS_PROP, argResolvers);
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfigurationTests.java
@ -16,6 +16,11 @@
 package org.springframework.security.config.annotation.web.configuration;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@ -26,6 +31,7 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
@ -39,12 +45,15 @@ import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultMatcher;
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.servlet.ModelAndView;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;
@ -97,10 +106,28 @@ public class WebMvcSecurityConfigurationTests {
 		this.mockMvc.perform(request).andExpect(assertResult(csrfToken));
 	}
 	@Test
 	public void metaAnnotationWhenTemplateDefaultsBeanThenResolvesExpression() throws Exception {
 		this.mockMvc.perform(get("/hi")).andExpect(content().string("Hi, Stranger!"));
 		Authentication harold = new TestingAuthenticationToken("harold", "password",
 				AuthorityUtils.createAuthorityList("ROLE_USER"));
 		SecurityContextHolder.getContext().setAuthentication(harold);
 		this.mockMvc.perform(get("/hi")).andExpect(content().string("Hi, Harold!"));
 	}
 	private ResultMatcher assertResult(Object expected) {
 		return model().attribute("result", expected);
 	}
 	@Retention(RetentionPolicy.RUNTIME)
 	@Target(ElementType.PARAMETER)
 	@AuthenticationPrincipal(expression = "#this.equals('{value}')")
 	@interface IsUser {
 		String value() default "user";
 	}
 	@Controller
 	static class TestController {
@ -120,6 +147,17 @@ public class WebMvcSecurityConfigurationTests {
 			return new ModelAndView("view", "result", token);
 		}
 		@GetMapping("/hi")
 		@ResponseBody
 		String ifUser(@IsUser("harold") boolean isHarold) {
 			if (isHarold) {
 				return "Hi, Harold!";
 			}
 			else {
 				return "Hi, Stranger!";
 			}
 		}
 	}
 	@Configuration
@ -132,6 +170,11 @@ public class WebMvcSecurityConfigurationTests {
 			return new TestController();
 		}
 		@Bean
 		AnnotationTemplateExpressionDefaults templateExpressionDefaults() {
 			return new AnnotationTemplateExpressionDefaults();
 		}
 	}
 }
--- a/config/src/test/java/org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfigurationTests.java
@ -16,6 +16,10 @@
 package org.springframework.security.config.annotation.web.reactive;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 import java.net.URI;
 import org.junit.jupiter.api.Test;
@ -26,6 +30,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.password.CompromisedPasswordDecision;
 import org.springframework.security.authentication.password.CompromisedPasswordException;
 import org.springframework.security.authentication.password.ReactiveCompromisedPasswordChecker;
@ -34,8 +39,12 @@ import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.config.users.ReactiveAuthenticationTestConfiguration;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.web.server.DefaultServerRedirectStrategy;
@ -43,12 +52,16 @@ import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.test.web.reactive.server.WebTestClient;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.reactive.config.EnableWebFlux;
 import org.springframework.web.reactive.function.BodyInserters;
 import org.springframework.web.server.adapter.WebHttpHandlerBuilder;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.csrf;
 import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.mockAuthentication;
 import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.springSecurity;
 /**
 * Tests for {@link ServerHttpSecurityConfiguration}.
@ -67,7 +80,10 @@ public class ServerHttpSecurityConfigurationTests {
 		if (!context.containsBean(WebHttpHandlerBuilder.WEB_HANDLER_BEAN_NAME)) {
 			return;
 		}
-		this.webClient = WebTestClient.bindToApplicationContext(context).configureClient().build();
+		this.webClient = WebTestClient.bindToApplicationContext(context)
 			.apply(springSecurity())
 			.configureClient()
 			.build();
 	}
 	@Test
@ -146,6 +162,27 @@ public class ServerHttpSecurityConfigurationTests {
 		// @formatter:on
 	}
 	@Test
 	public void metaAnnotationWhenTemplateDefaultsBeanThenResolvesExpression() throws Exception {
 		this.spring.register(MetaAnnotationPlaceholderConfig.class).autowire();
 		Authentication user = new TestingAuthenticationToken("user", "password", "ROLE_USER");
 		this.webClient.mutateWith(mockAuthentication(user))
 			.get()
 			.uri("/hi")
 			.exchange()
 			.expectStatus()
 			.isOk()
 			.expectBody(String.class)
 			.isEqualTo("Hi, Stranger!");
 		Authentication harold = new TestingAuthenticationToken("harold", "password", "ROLE_USER");
 		this.webClient.mutateWith(mockAuthentication(harold))
 			.get()
 			.uri("/hi")
 			.exchange()
 			.expectBody(String.class)
 			.isEqualTo("Hi, Harold!");
 	}
 	@Configuration
 	static class SubclassConfig extends ServerHttpSecurityConfiguration {
@ -237,4 +274,61 @@ public class ServerHttpSecurityConfigurationTests {
 	}
 	@Retention(RetentionPolicy.RUNTIME)
 	@Target(ElementType.PARAMETER)
 	@AuthenticationPrincipal(expression = "#this.equals('{value}')")
 	@interface IsUser {
 		String value() default "user";
 	}
 	@RestController
 	static class TestController {
 		@GetMapping("/hi")
 		String ifUser(@IsUser("harold") boolean isHarold) {
 			if (isHarold) {
 				return "Hi, Harold!";
 			}
 			else {
 				return "Hi, Stranger!";
 			}
 		}
 	}
 	@Configuration
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class MetaAnnotationPlaceholderConfig {
 		@Bean
 		SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
 			// @formatter:off
 			http
 				.authorizeExchange((authorize) -> authorize.anyExchange().authenticated())
 				.httpBasic(Customizer.withDefaults());
 			// @formatter:on
 			return http.build();
 		}
 		@Bean
 		ReactiveUserDetailsService userDetailsService() {
 			return new MapReactiveUserDetailsService(
 					User.withUsername("user").password("password").authorities("app").build());
 		}
 		@Bean
 		TestController testController() {
 			return new TestController();
 		}
 		@Bean
 		AnnotationTemplateExpressionDefaults templateExpressionDefaults() {
 			return new AnnotationTemplateExpressionDefaults();
 		}
 	}
 }
--- a/config/src/test/java/org/springframework/security/config/annotation/web/socket/WebSocketMessageBrokerSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/socket/WebSocketMessageBrokerSecurityConfigurationTests.java
@ -16,6 +16,10 @@
 package org.springframework.security.config.annotation.web.socket;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@ -59,6 +63,7 @@ import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
 import org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@ -164,6 +169,17 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
 			.isEqualTo((String) this.messageUser.getPrincipal());
 	}
 	@Test
 	public void sendMessageWhenMetaAnnotationThenParsesExpression() {
 		loadConfig(NoInboundSecurityConfig.class);
 		this.messageUser = new TestingAuthenticationToken("harold", "password", "ROLE_USER");
 		clientInboundChannel().send(message("/permitAll/hi"));
 		assertThat(this.context.getBean(MyController.class).message).isEqualTo("Hi, Harold!");
 		this.messageUser = new TestingAuthenticationToken("user", "password", "ROLE_USER");
 		clientInboundChannel().send(message("/permitAll/hi"));
 		assertThat(this.context.getBean(MyController.class).message).isEqualTo("Hi, Stranger!");
 	}
 	@Test
 	public void addsCsrfProtectionWhenNoAuthorization() {
 		loadConfig(NoInboundSecurityConfig.class);
@ -365,15 +381,6 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
 		clientInboundChannel().send(message("/anonymous"));
 	}
 	@Test
 	public void sendMessageWhenAnonymousConfiguredAndLoggedInUserThenAccessDeniedException() {
 		loadConfig(WebSocketSecurityConfig.class);
 		assertThatExceptionOfType(MessageDeliveryException.class)
 			.isThrownBy(() -> clientInboundChannel().send(message("/anonymous")))
 			.withCauseInstanceOf(AccessDeniedException.class);
 	}
 	private void assertHandshake(HttpServletRequest request) {
 		TestHandshakeHandler handshakeHandler = this.context.getBean(TestHandshakeHandler.class);
 		assertThatCsrfToken(handshakeHandler.attributes.get(CsrfToken.class.getName())).isEqualTo(this.token);
@ -585,6 +592,15 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
 	}
 	@Retention(RetentionPolicy.RUNTIME)
 	@Target(ElementType.PARAMETER)
 	@AuthenticationPrincipal(expression = "#this.equals('{value}')")
 	@interface IsUser {
 		String value() default "user";
 	}
 	@Controller
 	static class MyController {
@ -592,6 +608,8 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
 		MyCustomArgument myCustomArgument;
 		String message;
 		@MessageMapping("/authentication")
 		void authentication(@AuthenticationPrincipal String un) {
 			this.authenticationPrincipal = un;
@ -602,6 +620,11 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
 			this.myCustomArgument = myCustomArgument;
 		}
 		@MessageMapping("/hi")
 		void sayHello(@IsUser("harold") boolean isHarold) {
 			this.message = isHarold ? "Hi, Harold!" : "Hi, Stranger!";
 		}
 	}
 	static class MyCustomArgument {
@ -735,6 +758,11 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
 			return new MyController();
 		}
 		@Bean
 		AnnotationTemplateExpressionDefaults templateExpressionDefaults() {
 			return new AnnotationTemplateExpressionDefaults();
 		}
 	}
 	@Configuration
--- a/config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java
@ -16,6 +16,10 @@
 package org.springframework.security.config.websocket;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.function.Supplier;
@ -47,6 +51,7 @@ import org.springframework.messaging.support.ChannelInterceptor;
 import org.springframework.messaging.support.GenericMessage;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.expression.SecurityExpressionOperations;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.config.test.SpringTestContext;
@ -55,6 +60,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.messaging.access.expression.DefaultMessageSecurityExpressionHandler;
 import org.springframework.security.messaging.access.expression.MessageSecurityExpressionRoot;
 import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners;
@ -376,6 +382,24 @@ public class WebSocketMessageBrokerConfigTests {
 		assertThat(this.messageController.username).isEqualTo("anonymous");
 	}
 	@Test
 	public void sendMessageWhenMetaAnnotationThenAuthenticationPrincipalResolved() {
 		this.spring.configLocations(xml("SyncConfig")).autowire();
 		Authentication harold = new TestingAuthenticationToken("harold", "password", "ROLE_USER");
 		try {
 			getSecurityContextHolderStrategy().setContext(new SecurityContextImpl(harold));
 			this.clientInboundChannel.send(message("/hi"));
 			assertThat(this.spring.getContext().getBean(MessageController.class).message).isEqualTo("Hi, Harold!");
 			Authentication user = new TestingAuthenticationToken("user", "password", "ROLE_USER");
 			getSecurityContextHolderStrategy().setContext(new SecurityContextImpl(user));
 			this.clientInboundChannel.send(message("/hi"));
 			assertThat(this.spring.getContext().getBean(MessageController.class).message).isEqualTo("Hi, Stranger!");
 		}
 		finally {
 			getSecurityContextHolderStrategy().clearContext();
 		}
 	}
 	@Test
 	public void requestWhenConnectMessageThenUsesCsrfTokenHandshakeInterceptor() throws Exception {
 		this.spring.configLocations(xml("SyncConfig")).autowire();
@ -553,16 +577,32 @@ public class WebSocketMessageBrokerConfigTests {
 	}
 	@Retention(RetentionPolicy.RUNTIME)
 	@Target(ElementType.PARAMETER)
 	@AuthenticationPrincipal(expression = "#this.equals('{value}')")
 	@interface IsUser {
 		String value() default "user";
 	}
 	@Controller
 	static class MessageController {
 		String username;
 		String message;
 		@MessageMapping("/message")
 		void authentication(@AuthenticationPrincipal String username) {
 			this.username = username;
 		}
 		@MessageMapping("/hi")
 		void sayHello(@IsUser("harold") boolean isHarold) {
 			this.message = isHarold ? "Hi, Harold!" : "Hi, Stranger!";
 		}
 	}
 	@Controller
--- a/config/src/test/resources/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests-SyncConfig.xml
+++ b/config/src/test/resources/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests-SyncConfig.xml
@ -28,4 +28,5 @@
 		<intercept-message pattern="/**" access="permitAll"/>
 	</websocket-message-broker>
 	<b:bean name="annotationExpressionTemplateDefaults" class="org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults"/>
 </b:beans>