From 2e98b84494b1a486794ef35fc3c044662108661b Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Sun, 8 Aug 2010 17:49:06 +0100 Subject: [PATCH] SEC-1430: internalize session key for SavedRequest. This should be accessed using the RequestCache interface if required. Additional refactoring of related tests which were still in AbstractAuthenticationProcessingFilterTests for historical reasons, but should be in their respective success/failure handler test classes. --- .../security/web/WebAttributes.java | 1 - .../web/access/AccessDeniedHandlerImpl.java | 6 +- .../SessionFixationProtectionStrategy.java | 79 ++++-- .../web/savedrequest/DefaultSavedRequest.java | 5 - .../savedrequest/HttpSessionRequestCache.java | 8 +- .../ExceptionTranslationFilterTests.java | 6 +- ...ctAuthenticationProcessingFilterTests.java | 237 ++++-------------- ...pingAuthenticationFailureHandlerTests.java | 11 + ...eUrlAuthenticationFailureHandlerTests.java | 1 + ...eUrlAuthenticationSuccessHandlerTests.java | 46 +++- .../HttpSessionRequestCacheTests.java | 3 +- .../RequestCacheAwareFilterTests.java | 5 +- ...ultSessionAuthenticationStrategyTests.java | 6 +- 13 files changed, 178 insertions(+), 236 deletions(-) create mode 100644 web/src/test/java/org/springframework/security/web/authentication/ExceptionMappingAuthenticationFailureHandlerTests.java diff --git a/web/src/main/java/org/springframework/security/web/WebAttributes.java b/web/src/main/java/org/springframework/security/web/WebAttributes.java index 3072e7ba57..aff2008f5e 100644 --- a/web/src/main/java/org/springframework/security/web/WebAttributes.java +++ b/web/src/main/java/org/springframework/security/web/WebAttributes.java @@ -10,5 +10,4 @@ public final class WebAttributes { public static final String ACCESS_DENIED_403 = "SPRING_SECURITY_403_EXCEPTION"; public static final String AUTHENTICATION_EXCEPTION = "SPRING_SECURITY_LAST_EXCEPTION"; public static final String LAST_USERNAME = "SPRING_SECURITY_LAST_USERNAME"; - public static final String SAVED_REQUEST = "SPRING_SECURITY_SAVED_REQUEST_KEY"; } diff --git a/web/src/main/java/org/springframework/security/web/access/AccessDeniedHandlerImpl.java b/web/src/main/java/org/springframework/security/web/access/AccessDeniedHandlerImpl.java index b77c250592..7395a68a0c 100644 --- a/web/src/main/java/org/springframework/security/web/access/AccessDeniedHandlerImpl.java +++ b/web/src/main/java/org/springframework/security/web/access/AccessDeniedHandlerImpl.java @@ -42,11 +42,7 @@ import org.springframework.security.web.WebAttributes; */ public class AccessDeniedHandlerImpl implements AccessDeniedHandler { //~ Static fields/initializers ===================================================================================== - /** - * @deprecated Use the value in {@link WebAttributes} directly. - */ - @Deprecated - public static final String SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY = WebAttributes.ACCESS_DENIED_403; + protected static final Log logger = LogFactory.getLog(AccessDeniedHandlerImpl.class); //~ Instance fields ================================================================================================ diff --git a/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java b/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java index 9beb1ce0b6..4095d4940f 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java +++ b/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java @@ -14,21 +14,21 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.springframework.security.core.Authentication; import org.springframework.security.web.WebAttributes; +import org.springframework.util.Assert; /** * The default implementation of {@link SessionAuthenticationStrategy}. *

* Creates a new session for the newly authenticated user if they already have a session (as a defence against - * session-fixation protection attacks), and copies their - * session attributes across to the new session (can be disabled by setting migrateSessionAttributes to - * false). + * session-fixation protection attacks), and copies their session attributes across to the new session + * (can be disabled by setting {@code migrateSessionAttributes} to {@code false}). *

* This approach will only be effective if your servlet container always assigns a new session Id when a session is * invalidated and a new session created by calling {@link HttpServletRequest#getSession()}. *

- * If concurrent session control is in use, then a SessionRegistry must be injected. + * If concurrent session control is in use, then a {@code SessionRegistry} must be injected. *

- *

Issues with HttpSessionBindingListener

+ *

Issues with {@code HttpSessionBindingListener}

*

* The migration of existing attributes to the newly-created session may cause problems if any of the objects * implement the {@code HttpSessionBindingListener} interface in a way which makes assumptions about the life-cycle of @@ -56,11 +56,11 @@ public class SessionFixationProtectionStrategy implements SessionAuthenticationS * In the case where the attributes will not be migrated, this field allows a list of named attributes * which should not be discarded. */ - private List retainedAttributes = Arrays.asList(WebAttributes.SAVED_REQUEST); + private List retainedAttributes = null; /** - * If set to true, a session will always be created, even if one didn't exist at the start of the request. - * Defaults to false. + * If set to {@code true}, a session will always be created, even if one didn't exist at the start of the request. + * Defaults to {@code false}. */ private boolean alwaysCreateSession; @@ -68,12 +68,12 @@ public class SessionFixationProtectionStrategy implements SessionAuthenticationS * Called when a user is newly authenticated. *

* If a session already exists, and matches the session Id from the client, a new session will be created, and the - * session attributes copied to it (if migrateSessionAttributes is set). + * session attributes copied to it (if {@code migrateSessionAttributes} is set). * The sessionRegistry will be updated with the new session information. If the client's requested session Id is * invalid, nothing will be done, since there is no need to change the session Id if it doesn't match the current * session. *

- * If there is no session, no action is taken unless the alwaysCreateSession property is set, in which + * If there is no session, no action is taken unless the {@code alwaysCreateSession} property is set, in which * case a session will be created if one doesn't already exist. */ public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) { @@ -97,7 +97,7 @@ public class SessionFixationProtectionStrategy implements SessionAuthenticationS "and" : "without") + " migrating attributes."); } - HashMap attributesToMigrate = createMigratedAttributeMap(session); + Map attributesToMigrate = extractAttributes(session); session.invalidate(); session = request.getSession(true); // we now have a new session @@ -111,12 +111,9 @@ public class SessionFixationProtectionStrategy implements SessionAuthenticationS " not be adequately protected against session-fixation attacks"); } - // Copy attributes to new session - if (attributesToMigrate != null) { - for (Map.Entry entry : attributesToMigrate.entrySet()) { - session.setAttribute(entry.getKey(), entry.getValue()); - } - } + transferAttributes(attributesToMigrate, session); + + onSessionChange(originalSessionId, session, authentication); } } @@ -131,17 +128,47 @@ public class SessionFixationProtectionStrategy implements SessionAuthenticationS protected void onSessionChange(String originalSessionId, HttpSession newSession, Authentication auth) { } + /** + * Called to extract the existing attributes from the session, prior to invalidating it. If + * {@code migrateAttributes} is set to {@code false}, only Spring Security attributes will be retained. + * All application attributes will be discarded. + *

+ * You can override this method to control exactly what is transferred to the new session. + * + * @param session the session from which the attributes should be extracted + * @return the map of session attributes which should be transferred to the new session + */ + protected Map extractAttributes(HttpSession session) { + return createMigratedAttributeMap(session); + } + + /** + * @param attributes the attributes which were extracted from the original session by {@code extractAttributes} + * @param newSession the newly created session + */ + private void transferAttributes(Map attributes, HttpSession newSession) { + if (attributes != null) { + for (Map.Entry entry : attributes.entrySet()) { + newSession.setAttribute(entry.getKey(), entry.getValue()); + } + } + } + @SuppressWarnings("unchecked") private HashMap createMigratedAttributeMap(HttpSession session) { HashMap attributesToMigrate = null; - if (migrateSessionAttributes) { + if (migrateSessionAttributes || retainedAttributes == null) { attributesToMigrate = new HashMap(); Enumeration enumer = session.getAttributeNames(); while (enumer.hasMoreElements()) { String key = (String) enumer.nextElement(); + if (!migrateSessionAttributes && !key.startsWith("SPRING_SECURITY_")) { + // Only retain Spring Security attributes + continue; + } attributesToMigrate.put(key, session.getAttribute(key)); } } else { @@ -160,11 +187,27 @@ public class SessionFixationProtectionStrategy implements SessionAuthenticationS return attributesToMigrate; } + /** + * Defines whether attributes should be migrated to a new session or not. Has no effect if you + * override the {@code extractAttributes} method. + *

+ * Attributes used by Spring Security (to store cached requests, for example) will still be retained by default, + * even if you set this value to {@code false}. + * + * @param migrateSessionAttributes whether the attributes from the session should be transferred to the new, + * authenticated session. + */ public void setMigrateSessionAttributes(boolean migrateSessionAttributes) { this.migrateSessionAttributes = migrateSessionAttributes; } + /** + * @deprecated Override the {@code extractAttributes} method instead + */ + @Deprecated public void setRetainedAttributes(List retainedAttributes) { + logger.warn("Retained attributes is deprecated. Override the extractAttributes() method instead."); + Assert.notNull(retainedAttributes); this.retainedAttributes = retainedAttributes; } diff --git a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java index df4c922527..6e4878e671 100644 --- a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java +++ b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java @@ -52,11 +52,6 @@ public class DefaultSavedRequest implements SavedRequest { //~ Static fields/initializers ===================================================================================== protected static final Log logger = LogFactory.getLog(DefaultSavedRequest.class); - /** - * @deprecated Use the value in {@link WebAttributes} directly. - */ - @Deprecated - public static final String SPRING_SECURITY_SAVED_REQUEST_KEY = WebAttributes.SAVED_REQUEST; private static final String HEADER_IF_NONE_MATCH = "If-None-Match"; diff --git a/web/src/main/java/org/springframework/security/web/savedrequest/HttpSessionRequestCache.java b/web/src/main/java/org/springframework/security/web/savedrequest/HttpSessionRequestCache.java index e8f1e244ad..1a2b15d2af 100644 --- a/web/src/main/java/org/springframework/security/web/savedrequest/HttpSessionRequestCache.java +++ b/web/src/main/java/org/springframework/security/web/savedrequest/HttpSessionRequestCache.java @@ -8,7 +8,6 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.springframework.security.web.PortResolver; import org.springframework.security.web.PortResolverImpl; -import org.springframework.security.web.WebAttributes; import org.springframework.security.web.util.AnyRequestMatcher; import org.springframework.security.web.util.RequestMatcher; @@ -21,6 +20,7 @@ import org.springframework.security.web.util.RequestMatcher; * @since 3.0 */ public class HttpSessionRequestCache implements RequestCache { + static final String SAVED_REQUEST = "SPRING_SECURITY_SAVED_REQUEST"; protected final Log logger = LogFactory.getLog(this.getClass()); private PortResolver portResolver = new PortResolverImpl(); @@ -37,7 +37,7 @@ public class HttpSessionRequestCache implements RequestCache { if (createSessionAllowed || request.getSession(false) != null) { // Store the HTTP request itself. Used by AbstractAuthenticationProcessingFilter // for redirection after successful authentication (SEC-29) - request.getSession().setAttribute(WebAttributes.SAVED_REQUEST, savedRequest); + request.getSession().setAttribute(SAVED_REQUEST, savedRequest); logger.debug("DefaultSavedRequest added to Session: " + savedRequest); } } else { @@ -49,7 +49,7 @@ public class HttpSessionRequestCache implements RequestCache { HttpSession session = currentRequest.getSession(false); if (session != null) { - return (DefaultSavedRequest) session.getAttribute(WebAttributes.SAVED_REQUEST); + return (DefaultSavedRequest) session.getAttribute(SAVED_REQUEST); } return null; @@ -60,7 +60,7 @@ public class HttpSessionRequestCache implements RequestCache { if (session != null) { logger.debug("Removing DefaultSavedRequest from session if present"); - session.removeAttribute(WebAttributes.SAVED_REQUEST); + session.removeAttribute(SAVED_REQUEST); } } diff --git a/web/src/test/java/org/springframework/security/web/access/ExceptionTranslationFilterTests.java b/web/src/test/java/org/springframework/security/web/access/ExceptionTranslationFilterTests.java index db86dd86c7..13501d9112 100644 --- a/web/src/test/java/org/springframework/security/web/access/ExceptionTranslationFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/access/ExceptionTranslationFilterTests.java @@ -44,6 +44,7 @@ import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.WebAttributes; import org.springframework.security.web.savedrequest.HttpSessionRequestCache; import org.springframework.security.web.savedrequest.DefaultSavedRequest; +import org.springframework.security.web.savedrequest.SavedRequest; import org.springframework.security.web.util.ThrowableAnalyzer; /** @@ -66,9 +67,10 @@ public class ExceptionTranslationFilterTests { return null; } - DefaultSavedRequest savedRequest = (DefaultSavedRequest) session.getAttribute(WebAttributes.SAVED_REQUEST); + HttpSessionRequestCache rc = new HttpSessionRequestCache(); + SavedRequest sr = rc.getRequest(request, new MockHttpServletResponse()); - return savedRequest.getRedirectUrl(); + return sr.getRedirectUrl(); } @Test diff --git a/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java index 5591470b37..693a24d1cb 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java @@ -16,20 +16,7 @@ package org.springframework.security.web.authentication; import static org.junit.Assert.*; -import static org.mockito.Mockito.mock; - -import java.io.IOException; -import java.util.Properties; - -import javax.servlet.Filter; -import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; +import static org.mockito.Mockito.*; import org.junit.After; import org.junit.Before; @@ -37,7 +24,6 @@ import org.junit.Test; import org.springframework.mock.web.MockFilterConfig; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; -import org.springframework.security.authentication.AccountExpiredException; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; @@ -45,10 +31,17 @@ import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.web.PortResolverImpl; import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; -import org.springframework.security.web.savedrequest.DefaultSavedRequest; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; +import java.io.IOException; /** @@ -63,7 +56,7 @@ public class AbstractAuthenticationProcessingFilterTests { SimpleUrlAuthenticationFailureHandler failureHandler; //~ Methods ======================================================================================================== - private MockHttpServletRequest createMockRequest() { + private MockHttpServletRequest createMockAuthenticationRequest() { MockHttpServletRequest request = new MockHttpServletRequest(); request.setServletPath("/j_mock_post"); @@ -75,34 +68,6 @@ public class AbstractAuthenticationProcessingFilterTests { return request; } - private void executeFilterInContainerSimulator(FilterConfig filterConfig, Filter filter, ServletRequest request, - ServletResponse response, FilterChain filterChain) throws ServletException, IOException { - filter.init(filterConfig); - filter.doFilter(request, response, filterChain); - filter.destroy(); - } - - private DefaultSavedRequest makeSavedRequestForUrl() { - MockHttpServletRequest request = createMockRequest(); - request.setMethod("GET"); - request.setServletPath("/some_protected_file.html"); - request.setScheme("http"); - request.setServerName("www.example.com"); - request.setRequestURI("/mycontext/some_protected_file.html"); - - return new DefaultSavedRequest(request, new PortResolverImpl()); - } - -// private DefaultSavedRequest makePostSavedRequestForUrl() { -// MockHttpServletRequest request = createMockRequest(); -// request.setServletPath("/some_protected_file.html"); -// request.setScheme("http"); -// request.setServerName("www.example.com"); -// request.setRequestURI("/mycontext/post/some_protected_file.html"); -// request.setMethod("POST"); -// -// return new DefaultSavedRequest(request, new PortResolverImpl()); -// } @Before public void setUp() throws Exception { @@ -120,7 +85,7 @@ public class AbstractAuthenticationProcessingFilterTests { @Test public void testDefaultProcessesFilterUrlMatchesWithPathParameter() { - MockHttpServletRequest request = createMockRequest(); + MockHttpServletRequest request = createMockAuthenticationRequest(); MockHttpServletResponse response = new MockHttpServletResponse(); MockAuthenticationFilter filter = new MockAuthenticationFilter(); filter.setFilterProcessesUrl("/j_spring_security_check"); @@ -129,48 +94,10 @@ public class AbstractAuthenticationProcessingFilterTests { assertTrue(filter.requiresAuthentication(request, response)); } - @Test - public void testFailedAuthenticationRedirectsAppropriately() throws Exception { - // Setup our HTTP request - MockHttpServletRequest request = createMockRequest(); - - // Setup our filter configuration - MockFilterConfig config = new MockFilterConfig(null, null); - - // Setup our expectation that the filter chain will not be invoked, as we redirect to authenticationFailureUrl - MockFilterChain chain = new MockFilterChain(false); - MockHttpServletResponse response = new MockHttpServletResponse(); - - // Setup our test object, to deny access - MockAuthenticationFilter filter = new MockAuthenticationFilter(false); - filter.setAuthenticationFailureHandler(failureHandler); - - // Test - executeFilterInContainerSimulator(config, filter, request, response, chain); - - assertEquals("/mycontext/failed.jsp", response.getRedirectedUrl()); - assertNull(SecurityContextHolder.getContext().getAuthentication()); - - //Prepare again, this time using the exception mapping - filter = new MockAuthenticationFilter(new AccountExpiredException("You're account is expired")); - ExceptionMappingAuthenticationFailureHandler failureHandler = new ExceptionMappingAuthenticationFailureHandler(); - filter.setAuthenticationFailureHandler(failureHandler); - Properties exceptionMappings = new Properties(); - exceptionMappings.setProperty(AccountExpiredException.class.getName(), "/accountExpired.jsp"); - failureHandler.setExceptionMappings(exceptionMappings); - response = new MockHttpServletResponse(); - - // Test - executeFilterInContainerSimulator(config, filter, request, response, chain); - - assertEquals("/mycontext/accountExpired.jsp", response.getRedirectedUrl()); - assertNull(SecurityContextHolder.getContext().getAuthentication()); - } - @Test public void testFilterProcessesUrlVariationsRespected() throws Exception { // Setup our HTTP request - MockHttpServletRequest request = createMockRequest(); + MockHttpServletRequest request = createMockAuthenticationRequest(); request.setServletPath("/j_OTHER_LOCATION"); request.setRequestURI("/mycontext/j_OTHER_LOCATION"); @@ -187,7 +114,7 @@ public class AbstractAuthenticationProcessingFilterTests { filter.setAuthenticationSuccessHandler(successHandler); // Test - executeFilterInContainerSimulator(config, filter, request, response, chain); + filter.doFilter(request, response, chain); assertEquals("/mycontext/logged_in.jsp", response.getRedirectedUrl()); assertNotNull(SecurityContextHolder.getContext().getAuthentication()); assertEquals("test", SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()); @@ -210,7 +137,7 @@ public class AbstractAuthenticationProcessingFilterTests { @Test public void testIgnoresAnyServletPathOtherThanFilterProcessesUrl() throws Exception { // Setup our HTTP request - MockHttpServletRequest request = createMockRequest(); + MockHttpServletRequest request = createMockAuthenticationRequest(); request.setServletPath("/some.file.html"); request.setRequestURI("/mycontext/some.file.html"); @@ -225,13 +152,13 @@ public class AbstractAuthenticationProcessingFilterTests { MockAuthenticationFilter filter = new MockAuthenticationFilter(false); // Test - executeFilterInContainerSimulator(config, filter, request, response, chain); + filter.doFilter(request, response, chain); } @Test public void testNormalOperationWithDefaultFilterProcessesUrl() throws Exception { // Setup our HTTP request - MockHttpServletRequest request = createMockRequest(); + MockHttpServletRequest request = createMockAuthenticationRequest(); HttpSession sessionPreAuth = request.getSession(); // Setup our filter configuration @@ -252,7 +179,7 @@ public class AbstractAuthenticationProcessingFilterTests { filter.afterPropertiesSet(); // Test - executeFilterInContainerSimulator(config, filter, request, response, chain); + filter.doFilter(request, response, chain); assertEquals("/mycontext/logged_in.jsp", response.getRedirectedUrl()); assertNotNull(SecurityContextHolder.getContext().getAuthentication()); assertEquals("test", SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()); @@ -295,7 +222,7 @@ public class AbstractAuthenticationProcessingFilterTests { @Test public void testSuccessLoginThenFailureLoginResultsInSessionLosingToken() throws Exception { // Setup our HTTP request - MockHttpServletRequest request = createMockRequest(); + MockHttpServletRequest request = createMockAuthenticationRequest(); // Setup our filter configuration MockFilterConfig config = new MockFilterConfig(null, null); @@ -310,7 +237,7 @@ public class AbstractAuthenticationProcessingFilterTests { filter.setAuthenticationSuccessHandler(successHandler); // Test - executeFilterInContainerSimulator(config, filter, request, response, chain); + filter.doFilter(request, response, chain); assertEquals("/mycontext/logged_in.jsp", response.getRedirectedUrl()); assertNotNull(SecurityContextHolder.getContext().getAuthentication()); assertEquals("test", SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()); @@ -327,16 +254,14 @@ public class AbstractAuthenticationProcessingFilterTests { filter.setAuthenticationFailureHandler(failureHandler); // Test - executeFilterInContainerSimulator(config, filter, request, response, chain); + filter.doFilter(request, response, chain); assertNull(SecurityContextHolder.getContext().getAuthentication()); } @Test - public void testSuccessfulAuthenticationButWithAlwaysUseDefaultTargetUrlCausesRedirectToDefaultTargetUrl() - throws Exception { + public void testSuccessfulAuthenticationInvokesSuccessHandlerAndSetsContext() throws Exception { // Setup our HTTP request - MockHttpServletRequest request = createMockRequest(); - request.getSession().setAttribute(DefaultSavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY, makeSavedRequestForUrl()); + MockHttpServletRequest request = createMockAuthenticationRequest(); // Setup our filter configuration MockFilterConfig config = new MockFilterConfig(null, null); @@ -348,59 +273,42 @@ public class AbstractAuthenticationProcessingFilterTests { // Setup our test object, to grant access MockAuthenticationFilter filter = new MockAuthenticationFilter(true); filter.setFilterProcessesUrl("/j_mock_post"); - successHandler.setDefaultTargetUrl("/foobar"); - successHandler.setAlwaysUseDefaultTargetUrl(true); + AuthenticationSuccessHandler successHandler = mock(AuthenticationSuccessHandler.class); filter.setAuthenticationSuccessHandler(successHandler); // Test - executeFilterInContainerSimulator(config, filter, request, response, chain); - assertEquals("/mycontext/foobar", response.getRedirectedUrl()); + filter.doFilter(request, response, chain); + + verify(successHandler).onAuthenticationSuccess(any(HttpServletRequest.class), any(HttpServletResponse.class), + any(Authentication.class)); + assertNotNull(SecurityContextHolder.getContext().getAuthentication()); } @Test - public void testSuccessfulAuthenticationCausesRedirectToSessionSpecifiedUrl() throws Exception { + public void testFailedAuthenticationInvokesFailureHandler() throws Exception { // Setup our HTTP request - MockHttpServletRequest request = createMockRequest(); - request.getSession().setAttribute(DefaultSavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY, makeSavedRequestForUrl()); + MockHttpServletRequest request = createMockAuthenticationRequest(); // Setup our filter configuration MockFilterConfig config = new MockFilterConfig(null, null); - // Setup our expectation that the filter chain will be invoked, as we want to go to the location requested in the session - MockFilterChain chain = new MockFilterChain(true); + // Setup our expectation that the filter chain will not be invoked, as we redirect to authenticationFailureUrl + MockFilterChain chain = new MockFilterChain(false); MockHttpServletResponse response = new MockHttpServletResponse(); - // Setup our test object, to grant access - MockAuthenticationFilter filter = new MockAuthenticationFilter(true); - filter.setFilterProcessesUrl("/j_mock_post"); + // Setup our test object, to deny access + MockAuthenticationFilter filter = new MockAuthenticationFilter(false); + AuthenticationFailureHandler failureHandler = mock(AuthenticationFailureHandler.class); + filter.setAuthenticationFailureHandler(failureHandler); // Test - executeFilterInContainerSimulator(config, filter, request, response, chain); - assertEquals(makeSavedRequestForUrl().getRedirectUrl(), response.getRedirectedUrl()); - assertNotNull(SecurityContextHolder.getContext().getAuthentication()); - } + filter.doFilter(request, response, chain); - /** - * SEC-297 fix. - */ - @Test - public void testFullDefaultTargetUrlDoesNotHaveContextPathPrepended() throws Exception { - MockHttpServletRequest request = createMockRequest(); - MockFilterConfig config = new MockFilterConfig(null, null); + verify(failureHandler).onAuthenticationFailure(any(HttpServletRequest.class), any(HttpServletResponse.class), + any(AuthenticationException.class)); - MockFilterChain chain = new MockFilterChain(true); - MockHttpServletResponse response = new MockHttpServletResponse(); - - // Setup our test object, to grant access - MockAuthenticationFilter filter = new MockAuthenticationFilter(true); - successHandler.setDefaultTargetUrl("https://monkeymachine.co.uk/"); - successHandler.setAlwaysUseDefaultTargetUrl(true); - filter.setAuthenticationSuccessHandler(successHandler); - - executeFilterInContainerSimulator(config, filter, request, response, chain); - assertEquals("https://monkeymachine.co.uk/", response.getRedirectedUrl()); - assertNotNull(SecurityContextHolder.getContext().getAuthentication()); + assertNull(SecurityContextHolder.getContext().getAuthentication()); } /** @@ -408,7 +316,7 @@ public class AbstractAuthenticationProcessingFilterTests { */ @Test public void testNoSessionIsCreatedIfAllowSessionCreationIsFalse() throws Exception { - MockHttpServletRequest request = createMockRequest(); + MockHttpServletRequest request = createMockAuthenticationRequest(); MockFilterConfig config = new MockFilterConfig(null, null); MockFilterChain chain = new MockFilterChain(true); @@ -418,10 +326,8 @@ public class AbstractAuthenticationProcessingFilterTests { MockAuthenticationFilter filter = new MockAuthenticationFilter(false); failureHandler.setAllowSessionCreation(false); filter.setAuthenticationFailureHandler(failureHandler); - successHandler.setDefaultTargetUrl("http://monkeymachine.co.uk/"); - filter.setAuthenticationSuccessHandler(successHandler); - executeFilterInContainerSimulator(config, filter, request, response, chain); + filter.doFilter(request, response, chain); assertNull(request.getSession(false)); } @@ -431,7 +337,7 @@ public class AbstractAuthenticationProcessingFilterTests { */ @Test public void testLoginErrorWithNoFailureUrlSendsUnauthorizedStatus() throws Exception { - MockHttpServletRequest request = createMockRequest(); + MockHttpServletRequest request = createMockAuthenticationRequest(); MockFilterConfig config = new MockFilterConfig(null, null); MockFilterChain chain = new MockFilterChain(true); @@ -441,57 +347,11 @@ public class AbstractAuthenticationProcessingFilterTests { successHandler.setDefaultTargetUrl("http://monkeymachine.co.uk/"); filter.setAuthenticationSuccessHandler(successHandler); - executeFilterInContainerSimulator(config, filter, request, response, chain); + filter.doFilter(request, response, chain); assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getStatus()); } - /** - * SEC-462 - */ - @Test - public void testServerSideRedirectForwardsToFailureUrl() throws Exception { - MockHttpServletRequest request = createMockRequest(); - - MockFilterConfig config = new MockFilterConfig(null, null); - MockFilterChain chain = new MockFilterChain(true); - MockHttpServletResponse response = new MockHttpServletResponse(); - - MockAuthenticationFilter filter = new MockAuthenticationFilter(false); - successHandler.setDefaultTargetUrl("http://monkeymachine.co.uk/"); - filter.setAuthenticationSuccessHandler(successHandler); - filter.setAuthenticationFailureHandler(failureHandler); - failureHandler.setUseForward(true); - failureHandler.setDefaultFailureUrl("/error"); - - executeFilterInContainerSimulator(config, filter, request, response, chain); - - assertEquals("/error", response.getForwardedUrl()); - } - - /** - * SEC-213 - */ - @Test - public void testTargetUrlParameterIsUsedIfPresent() throws Exception { - MockHttpServletRequest request = createMockRequest(); - request.setParameter("targetUrl", "/target"); - - MockFilterConfig config = new MockFilterConfig(null, null); - MockFilterChain chain = new MockFilterChain(true); - MockHttpServletResponse response = new MockHttpServletResponse(); - - MockAuthenticationFilter filter = new MockAuthenticationFilter(true); - filter.setAuthenticationSuccessHandler(successHandler); - successHandler.setDefaultTargetUrl("http://monkeymachine.co.uk/"); - successHandler.setTargetUrlParameter("targetUrl"); - filter.setAuthenticationFailureHandler(failureHandler); - - executeFilterInContainerSimulator(config, filter, request, response, chain); - - assertEquals("/mycontext/target", response.getRedirectedUrl()); - } - //~ Inner Classes ================================================================================================== @@ -506,13 +366,6 @@ public class AbstractAuthenticationProcessingFilterTests { this.exceptionToThrow = new BadCredentialsException("Mock requested to do so"); } - public MockAuthenticationFilter(AuthenticationException exceptionToThrow) { - this(); - setRememberMeServices(new NullRememberMeServices()); - this.grantAccess = false; - this.exceptionToThrow = exceptionToThrow; - } - private MockAuthenticationFilter() { super("/j_mock_post"); } diff --git a/web/src/test/java/org/springframework/security/web/authentication/ExceptionMappingAuthenticationFailureHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/ExceptionMappingAuthenticationFailureHandlerTests.java new file mode 100644 index 0000000000..14419ebb98 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/authentication/ExceptionMappingAuthenticationFailureHandlerTests.java @@ -0,0 +1,11 @@ +package org.springframework.security.web.authentication; + +/** + * Created by IntelliJ IDEA. + * User: luke + * Date: Aug 8, 2010 + * Time: 5:13:18 PM + * To change this template use File | Settings | File Templates. + */ +public class ExceptionMappingAuthenticationFailureHandlerTests { +} diff --git a/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandlerTests.java index 95ab3c211a..d46ddc19b2 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandlerTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandlerTests.java @@ -55,6 +55,7 @@ public class SimpleUrlAuthenticationFailureHandlerTests { assertNull(request.getSession(false)); } + // SEC-462 @Test public void responseIsForwardedIfUseForwardIsTrue() throws Exception { SimpleUrlAuthenticationFailureHandler afh = new SimpleUrlAuthenticationFailureHandler("/target"); diff --git a/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java index c9b6bfbae2..b7e1cfa572 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java @@ -1,6 +1,7 @@ package org.springframework.security.web.authentication; -import static org.junit.Assert.*; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNull; import static org.mockito.Mockito.*; import org.junit.Test; @@ -13,6 +14,17 @@ import org.springframework.security.core.Authentication; * @author Luke Taylor */ public class SimpleUrlAuthenticationSuccessHandlerTests { + @Test + public void defaultTargetUrlIsUsedIfNoOtherInformationSet() throws Exception { + SimpleUrlAuthenticationSuccessHandler ash = new SimpleUrlAuthenticationSuccessHandler(); + + MockHttpServletRequest request = new MockHttpServletRequest(); + MockHttpServletResponse response = new MockHttpServletResponse(); + + ash.onAuthenticationSuccess(request, response, mock(Authentication.class)); + + assertEquals("/", response.getRedirectedUrl()); + } // SEC-1428 @Test @@ -26,4 +38,36 @@ public class SimpleUrlAuthenticationSuccessHandlerTests { assertNull(response.getRedirectedUrl()); } + /** + * SEC-213 + */ + @Test + public void targetUrlParameterIsUsedIfPresent() throws Exception { + SimpleUrlAuthenticationSuccessHandler ash = new SimpleUrlAuthenticationSuccessHandler("/defaultTarget"); + ash.setTargetUrlParameter("targetUrl"); + MockHttpServletRequest request = new MockHttpServletRequest(); + MockHttpServletResponse response = new MockHttpServletResponse(); + + request.setParameter("targetUrl", "/target"); + + ash.onAuthenticationSuccess(request, response, mock(Authentication.class)); + + assertEquals("/target", response.getRedirectedUrl()); + } + + /** + * SEC-297 fix. + */ + @Test + public void absoluteDefaultTargetUrlDoesNotHaveContextPathPrepended() throws Exception { + SimpleUrlAuthenticationSuccessHandler ash = new SimpleUrlAuthenticationSuccessHandler(); + ash.setDefaultTargetUrl("https://monkeymachine.co.uk/"); + MockHttpServletRequest request = new MockHttpServletRequest(); + MockHttpServletResponse response = new MockHttpServletResponse(); + + ash.onAuthenticationSuccess(request, response, mock(Authentication.class)); + + assertEquals("https://monkeymachine.co.uk/", response.getRedirectedUrl()); + } + } diff --git a/web/src/test/java/org/springframework/security/web/savedrequest/HttpSessionRequestCacheTests.java b/web/src/test/java/org/springframework/security/web/savedrequest/HttpSessionRequestCacheTests.java index 1ab94861aa..5572d2ba44 100644 --- a/web/src/test/java/org/springframework/security/web/savedrequest/HttpSessionRequestCacheTests.java +++ b/web/src/test/java/org/springframework/security/web/savedrequest/HttpSessionRequestCacheTests.java @@ -7,7 +7,6 @@ import javax.servlet.http.HttpServletRequest; import org.junit.Test; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; -import org.springframework.security.web.WebAttributes; import org.springframework.security.web.util.RequestMatcher; /** @@ -24,7 +23,7 @@ public class HttpSessionRequestCacheTests { MockHttpServletRequest request = new MockHttpServletRequest("GET", "/destination"); MockHttpServletResponse response = new MockHttpServletResponse(); cache.saveRequest(request, response); - assertNotNull(request.getSession().getAttribute(WebAttributes.SAVED_REQUEST)); + assertNotNull(request.getSession().getAttribute(HttpSessionRequestCache.SAVED_REQUEST)); assertNotNull(cache.getRequest(request, response)); MockHttpServletRequest newRequest = new MockHttpServletRequest("POST", "/destination"); diff --git a/web/src/test/java/org/springframework/security/web/savedrequest/RequestCacheAwareFilterTests.java b/web/src/test/java/org/springframework/security/web/savedrequest/RequestCacheAwareFilterTests.java index 89502cdefc..f7faa7dd43 100644 --- a/web/src/test/java/org/springframework/security/web/savedrequest/RequestCacheAwareFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/savedrequest/RequestCacheAwareFilterTests.java @@ -6,7 +6,6 @@ import org.junit.Test; import org.springframework.mock.web.MockFilterChain; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; -import org.springframework.security.web.WebAttributes; public class RequestCacheAwareFilterTests { @@ -18,9 +17,9 @@ public class RequestCacheAwareFilterTests { MockHttpServletRequest request = new MockHttpServletRequest("POST", "/destination"); MockHttpServletResponse response = new MockHttpServletResponse(); cache.saveRequest(request, response); - assertNotNull(request.getSession().getAttribute(WebAttributes.SAVED_REQUEST)); + assertNotNull(request.getSession().getAttribute(HttpSessionRequestCache.SAVED_REQUEST)); filter.doFilter(request, response, new MockFilterChain()); - assertNull(request.getSession().getAttribute(WebAttributes.SAVED_REQUEST)); + assertNull(request.getSession().getAttribute(HttpSessionRequestCache.SAVED_REQUEST)); } } diff --git a/web/src/test/java/org/springframework/security/web/session/DefaultSessionAuthenticationStrategyTests.java b/web/src/test/java/org/springframework/security/web/session/DefaultSessionAuthenticationStrategyTests.java index 59e7bb1136..63ccc73176 100644 --- a/web/src/test/java/org/springframework/security/web/session/DefaultSessionAuthenticationStrategyTests.java +++ b/web/src/test/java/org/springframework/security/web/session/DefaultSessionAuthenticationStrategyTests.java @@ -10,8 +10,8 @@ import org.junit.Test; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.security.core.Authentication; -import org.springframework.security.web.WebAttributes; import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy; +import org.springframework.security.web.savedrequest.HttpSessionRequestCache; /** * @@ -48,12 +48,12 @@ public class DefaultSessionAuthenticationStrategyTests { HttpServletRequest request = new MockHttpServletRequest(); HttpSession session = request.getSession(); session.setAttribute("blah", "blah"); - session.setAttribute(WebAttributes.SAVED_REQUEST, "DefaultSavedRequest"); + session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", "DefaultSavedRequest"); strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse()); assertNull(request.getSession().getAttribute("blah")); - assertNotNull(request.getSession().getAttribute(WebAttributes.SAVED_REQUEST)); + assertNotNull(request.getSession().getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY")); } @Test