MultiHttpBlockConfigTests groovy->java

Note that originally there were five tests in the groovy test, however
the last one, multipleAuthenticationManagersWorks, turned out to be a
duplicate after creating the test
requestWhenUsingMutuallyExclusiveHttpElementsThenIsRoutedAccordingly

As such, the new file contains just four tests.

Issue: gh-4939
This commit is contained in:
Josh Cummings 2018-07-19 14:44:21 -06:00
parent 7e52fe67f4
commit 39e336136f
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
6 changed files with 270 additions and 133 deletions

@ -1,133 +0,0 @@
package org.springframework.security.config.http
import static org.mockito.Mockito.*
import org.powermock.api.mockito.internal.verification.VerifyNoMoreInteractions;
import org.springframework.beans.factory.parsing.BeanDefinitionParsingException
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.BeanIds
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.FilterChainProxy
import org.junit.Assert
import org.springframework.beans.factory.BeanCreationException
import org.springframework.security.web.SecurityFilterChain
/**
* Tests scenarios with multiple <http> elements.
*
* @author Luke Taylor
*/
class MultiHttpBlockConfigTests extends AbstractHttpConfigTests {
def multipleHttpElementsAreSupported () {
when: "Two <http> elements are used"
xml.http(pattern: '/stateless/**', 'create-session': 'stateless') {
'http-basic'()
}
xml.http(pattern: '/stateful/**') {
'form-login'()
}
createAppContext()
FilterChainProxy fcp = appContext.getBean(BeanIds.FILTER_CHAIN_PROXY)
def filterChains = fcp.getFilterChains();
then:
filterChains.size() == 2
filterChains[0].requestMatcher.pattern == '/stateless/**'
}
def duplicateHttpElementsAreRejected () {
when: "Two <http> elements are used"
xml.http('create-session': 'stateless') {
'http-basic'()
}
xml.http() {
'form-login'()
}
createAppContext()
then:
BeanCreationException e = thrown()
e.cause instanceof IllegalArgumentException
}
def duplicatePatternsAreRejected () {
when: "Two <http> elements with the same pattern are used"
xml.http(pattern: '/stateless/**', 'create-session': 'stateless') {
'http-basic'()
}
xml.http(pattern: '/stateless/**') {
'form-login'()
}
createAppContext()
then:
BeanCreationException e = thrown()
e.cause instanceof IllegalArgumentException
}
def 'SEC-1937: http@authentication-manager-ref and multi authentication-mananager'() {
setup:
xml.http('authentication-manager-ref' : 'authManager', 'pattern' : '/first/**') {
'form-login'('login-processing-url': '/first/login')
csrf(disabled:true)
}
xml.http('authentication-manager-ref' : 'authManager2') {
'form-login'()
csrf(disabled:true)
}
mockBean(UserDetailsService,'uds')
mockBean(UserDetailsService,'uds2')
createAppContext("""
<authentication-manager id="authManager">
<authentication-provider user-service-ref="uds" />
</authentication-manager>
<authentication-manager id="authManager2">
<authentication-provider user-service-ref="uds2" />
</authentication-manager>
""")
UserDetailsService uds = appContext.getBean('uds')
UserDetailsService uds2 = appContext.getBean('uds2')
when:
MockHttpServletRequest request = new MockHttpServletRequest("GET", "")
MockHttpServletResponse response = new MockHttpServletResponse()
MockFilterChain chain = new MockFilterChain()
request.servletPath = "/first/login"
request.requestURI = "/first/login"
request.method = 'POST'
springSecurityFilterChain.doFilter(request,response,chain)
then:
verify(uds).loadUserByUsername(anyString()) || true
verifyZeroInteractions(uds2) || true
when:
MockHttpServletRequest request2 = new MockHttpServletRequest("GET", "")
MockHttpServletResponse response2 = new MockHttpServletResponse()
MockFilterChain chain2 = new MockFilterChain()
request2.servletPath = "/login"
request2.requestURI = "/login"
request2.method = 'POST'
springSecurityFilterChain.doFilter(request2,response2,chain2)
then:
verify(uds2).loadUserByUsername(anyString()) || true
verifyNoMoreInteractions(uds) || true
}
def multipleAuthenticationManagersWorks () {
xml.http(name: 'basic', pattern: '/basic/**', ) {
'http-basic'()
}
xml.http(pattern: '/form/**') {
'form-login'()
}
createAppContext()
FilterChainProxy fcp = appContext.getBean(BeanIds.FILTER_CHAIN_PROXY)
SecurityFilterChain basicChain = fcp.filterChains[0];
expect:
Assert.assertSame (basicChain, appContext.getBean('basic'))
}
}

@ -0,0 +1,116 @@
/*
* Copyright 2002-2018 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.http;
import org.junit.Rule;
import org.junit.Test;
import org.springframework.beans.factory.BeanCreationException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.test.SpringTestRule;
import org.springframework.stereotype.Controller;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.web.bind.annotation.GetMapping;
import static org.assertj.core.api.Assertions.assertThatCode;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* Tests scenarios with multiple &lt;http&gt; elements.
*
* @author Luke Taylor
*/
public class MultiHttpBlockConfigTests {
private static final String CONFIG_LOCATION_PREFIX =
"classpath:org/springframework/security/config/http/MultiHttpBlockConfigTests";
@Autowired
MockMvc mvc;
@Rule
public final SpringTestRule spring = new SpringTestRule();
@Test
public void requestWhenUsingMutuallyExclusiveHttpElementsThenIsRoutedAccordingly()
throws Exception {
this.spring.configLocations(this.xml("DistinctHttpElements")).autowire();
this.mvc.perform(MockMvcRequestBuilders.get("/first")
.with(httpBasic("user", "password")))
.andExpect(status().isOk());
this.mvc.perform(post("/second/login")
.param("username", "user")
.param("password", "password")
.with(csrf()))
.andExpect(status().isFound())
.andExpect(redirectedUrl("/"));
}
@Test
public void configureWhenUsingDuplicateHttpElementsThenThrowsWiringException() {
assertThatCode(() -> this.spring.configLocations(this.xml("IdenticalHttpElements")).autowire())
.isInstanceOf(BeanCreationException.class)
.hasCauseInstanceOf(IllegalArgumentException.class);
}
@Test
public void configureWhenUsingIndenticallyPatternedHttpElementsThenThrowsWiringException() {
assertThatCode(() -> this.spring.configLocations(this.xml("IdenticallyPatternedHttpElements")).autowire())
.isInstanceOf(BeanCreationException.class)
.hasCauseInstanceOf(IllegalArgumentException.class);
}
/**
* SEC-1937
*/
@Test
public void requestWhenTargettingAuthenticationManagersToCorrespondingHttpElementsThenAuthenticationProceeds()
throws Exception {
this.spring.configLocations(this.xml("Sec1937")).autowire();
this.mvc.perform(get("/first")
.with(httpBasic("first", "password"))
.with(csrf()))
.andExpect(status().isOk());
this.mvc.perform(post("/second/login")
.param("username", "second")
.param("password", "password")
.with(csrf()))
.andExpect(redirectedUrl("/"));
}
@Controller
static class BasicController {
@GetMapping("/first")
public String first() {
return "ok";
}
}
private String xml(String configName) {
return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml";
}
}

@ -0,0 +1,36 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2002-2018 the original author or authors.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<http pattern="/first/**" create-session="stateless">
<http-basic/>
</http>
<http pattern="/second/**">
<form-login login-processing-url="/second/login"/>
</http>
<b:bean name="basicController" class="org.springframework.security.config.http.MultiHttpBlockConfigTests.BasicController"/>
<b:import resource="userservice.xml"/>
</b:beans>

@ -0,0 +1,34 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2002-2018 the original author or authors.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<http create-session="stateless">
<http-basic/>
</http>
<http>
<form-login/>
</http>
<b:import resource="userservice.xml"/>
</b:beans>

@ -0,0 +1,34 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2002-2018 the original author or authors.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<http pattern="/first/**" create-session="stateless">
<http-basic/>
</http>
<http pattern="/first/**">
<form-login/>
</http>
<b:import resource="userservice.xml"/>
</b:beans>

@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2002-2018 the original author or authors.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<http authentication-manager-ref="firstAuthenticationManager" pattern="/first/**" create-session="stateless">
<http-basic/>
</http>
<http authentication-manager-ref="secondAuthenticationManager" pattern="/second/**">
<form-login login-processing-url="/second/login"/>
</http>
<b:bean name="basicController" class="org.springframework.security.config.http.MultiHttpBlockConfigTests.BasicController"/>
<authentication-manager id="firstAuthenticationManager">
<authentication-provider>
<user-service>
<user name="first" password="{noop}password" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
<authentication-manager id="secondAuthenticationManager">
<authentication-provider>
<user-service>
<user name="second" password="{noop}password" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</b:beans>