SEC-1055: Converted interfaces and methods using ServletRequest/Response to HttpServletRequest/Response where appropriate.

Luke Taylor 2008-12-10 13:48:25 +00:00
parent acfcac4594
commit 3f40604b82
21 changed files with 317 additions and 401 deletions


@ -18,8 +18,7 @@ package org.springframework.security.ui.cas;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jasig.cas.client.util.CommonUtils;
@ -66,7 +65,7 @@ public class CasProcessingFilterEntryPoint implements AuthenticationEntryPoint,
Assert.notNull(this.serviceProperties, "serviceProperties must be specified");
}
public void commence(final ServletRequest servletRequest, final ServletResponse servletResponse,
public void commence(final HttpServletRequest servletRequest, final HttpServletResponse servletResponse,
final AuthenticationException authenticationException) throws IOException, ServletException {
final HttpServletResponse response = (HttpServletResponse) servletResponse;
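Review bot: The cast on the last visible line, `final HttpServletResponse response = (HttpServletResponse) servletResponse;`, is now redundant because `commence` already receives an `HttpServletResponse`. Keeping it obscures the point of the signature change, which is that the type is enforced by the compiler rather than at runtime; the parameter could simply be named `response` and the local dropped. The same leftover cast is visible in `AbstractRetryEntryPoint.commence`, `ExceptionTranslationFilter.sendStartAuthentication`, `BasicProcessingFilterEntryPoint.commence`, `DigestProcessingFilterEntryPoint.commence` and `AuthenticationProcessingFilterEntryPoint.commence`. The body of `commence` continues outside this hunk, so later uses of both names would need checking before the rename.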


@ -27,9 +27,10 @@ import javax.servlet.http.HttpServletResponse;
/**
* Holds objects associated with a HTTP filter.<P>Guarantees the request and response are instances of
* <code>HttpServletRequest</code> and <code>HttpServletResponse</code>, and that there are no <code>null</code>
* objects.</p>
* <P>Required so that security system classes can obtain access to the filter environment, as well as the request
* and response.</p>
* objects.
* <p>
* Required so that security system classes can obtain access to the filter environment, as well as the request
* and response.
*
* @author Ben Alex
* @author colin sampaleanu
@ -39,8 +40,8 @@ public class FilterInvocation {
//~ Instance fields ================================================================================================
private FilterChain chain;
private ServletRequest request;
private ServletResponse response;
private HttpServletRequest request;
private HttpServletResponse response;
//~ Constructors ===================================================================================================
@ -49,16 +50,8 @@ public class FilterInvocation {
throw new IllegalArgumentException("Cannot pass null values to constructor");
}
if (!(request instanceof HttpServletRequest)) {
throw new IllegalArgumentException("Can only process HttpServletRequest");
}
if (!(response instanceof HttpServletResponse)) {
throw new IllegalArgumentException("Can only process HttpServletResponse");
}
this.request = request;
this.response = response;
this.request = (HttpServletRequest) request;
this.response = (HttpServletResponse) response;
this.chain = chain;
}
@ -69,8 +62,10 @@ public class FilterInvocation {
}
/**
* Indicates the URL that the user agent used for this request.<P>The returned URL does <b>not</b> reflect
* the port number determined from a {@link org.springframework.security.util.PortResolver}.</p>
* Indicates the URL that the user agent used for this request.
* <p>
* The returned URL does <b>not</b> reflect the port number determined from a
* {@link org.springframework.security.util.PortResolver}.
*
* @return the full URL of this request
*/
@ -79,17 +74,13 @@ public class FilterInvocation {
}
public HttpServletRequest getHttpRequest() {
return (HttpServletRequest) request;
return request;
}
public HttpServletResponse getHttpResponse() {
return (HttpServletResponse) response;
}
public ServletRequest getRequest() {
return request;
}
/**
* Obtains the web application-specific fragment of the URL.
*
@ -99,8 +90,12 @@ public class FilterInvocation {
return UrlUtils.getRequestUrl(this);
}
public ServletResponse getResponse() {
return response;
public HttpServletRequest getRequest() {
return getHttpRequest();
}
public HttpServletResponse getResponse() {
return getHttpResponse();
}
public String toString() {
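Review bot: The constructor now assigns `this.request = (HttpServletRequest) request;` in place of the removed `instanceof` checks, so a non-HTTP request or response surfaces as a `ClassCastException` instead of the `IllegalArgumentException` with a descriptive message. The class Javadoc still promises HTTP types, which the cast does enforce, but the failure type is part of the contract and is worth stating, e.g. `@throws ClassCastException if the request or response is not an HTTP servlet type`. `SpringSecurityFilter.doFilter` makes the same swap. Separately, `getHttpResponse()` appears to keep `return (HttpServletResponse) response;` although the field is now typed, so that cast can go. The constructor starts outside the hunk, so its parameter types are inferred from the casts.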


@ -32,10 +32,12 @@ import javax.servlet.ServletResponse;
/**
* Performs security handling of HTTP resources via a filter implementation.<p>The
* <code>ObjectDefinitionSource</code> required by this security interceptor is of type {@link
* FilterInvocationDefinitionSource}.</p>
* <p>Refer to {@link AbstractSecurityInterceptor} for details on the workflow.</p>
* Performs security handling of HTTP resources via a filter implementation.
* <p>
* The <code>ObjectDefinitionSource</code> required by this security interceptor is of type {@link
* FilterInvocationDefinitionSource}.
* <p>
* Refer to {@link AbstractSecurityInterceptor} for details on the workflow.</p>
*
* @author Ben Alex
* @version $Id$
@ -78,7 +80,7 @@ public class FilterSecurityInterceptor extends AbstractSecurityInterceptor imple
* @throws ServletException if the filter chain fails
*/
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
throws IOException, ServletException {
FilterInvocation fi = new FilterInvocation(request, response, chain);
invoke(fi);
}
@ -93,7 +95,7 @@ public class FilterSecurityInterceptor extends AbstractSecurityInterceptor imple
public void invoke(FilterInvocation fi) throws IOException, ServletException {
if ((fi.getRequest() != null) && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
&& observeOncePerRequest) {
&& observeOncePerRequest) {
// filter already applied to this request and user wants us to observce
// once-per-request handling, so don't re-do security checking
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());


@ -9,8 +9,6 @@ import org.springframework.util.Assert;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@ -42,7 +40,7 @@ public abstract class AbstractRetryEntryPoint implements ChannelEntryPoint {
//~ Methods ========================================================================================================
public void commence(ServletRequest req, ServletResponse res) throws IOException, ServletException {
public void commence(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
String pathInfo = request.getPathInfo();


@ -18,19 +18,17 @@ package org.springframework.security.securechannel;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* May be used by a {@link ChannelProcessor} to launch a web channel.
*
* <P>
* <code>ChannelProcessor</code>s can elect to launch a new web channel
* directly, or they can delegate to another class. The
* <code>ChannelEntryPoint</code> is a pluggable interface to assist
* <code>ChannelProcessor</code>s in performing this delegation.
* </p>
* <p>
* <code>ChannelProcessor</code>s can elect to launch a new web channel directly, or they can delegate to another class.
* The <code>ChannelEntryPoint</code> is a pluggable interface to assist <code>ChannelProcessor</code>s in performing
* this delegation.
*
* @author Ben Alex
* @version $Id$
@ -39,16 +37,14 @@ public interface ChannelEntryPoint {
//~ Methods ========================================================================================================
/**
* Commences a secure channel.<P>Implementations should modify the headers on the
* <code>ServletResponse</code> as necessary to commence the user agent using the implementation's supported
* channel type.</p>
* Commences a secure channel.
* <p>
* Implementations should modify the headers on the <code>ServletResponse</code> as necessary to commence the user
* agent using the implementation's supported channel type.
*
* @param request that a <code>ChannelProcessor</code> has rejected
* @param response so that the user agent can begin using a new channel
*
* @throws IOException DOCUMENT ME!
* @throws ServletException DOCUMENT ME!
*/
void commence(ServletRequest request, ServletResponse response)
throws IOException, ServletException;
void commence(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException;
}
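Review bot: The Javadoc on `commence` still tells implementations to modify the headers on the `<code>ServletResponse</code>`, while the parameter is now `HttpServletResponse`; the text should name the type actually passed. The `@throws` lines either still read `DOCUMENT ME!` or were dropped (the rendered page does not show which), and they deserve real text such as `@throws IOException if writing the redirect or error to the response fails`. `AuthenticationEntryPoint.commence` carries the same stale `<code>ServletResponse</code>` wording.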


@ -20,8 +20,8 @@ import org.springframework.security.AccessDeniedException;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
@ -44,6 +44,6 @@ public interface AccessDeniedHandler {
* @throws IOException in the event of an IOException
* @throws ServletException in the event of a ServletException
*/
void handle(ServletRequest request, ServletResponse response, AccessDeniedException accessDeniedException)
void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException)
throws IOException, ServletException;
}


@ -15,28 +15,27 @@
package org.springframework.security.ui;
import org.springframework.security.AccessDeniedException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.AccessDeniedException;
/**
* Base implementation of {@link AccessDeniedHandler}.<p>This implementation sends a 403 (SC_FORBIDDEN) HTTP error
* code. In addition, if a {@link #errorPage} is defined, the implementation will perform a request dispatcher
* "forward" to the specified error page view. Being a "forward", the <code>SecurityContextHolder</code> will remain
* Base implementation of {@link AccessDeniedHandler}.
* <p>
* This implementation sends a 403 (SC_FORBIDDEN) HTTP error code. In addition, if an {@link #errorPage} is defined,
* the implementation will perform a request dispatcher "forward" to the specified error page view.
* Being a "forward", the <code>SecurityContextHolder</code> will remain
* populated. This is of benefit if the view (or a tag library or macro) wishes to access the
* <code>SecurityContextHolder</code>. The request scope will also be populated with the exception itself, available
* from the key {@link #SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY}.</p>
* from the key {@link #SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY}.
*
* @author Ben Alex
* @version $Id$
@ -53,7 +52,7 @@ public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
//~ Methods ========================================================================================================
public void handle(ServletRequest request, ServletResponse response, AccessDeniedException accessDeniedException)
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException)
throws IOException, ServletException {
if (!response.isCommitted()) {
if (errorPage != null) {
@ -61,15 +60,13 @@ public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
request.setAttribute(SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY, accessDeniedException);
// Set the 403 status code.
HttpServletResponse resp = (HttpServletResponse) response;
resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
// forward to error page.
RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage);
dispatcher.forward(request, response);
} else {
HttpServletResponse resp = (HttpServletResponse) response;
resp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());
response.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());
}
}
}
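Review bot: In the `else` branch, `response.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());` hands the exception text to the container's error page, so whatever a voter or interceptor put in that message reaches the client. If those messages can carry resource names or decision details, that is information disclosure, and depending on how the container renders the reason it may also be echoed unescaped; which messages are possible cannot be told from this hunk. A comment stating the assumption would help, e.g. `// message is shown to the client; AccessDeniedException text must stay generic`, or the handler could send a fixed reason and log the detail server-side.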


@ -20,13 +20,12 @@ import org.springframework.security.AuthenticationException;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* Used by {@link ExceptionTranslationFilter} to commence an authentication
* scheme.
* Used by {@link ExceptionTranslationFilter} to commence an authentication scheme.
*
* @author Ben Alex
* @version $Id$
@ -39,16 +38,16 @@ public interface AuthenticationEntryPoint {
* <p>
* <code>ExceptionTranslationFilter</code> will populate the <code>HttpSession</code> attribute named
* <code>AbstractProcessingFilter.SPRING_SECURITY_SAVED_REQUEST_KEY</code> with the requested target URL before
* calling this method.</p>
*
* <p>Implementations should modify the headers on the <code>ServletResponse</code> as necessary to
* commence the authentication process.</p>
* calling this method.
* <p>
* Implementations should modify the headers on the <code>ServletResponse</code> as necessary to
* commence the authentication process.
*
* @param request that resulted in an <code>AuthenticationException</code>
* @param response so that the user agent can begin authentication
* @param authException that caused the invocation
*
*/
void commence(ServletRequest request, ServletResponse response, AuthenticationException authException)
void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
throws IOException, ServletException;
}


@ -35,8 +35,6 @@ import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@ -139,7 +137,7 @@ public class ExceptionTranslationFilter extends SpringSecurityFilter implements
return portResolver;
}
private void handleException(ServletRequest request, ServletResponse response, FilterChain chain,
private void handleException(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
SpringSecurityException exception) throws IOException, ServletException {
if (exception instanceof AuthenticationException) {
if (logger.isDebugEnabled()) {
@ -188,7 +186,7 @@ public class ExceptionTranslationFilter extends SpringSecurityFilter implements
return createSessionAllowed;
}
protected void sendStartAuthentication(ServletRequest request, ServletResponse response, FilterChain chain,
protected void sendStartAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
AuthenticationException reason) throws ServletException, IOException {
HttpServletRequest httpRequest = (HttpServletRequest) request;


@ -31,6 +31,7 @@ public abstract class FilterChainOrder {
public static final int AUTHENTICATION_PROCESSING_FILTER = FILTER_CHAIN_FIRST + INTERVAL * i++;
public static final int OPENID_PROCESSING_FILTER = FILTER_CHAIN_FIRST + INTERVAL * i++;
public static final int LOGIN_PAGE_FILTER = FILTER_CHAIN_FIRST + INTERVAL * i++;
public static final int DIGEST_PROCESSING_FILTER = FILTER_CHAIN_FIRST + INTERVAL * i++;
public static final int BASIC_PROCESSING_FILTER = FILTER_CHAIN_FIRST + INTERVAL * i++;
public static final int SERVLET_API_SUPPORT_FILTER = FILTER_CHAIN_FIRST + INTERVAL * i++;
public static final int REMEMBER_ME_FILTER = FILTER_CHAIN_FIRST + INTERVAL * i++;
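Review bot: Every constant here takes its value from `i++`, so inserting `DIGEST_PROCESSING_FILTER` (presumably the added line, since `DigestProcessingFilter.getOrder()` is new in this commit) shifts the numeric order of `BASIC_PROCESSING_FILTER` and everything after it. A deployment that positions a custom filter with a literal number rather than one of these constants could end up on the other side of an authentication filter after upgrading. A comment on the declaration would make this explicit, e.g. `// order is positional: inserting a constant renumbers all later filters`, and the placement of digest ahead of basic deserves a one-line rationale.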


@ -24,7 +24,7 @@ import java.io.IOException;
*/
public abstract class SpringSecurityFilter implements Filter, Ordered {
protected final Log logger = LogFactory.getLog(this.getClass());
/**
* Does nothing. We use IoC container lifecycle services instead.
*
@ -41,15 +41,6 @@ public abstract class SpringSecurityFilter implements Filter, Ordered {
}
public final void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
// Do we really need the checks on the types in practice ?
if (!(request instanceof HttpServletRequest)) {
throw new ServletException("Can only process HttpServletRequest");
}
if (!(response instanceof HttpServletResponse)) {
throw new ServletException("Can only process HttpServletResponse");
}
doFilterHttp((HttpServletRequest)request, (HttpServletResponse)response, chain);
}
@ -58,4 +49,4 @@ public abstract class SpringSecurityFilter implements Filter, Ordered {
public String toString() {
return getClass().getName() + "[ order=" + getOrder() + "; ]";
}
}
}
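Review bot: With the `instanceof` checks gone, `doFilter` relies on the casts in `doFilterHttp((HttpServletRequest)request, (HttpServletResponse)response, chain);`, and a cast of `null` succeeds, so a null request or response is no longer rejected at the filter boundary. The failure moves to wherever the subclass first dereferences the argument, possibly after other work has been done, and the tests that pinned the old `ServletException` are deleted in this commit. If the container contract is being trusted here, the Javadoc of `doFilter` should say so; otherwise a guard such as `if (request == null || response == null) throw new ServletException("request and response are required");` keeps the rejection in one place.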


@ -18,8 +18,7 @@ package org.springframework.security.ui.basicauth;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.AuthenticationException;
@ -32,7 +31,7 @@ import org.springframework.util.Assert;
* Used by the <code>SecurityEnforcementFilter</code> to commence authentication via the {@link
* BasicProcessingFilter}.<P>Once a user agent is authenticated using BASIC authentication, logout requires that
* the browser be closed or an unauthorized (401) header be sent. The simplest way of achieving the latter is to call
* the {@link #commence(ServletRequest, ServletResponse, AuthenticationException)} method below. This will indicate to
* the {@link #commence(HttpServletRequest, HttpServletResponse, AuthenticationException)} method below. This will indicate to
* the browser its credentials are no longer authorized, causing it to prompt the user to login again.</p>
*
* @author Ben Alex
@ -49,7 +48,7 @@ public class BasicProcessingFilterEntryPoint implements AuthenticationEntryPoint
Assert.hasText(realmName, "realmName must be specified");
}
public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException)
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
throws IOException, ServletException {
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.addHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");


@ -20,11 +20,9 @@ import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;
@ -43,6 +41,8 @@ import org.springframework.security.providers.UsernamePasswordAuthenticationToke
import org.springframework.security.providers.dao.UserCache;
import org.springframework.security.providers.dao.cache.NullUserCache;
import org.springframework.security.ui.AuthenticationDetailsSource;
import org.springframework.security.ui.FilterChainOrder;
import org.springframework.security.ui.SpringSecurityFilter;
import org.springframework.security.ui.WebAuthenticationDetailsSource;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
@ -78,7 +78,7 @@ import org.springframework.util.StringUtils;
* than Basic authentication. Please see RFC 2617 section 4 for a full discussion on the advantages of Digest
* authentication over Basic authentication, including commentary on the limitations that it still imposes.
*/
public class DigestProcessingFilter implements Filter, InitializingBean, MessageSourceAware {
public class DigestProcessingFilter extends SpringSecurityFilter implements Filter, InitializingBean, MessageSourceAware {
//~ Static fields/initializers =====================================================================================
private static final Log logger = LogFactory.getLog(DigestProcessingFilter.class);
@ -99,15 +99,9 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
Assert.notNull(authenticationEntryPoint, "A DigestProcessingFilterEntryPoint is required");
}
public void destroy() {
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request;
String header = httpRequest.getHeader("Authorization");
String header = request.getHeader("Authorization");
if (logger.isDebugEnabled()) {
logger.debug("Authorization header received from user agent: " + header);
@ -322,7 +316,7 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
return a1Md5;
}
private void fail(ServletRequest request, ServletResponse response, AuthenticationException failed)
private void fail(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed)
throws IOException, ServletException {
SecurityContextHolder.getContext().setAuthentication(null);
@ -394,9 +388,6 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
return userDetailsService;
}
public void init(FilterConfig ignored) throws ServletException {
}
public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) {
Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
this.authenticationDetailsSource = authenticationDetailsSource;
@ -421,4 +412,8 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
public void setUserDetailsService(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
public int getOrder() {
return FilterChainOrder.DIGEST_PROCESSING_FILTER;
}
}
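Review bot: `doFilterHttp` still writes the whole header with `logger.debug("Authorization header received from user agent: " + header);`, which puts the digest username, nonce and response value into the debug log. No scheme check is visible before that line in this hunk, so a Basic header with its encoded password would presumably be logged as well. Logging only that an Authorization header was present, or the username after parsing, would be enough for troubleshooting. Also, now that the class extends `SpringSecurityFilter`, its `private static final Log logger` hides the inherited `protected final Log logger` and `implements Filter` is redundant. The body of `doFilterHttp` continues outside the hunk.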


@ -18,8 +18,7 @@ package org.springframework.security.ui.digestauth;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.AuthenticationException;
@ -75,7 +74,7 @@ public class DigestProcessingFilterEntryPoint implements AuthenticationEntryPoin
}
}
public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException)
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
throws IOException, ServletException {
HttpServletResponse httpResponse = (HttpServletResponse) response;


@ -6,8 +6,7 @@ import org.springframework.security.ui.AuthenticationEntryPoint;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
@ -46,7 +45,7 @@ public class PreAuthenticatedProcessingFilterEntryPoint implements Authenticatio
/**
* Always returns a 403 error code to the client.
*/
public void commence(ServletRequest request, ServletResponse response, AuthenticationException arg2) throws IOException,
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException arg2) throws IOException,
ServletException {
if (logger.isDebugEnabled()) {
logger.debug("Pre-authenticated entry point called. Rejecting access");


@ -36,8 +36,6 @@ import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@ -103,7 +101,7 @@ public class AuthenticationProcessingFilterEntryPoint implements AuthenticationE
/**
* Performs the redirect (or forward) to the login form URL.
*/
public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException)
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request;


@ -92,7 +92,7 @@ public class FilterToBeanProxy implements Filter {
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
throws IOException, ServletException {
if (!initialized) {
doInit();
}


@ -18,8 +18,6 @@ package org.springframework.security;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@ -39,15 +37,14 @@ public class MockAuthenticationEntryPoint implements AuthenticationEntryPoint {
//~ Constructors ===================================================================================================
public MockAuthenticationEntryPoint(String url) {
public MockAuthenticationEntryPoint(String url) {
this.url = url;
}
//~ Methods ========================================================================================================
public void commence(ServletRequest request, ServletResponse response,
AuthenticationException authenticationException)
throws IOException, ServletException {
((HttpServletResponse) response).sendRedirect(((HttpServletRequest) request).getContextPath() + url);
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authenticationException) throws IOException, ServletException {
response.sendRedirect(request.getContextPath() + url);
}
}


@ -157,26 +157,6 @@ public class ChannelProcessingFilterTests extends TestCase {
assertTrue(true);
}
public void testDoFilterWithNonHttpServletRequestDetected() throws Exception {
ChannelProcessingFilter filter = new ChannelProcessingFilter();
try {
filter.doFilter(null, new MockHttpServletResponse(), new MockFilterChain());
fail("Should have thrown ServletException");
} catch (ServletException expected) {
}
}
public void testDoFilterWithNonHttpServletResponseDetected() throws Exception {
ChannelProcessingFilter filter = new ChannelProcessingFilter();
try {
filter.doFilter(new MockHttpServletRequest(null, null), null, new MockFilterChain());
fail("Should have thrown ServletException");
} catch (ServletException expected) {
}
}
public void testGetterSetters() throws Exception {
ChannelProcessingFilter filter = new ChannelProcessingFilter();
filter.setChannelDecisionManager(new MockChannelDecisionManager(false, "MOCK"));


@ -27,6 +27,7 @@ import org.springframework.security.MockPortResolver;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
import org.springframework.security.util.AuthorityUtils;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
@ -46,296 +47,270 @@ import javax.servlet.ServletResponse;
* benalex $
*/
public class ExceptionTranslationFilterTests extends TestCase {
//~ Methods ========================================================================================================
//~ Methods ========================================================================================================
protected void tearDown() throws Exception {
super.tearDown();
SecurityContextHolder.clearContext();
}
protected void tearDown() throws Exception {
super.tearDown();
SecurityContextHolder.clearContext();
}
public void testAccessDeniedWhenAnonymous() throws Exception {
// Setup our HTTP request
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/secure/page.html");
request.setServerPort(80);
request.setScheme("http");
request.setServerName("www.example.com");
request.setContextPath("/mycontext");
request.setRequestURI("/mycontext/secure/page.html");
public void testAccessDeniedWhenAnonymous() throws Exception {
// Setup our HTTP request
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/secure/page.html");
request.setServerPort(80);
request.setScheme("http");
request.setServerName("www.example.com");
request.setContextPath("/mycontext");
request.setRequestURI("/mycontext/secure/page.html");
// Setup the FilterChain to thrown an access denied exception
MockFilterChain chain = new MockFilterChain(true, false, false, false);
// Setup the FilterChain to thrown an access denied exception
MockFilterChain chain = new MockFilterChain(true, false, false, false);
// Setup SecurityContextHolder, as filter needs to check if user is
// anonymous
SecurityContextHolder.getContext().setAuthentication(
new AnonymousAuthenticationToken("ignored", "ignored",
new GrantedAuthority[] { new GrantedAuthorityImpl("IGNORED") }));
// Setup SecurityContextHolder, as filter needs to check if user is
// anonymous
SecurityContextHolder.getContext().setAuthentication(
new AnonymousAuthenticationToken("ignored", "ignored", AuthorityUtils.createAuthorityList("IGNORED")));
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint("/login.jsp"));
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint("/login.jsp"));
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, chain);
assertEquals("/mycontext/login.jsp", response.getRedirectedUrl());
assertEquals("http://www.example.com/mycontext/secure/page.html", AbstractProcessingFilter
.obtainFullSavedRequestUrl(request));
}
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, chain);
assertEquals("/mycontext/login.jsp", response.getRedirectedUrl());
assertEquals("http://www.example.com/mycontext/secure/page.html", AbstractProcessingFilter
.obtainFullSavedRequestUrl(request));
}
public void testAccessDeniedWhenNonAnonymous() throws Exception {
// Setup our HTTP request
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/secure/page.html");
public void testAccessDeniedWhenNonAnonymous() throws Exception {
// Setup our HTTP request
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/secure/page.html");
// Setup the FilterChain to thrown an access denied exception
MockFilterChain chain = new MockFilterChain(true, false, false, false);
// Setup the FilterChain to thrown an access denied exception
MockFilterChain chain = new MockFilterChain(true, false, false, false);
// Setup SecurityContextHolder, as filter needs to check if user is
// anonymous
SecurityContextHolder.getContext().setAuthentication(null);
// Setup SecurityContextHolder, as filter needs to check if user is
// anonymous
SecurityContextHolder.getContext().setAuthentication(null);
// Setup a new AccessDeniedHandlerImpl that will do a "forward"
AccessDeniedHandlerImpl adh = new AccessDeniedHandlerImpl();
adh.setErrorPage("/error.jsp");
// Setup a new AccessDeniedHandlerImpl that will do a "forward"
AccessDeniedHandlerImpl adh = new AccessDeniedHandlerImpl();
adh.setErrorPage("/error.jsp");
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint("/login.jsp"));
filter.setAccessDeniedHandler(adh);
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint("/login.jsp"));
filter.setAccessDeniedHandler(adh);
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, chain);
assertEquals(403, response.getStatus());
assertEquals(AccessDeniedException.class, request.getAttribute(
AccessDeniedHandlerImpl.SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY).getClass());
}
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, chain);
assertEquals(403, response.getStatus());
assertEquals(AccessDeniedException.class, request.getAttribute(
AccessDeniedHandlerImpl.SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY).getClass());
}
public void testDoFilterWithNonHttpServletRequestDetected() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
public void testGettersSetters() {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
try {
filter.doFilter(null, new MockHttpServletResponse(), new MockFilterChain(false, false, false, false));
fail("Should have thrown ServletException");
}
catch (ServletException expected) {
assertEquals("Can only process HttpServletRequest", expected.getMessage());
}
}
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint("/login.jsp"));
assertTrue(filter.getAuthenticationEntryPoint() != null);
public void testDoFilterWithNonHttpServletResponseDetected() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setPortResolver(new MockPortResolver(80, 443));
assertTrue(filter.getPortResolver() != null);
}
try {
filter.doFilter(new MockHttpServletRequest(null, null), null, new MockFilterChain(false, false, false,
false));
fail("Should have thrown ServletException");
}
catch (ServletException expected) {
assertEquals("Can only process HttpServletResponse", expected.getMessage());
}
}
public void testRedirectedToLoginFormAndSessionShowsOriginalTargetWhenAuthenticationException() throws Exception {
// Setup our HTTP request
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/secure/page.html");
request.setServerPort(80);
request.setScheme("http");
request.setServerName("www.example.com");
request.setContextPath("/mycontext");
request.setRequestURI("/mycontext/secure/page.html");
public void testGettersSetters() {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
// Setup the FilterChain to thrown an authentication failure exception
MockFilterChain chain = new MockFilterChain(false, true, false, false);
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint("/login.jsp"));
assertTrue(filter.getAuthenticationEntryPoint() != null);
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint("/login.jsp"));
filter.setPortResolver(new MockPortResolver(80, 443));
/*
* Disabled the call to afterPropertiesSet as it requires
* applicationContext to be injected before it is invoked. We do not
* have this filter configured in IOC for this test hence no
* ApplicationContext
*/
// filter.afterPropertiesSet();
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, chain);
assertEquals("/mycontext/login.jsp", response.getRedirectedUrl());
assertEquals("http://www.example.com/mycontext/secure/page.html", AbstractProcessingFilter
.obtainFullSavedRequestUrl(request));
}
filter.setPortResolver(new MockPortResolver(80, 443));
assertTrue(filter.getPortResolver() != null);
}
public void testRedirectedToLoginFormAndSessionShowsOriginalTargetWithExoticPortWhenAuthenticationException()
throws Exception {
// Setup our HTTP request
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/secure/page.html");
request.setServerPort(8080);
request.setScheme("http");
request.setServerName("www.example.com");
request.setContextPath("/mycontext");
request.setRequestURI("/mycontext/secure/page.html");
public void testRedirectedToLoginFormAndSessionShowsOriginalTargetWhenAuthenticationException() throws Exception {
// Setup our HTTP request
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/secure/page.html");
request.setServerPort(80);
request.setScheme("http");
request.setServerName("www.example.com");
request.setContextPath("/mycontext");
request.setRequestURI("/mycontext/secure/page.html");
// Setup the FilterChain to thrown an authentication failure exception
MockFilterChain chain = new MockFilterChain(false, true, false, false);
// Setup the FilterChain to thrown an authentication failure exception
MockFilterChain chain = new MockFilterChain(false, true, false, false);
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint("/login.jsp"));
filter.setPortResolver(new MockPortResolver(8080, 8443));
/*
* Disabled the call to afterPropertiesSet as it requires
* applicationContext to be injected before it is invoked. We do not
* have this filter configured in IOC for this test hence no
* ApplicationContext
*/
// filter.afterPropertiesSet();
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, chain);
assertEquals("/mycontext/login.jsp", response.getRedirectedUrl());
assertEquals("http://www.example.com:8080/mycontext/secure/page.html", AbstractProcessingFilter
.obtainFullSavedRequestUrl(request));
}
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint("/login.jsp"));
filter.setPortResolver(new MockPortResolver(80, 443));
/*
* Disabled the call to afterPropertiesSet as it requires
* applicationContext to be injected before it is invoked. We do not
* have this filter configured in IOC for this test hence no
* ApplicationContext
*/
// filter.afterPropertiesSet();
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, chain);
assertEquals("/mycontext/login.jsp", response.getRedirectedUrl());
assertEquals("http://www.example.com/mycontext/secure/page.html", AbstractProcessingFilter
.obtainFullSavedRequestUrl(request));
}
public void testStartupDetectsMissingAuthenticationEntryPoint() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
public void testRedirectedToLoginFormAndSessionShowsOriginalTargetWithExoticPortWhenAuthenticationException()
throws Exception {
// Setup our HTTP request
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/secure/page.html");
request.setServerPort(8080);
request.setScheme("http");
request.setServerName("www.example.com");
request.setContextPath("/mycontext");
request.setRequestURI("/mycontext/secure/page.html");
try {
filter.afterPropertiesSet();
fail("Should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
assertEquals("authenticationEntryPoint must be specified", expected.getMessage());
}
}
// Setup the FilterChain to thrown an authentication failure exception
MockFilterChain chain = new MockFilterChain(false, true, false, false);
public void testStartupDetectsMissingPortResolver() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint("/login.jsp"));
filter.setPortResolver(null);
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint("/login.jsp"));
filter.setPortResolver(new MockPortResolver(8080, 8443));
/*
* Disabled the call to afterPropertiesSet as it requires
* applicationContext to be injected before it is invoked. We do not
* have this filter configured in IOC for this test hence no
* ApplicationContext
*/
// filter.afterPropertiesSet();
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, chain);
assertEquals("/mycontext/login.jsp", response.getRedirectedUrl());
assertEquals("http://www.example.com:8080/mycontext/secure/page.html", AbstractProcessingFilter
.obtainFullSavedRequestUrl(request));
}
try {
filter.afterPropertiesSet();
fail("Should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
assertEquals("portResolver must be specified", expected.getMessage());
}
}
public void testStartupDetectsMissingAuthenticationEntryPoint() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
public void testSuccessfulAccessGrant() throws Exception {
// Setup our HTTP request
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/secure/page.html");
try {
filter.afterPropertiesSet();
fail("Should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
assertEquals("authenticationEntryPoint must be specified", expected.getMessage());
}
}
// Setup the FilterChain to thrown no exceptions
MockFilterChain chain = new MockFilterChain(false, false, false, false);
public void testStartupDetectsMissingPortResolver() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint("/login.jsp"));
filter.setPortResolver(null);
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint("/login.jsp"));
try {
filter.afterPropertiesSet();
fail("Should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
assertEquals("portResolver must be specified", expected.getMessage());
}
}
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, chain);
}
public void testSuccessfulAccessGrant() throws Exception {
// Setup our HTTP request
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/secure/page.html");
public void testSuccessfulStartupAndShutdownDown() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
// Setup the FilterChain to thrown no exceptions
MockFilterChain chain = new MockFilterChain(false, false, false, false);
filter.init(null);
filter.destroy();
assertTrue(true);
}
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint("/login.jsp"));
public void testThrowIOException() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, chain);
}
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(""));
/*
* Disabled the call to afterPropertiesSet as it requires
* applicationContext to be injected before it is invoked. We do not
* have this filter configured in IOC for this test hence no
* ApplicationContext
*/
// filter.afterPropertiesSet();
try {
filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain(false,
false, false, true));
fail("Should have thrown IOException");
}
catch (IOException e) {
assertNull("The IOException thrown should not have been wrapped", e.getCause());
}
}
public void testSuccessfulStartupAndShutdownDown() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
public void testThrowServletException() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.init(null);
filter.destroy();
assertTrue(true);
}
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(""));
/*
* Disabled the call to afterPropertiesSet as it requires
* applicationContext to be injected before it is invoked. We do not
* have this filter configured in IOC for this test hence no
* ApplicationContext
*/
// filter.afterPropertiesSet();
try {
filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain(false,
false, true, false));
fail("Should have thrown ServletException");
}
catch (ServletException e) {
assertNull("The ServletException thrown should not have been wrapped", e.getCause());
}
}
public void testThrowIOException() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
// ~ Inner Classes =================================================================================================
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(""));
/*
* Disabled the call to afterPropertiesSet as it requires
* applicationContext to be injected before it is invoked. We do not
* have this filter configured in IOC for this test hence no
* ApplicationContext
*/
// filter.afterPropertiesSet();
try {
filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain(false,
false, false, true));
fail("Should have thrown IOException");
}
catch (IOException e) {
assertNull("The IOException thrown should not have been wrapped", e.getCause());
}
}
private class MockFilterChain implements FilterChain {
private boolean throwAccessDenied;
public void testThrowServletException() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
private boolean throwAuthenticationFailure;
filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(""));
/*
* Disabled the call to afterPropertiesSet as it requires
* applicationContext to be injected before it is invoked. We do not
* have this filter configured in IOC for this test hence no
* ApplicationContext
*/
// filter.afterPropertiesSet();
try {
filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain(false,
false, true, false));
fail("Should have thrown ServletException");
}
catch (ServletException e) {
assertNull("The ServletException thrown should not have been wrapped", e.getCause());
}
}
private boolean throwIOException;
// ~ Inner Classes =================================================================================================
private boolean throwServletException;
private class MockFilterChain implements FilterChain {
private boolean throwAccessDenied;
public MockFilterChain(boolean throwAccessDenied, boolean throwAuthenticationFailure,
boolean throwServletException, boolean throwIOException) {
this.throwAccessDenied = throwAccessDenied;
this.throwAuthenticationFailure = throwAuthenticationFailure;
this.throwServletException = throwServletException;
this.throwIOException = throwIOException;
}
private boolean throwAuthenticationFailure;
public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
if (throwAccessDenied) {
throw new AccessDeniedException("As requested");
}
private boolean throwIOException;
if (throwAuthenticationFailure) {
throw new BadCredentialsException("As requested");
}
private boolean throwServletException;
if (throwServletException) {
throw new ServletException("As requested");
}
public MockFilterChain(boolean throwAccessDenied, boolean throwAuthenticationFailure,
boolean throwServletException, boolean throwIOException) {
this.throwAccessDenied = throwAccessDenied;
this.throwAuthenticationFailure = throwAuthenticationFailure;
this.throwServletException = throwServletException;
this.throwIOException = throwIOException;
}
public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
if (throwAccessDenied) {
throw new AccessDeniedException("As requested");
}
if (throwAuthenticationFailure) {
throw new BadCredentialsException("As requested");
}
if (throwServletException) {
throw new ServletException("As requested");
}
if (throwIOException) {
throw new IOException("As requested");
}
}
}
if (throwIOException) {
throw new IOException("As requested");
}
}
}
}


@ -25,8 +25,6 @@ import org.springframework.util.Assert;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@ -83,7 +81,7 @@ public class NtlmProcessingFilterEntryPoint implements AuthenticationEntryPoint
* {@link NtlmType2MessageException}, or
* {@link AuthenticationException}
*/
public void commence(final ServletRequest request, final ServletResponse response, final AuthenticationException authException) throws IOException, ServletException {
public void commence(final HttpServletRequest request, final HttpServletResponse response, final AuthenticationException authException) throws IOException, ServletException {
final HttpServletResponse resp = (HttpServletResponse) response;
if (authException instanceof NtlmBaseException) {
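Review bot: The cast on the line after the new `commence` signature is now redundant, because `response` is already declared as `HttpServletResponse`. `final HttpServletResponse resp = (HttpServletResponse) response;` can become `final HttpServletResponse resp = response;`, or the body can use `response` directly. Keeping the cast suggests a runtime type check that the compiler now enforces at the call site. The body of `commence` continues outside the hunk, so later uses of `resp` are not visible here.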