Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Polish Logout Content Negotiation 

* Rename to DelegatingLogoutSuccessHandler for consistency
* Remove JavascriptOriginRequestMatcher in favor of
RequestHeaderRequestMatcher

Issue gh-3282
This commit is contained in:
Rob Winch 2016-04-19 12:00:06 -05:00
parent f0d1700ad6
commit 4093690322
6 changed files with 195 additions and 294 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
web/src/main/java/org/springframework/security/web/authentication/logout/DelegatingLogoutSuccessHandler.java Normal file
View File

@ -0,0 +1,77 @@
/*
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.authentication.logout;
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
/**
* Delegates to logout handlers based on matched request matchers
*
* @author Shazin Sadakath
* @author Rob Winch
* @since 4.1
*/
public class DelegatingLogoutSuccessHandler implements LogoutSuccessHandler {
private final LinkedHashMap<RequestMatcher, LogoutSuccessHandler> matcherToHandler;
private LogoutSuccessHandler defaultLogoutSuccessHandler;
public DelegatingLogoutSuccessHandler(
LinkedHashMap<RequestMatcher, LogoutSuccessHandler> matcherToHandler) {
Assert.notEmpty(matcherToHandler, "matcherToHandler cannot be null");
this.matcherToHandler = matcherToHandler;
}
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
for (Map.Entry<RequestMatcher, LogoutSuccessHandler> entry : this.matcherToHandler
.entrySet()) {
RequestMatcher matcher = entry.getKey();
if (matcher.matches(request)) {
LogoutSuccessHandler handler = entry.getValue();
handler.onLogoutSuccess(request, response, authentication);
return;
}
}
if (this.defaultLogoutSuccessHandler != null) {
this.defaultLogoutSuccessHandler.onLogoutSuccess(request, response,
authentication);
}
}
/**
* Sets the default {@link LogoutSuccessHandler} if no other handlers available
*
* @param defaultLogoutSuccessHandler the defaultLogoutSuccessHandler to set
*/
public void setDefaultLogoutSuccessHandler(
LogoutSuccessHandler defaultLogoutSuccessHandler) {
this.defaultLogoutSuccessHandler = defaultLogoutSuccessHandler;
}
}

64
web/src/main/java/org/springframework/security/web/authentication/logout/RequestMatcherLogoutSuccessHandler.java
View File

@ -1,64 +0,0 @@
/*
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.authentication.logout;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.util.matcher.JavascriptOriginRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* Delegates to logout handlers based on matched request matchers
*
* @author Shazin Sadakath
*/
public class RequestMatcherLogoutSuccessHandler implements LogoutSuccessHandler {
private Map<RequestMatcher, LogoutSuccessHandler> requestMatcherLogoutSuccessHandlers = new LinkedHashMap();
public RequestMatcherLogoutSuccessHandler() {
requestMatcherLogoutSuccessHandlers.put(new JavascriptOriginRequestMatcher(), new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT));
requestMatcherLogoutSuccessHandlers.put(new NegatedRequestMatcher(new JavascriptOriginRequestMatcher()), new SimpleUrlLogoutSuccessHandler());
}
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
for(Map.Entry<RequestMatcher, LogoutSuccessHandler> entry : requestMatcherLogoutSuccessHandlers.entrySet()) {
if(entry.getKey().matches(request)) {
entry.getValue().onLogoutSuccess(request, response, authentication);
break;
}
}
}
public Map<RequestMatcher, LogoutSuccessHandler> getRequestMatcherLogoutSuccessHandlers() {
return requestMatcherLogoutSuccessHandlers;
}
public void setRequestMatcherLogoutSuccessHandlers(Map<RequestMatcher, LogoutSuccessHandler> requestMatcherLogoutSuccessHandlers) {
Assert.notNull(requestMatcherLogoutSuccessHandlers, "must not be null");
this.requestMatcherLogoutSuccessHandlers = requestMatcherLogoutSuccessHandlers;
}
}

55
web/src/main/java/org/springframework/security/web/util/matcher/JavascriptOriginRequestMatcher.java
View File

@ -1,55 +0,0 @@
/*
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.util.matcher;
import javax.servlet.http.HttpServletRequest;
/**
* Decides whether the Request Originated from Javascript.
*
* @author Shazin Sadakath
*/
public class JavascriptOriginRequestMatcher implements RequestMatcher {
public static final String HTTP_X_REQUESTED_WITH = "HTTP_X_REQUESTED_WITH";
public static final String XML_HTTP_REQUEST = "XMLHttpRequest";
private String headerName = HTTP_X_REQUESTED_WITH;
private String headerValue = XML_HTTP_REQUEST;
@Override
public boolean matches(HttpServletRequest request) {
Object xHttpRequestedWith = request.getHeader(headerName);
return xHttpRequestedWith != null && xHttpRequestedWith.toString().equalsIgnoreCase(headerValue);
}
public String getHeaderName() {
return headerName;
}
public void setHeaderName(String headerName) {
this.headerName = headerName;
}
public String getHeaderValue() {
return headerValue;
}
public void setHeaderValue(String headerValue) {
this.headerValue = headerValue;
}
}

118
web/src/test/java/org/springframework/security/web/authentication/logout/DelegatingLogoutSuccessHandlerTests.java Normal file
View File

@ -0,0 +1,118 @@
/*
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.authentication.logout;
import java.util.LinkedHashMap;
import javax.servlet.http.HttpServletRequest;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.util.matcher.RequestMatcher;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when;
/**
* DelegatingLogoutSuccessHandlerTests Tests
*
* @author Shazin Sadakath
* @author Rob Winch
*/
@RunWith(MockitoJUnitRunner.class)
public class DelegatingLogoutSuccessHandlerTests {
@Mock
RequestMatcher matcher;
@Mock
RequestMatcher matcher2;
@Mock
LogoutSuccessHandler handler;
@Mock
LogoutSuccessHandler handler2;
@Mock
LogoutSuccessHandler defaultHandler;
@Mock
HttpServletRequest request;
@Mock
MockHttpServletResponse response;
@Mock
Authentication authentication;
DelegatingLogoutSuccessHandler delegatingHandler;
@Before
public void setup() {
LinkedHashMap<RequestMatcher, LogoutSuccessHandler> matcherToHandler = new LinkedHashMap<RequestMatcher, LogoutSuccessHandler>();
matcherToHandler.put(this.matcher, this.handler);
matcherToHandler.put(this.matcher2, this.handler2);
this.delegatingHandler = new DelegatingLogoutSuccessHandler(matcherToHandler);
}
@Test
public void onLogoutSuccessFirstMatches() throws Exception {
this.delegatingHandler.setDefaultLogoutSuccessHandler(this.defaultHandler);
when(this.matcher.matches(this.request)).thenReturn(true);
this.delegatingHandler.onLogoutSuccess(this.request, this.response,
this.authentication);
verify(this.handler).onLogoutSuccess(this.request, this.response,
this.authentication);
verifyZeroInteractions(this.matcher2, this.handler2, this.defaultHandler);
}
@Test
public void onLogoutSuccessSecondMatches() throws Exception {
this.delegatingHandler.setDefaultLogoutSuccessHandler(this.defaultHandler);
when(this.matcher2.matches(this.request)).thenReturn(true);
this.delegatingHandler.onLogoutSuccess(this.request, this.response,
this.authentication);
verify(this.handler2).onLogoutSuccess(this.request, this.response,
this.authentication);
verifyZeroInteractions(this.handler, this.defaultHandler);
}
@Test
public void onLogoutSuccessDefault() throws Exception {
this.delegatingHandler.setDefaultLogoutSuccessHandler(this.defaultHandler);
this.delegatingHandler.onLogoutSuccess(this.request, this.response,
this.authentication);
verify(this.defaultHandler).onLogoutSuccess(this.request, this.response,
this.authentication);
verifyZeroInteractions(this.handler, this.handler2);
}
@Test
public void onLogoutSuccessNoMatchDefaultNull() throws Exception {
this.delegatingHandler.onLogoutSuccess(this.request, this.response,
this.authentication);
verifyZeroInteractions(this.handler, this.handler2, this.defaultHandler);
}
}

117
web/src/test/java/org/springframework/security/web/authentication/logout/RequestMatcherLogoutSuccessHandlerTests.java
View File

@ -1,117 +0,0 @@
/*
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.authentication.logout;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.util.matcher.IpAddressMatcher;
import org.springframework.security.web.util.matcher.JavascriptOriginRequestMatcher;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.accept.HeaderContentNegotiationStrategy;
import java.util.LinkedHashMap;
import java.util.Map;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.mock;
/**
* RequestMatcherLogoutSuccessHandler Tests
*
* @author Shazin Sadakath
*/
@RunWith(MockitoJUnitRunner.class)
public class RequestMatcherLogoutSuccessHandlerTests {
private RequestMatcherLogoutSuccessHandler customLogoutSuccessHandler = new RequestMatcherLogoutSuccessHandler();
@Before
public void init() {
Map<RequestMatcher, LogoutSuccessHandler> requestMatcherLogoutSuccessHandlerMap = new LinkedHashMap();
requestMatcherLogoutSuccessHandlerMap.put(new IpAddressMatcher("192.168.1.5"), new SimpleUrlLogoutSuccessHandler());
requestMatcherLogoutSuccessHandlerMap.put(new MediaTypeRequestMatcher(new HeaderContentNegotiationStrategy(), MediaType.APPLICATION_JSON), new HttpStatusReturningLogoutSuccessHandler(HttpStatus.CREATED));
customLogoutSuccessHandler.setRequestMatcherLogoutSuccessHandlers(requestMatcherLogoutSuccessHandlerMap);
}
@Test
public void javascriptOriginRequest() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
LogoutSuccessHandler logoutSuccessHandler = new RequestMatcherLogoutSuccessHandler();
request.addHeader(JavascriptOriginRequestMatcher.HTTP_X_REQUESTED_WITH, "XMLHttpRequest");
logoutSuccessHandler.onLogoutSuccess(request, response, mock(Authentication.class));
assertThat(response.getStatus()).isEqualTo(HttpStatus.NO_CONTENT.value());
}
@Test
public void nonJavascriptOriginRequest() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
LogoutSuccessHandler logoutSuccessHandler = new RequestMatcherLogoutSuccessHandler();
logoutSuccessHandler.onLogoutSuccess(request, response, mock(Authentication.class));
assertThat(response.getStatus()).isEqualTo(HttpStatus.FOUND.value());
}
@Test
public void customRequestMatcherHandlerMap_IPAddress() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRemoteAddr("192.168.1.5");
MockHttpServletResponse response = new MockHttpServletResponse();
customLogoutSuccessHandler.onLogoutSuccess(request, response, mock(Authentication.class));
assertThat(response.getStatus()).isEqualTo(HttpStatus.FOUND.value());
}
@Test
public void customRequestMatcherHandlerMap_AcceptHeader() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
request.addHeader(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE);
MockHttpServletResponse response = new MockHttpServletResponse();
customLogoutSuccessHandler.onLogoutSuccess(request, response, mock(Authentication.class));
assertThat(response.getStatus()).isEqualTo(HttpStatus.CREATED.value());
}
@Test
public void customRequestMatcherHandlerMap_IPAddressAndAcceptHeader() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRemoteAddr("192.168.1.5");
request.addHeader(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE);
MockHttpServletResponse response = new MockHttpServletResponse();
customLogoutSuccessHandler.onLogoutSuccess(request, response, mock(Authentication.class));
// IPAddressRequestMatcher -> SimpleUrlLogoutSuccessHandler will be invoked first
assertThat(response.getStatus()).isEqualTo(HttpStatus.FOUND.value());
}
}

58
web/src/test/java/org/springframework/security/web/util/matcher/JavascriptOriginRequestMatcherTests.java
View File

@ -1,58 +0,0 @@
/*
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.util.matcher;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.mock.web.MockHttpServletRequest;
import static org.assertj.core.api.Assertions.assertThat;
/**
* JavascriptOriginRequestMatcher Tests
*
* @author Shazin Sadakath
*/
@RunWith(MockitoJUnitRunner.class)
public class JavascriptOriginRequestMatcherTests {
private RequestMatcher matcher = new JavascriptOriginRequestMatcher();
@Test
public void javascriptOriginRequest() {
MockHttpServletRequest request = new MockHttpServletRequest();
request.addHeader(JavascriptOriginRequestMatcher.HTTP_X_REQUESTED_WITH, "XMLHttpRequest");
assertThat(matcher.matches(request)).isTrue();
}
@Test
public void nonJavascriptOriginRequest_EmptyHeader() {
MockHttpServletRequest request = new MockHttpServletRequest();
request.addHeader(JavascriptOriginRequestMatcher.HTTP_X_REQUESTED_WITH, "");
assertThat(matcher.matches(request)).isFalse();
}
@Test
public void nonJavascriptOriginRequest_NotSetHeader() {
MockHttpServletRequest request = new MockHttpServletRequest();
assertThat(matcher.matches(request)).isFalse();
}
}