From 4e4242d01096f268a1f293a94515545dc6f3c8f4 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Wed, 6 Jan 2010 22:23:01 +0000
Subject: [PATCH] SEC-1354: Added integration tests for combinations of @PreAuthorize and @Secured annotations.
---
 .../MultiAnnotationService.java | 24 ++++++
 .../MultiAnnotationServiceImpl.java | 17 ++++
 .../multiannotation/PreAuthorizeService.java | 13 +++
 .../PreAuthorizeServiceImpl.java | 9 ++
 .../multiannotation/SecuredService.java | 12 +++
 .../multiannotation/SecuredServiceImpl.java | 10 +++
 .../integration/MultiAnnotationTests.java | 86 +++++++++++++++++++
 .../multi-sec-annotation-app-context.xml | 26 ++++++
 8 files changed, 197 insertions(+)
 create mode 100644 itest/context/src/main/java/org/springframework/security/integration/multiannotation/MultiAnnotationService.java
 create mode 100644 itest/context/src/main/java/org/springframework/security/integration/multiannotation/MultiAnnotationServiceImpl.java
 create mode 100644 itest/context/src/main/java/org/springframework/security/integration/multiannotation/PreAuthorizeService.java
 create mode 100644 itest/context/src/main/java/org/springframework/security/integration/multiannotation/PreAuthorizeServiceImpl.java
 create mode 100644 itest/context/src/main/java/org/springframework/security/integration/multiannotation/SecuredService.java
 create mode 100644 itest/context/src/main/java/org/springframework/security/integration/multiannotation/SecuredServiceImpl.java
 create mode 100644 itest/context/src/test/java/org/springframework/security/integration/MultiAnnotationTests.java
 create mode 100755 itest/context/src/test/resources/multi-sec-annotation-app-context.xml
diff --git a/itest/context/src/main/java/org/springframework/security/integration/multiannotation/MultiAnnotationService.java b/itest/context/src/main/java/org/springframework/security/integration/multiannotation/MultiAnnotationService.java
new file mode 100644
index 0000000000..0abb3c1744
--- /dev/null
+++ b/itest/context/src/main/java/org/springframework/security/integration/multiannotation/MultiAnnotationService.java
@@ -0,0 +1,24 @@
+package org.springframework.security.integration.multiannotation;
+
+import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.access.prepost.PreAuthorize;
+
+/**
+ * Allows testing mixing of different annotation types
+ *
+ * @author Luke Taylor
+ */
+public interface MultiAnnotationService {
+
+ @PreAuthorize("denyAll")
+ void preAuthorizeDenyAllMethod();
+
+ @PreAuthorize("hasRole('ROLE_A')")
+ void preAuthorizeHasRoleAMethod();
+
+ @Secured("IS_AUTHENTICATED_ANONYMOUSLY")
+ void securedAnonymousMethod();
+
+ @Secured("ROLE_A")
+ void securedRoleAMethod();
+}
diff --git a/itest/context/src/main/java/org/springframework/security/integration/multiannotation/MultiAnnotationServiceImpl.java b/itest/context/src/main/java/org/springframework/security/integration/multiannotation/MultiAnnotationServiceImpl.java
new file mode 100644
index 0000000000..e93122c45a
--- /dev/null
+++ b/itest/context/src/main/java/org/springframework/security/integration/multiannotation/MultiAnnotationServiceImpl.java
@@ -0,0 +1,17 @@
+package org.springframework.security.integration.multiannotation;
+
+public class MultiAnnotationServiceImpl implements MultiAnnotationService {
+
+ public void preAuthorizeDenyAllMethod() {
+ }
+
+ public void preAuthorizeHasRoleAMethod() {
+ }
+
+ public void securedAnonymousMethod() {
+ }
+
+ public void securedRoleAMethod() {
+ }
+
+}
diff --git a/itest/context/src/main/java/org/springframework/security/integration/multiannotation/PreAuthorizeService.java b/itest/context/src/main/java/org/springframework/security/integration/multiannotation/PreAuthorizeService.java
new file mode 100644
index 0000000000..b2cdc42ad7
--- /dev/null
+++ b/itest/context/src/main/java/org/springframework/security/integration/multiannotation/PreAuthorizeService.java
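Review bot: In MultiAnnotationService.java the Javadoc "Allows testing mixing of different annotation types" does not say which kind of mixing the fixture covers. As written, each method carries exactly one of `@PreAuthorize` or `@Secured`, and neither a single method nor the type itself carries both. I would state that in the comment, for example `Mixes @PreAuthorize and @Secured on different methods of one interface; no single method carries both annotations.`, so a reader does not assume the stacked-annotation case is exercised.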
@@ -0,0 +1,13 @@
+package org.springframework.security.integration.multiannotation;
+
+import org.springframework.security.access.prepost.PreAuthorize;
+
+/**
+ *
+ * @author Luke Taylor
+ */
+public interface PreAuthorizeService {
+
+ @PreAuthorize("hasRole('ROLE_A')")
+ void preAuthorizedMethod();
+}
diff --git a/itest/context/src/main/java/org/springframework/security/integration/multiannotation/PreAuthorizeServiceImpl.java b/itest/context/src/main/java/org/springframework/security/integration/multiannotation/PreAuthorizeServiceImpl.java
new file mode 100644
index 0000000000..7cc42809eb
--- /dev/null
+++ b/itest/context/src/main/java/org/springframework/security/integration/multiannotation/PreAuthorizeServiceImpl.java
@@ -0,0 +1,9 @@
+package org.springframework.security.integration.multiannotation;
+
+/**
+ * @author Luke Taylor
+ */
+public class PreAuthorizeServiceImpl implements PreAuthorizeService {
+ public void preAuthorizedMethod() {
+ }
+}
diff --git a/itest/context/src/main/java/org/springframework/security/integration/multiannotation/SecuredService.java b/itest/context/src/main/java/org/springframework/security/integration/multiannotation/SecuredService.java
new file mode 100644
index 0000000000..5b35f3910d
--- /dev/null
+++ b/itest/context/src/main/java/org/springframework/security/integration/multiannotation/SecuredService.java
@@ -0,0 +1,12 @@
+package org.springframework.security.integration.multiannotation;
+
+import org.springframework.security.access.annotation.Secured;
+
+/**
+ *
+ * @author Luke Taylor
+ */
+public interface SecuredService {
+ @Secured("ROLE_A")
+ void securedMethod();
+}
diff --git a/itest/context/src/main/java/org/springframework/security/integration/multiannotation/SecuredServiceImpl.java b/itest/context/src/main/java/org/springframework/security/integration/multiannotation/SecuredServiceImpl.java
new file mode 100644
index 0000000000..33a65d3b89
--- /dev/null
+++ b/itest/context/src/main/java/org/springframework/security/integration/multiannotation/SecuredServiceImpl.java
@@ -0,0 +1,10 @@
+package org.springframework.security.integration.multiannotation;
+
+/**
+ *
+ * @author Luke Taylor
+ */
+public class SecuredServiceImpl implements SecuredService {
+ public void securedMethod() {
+ }
+}
diff --git a/itest/context/src/test/java/org/springframework/security/integration/MultiAnnotationTests.java b/itest/context/src/test/java/org/springframework/security/integration/MultiAnnotationTests.java
new file mode 100644
index 0000000000..f70d8b301a
--- /dev/null
+++ b/itest/context/src/test/java/org/springframework/security/integration/MultiAnnotationTests.java
@@ -0,0 +1,86 @@
+package org.springframework.security.integration;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.integration.multiannotation.MultiAnnotationService;
+import org.springframework.security.integration.multiannotation.PreAuthorizeService;
+import org.springframework.security.integration.multiannotation.SecuredService;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+/**
+ * @author Luke Taylor
+ */
+@ContextConfiguration(locations={"/multi-sec-annotation-app-context.xml"})
+@RunWith(SpringJUnit4ClassRunner.class)
+public class MultiAnnotationTests {
+ private final TestingAuthenticationToken joe_a = new TestingAuthenticationToken("joe","pass","ROLE_A");
+ private final TestingAuthenticationToken joe_b = new TestingAuthenticationToken("joe","pass","ROLE_B");
+
+ @Autowired
+ MultiAnnotationService service;
+ @Autowired
+ PreAuthorizeService preService;
+ @Autowired
+ SecuredService secService;
+
+ @After
+ @Before
+ public void clearContext() {
+ SecurityContextHolder.clearContext();
+ }
+
+ @Test(expected=AccessDeniedException.class)
+ public void preAuthorizeDeniedIsDenied() {
+ SecurityContextHolder.getContext().setAuthentication(joe_a);
+ service.preAuthorizeDenyAllMethod();
+ }
+
+ @Test(expected=AccessDeniedException.class)
+ public void preAuthorizeRoleAIsDeniedIfRoleMissing() {
+ SecurityContextHolder.getContext().setAuthentication(joe_b);
+ service.preAuthorizeHasRoleAMethod();
+ }
+
+ @Test
+ public void preAuthorizeRoleAIsAllowedIfRolePresent() {
+ SecurityContextHolder.getContext().setAuthentication(joe_a);
+ service.preAuthorizeHasRoleAMethod();
+ }
+
+ @Test
+ public void securedAnonymousIsAllowed() {
+ SecurityContextHolder.getContext().setAuthentication(joe_a);
+ service.securedAnonymousMethod();
+ }
+
+ @Test(expected=AccessDeniedException.class)
+ public void securedRoleAIsDeniedIfRoleMissing() {
+ SecurityContextHolder.getContext().setAuthentication(joe_b);
+ service.securedRoleAMethod();
+ }
+
+ @Test
+ public void securedRoleAIsAllowedIfRolePresent() {
+ SecurityContextHolder.getContext().setAuthentication(joe_a);
+ service.securedRoleAMethod();
+ }
+
+ @Test(expected=AccessDeniedException.class)
+ public void preAuthorizedOnlyServiceDeniesIfRoleMissing() throws Exception {
+ SecurityContextHolder.getContext().setAuthentication(joe_b);
+ preService.preAuthorizedMethod();
+ }
+
+ @Test(expected=AccessDeniedException.class)
+ public void securedOnlyRoleAServiceDeniesIfRoleMissing() throws Exception {
+ SecurityContextHolder.getContext().setAuthentication(joe_b);
+ secService.securedMethod();
+ }
+}
diff --git a/itest/context/src/test/resources/multi-sec-annotation-app-context.xml b/itest/context/src/test/resources/multi-sec-annotation-app-context.xml
new file mode 100755
index 0000000000..1cbfbc2d2d
--- /dev/null
+++ b/itest/context/src/test/resources/multi-sec-annotation-app-context.xml
@@ -0,0 +1,26 @@
+ + + + + + + + + + + + + + + + +
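Review bot: In MultiAnnotationTests.java, `preAuthorizedOnlyServiceDeniesIfRoleMissing` and `securedOnlyRoleAServiceDeniesIfRoleMissing` only assert denial for `joe_b`. They would therefore still pass if the context rejected every caller of `PreAuthorizeService` and `SecuredService`, for instance because no voter handles the attribute. Each needs a matching allowed case with `joe_a`, as `MultiAnnotationService` already has; whether those pass depends on the application context XML, whose content is not readable on this page. Separately, `securedAnonymousIsAllowed` authenticates as `joe_a`, who holds ROLE_A, so using `joe_b` there would show the grant does not depend on that role.

```java
// … unchanged: existing deny tests for preService and secService …

@Test
public void preAuthorizedOnlyServiceAllowsIfRolePresent() {
    SecurityContextHolder.getContext().setAuthentication(joe_a);
    preService.preAuthorizedMethod();
}

@Test
public void securedOnlyRoleAServiceAllowsIfRolePresent() {
    SecurityContextHolder.getContext().setAuthentication(joe_a);
    secService.securedMethod();
}
```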