
SEC-1354: Added integration tests for combinations of @PreAuthorize and @Secured annotations.

Luke Taylor 15 жил өмнө
parent
commit
4e4242d010

+ 24 - 0
itest/context/src/main/java/org/springframework/security/integration/multiannotation/MultiAnnotationService.java

@@ -0,0 +1,24 @@
+package org.springframework.security.integration.multiannotation;
+
+import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.access.prepost.PreAuthorize;
+
+/**
+ * Allows testing mixing of different annotation types
+ *
+ * @author Luke Taylor
+ */
+public interface MultiAnnotationService {
+
+    @PreAuthorize("denyAll")
+    void preAuthorizeDenyAllMethod();
+
+    @PreAuthorize("hasRole('ROLE_A')")
+    void preAuthorizeHasRoleAMethod();
+
+    @Secured("IS_AUTHENTICATED_ANONYMOUSLY")
+    void securedAnonymousMethod();
+
+    @Secured("ROLE_A")
+    void securedRoleAMethod();
+}
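Review bot: No method in `MultiAnnotationService` carries both `@PreAuthorize` and `@Secured`, so the interface covers the two annotation types side by side on one bean but never stacked on one method. If stacking is out of scope, the class Javadoc should say so, for example `Mixes @PreAuthorize and @Secured on different methods of one bean; no method carries both annotations.` Otherwise a reader could assume from the commit title that the both-on-one-method case is pinned by these tests. That matters because an annotation that is silently ignored in that case could leave an authorization gap.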

+ 17 - 0
itest/context/src/main/java/org/springframework/security/integration/multiannotation/MultiAnnotationServiceImpl.java

@@ -0,0 +1,17 @@
+package org.springframework.security.integration.multiannotation;
+
+public class MultiAnnotationServiceImpl implements MultiAnnotationService {
+
+    public void preAuthorizeDenyAllMethod() {
+    }
+
+    public void preAuthorizeHasRoleAMethod() {
+    }
+
+    public void securedAnonymousMethod() {
+    }
+
+    public void securedRoleAMethod() {
+    }
+
+}

+ 13 - 0
itest/context/src/main/java/org/springframework/security/integration/multiannotation/PreAuthorizeService.java

@@ -0,0 +1,13 @@
+package org.springframework.security.integration.multiannotation;
+
+import org.springframework.security.access.prepost.PreAuthorize;
+
+/**
+ *
+ * @author Luke Taylor
+ */
+public interface PreAuthorizeService {
+
+    @PreAuthorize("hasRole('ROLE_A')")
+    void preAuthorizedMethod();
+}

+ 9 - 0
itest/context/src/main/java/org/springframework/security/integration/multiannotation/PreAuthorizeServiceImpl.java

@@ -0,0 +1,9 @@
+package org.springframework.security.integration.multiannotation;
+
+/**
+ * @author Luke Taylor
+ */
+public class PreAuthorizeServiceImpl implements PreAuthorizeService {
+    public void preAuthorizedMethod() {
+    }
+}

+ 12 - 0
itest/context/src/main/java/org/springframework/security/integration/multiannotation/SecuredService.java

@@ -0,0 +1,12 @@
+package org.springframework.security.integration.multiannotation;
+
+import org.springframework.security.access.annotation.Secured;
+
+/**
+ *
+ * @author Luke Taylor
+ */
+public interface SecuredService {
+    @Secured("ROLE_A")
+    void securedMethod();
+}

+ 10 - 0
itest/context/src/main/java/org/springframework/security/integration/multiannotation/SecuredServiceImpl.java

@@ -0,0 +1,10 @@
+package org.springframework.security.integration.multiannotation;
+
+/**
+ *
+ * @author Luke Taylor
+ */
+public class SecuredServiceImpl implements SecuredService {
+    public void securedMethod() {
+    }
+}

+ 86 - 0
itest/context/src/test/java/org/springframework/security/integration/MultiAnnotationTests.java

@@ -0,0 +1,86 @@
+package org.springframework.security.integration;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.integration.multiannotation.MultiAnnotationService;
+import org.springframework.security.integration.multiannotation.PreAuthorizeService;
+import org.springframework.security.integration.multiannotation.SecuredService;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+/**
+ * @author Luke Taylor
+ */
+@ContextConfiguration(locations={"/multi-sec-annotation-app-context.xml"})
+@RunWith(SpringJUnit4ClassRunner.class)
+public class MultiAnnotationTests {
+    private final TestingAuthenticationToken joe_a = new TestingAuthenticationToken("joe","pass","ROLE_A");
+    private final TestingAuthenticationToken joe_b = new TestingAuthenticationToken("joe","pass","ROLE_B");
+
+    @Autowired
+    MultiAnnotationService service;
+    @Autowired
+    PreAuthorizeService preService;
+    @Autowired
+    SecuredService secService;
+
+    @After
+    @Before
+    public void clearContext() {
+        SecurityContextHolder.clearContext();
+    }
+
+    @Test(expected=AccessDeniedException.class)
+    public void preAuthorizeDeniedIsDenied() {
+        SecurityContextHolder.getContext().setAuthentication(joe_a);
+        service.preAuthorizeDenyAllMethod();
+    }
+
+    @Test(expected=AccessDeniedException.class)
+    public void preAuthorizeRoleAIsDeniedIfRoleMissing() {
+        SecurityContextHolder.getContext().setAuthentication(joe_b);
+        service.preAuthorizeHasRoleAMethod();
+    }
+
+    @Test
+    public void preAuthorizeRoleAIsAllowedIfRolePresent() {
+        SecurityContextHolder.getContext().setAuthentication(joe_a);
+        service.preAuthorizeHasRoleAMethod();
+    }
+
+    @Test
+    public void securedAnonymousIsAllowed() {
+        SecurityContextHolder.getContext().setAuthentication(joe_a);
+        service.securedAnonymousMethod();
+    }
+
+    @Test(expected=AccessDeniedException.class)
+    public void securedRoleAIsDeniedIfRoleMissing() {
+        SecurityContextHolder.getContext().setAuthentication(joe_b);
+        service.securedRoleAMethod();
+    }
+
+    @Test
+    public void securedRoleAIsAllowedIfRolePresent() {
+        SecurityContextHolder.getContext().setAuthentication(joe_a);
+        service.securedRoleAMethod();
+    }
+
+    @Test(expected=AccessDeniedException.class)
+    public void preAuthorizedOnlyServiceDeniesIfRoleMissing() throws Exception {
+        SecurityContextHolder.getContext().setAuthentication(joe_b);
+        preService.preAuthorizedMethod();
+    }
+
+    @Test(expected=AccessDeniedException.class)
+    public void securedOnlyRoleAServiceDeniesIfRoleMissing() throws Exception {
+        SecurityContextHolder.getContext().setAuthentication(joe_b);
+        secService.securedMethod();
+    }
+}
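Review bot: `preService` and `secService` are exercised only on the deny path (`preAuthorizedOnlyServiceDeniesIfRoleMissing`, `securedOnlyRoleAServiceDeniesIfRoleMissing`), so a context that rejected every call to those beans would still pass. Each needs an allow-path test with `joe_a`, as the `service` bean already has. Separately, `securedAnonymousIsAllowed` authenticates as `joe_a`, which holds ROLE_A. Using `joe_b` there would show that the call is permitted by `IS_AUTHENTICATED_ANONYMOUSLY` rather than by the role. The two added tests are below.

```java
    // … unchanged: fields, clearContext() and the existing tests …

    @Test
    public void preAuthorizedOnlyServiceAllowsIfRolePresent() throws Exception {
        SecurityContextHolder.getContext().setAuthentication(joe_a);
        preService.preAuthorizedMethod();
    }

    @Test
    public void securedOnlyRoleAServiceAllowsIfRolePresent() throws Exception {
        SecurityContextHolder.getContext().setAuthentication(joe_a);
        secService.securedMethod();
    }
```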

+ 26 - 0
itest/context/src/test/resources/multi-sec-annotation-app-context.xml

@@ -0,0 +1,26 @@
+<b:beans xmlns="http://www.springframework.org/schema/security"
+    xmlns:b="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:aop="http://www.springframework.org/schema/aop"
+    xmlns:tx="http://www.springframework.org/schema/tx"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+        http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
+        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
+
+    <global-method-security pre-post-annotations="enabled" secured-annotations="enabled" />
+
+    <b:bean class="org.springframework.security.integration.multiannotation.MultiAnnotationServiceImpl"/>
+    <b:bean class="org.springframework.security.integration.multiannotation.PreAuthorizeServiceImpl"/>
+    <b:bean class="org.springframework.security.integration.multiannotation.SecuredServiceImpl"/>
+
+    <authentication-manager>
+        <authentication-provider>
+            <user-service>
+                <user name="bob" password="bobspassword" authorities="ROLE_A,ROLE_B"/>
+            </user-service>
+        </authentication-provider>
+    </authentication-manager>
+
+</b:beans>
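Review bot: The `bob` user in `<user-service>` is not referenced by `MultiAnnotationTests`, which puts `TestingAuthenticationToken` instances straight into the `SecurityContextHolder`. The `<authentication-manager>` block presumably exists only so the namespace configuration loads. A comment above it would make that explicit, for example `<!-- Required for the context to load; tests set the Authentication directly, so this user is never logged in -->`. The `xmlns:aop`, `xmlns:tx` and `xmlns:security` prefixes are declared but no element in the file uses them, so they and the aop schema location can be dropped.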