Rob Winch
Joe Grandja
parent
f363c62afd
commit
602bb457b8
|
|
@ -15,14 +15,14 @@
|
|||
*/
|
||||
package org.springframework.security.test.web.servlet.setup;
|
||||
|
||||
import javax.servlet.Filter;
|
||||
|
||||
import org.springframework.security.config.BeanIds;
|
||||
import org.springframework.test.web.servlet.request.RequestPostProcessor;
|
||||
import org.springframework.test.web.servlet.setup.ConfigurableMockMvcBuilder;
|
||||
import org.springframework.test.web.servlet.setup.MockMvcConfigurerAdapter;
|
||||
import org.springframework.web.context.WebApplicationContext;
|
||||
|
||||
import javax.servlet.Filter;
|
||||
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.testSecurityContext;
|
||||
|
||||
/**
|
||||
|
|
@ -54,18 +54,20 @@ final class SecurityMockMvcConfigurer extends MockMvcConfigurerAdapter {
|
|||
public RequestPostProcessor beforeMockMvcCreated(
|
||||
ConfigurableMockMvcBuilder<?> builder, WebApplicationContext context) {
|
||||
String securityBeanId = BeanIds.SPRING_SECURITY_FILTER_CHAIN;
|
||||
if (springSecurityFilterChain == null && context.containsBean(securityBeanId)) {
|
||||
springSecurityFilterChain = context.getBean(securityBeanId, Filter.class);
|
||||
if (this.springSecurityFilterChain == null
|
||||
&& context.containsBean(securityBeanId)) {
|
||||
this.springSecurityFilterChain = context.getBean(securityBeanId,
|
||||
Filter.class);
|
||||
}
|
||||
|
||||
if (springSecurityFilterChain == null) {
|
||||
if (this.springSecurityFilterChain == null) {
|
||||
throw new IllegalStateException(
|
||||
"springSecurityFilterChain cannot be null. Ensure a Bean with the name "
|
||||
+ securityBeanId
|
||||
+ " implementing Filter is present or inject the Filter to be used.");
|
||||
}
|
||||
|
||||
builder.addFilters(springSecurityFilterChain);
|
||||
builder.addFilters(this.springSecurityFilterChain);
|
||||
|
||||
return testSecurityContext();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -123,13 +123,14 @@ public abstract class WebTestUtils {
|
|||
Filter springSecurityFilterChain = null;
|
||||
try {
|
||||
springSecurityFilterChain = webApplicationContext.getBean(
|
||||
AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME, Filter.class);
|
||||
AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME,
|
||||
Filter.class);
|
||||
}
|
||||
catch (NoSuchBeanDefinitionException notFound) {
|
||||
return null;
|
||||
}
|
||||
List<Filter> filters = (List<Filter>) ReflectionTestUtils.invokeMethod(
|
||||
springSecurityFilterChain, "getFilters", request);
|
||||
List<Filter> filters = (List<Filter>) ReflectionTestUtils
|
||||
.invokeMethod(springSecurityFilterChain, "getFilters", request);
|
||||
if (filters == null) {
|
||||
return null;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,12 +15,6 @@
|
|||
*/
|
||||
package org.springframework.security.test.web.servlet.request;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
|
||||
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
|
|
@ -52,6 +46,12 @@ import org.springframework.web.bind.annotation.RestController;
|
|||
import org.springframework.web.context.WebApplicationContext;
|
||||
import org.springframework.web.filter.OncePerRequestFilter;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
|
||||
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||
|
||||
@RunWith(SpringJUnit4ClassRunner.class)
|
||||
@ContextConfiguration
|
||||
@WebAppConfiguration
|
||||
|
|
@ -63,52 +63,64 @@ public class SecurityMockMvcRequestPostProcessorsCsrfTests {
|
|||
|
||||
@Before
|
||||
public void setup() {
|
||||
mockMvc = MockMvcBuilders
|
||||
.webAppContextSetup(wac)
|
||||
.apply(springSecurity())
|
||||
// @formatter:off
|
||||
this.mockMvc = MockMvcBuilders
|
||||
.webAppContextSetup(this.wac)
|
||||
.apply(springSecurity())
|
||||
.build();
|
||||
// @formatter:on
|
||||
.build();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void csrfWithParam() throws Exception {
|
||||
mockMvc.perform(post("/").with(csrf()))
|
||||
// @formatter:off
|
||||
this.mockMvc.perform(post("/").with(csrf()))
|
||||
.andExpect(status().is2xxSuccessful())
|
||||
.andExpect(csrfAsParam());
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void csrfWithHeader() throws Exception {
|
||||
mockMvc.perform(post("/").with(csrf().asHeader()))
|
||||
// @formatter:off
|
||||
this.mockMvc.perform(post("/").with(csrf().asHeader()))
|
||||
.andExpect(status().is2xxSuccessful())
|
||||
.andExpect(csrfAsHeader());
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void csrfWithInvalidParam() throws Exception {
|
||||
mockMvc.perform(post("/").with(csrf().useInvalidToken()))
|
||||
.andExpect(status().isForbidden())
|
||||
.andExpect(csrfAsParam());
|
||||
// @formatter:off
|
||||
this.mockMvc.perform(post("/").with(csrf().useInvalidToken()))
|
||||
.andExpect(status().isForbidden())
|
||||
.andExpect(csrfAsParam());
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void csrfWithInvalidHeader() throws Exception {
|
||||
mockMvc.perform(post("/").with(csrf().asHeader().useInvalidToken()))
|
||||
// @formatter:off
|
||||
this.mockMvc.perform(post("/").with(csrf().asHeader().useInvalidToken()))
|
||||
.andExpect(status().isForbidden())
|
||||
.andExpect(csrfAsHeader());
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
// SEC-3097
|
||||
@Test
|
||||
public void csrfWithWrappedRequest() throws Exception {
|
||||
mockMvc = MockMvcBuilders
|
||||
.webAppContextSetup(wac)
|
||||
// @formatter:off
|
||||
this.mockMvc = MockMvcBuilders
|
||||
.webAppContextSetup(this.wac)
|
||||
.addFilter(new SessionRepositoryFilter())
|
||||
.apply(springSecurity())
|
||||
.build();
|
||||
|
||||
mockMvc.perform(post("/").with(csrf()))
|
||||
this.mockMvc.perform(post("/").with(csrf()))
|
||||
.andExpect(status().is2xxSuccessful())
|
||||
.andExpect(csrfAsParam());
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
public static ResultMatcher csrfAsParam() {
|
||||
|
|
@ -117,6 +129,7 @@ public class SecurityMockMvcRequestPostProcessorsCsrfTests {
|
|||
|
||||
static class CsrfParamResultMatcher implements ResultMatcher {
|
||||
|
||||
@Override
|
||||
public void match(MvcResult result) throws Exception {
|
||||
MockHttpServletRequest request = result.getRequest();
|
||||
assertThat(request.getParameter("_csrf")).isNotNull();
|
||||
|
|
@ -130,6 +143,7 @@ public class SecurityMockMvcRequestPostProcessorsCsrfTests {
|
|||
|
||||
static class CsrfHeaderResultMatcher implements ResultMatcher {
|
||||
|
||||
@Override
|
||||
public void match(MvcResult result) throws Exception {
|
||||
MockHttpServletRequest request = result.getRequest();
|
||||
assertThat(request.getParameter("_csrf")).isNull();
|
||||
|
|
@ -140,9 +154,10 @@ public class SecurityMockMvcRequestPostProcessorsCsrfTests {
|
|||
static class SessionRepositoryFilter extends OncePerRequestFilter {
|
||||
|
||||
@Override
|
||||
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
|
||||
throws ServletException, IOException {
|
||||
filterChain.doFilter(new SessionRequestWrapper(request) , response);
|
||||
protected void doFilterInternal(HttpServletRequest request,
|
||||
HttpServletResponse response, FilterChain filterChain)
|
||||
throws ServletException, IOException {
|
||||
filterChain.doFilter(new SessionRequestWrapper(request), response);
|
||||
}
|
||||
|
||||
static class SessionRequestWrapper extends HttpServletRequestWrapper {
|
||||
|
|
@ -154,12 +169,12 @@ public class SecurityMockMvcRequestPostProcessorsCsrfTests {
|
|||
|
||||
@Override
|
||||
public HttpSession getSession(boolean create) {
|
||||
return session;
|
||||
return this.session;
|
||||
}
|
||||
|
||||
@Override
|
||||
public HttpSession getSession() {
|
||||
return session;
|
||||
return this.session;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,15 +15,16 @@
|
|||
*/
|
||||
package org.springframework.security.test.web.servlet.setup;
|
||||
|
||||
import javax.servlet.Filter;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.runners.MockitoJUnitRunner;
|
||||
|
||||
import org.springframework.test.web.servlet.setup.ConfigurableMockMvcBuilder;
|
||||
import org.springframework.web.context.WebApplicationContext;
|
||||
|
||||
import javax.servlet.Filter;
|
||||
|
||||
import static org.mockito.Matchers.anyString;
|
||||
import static org.mockito.Matchers.eq;
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
|
@ -36,18 +37,18 @@ public class SecurityMockMvcConfigurerTests {
|
|||
@Mock
|
||||
private Filter beanFilter;
|
||||
@Mock
|
||||
private ConfigurableMockMvcBuilder builder;
|
||||
private ConfigurableMockMvcBuilder<?> builder;
|
||||
@Mock
|
||||
private WebApplicationContext context;
|
||||
|
||||
@Test
|
||||
public void beforeMockMvcCreatedOverrideBean() throws Exception {
|
||||
returnFilterBean();
|
||||
SecurityMockMvcConfigurer configurer = new SecurityMockMvcConfigurer(filter);
|
||||
SecurityMockMvcConfigurer configurer = new SecurityMockMvcConfigurer(this.filter);
|
||||
|
||||
configurer.beforeMockMvcCreated(builder, context);
|
||||
configurer.beforeMockMvcCreated(this.builder, this.context);
|
||||
|
||||
verify(builder).addFilters(filter);
|
||||
verify(this.builder).addFilters(this.filter);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
@ -55,29 +56,30 @@ public class SecurityMockMvcConfigurerTests {
|
|||
returnFilterBean();
|
||||
SecurityMockMvcConfigurer configurer = new SecurityMockMvcConfigurer();
|
||||
|
||||
configurer.beforeMockMvcCreated(builder, context);
|
||||
configurer.beforeMockMvcCreated(this.builder, this.context);
|
||||
|
||||
verify(builder).addFilters(beanFilter);
|
||||
verify(this.builder).addFilters(this.beanFilter);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void beforeMockMvcCreatedNoBean() throws Exception {
|
||||
SecurityMockMvcConfigurer configurer = new SecurityMockMvcConfigurer(filter);
|
||||
SecurityMockMvcConfigurer configurer = new SecurityMockMvcConfigurer(this.filter);
|
||||
|
||||
configurer.beforeMockMvcCreated(builder, context);
|
||||
configurer.beforeMockMvcCreated(this.builder, this.context);
|
||||
|
||||
verify(builder).addFilters(filter);
|
||||
verify(this.builder).addFilters(this.filter);
|
||||
}
|
||||
|
||||
@Test(expected = IllegalStateException.class)
|
||||
public void beforeMockMvcCreatedNoFilter() throws Exception {
|
||||
SecurityMockMvcConfigurer configurer = new SecurityMockMvcConfigurer();
|
||||
|
||||
configurer.beforeMockMvcCreated(builder, context);
|
||||
configurer.beforeMockMvcCreated(this.builder, this.context);
|
||||
}
|
||||
|
||||
private void returnFilterBean() {
|
||||
when(context.containsBean(anyString())).thenReturn(true);
|
||||
when(context.getBean(anyString(), eq(Filter.class))).thenReturn(beanFilter);
|
||||
when(this.context.containsBean(anyString())).thenReturn(true);
|
||||
when(this.context.getBean(anyString(), eq(Filter.class)))
|
||||
.thenReturn(this.beanFilter);
|
||||
}
|
||||
}
|
||||
|
|
@ -15,16 +15,13 @@
|
|||
*/
|
||||
package org.springframework.security.test.web.support;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.springframework.security.test.web.support.WebTestUtils.getCsrfTokenRepository;
|
||||
import static org.springframework.security.test.web.support.WebTestUtils.getSecurityContextRepository;
|
||||
|
||||
import org.junit.After;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.runners.MockitoJUnitRunner;
|
||||
|
||||
import org.springframework.context.ConfigurableApplicationContext;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
|
|
@ -39,6 +36,10 @@ import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
|
|||
import org.springframework.web.context.WebApplicationContext;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.springframework.security.test.web.support.WebTestUtils.getCsrfTokenRepository;
|
||||
import static org.springframework.security.test.web.support.WebTestUtils.getSecurityContextRepository;
|
||||
|
||||
@RunWith(MockitoJUnitRunner.class)
|
||||
public class WebTestUtilsTests {
|
||||
@Mock
|
||||
|
|
@ -51,72 +52,72 @@ public class WebTestUtilsTests {
|
|||
|
||||
@Before
|
||||
public void setup() {
|
||||
request = new MockHttpServletRequest();
|
||||
this.request = new MockHttpServletRequest();
|
||||
}
|
||||
|
||||
@After
|
||||
public void cleanup() {
|
||||
if (context != null) {
|
||||
context.close();
|
||||
if (this.context != null) {
|
||||
this.context.close();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getCsrfTokenRepositorytNoWac() {
|
||||
assertThat(getCsrfTokenRepository(request)).isInstanceOf(
|
||||
HttpSessionCsrfTokenRepository.class);
|
||||
assertThat(getCsrfTokenRepository(this.request))
|
||||
.isInstanceOf(HttpSessionCsrfTokenRepository.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getCsrfTokenRepositorytNoSecurity() {
|
||||
loadConfig(Config.class);
|
||||
assertThat(getCsrfTokenRepository(request)).isInstanceOf(
|
||||
HttpSessionCsrfTokenRepository.class);
|
||||
assertThat(getCsrfTokenRepository(this.request))
|
||||
.isInstanceOf(HttpSessionCsrfTokenRepository.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getCsrfTokenRepositorytSecurityNoCsrf() {
|
||||
loadConfig(SecurityNoCsrfConfig.class);
|
||||
assertThat(getCsrfTokenRepository(request)).isInstanceOf(
|
||||
HttpSessionCsrfTokenRepository.class);
|
||||
assertThat(getCsrfTokenRepository(this.request))
|
||||
.isInstanceOf(HttpSessionCsrfTokenRepository.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getCsrfTokenRepositorytSecurityCustomRepo() {
|
||||
CustomSecurityConfig.CONTEXT_REPO = contextRepo;
|
||||
CustomSecurityConfig.CSRF_REPO = csrfRepo;
|
||||
CustomSecurityConfig.CONTEXT_REPO = this.contextRepo;
|
||||
CustomSecurityConfig.CSRF_REPO = this.csrfRepo;
|
||||
loadConfig(CustomSecurityConfig.class);
|
||||
assertThat(getCsrfTokenRepository(request)).isSameAs(csrfRepo);
|
||||
assertThat(getCsrfTokenRepository(this.request)).isSameAs(this.csrfRepo);
|
||||
}
|
||||
|
||||
// getSecurityContextRepository
|
||||
|
||||
@Test
|
||||
public void getSecurityContextRepositoryNoWac() {
|
||||
assertThat(getSecurityContextRepository(request)).isInstanceOf(
|
||||
HttpSessionSecurityContextRepository.class);
|
||||
assertThat(getSecurityContextRepository(this.request))
|
||||
.isInstanceOf(HttpSessionSecurityContextRepository.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getSecurityContextRepositoryNoSecurity() {
|
||||
loadConfig(Config.class);
|
||||
assertThat(getSecurityContextRepository(request)).isInstanceOf(
|
||||
HttpSessionSecurityContextRepository.class);
|
||||
assertThat(getSecurityContextRepository(this.request))
|
||||
.isInstanceOf(HttpSessionSecurityContextRepository.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getSecurityContextRepositorySecurityNoCsrf() {
|
||||
loadConfig(SecurityNoCsrfConfig.class);
|
||||
assertThat(getSecurityContextRepository(request)).isInstanceOf(
|
||||
HttpSessionSecurityContextRepository.class);
|
||||
assertThat(getSecurityContextRepository(this.request))
|
||||
.isInstanceOf(HttpSessionSecurityContextRepository.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getSecurityContextRepositorySecurityCustomRepo() {
|
||||
CustomSecurityConfig.CONTEXT_REPO = contextRepo;
|
||||
CustomSecurityConfig.CSRF_REPO = csrfRepo;
|
||||
CustomSecurityConfig.CONTEXT_REPO = this.contextRepo;
|
||||
CustomSecurityConfig.CSRF_REPO = this.csrfRepo;
|
||||
loadConfig(CustomSecurityConfig.class);
|
||||
assertThat(getSecurityContextRepository(request)).isSameAs(contextRepo);
|
||||
assertThat(getSecurityContextRepository(this.request)).isSameAs(this.contextRepo);
|
||||
}
|
||||
|
||||
// gh-3343
|
||||
|
|
@ -124,7 +125,8 @@ public class WebTestUtilsTests {
|
|||
public void findFilterNoMatchingFilters() {
|
||||
loadConfig(PartialSecurityConfig.class);
|
||||
|
||||
assertThat(WebTestUtils.findFilter(request, SecurityContextPersistenceFilter.class)).isNull();
|
||||
assertThat(WebTestUtils.findFilter(this.request,
|
||||
SecurityContextPersistenceFilter.class)).isNull();
|
||||
}
|
||||
|
||||
private void loadConfig(Class<?> config) {
|
||||
|
|
@ -132,7 +134,7 @@ public class WebTestUtilsTests {
|
|||
context.register(config);
|
||||
context.refresh();
|
||||
this.context = context;
|
||||
request.getServletContext().setAttribute(
|
||||
this.request.getServletContext().setAttribute(
|
||||
WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE, context);
|
||||
}
|
||||
|
||||
|
|
@ -167,8 +169,6 @@ public class WebTestUtilsTests {
|
|||
// @formatter:on
|
||||
}
|
||||
|
||||
|
||||
|
||||
@EnableWebSecurity
|
||||
static class PartialSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue