Use ServletContext in AuthorizationManagerWebInvocationPrivilegeEvaluator
Closes gh-10908
This commit is contained in:
Marcus Da Coregio
parent
67fd46bfa6
commit
6c52c52a68
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -16,6 +16,7 @@
|
|||
|
||||
package org.springframework.security.web.access;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
|
|
@ -23,6 +24,7 @@ import org.springframework.security.authorization.AuthorizationManager;
|
|||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.web.FilterInvocation;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.web.context.ServletContextAware;
|
||||
|
||||
/**
|
||||
* An implementation of {@link WebInvocationPrivilegeEvaluator} which delegates the checks
|
||||
|
|
@ -31,10 +33,13 @@ import org.springframework.util.Assert;
|
|||
* @author Marcus Da Coregio
|
||||
* @since 5.5.5
|
||||
*/
|
||||
public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implements WebInvocationPrivilegeEvaluator {
|
||||
public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
|
||||
implements WebInvocationPrivilegeEvaluator, ServletContextAware {
|
||||
|
||||
private final AuthorizationManager<HttpServletRequest> authorizationManager;
|
||||
|
||||
private ServletContext servletContext;
|
||||
|
||||
public AuthorizationManagerWebInvocationPrivilegeEvaluator(
|
||||
AuthorizationManager<HttpServletRequest> authorizationManager) {
|
||||
Assert.notNull(authorizationManager, "authorizationManager cannot be null");
|
||||
|
|
@ -48,10 +53,15 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implement
|
|||
|
||||
@Override
|
||||
public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
|
||||
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);
|
||||
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
|
||||
AuthorizationDecision decision = this.authorizationManager.check(() -> authentication,
|
||||
filterInvocation.getHttpRequest());
|
||||
return decision == null || decision.isGranted();
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setServletContext(ServletContext servletContext) {
|
||||
this.servletContext = servletContext;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -16,14 +16,17 @@
|
|||
|
||||
package org.springframework.security.web.access;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.ExtendWith;
|
||||
import org.mockito.ArgumentCaptor;
|
||||
import org.mockito.InjectMocks;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.junit.jupiter.MockitoExtension;
|
||||
|
||||
import org.springframework.mock.web.MockServletContext;
|
||||
import org.springframework.security.authentication.TestAuthentication;
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.authorization.AuthorizationManager;
|
||||
|
|
@ -72,4 +75,14 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
|
|||
assertThat(allowed).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
void isAllowedWhenServletContextExistsThenFilterInvocationHasServletContext() {
|
||||
ServletContext servletContext = new MockServletContext();
|
||||
this.privilegeEvaluator.setServletContext(servletContext);
|
||||
this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
|
||||
ArgumentCaptor<HttpServletRequest> captor = ArgumentCaptor.forClass(HttpServletRequest.class);
|
||||
verify(this.authorizationManager).check(any(), captor.capture());
|
||||
assertThat(captor.getValue().getServletContext()).isSameAs(servletContext);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue