SEC-1878: Added test to ensure that DefaultFilterChainValidator can handle web expressions

2025-09-08 20:51:41 +00:00 · 2011-12-28 12:50:06 -06:00 · 2011-12-28 12:50:06 -06:00 · 863b36962b
commit 863b36962b
parent bbfb3da9c7
1 changed files with 101 additions and 0 deletions
--- a/config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java
@ -0,0 +1,101 @@
 /*
 * Copyright 2011 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
 * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */
 package org.springframework.security.config.http;
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.anyObject;
 import static org.mockito.Matchers.contains;
 import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.verify;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import org.apache.commons.logging.Log;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.internal.util.reflection.Whitebox;
 import org.mockito.runners.MockitoJUnitRunner;
 import org.springframework.security.access.AccessDecisionManager;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.memory.UserAttribute;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.access.ExceptionTranslationFilter;
 import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.access.intercept.RequestKey;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.security.web.util.AntUrlPathMatcher;
 /**
 *
 * @author Rob Winch
 */
@RunWith(MockitoJUnitRunner.class)
 public class DefaultFilterChainValidatorTests {
    private DefaultFilterChainValidator validator;
    private FilterChainProxy fcp;
    @Mock
    private Log logger;
    @Mock
    private AccessDecisionManager accessDecisionManager;
    @SuppressWarnings({"unchecked","rawtypes"})
    @Before
    public void setUp() throws Exception {
        AntUrlPathMatcher matcher = new AntUrlPathMatcher();
        LinkedHashMap<RequestKey, Collection<ConfigAttribute>> requestMap = new LinkedHashMap<RequestKey, Collection<ConfigAttribute>>();
        requestMap.put(new RequestKey("/login"), Collections.<ConfigAttribute>emptyList());
        DefaultFilterInvocationSecurityMetadataSource metadataSource = new DefaultFilterInvocationSecurityMetadataSource(matcher,requestMap);
        AnonymousAuthenticationFilter aaf = new AnonymousAuthenticationFilter();
        aaf.setKey("anonymous");
        UserAttribute userAttribute = new UserAttribute();
        userAttribute.setAuthorities(AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        userAttribute.setPassword("password");
        aaf.setUserAttribute(userAttribute);
        FilterSecurityInterceptor fsi = new FilterSecurityInterceptor();
        fsi.setAccessDecisionManager(accessDecisionManager);
        fsi.setSecurityMetadataSource(metadataSource);
        LoginUrlAuthenticationEntryPoint authenticationEntryPoint = new LoginUrlAuthenticationEntryPoint();
        authenticationEntryPoint.setLoginFormUrl("/login");
        ExceptionTranslationFilter etf = new ExceptionTranslationFilter();
        etf.setAuthenticationEntryPoint(authenticationEntryPoint);
        Map filterChainMap = new HashMap();
        filterChainMap.put("/**",Arrays.asList(aaf,etf,fsi));
        fcp = new FilterChainProxy();
        fcp.setFilterChainMap(filterChainMap);
        fcp.setMatcher(matcher);
        validator = new DefaultFilterChainValidator();
        Whitebox.setInternalState(validator, "logger", logger);
    }
    // Ensure SEC-1878 does not occur later
    @SuppressWarnings("unchecked")
    @Test
    public void validateCheckLoginPageIsntProtectedThrowsIllegalArgumentException() {
        IllegalArgumentException toBeThrown = new IllegalArgumentException("failed to eval expression");
        doThrow(toBeThrown).when(accessDecisionManager).decide(any(Authentication.class), anyObject(), any(Collection.class));
        validator.validate(fcp);
        verify(logger).warn(contains(toBeThrown.toString()));
    }
 }