diff --git a/web/src/main/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandler.java b/web/src/main/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandler.java index 4ad1a2b046..e6c7a6b46d 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandler.java +++ b/web/src/main/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandler.java @@ -22,7 +22,7 @@ import org.springframework.util.Assert; * If the property has not been set it will send a 401 response to the client, with the error message from the * AuthenticationException which caused the failure. *

- * If the forwardToDestination parameter is set, a RequestDispatcher.forward call will be made to + * If the {@code useForward} property is set, a {@code RequestDispatcher.forward} call will be made to * the destination instead of a redirect. * * @author Luke Taylor diff --git a/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java index e1ad396e8a..5591470b37 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java @@ -15,7 +15,8 @@ package org.springframework.security.web.authentication; -import static org.mockito.Mockito.*; +import static org.junit.Assert.*; +import static org.mockito.Mockito.mock; import java.io.IOException; import java.util.Properties; @@ -30,8 +31,9 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; -import junit.framework.TestCase; - +import org.junit.After; +import org.junit.Before; +import org.junit.Test; import org.springframework.mock.web.MockFilterConfig; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; 
@@ -44,10 +46,6 @@ import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.PortResolverImpl; -import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter; -import org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler; -import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler; -import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler; import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; import org.springframework.security.web.savedrequest.DefaultSavedRequest; @@ -57,9 +55,10 @@ import org.springframework.security.web.savedrequest.DefaultSavedRequest; * Tests {@link AbstractAuthenticationProcessingFilter}. * * @author Ben Alex + * @author Luke Taylor */ @SuppressWarnings("deprecation") -public class AbstractAuthenticationProcessingFilterTests extends TestCase { +public class AbstractAuthenticationProcessingFilterTests { SavedRequestAwareAuthenticationSuccessHandler successHandler; SimpleUrlAuthenticationFailureHandler failureHandler; //~ Methods ======================================================================================================== 
@@ -105,8 +104,8 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { // return new DefaultSavedRequest(request, new PortResolverImpl()); // } - protected void setUp() throws Exception { - super.setUp(); + @Before + public void setUp() throws Exception { successHandler = new SavedRequestAwareAuthenticationSuccessHandler(); successHandler.setDefaultTargetUrl("/logged_in.jsp"); failureHandler = new SimpleUrlAuthenticationFailureHandler(); @@ -114,11 +113,12 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { SecurityContextHolder.clearContext(); } - protected void tearDown() throws Exception { - super.tearDown(); + @After + public void tearDown() throws Exception { SecurityContextHolder.clearContext(); } + @Test public void testDefaultProcessesFilterUrlMatchesWithPathParameter() { MockHttpServletRequest request = createMockRequest(); MockHttpServletResponse response = new MockHttpServletResponse(); @@ -129,6 +129,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { assertTrue(filter.requiresAuthentication(request, response)); } + @Test public void testFailedAuthenticationRedirectsAppropriately() throws Exception { // Setup our HTTP request MockHttpServletRequest request = createMockRequest(); @@ -166,6 +167,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { assertNull(SecurityContextHolder.getContext().getAuthentication()); } + @Test public void testFilterProcessesUrlVariationsRespected() throws Exception { // Setup our HTTP request MockHttpServletRequest request = createMockRequest(); 
@@ -191,6 +193,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { assertEquals("test", SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()); } + @Test public void testGettersSetters() throws Exception { AbstractAuthenticationProcessingFilter filter = new MockAuthenticationFilter(); filter.setAuthenticationManager(mock(AuthenticationManager.class)); @@ -204,6 +207,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { assertEquals("/p", filter.getFilterProcessesUrl()); } + @Test public void testIgnoresAnyServletPathOtherThanFilterProcessesUrl() throws Exception { // Setup our HTTP request MockHttpServletRequest request = createMockRequest(); @@ -224,6 +228,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { executeFilterInContainerSimulator(config, filter, request, response, chain); } + @Test public void testNormalOperationWithDefaultFilterProcessesUrl() throws Exception { // Setup our HTTP request MockHttpServletRequest request = createMockRequest(); @@ -255,6 +260,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { assertEquals(sessionPreAuth, request.getSession()); } + @Test public void testStartupDetectsInvalidAuthenticationManager() throws Exception { AbstractAuthenticationProcessingFilter filter = new MockAuthenticationFilter(); filter.setAuthenticationFailureHandler(failureHandler); @@ -270,6 +276,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { } } + @Test public void testStartupDetectsInvalidFilterProcessesUrl() throws Exception { AbstractAuthenticationProcessingFilter filter = new MockAuthenticationFilter(); filter.setAuthenticationFailureHandler(failureHandler); 
@@ -285,6 +292,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { } } + @Test public void testSuccessLoginThenFailureLoginResultsInSessionLosingToken() throws Exception { // Setup our HTTP request MockHttpServletRequest request = createMockRequest(); @@ -323,6 +331,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { assertNull(SecurityContextHolder.getContext().getAuthentication()); } + @Test public void testSuccessfulAuthenticationButWithAlwaysUseDefaultTargetUrlCausesRedirectToDefaultTargetUrl() throws Exception { // Setup our HTTP request @@ -349,6 +358,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { assertNotNull(SecurityContextHolder.getContext().getAuthentication()); } + @Test public void testSuccessfulAuthenticationCausesRedirectToSessionSpecifiedUrl() throws Exception { // Setup our HTTP request MockHttpServletRequest request = createMockRequest(); @@ -374,6 +384,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { /** * SEC-297 fix. */ + @Test public void testFullDefaultTargetUrlDoesNotHaveContextPathPrepended() throws Exception { MockHttpServletRequest request = createMockRequest(); MockFilterConfig config = new MockFilterConfig(null, null); @@ -395,6 +406,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { /** * SEC-571 */ + @Test public void testNoSessionIsCreatedIfAllowSessionCreationIsFalse() throws Exception { MockHttpServletRequest request = createMockRequest(); 
@@ -404,7 +416,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { // Reject authentication, so exception would normally be stored in session MockAuthenticationFilter filter = new MockAuthenticationFilter(false); - filter.setAllowSessionCreation(false); + failureHandler.setAllowSessionCreation(false); filter.setAuthenticationFailureHandler(failureHandler); successHandler.setDefaultTargetUrl("http://monkeymachine.co.uk/"); filter.setAuthenticationSuccessHandler(successHandler); @@ -417,6 +429,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { /** * SEC-462 */ + @Test public void testLoginErrorWithNoFailureUrlSendsUnauthorizedStatus() throws Exception { MockHttpServletRequest request = createMockRequest(); @@ -436,6 +449,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { /** * SEC-462 */ + @Test public void testServerSideRedirectForwardsToFailureUrl() throws Exception { MockHttpServletRequest request = createMockRequest(); @@ -458,6 +472,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase { /** * SEC-213 */ + @Test public void testTargetUrlParameterIsUsedIfPresent() throws Exception { MockHttpServletRequest request = createMockRequest(); request.setParameter("targetUrl", "/target"); diff --git a/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandlerTests.java new file mode 100644 index 0000000000..95ab3c211a --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandlerTests.java 
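Review bot: In `testNoSessionIsCreatedIfAllowSessionCreationIsFalse` (hunk `@@ -404,7 +416,7 @@`) the flag is now set only on `failureHandler`, so the test no longer shows which object decides whether a failed login may create a session. The removed line shows the filter had its own `setAllowSessionCreation`; if that setter still exists, a deployment that disables session creation only on the filter may still get a session from the handler on every rejected login. I would add a comment above the new line, e.g. `// SEC-571: session creation on failure is controlled by the failure handler`, and, if the filter keeps its flag, a second test that sets only the filter flag. The test body starts and ends outside the hunk, so its assertion is not visible here.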
@@ -0,0 +1,76 @@
+package org.springframework.security.web.authentication;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.mock;
+
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.RedirectStrategy;
+import org.springframework.security.web.WebAttributes;
+
+/**
+ *
+ * @author Luke Taylor
+ */
+public class SimpleUrlAuthenticationFailureHandlerTests {
+
+ @Test
+ public void error401IsReturnedIfNoUrlIsSet() throws Exception {
+ SimpleUrlAuthenticationFailureHandler afh = new SimpleUrlAuthenticationFailureHandler();
+ RedirectStrategy rs = mock(RedirectStrategy.class);
+ afh.setRedirectStrategy(rs);
+ assertSame(rs, afh.getRedirectStrategy());
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletResponse response = new MockHttpServletResponse();
+
+ afh.onAuthenticationFailure(request, response, mock(AuthenticationException.class));
+ assertEquals(401, response.getStatus());
+ }
+
+ @Test
+ public void exceptionIsSavedToSessionOnRedirect() throws Exception {
+ SimpleUrlAuthenticationFailureHandler afh = new SimpleUrlAuthenticationFailureHandler();
+ afh.setDefaultFailureUrl("/target");
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletResponse response = new MockHttpServletResponse();
+
+ AuthenticationException e = mock(AuthenticationException.class);
+
+ afh.onAuthenticationFailure(request, response, e);
+ assertSame(e, request.getSession().getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION));
+ assertEquals("/target", response.getRedirectedUrl());
+ }
+
+ @Test
+ public void exceptionIsNotSavedIfAllowSessionCreationIsFalse() throws Exception {
+ SimpleUrlAuthenticationFailureHandler afh = new SimpleUrlAuthenticationFailureHandler("/target");
+ afh.setAllowSessionCreation(false);
+ assertFalse(afh.isAllowSessionCreation());
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletResponse response = new MockHttpServletResponse();
+
+ afh.onAuthenticationFailure(request, response, mock(AuthenticationException.class));
+ assertNull(request.getSession(false));
+ }
+
+ @Test
+ public void responseIsForwardedIfUseForwardIsTrue() throws Exception {
+ SimpleUrlAuthenticationFailureHandler afh = new SimpleUrlAuthenticationFailureHandler("/target");
+ afh.setUseForward(true);
+ assertTrue(afh.isUseForward());
+
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletResponse response = new MockHttpServletResponse();
+ AuthenticationException e = mock(AuthenticationException.class);
+
+ afh.onAuthenticationFailure(request, response, e);
+ assertNull(request.getSession(false));
+ assertNull(response.getRedirectedUrl());
+ assertEquals("/target", response.getForwardedUrl());
+ // Request scope should be used for forward
+ assertSame(e, request.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION));
+ }
+
+}
diff --git a/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java
new file mode 100644
index 0000000000..c9b6bfbae2
--- /dev/null
+++ b/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java
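Review bot: `exceptionIsNotSavedIfAllowSessionCreationIsFalse` asserts only that no session exists, so a handler that did nothing at all on failure would pass it. Adding `assertEquals("/target", response.getRedirectedUrl());` after `assertNull(request.getSession(false));` pins that the redirect still happens when the exception is not stored. The case where a session already exists and `allowSessionCreation` is false is not covered either; a test for it would document whether the exception is written into an existing session. In `error401IsReturnedIfNoUrlIsSet` the mocked `RedirectStrategy` is never checked after the call, so the test would not notice a redirect being issued alongside the 401.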
@@ -0,0 +1,29 @@
+package org.springframework.security.web.authentication;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.*;
+
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.core.Authentication;
+
+/**
+ *
+ * @author Luke Taylor
+ */
+public class SimpleUrlAuthenticationSuccessHandlerTests {
+
+ // SEC-1428
+ @Test
+ public void redirectIsNotPerformedIfResponseIsCommitted() throws Exception {
+ SimpleUrlAuthenticationSuccessHandler ash = new SimpleUrlAuthenticationSuccessHandler("/target");
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletResponse response = new MockHttpServletResponse();
+ response.setCommitted(true);
+
+ ash.onAuthenticationSuccess(request, response, mock(Authentication.class));
+ assertNull(response.getRedirectedUrl());
+ }
+
+}
diff --git a/web/src/test/java/org/springframework/security/web/authentication/logout/SimpleUrlLogoutSuccessHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/logout/SimpleUrlLogoutSuccessHandlerTests.java
new file mode 100644
index 0000000000..2752f4ca7c
--- /dev/null
+++ b/web/src/test/java/org/springframework/security/web/authentication/logout/SimpleUrlLogoutSuccessHandlerTests.java
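Review bot: `redirectIsNotPerformedIfResponseIsCommitted` is the only test in the new class and it checks only the negative case, so a success handler that never redirects would pass it. A companion test with an uncommitted response, asserting the redirect to `/target`, would make the SEC-1428 test meaningful as a regression guard. The same gap applies to `doesntRedirectIfResponseIsCommitted` in the new `SimpleUrlLogoutSuccessHandlerTests`. The expected URL below assumes the default redirect strategy and the empty context path of `MockHttpServletRequest`, as in the failure-handler tests of this commit.

```java
@Test
public void redirectIsPerformedIfResponseIsNotCommitted() throws Exception {
    SimpleUrlAuthenticationSuccessHandler ash = new SimpleUrlAuthenticationSuccessHandler("/target");
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpServletResponse response = new MockHttpServletResponse();

    ash.onAuthenticationSuccess(request, response, mock(Authentication.class));
    assertEquals("/target", response.getRedirectedUrl());
}
```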
@@ -0,0 +1,29 @@
+package org.springframework.security.web.authentication.logout;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.mock;
+
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.core.Authentication;
+
+/**
+ *
+ * @author Luke Taylor
+ */
+public class SimpleUrlLogoutSuccessHandlerTests {
+
+ @Test
+ public void doesntRedirectIfResponseIsCommitted() throws Exception {
+ SimpleUrlLogoutSuccessHandler lsh = new SimpleUrlLogoutSuccessHandler();
+ lsh.setDefaultTargetUrl("/target");
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletResponse response = new MockHttpServletResponse();
+ response.setCommitted(true);
+ lsh.onLogoutSuccess(request, response, mock(Authentication.class));
+ assertNull(request.getSession(false));
+ assertNull(response.getRedirectedUrl());
+ assertNull(response.getForwardedUrl());
+ }
+}