Additional test classes for authentication and logout success/failure handling.

web/src/main/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandler.java

@@ -22,7 +22,7 @@ import org.springframework.util.Assert;
  * If the property has not been set it will send a 401 response to the client, with the error message from the
  * <tt>AuthenticationException</tt> which caused the failure.
  * <p>
- * If the <tt>forwardToDestination</tt> parameter is set, a <tt>RequestDispatcher.forward</tt> call will be made to
+ * If the {@code useForward} property is set, a {@code RequestDispatcher.forward} call will be made to
  * the destination instead of a redirect.
  *
  * @author Luke Taylor

web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java

@@ -15,7 +15,8 @@
 
 package org.springframework.security.web.authentication;
 
-import static org.mockito.Mockito.*;
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.mock;
 
 import java.io.IOException;
 import java.util.Properties;
@@ -30,8 +31,9 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
-import junit.framework.TestCase;
+import org.junit.After;
-
+import org.junit.Before;
+import org.junit.Test;
 import org.springframework.mock.web.MockFilterConfig;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
@@ -44,10 +46,6 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.PortResolverImpl;
-import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
-import org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler;
-import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
-import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.savedrequest.DefaultSavedRequest;
@@ -57,9 +55,10 @@ import org.springframework.security.web.savedrequest.DefaultSavedRequest;
  * Tests {@link AbstractAuthenticationProcessingFilter}.
  *
  * @author Ben Alex
+ * @author Luke Taylor
  */
 @SuppressWarnings("deprecation")
-public class AbstractAuthenticationProcessingFilterTests extends TestCase {
+public class AbstractAuthenticationProcessingFilterTests {
     SavedRequestAwareAuthenticationSuccessHandler successHandler;
     SimpleUrlAuthenticationFailureHandler failureHandler;
     //~ Methods ========================================================================================================
@@ -105,8 +104,8 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
 //        return new DefaultSavedRequest(request, new PortResolverImpl());
 //    }
 
-    protected void setUp() throws Exception {
+    @Before
-        super.setUp();
+    public void setUp() throws Exception {
         successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
         successHandler.setDefaultTargetUrl("/logged_in.jsp");
         failureHandler = new SimpleUrlAuthenticationFailureHandler();
@@ -114,11 +113,12 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
         SecurityContextHolder.clearContext();
     }
 
-    protected void tearDown() throws Exception {
+    @After
-        super.tearDown();
+    public void tearDown() throws Exception {
         SecurityContextHolder.clearContext();
     }
 
+    @Test
     public void testDefaultProcessesFilterUrlMatchesWithPathParameter() {
         MockHttpServletRequest request = createMockRequest();
         MockHttpServletResponse response = new MockHttpServletResponse();
@@ -129,6 +129,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
         assertTrue(filter.requiresAuthentication(request, response));
     }
 
+    @Test
     public void testFailedAuthenticationRedirectsAppropriately() throws Exception {
         // Setup our HTTP request
         MockHttpServletRequest request = createMockRequest();
@@ -166,6 +167,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
         assertNull(SecurityContextHolder.getContext().getAuthentication());
     }
 
+    @Test
     public void testFilterProcessesUrlVariationsRespected() throws Exception {
         // Setup our HTTP request
         MockHttpServletRequest request = createMockRequest();
@@ -191,6 +193,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
         assertEquals("test", SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString());
     }
 
+    @Test
     public void testGettersSetters() throws Exception {
         AbstractAuthenticationProcessingFilter filter = new MockAuthenticationFilter();
         filter.setAuthenticationManager(mock(AuthenticationManager.class));
@@ -204,6 +207,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
         assertEquals("/p", filter.getFilterProcessesUrl());
     }
 
+    @Test
     public void testIgnoresAnyServletPathOtherThanFilterProcessesUrl() throws Exception {
         // Setup our HTTP request
         MockHttpServletRequest request = createMockRequest();
@@ -224,6 +228,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
         executeFilterInContainerSimulator(config, filter, request, response, chain);
     }
 
+    @Test
     public void testNormalOperationWithDefaultFilterProcessesUrl() throws Exception {
         // Setup our HTTP request
         MockHttpServletRequest request = createMockRequest();
@@ -255,6 +260,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
         assertEquals(sessionPreAuth, request.getSession());
     }
 
+    @Test
     public void testStartupDetectsInvalidAuthenticationManager() throws Exception {
         AbstractAuthenticationProcessingFilter filter = new MockAuthenticationFilter();
         filter.setAuthenticationFailureHandler(failureHandler);
@@ -270,6 +276,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
         }
     }
 
+    @Test
     public void testStartupDetectsInvalidFilterProcessesUrl() throws Exception {
         AbstractAuthenticationProcessingFilter filter = new MockAuthenticationFilter();
         filter.setAuthenticationFailureHandler(failureHandler);
@@ -285,6 +292,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
         }
     }
 
+    @Test
     public void testSuccessLoginThenFailureLoginResultsInSessionLosingToken() throws Exception {
         // Setup our HTTP request
         MockHttpServletRequest request = createMockRequest();
@@ -323,6 +331,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
         assertNull(SecurityContextHolder.getContext().getAuthentication());
     }
 
+    @Test
     public void testSuccessfulAuthenticationButWithAlwaysUseDefaultTargetUrlCausesRedirectToDefaultTargetUrl()
             throws Exception {
         // Setup our HTTP request
@@ -349,6 +358,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
         assertNotNull(SecurityContextHolder.getContext().getAuthentication());
     }
 
+    @Test
     public void testSuccessfulAuthenticationCausesRedirectToSessionSpecifiedUrl() throws Exception {
         // Setup our HTTP request
         MockHttpServletRequest request = createMockRequest();
@@ -374,6 +384,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
     /**
      * SEC-297 fix.
      */
+    @Test
     public void testFullDefaultTargetUrlDoesNotHaveContextPathPrepended() throws Exception {
         MockHttpServletRequest request = createMockRequest();
         MockFilterConfig config = new MockFilterConfig(null, null);
@@ -395,6 +406,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
     /**
      * SEC-571
      */
+    @Test
     public void testNoSessionIsCreatedIfAllowSessionCreationIsFalse() throws Exception {
         MockHttpServletRequest request = createMockRequest();
 
@@ -404,7 +416,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
 
         // Reject authentication, so exception would normally be stored in session
         MockAuthenticationFilter filter = new MockAuthenticationFilter(false);
-        filter.setAllowSessionCreation(false);
+        failureHandler.setAllowSessionCreation(false);
         filter.setAuthenticationFailureHandler(failureHandler);
         successHandler.setDefaultTargetUrl("http://monkeymachine.co.uk/");
         filter.setAuthenticationSuccessHandler(successHandler);
@@ -417,6 +429,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
     /**
      * SEC-462
      */
+    @Test
     public void testLoginErrorWithNoFailureUrlSendsUnauthorizedStatus() throws Exception {
         MockHttpServletRequest request = createMockRequest();
 
@@ -436,6 +449,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
     /**
      * SEC-462
      */
+    @Test
     public void testServerSideRedirectForwardsToFailureUrl() throws Exception {
         MockHttpServletRequest request = createMockRequest();
 
@@ -458,6 +472,7 @@ public class AbstractAuthenticationProcessingFilterTests extends TestCase {
     /**
      * SEC-213
      */
+    @Test
     public void testTargetUrlParameterIsUsedIfPresent() throws Exception {
         MockHttpServletRequest request = createMockRequest();
         request.setParameter("targetUrl", "/target");

web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandlerTests.java

@@ -0,0 +1,76 @@
+package org.springframework.security.web.authentication;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.mock;
+
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.RedirectStrategy;
+import org.springframework.security.web.WebAttributes;
+
+/**
+ *
+ * @author Luke Taylor
+ */
+public class SimpleUrlAuthenticationFailureHandlerTests {
+
+    @Test
+    public void error401IsReturnedIfNoUrlIsSet() throws Exception {
+        SimpleUrlAuthenticationFailureHandler afh = new SimpleUrlAuthenticationFailureHandler();
+        RedirectStrategy rs = mock(RedirectStrategy.class);
+        afh.setRedirectStrategy(rs);
+        assertSame(rs, afh.getRedirectStrategy());
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+
+        afh.onAuthenticationFailure(request, response, mock(AuthenticationException.class));
+        assertEquals(401, response.getStatus());
+    }
+
+    @Test
+    public void exceptionIsSavedToSessionOnRedirect() throws Exception {
+        SimpleUrlAuthenticationFailureHandler afh = new SimpleUrlAuthenticationFailureHandler();
+        afh.setDefaultFailureUrl("/target");
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+
+        AuthenticationException e = mock(AuthenticationException.class);
+
+        afh.onAuthenticationFailure(request, response, e);
+        assertSame(e, request.getSession().getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION));
+        assertEquals("/target", response.getRedirectedUrl());
+    }
+
+    @Test
+    public void exceptionIsNotSavedIfAllowSessionCreationIsFalse() throws Exception {
+        SimpleUrlAuthenticationFailureHandler afh = new SimpleUrlAuthenticationFailureHandler("/target");
+        afh.setAllowSessionCreation(false);
+        assertFalse(afh.isAllowSessionCreation());
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+
+        afh.onAuthenticationFailure(request, response, mock(AuthenticationException.class));
+        assertNull(request.getSession(false));
+    }
+
+    @Test
+    public void responseIsForwardedIfUseForwardIsTrue() throws Exception {
+        SimpleUrlAuthenticationFailureHandler afh = new SimpleUrlAuthenticationFailureHandler("/target");
+        afh.setUseForward(true);
+        assertTrue(afh.isUseForward());
+
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        AuthenticationException e = mock(AuthenticationException.class);
+
+        afh.onAuthenticationFailure(request, response, e);
+        assertNull(request.getSession(false));
+        assertNull(response.getRedirectedUrl());
+        assertEquals("/target", response.getForwardedUrl());
+        // Request scope should be used for forward
+        assertSame(e, request.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION));
+    }
+
+}

web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java

@@ -0,0 +1,29 @@
+package org.springframework.security.web.authentication;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.*;
+
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.core.Authentication;
+
+/**
+ *
+ * @author Luke Taylor
+ */
+public class SimpleUrlAuthenticationSuccessHandlerTests {
+
+    // SEC-1428
+    @Test
+    public void redirectIsNotPerformedIfResponseIsCommitted() throws Exception {
+        SimpleUrlAuthenticationSuccessHandler ash = new SimpleUrlAuthenticationSuccessHandler("/target");
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        response.setCommitted(true);
+
+        ash.onAuthenticationSuccess(request, response, mock(Authentication.class));
+        assertNull(response.getRedirectedUrl());
+    }
+
+}

web/src/test/java/org/springframework/security/web/authentication/logout/SimpleUrlLogoutSuccessHandlerTests.java

@@ -0,0 +1,29 @@
+package org.springframework.security.web.authentication.logout;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.mock;
+
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.core.Authentication;
+
+/**
+ *
+ * @author Luke Taylor
+ */
+public class SimpleUrlLogoutSuccessHandlerTests {
+
+    @Test
+    public void doesntRedirectIfResponseIsCommitted() throws Exception {
+        SimpleUrlLogoutSuccessHandler lsh = new SimpleUrlLogoutSuccessHandler();
+        lsh.setDefaultTargetUrl("/target");
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        response.setCommitted(true);
+        lsh.onLogoutSuccess(request, response, mock(Authentication.class));
+        assertNull(request.getSession(false));
+        assertNull(response.getRedirectedUrl());
+        assertNull(response.getForwardedUrl());
+    }
+}