From 9008a7af1d13da6542ff1322722014364442fb64 Mon Sep 17 00:00:00 2001
From: Andrei Ivanov
Date: Fri, 12 Feb 2016 16:43:29 +0200
Subject: [PATCH] Allow override of SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR

Fixes gh-3697
---
 .../switchuser/SwitchUserFilter.java | 13 ++++-
 .../switchuser/SwitchUserFilterTests.java | 49 +++++++++++++++++++
 2 files changed, 61 insertions(+), 1 deletion(-)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java b/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java
index 52d51fe5bb..aaab14f76c 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java
@@ -123,6 +123,7 @@ public class SwitchUserFilter extends GenericFilterBean implements
 private String targetUrl;
 private String switchFailureUrl;
 private String usernameParameter = SPRING_SECURITY_SWITCH_USERNAME_KEY;
+ private String switchAuthorityRole = ROLE_PREVIOUS_ADMINISTRATOR;
 private SwitchUserAuthorityChanger switchUserAuthorityChanger;
 private UserDetailsService userDetailsService;
 private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();
@@ -319,7 +320,7 @@ public class SwitchUserFilter extends GenericFilterBean implements
 }
 GrantedAuthority switchAuthority = new SwitchUserGrantedAuthority(
- ROLE_PREVIOUS_ADMINISTRATOR, currentAuth);
+ switchAuthorityRole, currentAuth);
 // get the original authorities
 Collection orig = targetUser.getAuthorities();
@@ -527,6 +528,16 @@ public class SwitchUserFilter extends GenericFilterBean implements
 this.usernameParameter = usernameParameter;
 }
+ /**
+ * Allows the role of the switchAuthority to be customized.
+ *
+ * @param switchAuthorityRole the role name. Defaults to {@link #ROLE_PREVIOUS_ADMINISTRATOR}
+ */
+ public void setSwitchAuthorityRole(String switchAuthorityRole) {
+ Assert.notNull(switchAuthorityRole, "switchAuthorityRole cannot be null");
+ this.switchAuthorityRole = switchAuthorityRole;
+ }
+
 /**
 * Strips any content after the ';' in the request URI
 *
diff --git a/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java
index ebee64f07e..75d421933c 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java
@@ -19,6 +19,7 @@ import static org.junit.Assert.*;
 import static org.mockito.Mockito.*;
 import org.junit.*;
+import org.junit.rules.ExpectedException;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.authentication.AccountExpiredException;
@@ -52,6 +53,8 @@ import java.util.*;
 public class SwitchUserFilterTests {
 private final static List ROLES_12 = AuthorityUtils
 .createAuthorityList("ROLE_ONE", "ROLE_TWO");
+ @Rule
+ public ExpectedException thrown = ExpectedException.none();
 @Before
 public void authenticateCurrentUser() {
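Review bot: `setSwitchAuthorityRole` rejects only null, so an empty or whitespace-only role name is accepted and becomes the authority string of the `SwitchUserGrantedAuthority` built in the hunk at line 320; `Assert.hasText(switchAuthorityRole, "switchAuthorityRole cannot be empty")` would reject both cases (the `switchAuthorityRoleCannotBeNull` test's `expectMessage` would then need the new wording). The Javadoc should also tell callers what a custom name implies for authorization: any access rule or expression that matches the default `ROLE_PREVIOUS_ADMINISTRATOR` authority must be changed to the custom name, otherwise a switched session may keep or lose access the rule was meant to control. A suitable addition after the summary sentence would be `Authorization rules that refer to the default {@link #ROLE_PREVIOUS_ADMINISTRATOR} authority must be updated to the custom name; the constant itself is unaffected.`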
@@ -86,6 +89,17 @@ public class SwitchUserFilterTests {
 }
+ private Authentication switchToUserWithAuthorityRole(String name, String switchAuthorityRole) {
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.addParameter(SwitchUserFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, name);
+
+ SwitchUserFilter filter = new SwitchUserFilter();
+ filter.setUserDetailsService(new MockUserDetailsService());
+ filter.setSwitchAuthorityRole(switchAuthorityRole);
+
+ return filter.attemptSwitchUser(request);
+ }
+
 @Test
 public void requiresExitUserMatchesCorrectly() {
 SwitchUserFilter filter = new SwitchUserFilter();
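Review bot: `switchToUserWithAuthorityRole` repeats the request/filter setup of the existing `switchToUser` helper (called from the next hunk, defined outside this one), so the two can drift if the filter wiring changes; assuming `switchToUser(name)` does the same setup without the role, having it delegate as `return switchToUserWithAuthorityRole(name, SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR);` keeps one copy. It is also worth stating in the helper that a null role makes `filter.setSwitchAuthorityRole` throw before `attemptSwitchUser` is reached, e.g. `// a null role fails in the setter; attemptSwitchUser is never called`, since the null test in the later hunk relies on exactly that.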
@@ -412,9 +426,44 @@ public class SwitchUserFilterTests {
 }
 }
+ assertNotNull(switchedFrom);
 assertSame(source, switchedFrom.getSource());
 }
+ // gh-3697
+ @Test
+ public void switchAuthorityRoleCannotBeNull() throws Exception {
+ thrown.expect(IllegalArgumentException.class);
+ thrown.expectMessage("switchAuthorityRole cannot be null");
+ switchToUserWithAuthorityRole("dano", null);
+ }
+
+ // gh-3697
+ @Test
+ public void switchAuthorityRoleCanBeChanged() throws Exception {
+ String switchAuthorityRole = "PREVIOUS_ADMINISTRATOR";
+
+ // original user
+ UsernamePasswordAuthenticationToken source = new UsernamePasswordAuthenticationToken(
+ "orig", "hawaii50", ROLES_12);
+ SecurityContextHolder.getContext().setAuthentication(source);
+ SecurityContextHolder.getContext().setAuthentication(switchToUser("jacklord"));
+ Authentication switched = switchToUserWithAuthorityRole("dano", switchAuthorityRole);
+
+ SwitchUserGrantedAuthority switchedFrom = null;
+
+ for (GrantedAuthority ga : switched.getAuthorities()) {
+ if (ga instanceof SwitchUserGrantedAuthority) {
+ switchedFrom = (SwitchUserGrantedAuthority) ga;
+ break;
+ }
+ }
+
+ assertNotNull(switchedFrom);
+ assertSame(source, switchedFrom.getSource());
+ assertEquals(switchAuthorityRole, switchedFrom.getAuthority());
+ }
+
 // ~ Inner Classes
 // ==================================================================================================
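Review bot: The loop in `switchAuthorityRoleCanBeChanged` stops at the first `SwitchUserGrantedAuthority`, so the test still passes if the switched user is also granted the default `ROLE_PREVIOUS_ADMINISTRATOR` authority next to the custom one, which is the regression this feature is most likely to introduce given the nested switch through `switchToUser("jacklord")` that ran with the default role. Adding `assertFalse(AuthorityUtils.authorityListToSet(switched.getAuthorities()).contains(SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR));` after the existing `assertEquals` pins that only the custom name is present. Both new tests also leave the static `SecurityContextHolder` populated; presumably an `@After` outside this hunk clears it, but that is not visible here. The `assertNotNull(switchedFrom)` added at the top belongs to a test whose body starts outside the hunk.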