Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-1878: DefaultFilterChainValidator properly handles AccessDecisionManager throwing exceptions other than AccessDeniedException

This commit is contained in:
Rob Winch 2011-12-27 14:28:49 -06:00
parent 00936c6b49
commit aabb16912f
2 changed files with 84 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
View File

@ -172,6 +172,10 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
logger.warn("Anonymous access to the login page doesn't appear to be enabled. This is almost certainly " +
"an error. Please check your configuration allows unauthenticated access to the configured " +
"login page. (Simulated access was rejected: " + e + ")");
} catch (Exception e) {
// May happen legitimately if a filter-chain request matcher requires more request data than that provided
// by the dummy request used when creating the filter invocation. See SEC-1878
logger.info("Unable to check access to the login page to determine if anonymous access is allowed. This might be an error, but can happen under normal circumstances.", e);
}
}

80
config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java Normal file
View File

@ -0,0 +1,80 @@
/*
* Copyright 2011 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.config.http;
import static org.mockito.Matchers.any;
import static org.mockito.Matchers.anyObject;
import static org.mockito.Mockito.doThrow;
import static org.mockito.Mockito.verify;
import java.util.Collection;
import org.apache.commons.logging.Log;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.internal.util.reflection.Whitebox;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.AnyRequestMatcher;
/**
*
* @author Rob Winch
*/
@RunWith(MockitoJUnitRunner.class)
public class DefaultFilterChainValidatorTests {
private DefaultFilterChainValidator validator;
private FilterChainProxy fcp;
@Mock
private Log logger;
@Mock
private DefaultFilterInvocationSecurityMetadataSource metadataSource;
@Mock
private AccessDecisionManager accessDecisionManager;
@Before
public void setUp() throws Exception {
AnonymousAuthenticationFilter aaf = new AnonymousAuthenticationFilter("anonymous");
FilterSecurityInterceptor fsi = new FilterSecurityInterceptor();
fsi.setAccessDecisionManager(accessDecisionManager);
fsi.setSecurityMetadataSource(metadataSource);
AuthenticationEntryPoint authenticationEntryPoint = new LoginUrlAuthenticationEntryPoint("/login");
ExceptionTranslationFilter etf = new ExceptionTranslationFilter(authenticationEntryPoint);
DefaultSecurityFilterChain securityChain = new DefaultSecurityFilterChain(new AnyRequestMatcher(),aaf,etf,fsi);
fcp = new FilterChainProxy(securityChain);
validator = new DefaultFilterChainValidator();
Whitebox.setInternalState(validator, "logger", logger);
}
// SEC-1878
@SuppressWarnings("unchecked")
@Test
public void validateCheckLoginPageIsntProtectedThrowsIllegalArgumentException() {
IllegalArgumentException toBeThrown = new IllegalArgumentException("failed to eval expression");
doThrow(toBeThrown).when(accessDecisionManager).decide(any(Authentication.class), anyObject(), any(Collection.class));
validator.validate(fcp);
verify(logger).info("Unable to check access to the login page to determine if anonymous access is allowed. This might be an error, but can happen under normal circumstances.", toBeThrown);
}
}