SEC-1878: DefaultFilterChainValidator properly handles AccessDecisionManager throwing exceptions other than AccessDeniedException
This commit is contained in:
Rob Winch
parent
00936c6b49
commit
aabb16912f
|
|
@ -172,6 +172,10 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
|
||||||
logger.warn("Anonymous access to the login page doesn't appear to be enabled. This is almost certainly " +
|
logger.warn("Anonymous access to the login page doesn't appear to be enabled. This is almost certainly " +
|
||||||
"an error. Please check your configuration allows unauthenticated access to the configured " +
|
"an error. Please check your configuration allows unauthenticated access to the configured " +
|
||||||
"login page. (Simulated access was rejected: " + e + ")");
|
"login page. (Simulated access was rejected: " + e + ")");
|
||||||
|
} catch (Exception e) {
|
||||||
|
// May happen legitimately if a filter-chain request matcher requires more request data than that provided
|
||||||
|
// by the dummy request used when creating the filter invocation. See SEC-1878
|
||||||
|
logger.info("Unable to check access to the login page to determine if anonymous access is allowed. This might be an error, but can happen under normal circumstances.", e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,80 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2011 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
|
||||||
|
* the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
|
||||||
|
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.springframework.security.config.http;
|
||||||
|
|
||||||
|
import static org.mockito.Matchers.any;
|
||||||
|
import static org.mockito.Matchers.anyObject;
|
||||||
|
import static org.mockito.Mockito.doThrow;
|
||||||
|
import static org.mockito.Mockito.verify;
|
||||||
|
|
||||||
|
import java.util.Collection;
|
||||||
|
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.junit.Before;
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.junit.runner.RunWith;
|
||||||
|
import org.mockito.Mock;
|
||||||
|
import org.mockito.internal.util.reflection.Whitebox;
|
||||||
|
import org.mockito.runners.MockitoJUnitRunner;
|
||||||
|
import org.springframework.security.access.AccessDecisionManager;
|
||||||
|
import org.springframework.security.core.Authentication;
|
||||||
|
import org.springframework.security.web.AuthenticationEntryPoint;
|
||||||
|
import org.springframework.security.web.DefaultSecurityFilterChain;
|
||||||
|
import org.springframework.security.web.FilterChainProxy;
|
||||||
|
import org.springframework.security.web.access.ExceptionTranslationFilter;
|
||||||
|
import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
|
||||||
|
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
|
||||||
|
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
|
||||||
|
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
|
||||||
|
import org.springframework.security.web.util.AnyRequestMatcher;
|
||||||
|
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* @author Rob Winch
|
||||||
|
*/
|
||||||
|
@RunWith(MockitoJUnitRunner.class)
|
||||||
|
public class DefaultFilterChainValidatorTests {
|
||||||
|
private DefaultFilterChainValidator validator;
|
||||||
|
private FilterChainProxy fcp;
|
||||||
|
@Mock
|
||||||
|
private Log logger;
|
||||||
|
@Mock
|
||||||
|
private DefaultFilterInvocationSecurityMetadataSource metadataSource;
|
||||||
|
@Mock
|
||||||
|
private AccessDecisionManager accessDecisionManager;
|
||||||
|
|
||||||
|
@Before
|
||||||
|
public void setUp() throws Exception {
|
||||||
|
AnonymousAuthenticationFilter aaf = new AnonymousAuthenticationFilter("anonymous");
|
||||||
|
FilterSecurityInterceptor fsi = new FilterSecurityInterceptor();
|
||||||
|
fsi.setAccessDecisionManager(accessDecisionManager);
|
||||||
|
fsi.setSecurityMetadataSource(metadataSource);
|
||||||
|
AuthenticationEntryPoint authenticationEntryPoint = new LoginUrlAuthenticationEntryPoint("/login");
|
||||||
|
ExceptionTranslationFilter etf = new ExceptionTranslationFilter(authenticationEntryPoint);
|
||||||
|
DefaultSecurityFilterChain securityChain = new DefaultSecurityFilterChain(new AnyRequestMatcher(),aaf,etf,fsi);
|
||||||
|
fcp = new FilterChainProxy(securityChain);
|
||||||
|
validator = new DefaultFilterChainValidator();
|
||||||
|
Whitebox.setInternalState(validator, "logger", logger);
|
||||||
|
}
|
||||||
|
|
||||||
|
// SEC-1878
|
||||||
|
@SuppressWarnings("unchecked")
|
||||||
|
@Test
|
||||||
|
public void validateCheckLoginPageIsntProtectedThrowsIllegalArgumentException() {
|
||||||
|
IllegalArgumentException toBeThrown = new IllegalArgumentException("failed to eval expression");
|
||||||
|
doThrow(toBeThrown).when(accessDecisionManager).decide(any(Authentication.class), anyObject(), any(Collection.class));
|
||||||
|
validator.validate(fcp);
|
||||||
|
verify(logger).info("Unable to check access to the login page to determine if anonymous access is allowed. This might be an error, but can happen under normal circumstances.", toBeThrown);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
Loading…
Reference in New Issue