Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add WebFlux 

Fixes gh-4128
This commit is contained in:
Rob Winch 2017-05-02 21:19:14 -05:00
parent 051e3fb079
commit b4f2777755
91 changed files with 7036 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config/spring-security-config.gradle
View File

@ -15,6 +15,7 @@ dependencies {
optional project(':spring-security-oauth2-client')
optional project(':spring-security-openid')
optional project(':spring-security-web')
optional project(':spring-security-webflux')
optional 'org.aspectj:aspectjweaver'
optional 'org.springframework:spring-jdbc'
optional 'org.springframework:spring-tx'
@ -27,6 +28,7 @@ dependencies {
testCompile project(':spring-security-aspects')
testCompile project(':spring-security-cas')
testCompile project(path : ':spring-security-core', configuration : 'tests')
testCompile project(path : ':spring-security-webflux', configuration : 'tests')
testCompile apachedsDependencies
testCompile powerMockDependencies
testCompile spockDependencies

120
config/src/main/java/org/springframework/security/config/web/server/AbstractServerWebExchangeMatcherRegistry.java Normal file
View File

@ -0,0 +1,120 @@
/*
* Copyright 2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.web.server;
import org.springframework.http.HttpMethod;
import org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.*;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
/**
* @author Rob Winch
* @since 5.0
*/
abstract class AbstractServerWebExchangeMatcherRegistry<T> {
/**
* Maps any request.
*
* @return the object that is chained after creating the {@link ServerWebExchangeMatcher}
*/
public T anyExchange() {
return matcher(ServerWebExchangeMatchers.anyExchange());
}
/**
* Maps a {@link List} of
* {@link org.springframework.security.web.server.util.matcher.PathMatcherServerWebExchangeMatcher}
* instances.
*
* @param method the {@link HttpMethod} to use for any
* {@link HttpMethod}.
*
* @return the object that is chained after creating the {@link ServerWebExchangeMatcher}
*/
public T antMatchers(HttpMethod method) {
return antMatchers(method, new String[] { "/**" });
}
/**
* Maps a {@link List} of
* {@link org.springframework.security.web.server.util.matcher.PathMatcherServerWebExchangeMatcher}
* instances.
*
* @param method the {@link HttpMethod} to use or {@code null} for any
* {@link HttpMethod}.
* @param antPatterns the ant patterns to create. If {@code null} or empty, then matches on nothing.
* {@link org.springframework.security.web.server.util.matcher.PathMatcherServerWebExchangeMatcher} from
*
* @return the object that is chained after creating the {@link ServerWebExchangeMatcher}
*/
public T antMatchers(HttpMethod method, String... antPatterns) {
return matcher(ServerWebExchangeMatchers.antMatchers(method, antPatterns));
}
/**
* Maps a {@link List} of
* {@link org.springframework.security.web.server.util.matcher.PathMatcherServerWebExchangeMatcher}
* instances that do not care which {@link HttpMethod} is used.
*
* @param antPatterns the ant patterns to create
* {@link org.springframework.security.web.server.util.matcher.PathMatcherServerWebExchangeMatcher} from
*
* @return the object that is chained after creating the {@link ServerWebExchangeMatcher}
*/
public T antMatchers(String... antPatterns) {
return matcher(ServerWebExchangeMatchers.antMatchers(antPatterns));
}
/**
* Associates a list of {@link ServerWebExchangeMatcher} instances
*
* @param matchers the {@link ServerWebExchangeMatcher} instances
*
* @return the object that is chained after creating the {@link ServerWebExchangeMatcher}
*/
public T matchers(ServerWebExchangeMatcher... matchers) {
return registerMatcher(new OrServerWebExchangeMatcher(matchers));
}
/**
* Subclasses should implement this method for returning the object that is chained to
* the creation of the {@link ServerWebExchangeMatcher} instances.
*
* @param matcher the {@link ServerWebExchangeMatcher} instances that were created
* @return the chained Object for the subclass which allows association of something
* else to the {@link ServerWebExchangeMatcher}
*/
protected abstract T registerMatcher(ServerWebExchangeMatcher matcher);
/**
* Associates a {@link ServerWebExchangeMatcher} instances
*
* @param matcher the {@link ServerWebExchangeMatcher} instance
*
* @return the object that is chained after creating the {@link ServerWebExchangeMatcher}
*/
private T matcher(ServerWebExchangeMatcher matcher) {
return registerMatcher(matcher);
}
}

91
config/src/main/java/org/springframework/security/config/web/server/AuthorizeExchangeBuilder.java Normal file
View File

@ -0,0 +1,91 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.web.server;
import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.web.server.authorization.AuthorizationWebFilter;
import org.springframework.security.web.server.authorization.DelegatingReactiveAuthorizationManager;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public class AuthorizeExchangeBuilder extends AbstractServerWebExchangeMatcherRegistry<AuthorizeExchangeBuilder.Access> {
private DelegatingReactiveAuthorizationManager.Builder managerBldr = DelegatingReactiveAuthorizationManager.builder();
private ServerWebExchangeMatcher matcher;
private boolean anyExchangeRegistered;
@Override
public Access anyExchange() {
Access result = super.anyExchange();
anyExchangeRegistered = true;
return result;
}
@Override
protected Access registerMatcher(ServerWebExchangeMatcher matcher) {
if(anyExchangeRegistered) {
throw new IllegalStateException("Cannot register " + matcher + " which would be unreachable because anyExchange() has already been registered.");
}
if(this.matcher != null) {
throw new IllegalStateException("The matcher " + matcher + " does not have an access rule defined");
}
this.matcher = matcher;
return new Access();
}
public WebFilter build() {
if(this.matcher != null) {
throw new IllegalStateException("The matcher " + matcher + " does not have an access rule defined");
}
return new AuthorizationWebFilter(managerBldr.build());
}
public final class Access {
public void permitAll() {
access( (a,e) -> Mono.just(new AuthorizationDecision(true)));
}
public void denyAll() {
access( (a,e) -> Mono.just(new AuthorizationDecision(false)));
}
public void hasRole(String role) {
access(AuthorityAuthorizationManager.hasRole(role));
}
public void hasAuthority(String authority) {
access(AuthorityAuthorizationManager.hasAuthority(authority));
}
public void authenticated() {
access(AuthenticatedAuthorizationManager.authenticated());
}
public void access(ReactiveAuthorizationManager<AuthorizationContext> manager) {
managerBldr.add(matcher, manager);
matcher = null;
}
}
}

128
config/src/main/java/org/springframework/security/config/web/server/HeaderBuilder.java Normal file
View File

@ -0,0 +1,128 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.web.server;
import org.springframework.security.web.server.header.CacheControlHttpHeadersWriter;
import org.springframework.security.web.server.header.CompositeHttpHeadersWriter;
import org.springframework.security.web.server.header.ContentTypeOptionsHttpHeadersWriter;
import org.springframework.security.web.server.header.HttpHeaderWriterWebFilter;
import org.springframework.security.web.server.header.HttpHeadersWriter;
import org.springframework.security.web.server.header.StrictTransportSecurityHttpHeadersWriter;
import org.springframework.security.web.server.header.XFrameOptionsHttpHeadersWriter;
import org.springframework.security.web.server.header.XXssProtectionHttpHeadersWriter;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
/**
* @author Rob Winch
* @since 5.0
*/
public class HeaderBuilder {
private final List<HttpHeadersWriter> writers;
private CacheControlHttpHeadersWriter cacheControl = new CacheControlHttpHeadersWriter();
private ContentTypeOptionsHttpHeadersWriter contentTypeOptions = new ContentTypeOptionsHttpHeadersWriter();
private StrictTransportSecurityHttpHeadersWriter hsts = new StrictTransportSecurityHttpHeadersWriter();
private XFrameOptionsHttpHeadersWriter frameOptions = new XFrameOptionsHttpHeadersWriter();
private XXssProtectionHttpHeadersWriter xss = new XXssProtectionHttpHeadersWriter();
public HeaderBuilder() {
this.writers = new ArrayList<>(Arrays.asList(cacheControl, contentTypeOptions, hsts, frameOptions, xss));
}
public CacheSpec cache() {
return new CacheSpec();
}
public ContentTypeOptionsSpec contentTypeOptions() {
return new ContentTypeOptionsSpec();
}
public FrameOptionsSpec frameOptions() {
return new FrameOptionsSpec();
}
public HstsSpec hsts() {
return new HstsSpec();
}
public HttpHeaderWriterWebFilter build() {
HttpHeadersWriter writer = new CompositeHttpHeadersWriter(writers);
return new HttpHeaderWriterWebFilter(writer);
}
public XssProtectionSpec xssProtection() {
return new XssProtectionSpec();
}
public class CacheSpec {
public void disable() {
writers.remove(cacheControl);
}
private CacheSpec() {}
}
public class ContentTypeOptionsSpec {
public void disable() {
writers.remove(contentTypeOptions);
}
private ContentTypeOptionsSpec() {}
}
public class FrameOptionsSpec {
public void mode(XFrameOptionsHttpHeadersWriter.Mode mode) {
frameOptions.setMode(mode);
}
public void disable() {
writers.remove(frameOptions);
}
private FrameOptionsSpec() {}
}
public class HstsSpec {
public void maxAge(Duration maxAge) {
hsts.setMaxAge(maxAge);
}
public void includeSubdomains(boolean includeSubDomains) {
hsts.setIncludeSubDomains(includeSubDomains);
}
public void disable() {
writers.remove(hsts);
}
private HstsSpec() {}
}
public class XssProtectionSpec {
public void disable() {
writers.remove(xss);
}
private XssProtectionSpec() {}
}
}

58
config/src/main/java/org/springframework/security/config/web/server/HttpBasicBuilder.java Normal file
View File

@ -0,0 +1,58 @@
/*
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.web.server;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.web.server.AuthenticationEntryPoint;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.HttpBasicAuthenticationConverter;
import org.springframework.security.web.server.authentication.DefaultAuthenticationSuccessHandler;
import org.springframework.security.web.server.authentication.www.HttpBasicAuthenticationEntryPoint;
import org.springframework.security.web.server.context.SecurityContextRepository;
/**
* @author Rob Winch
* @since 5.0
*/
public class HttpBasicBuilder {
private ReactiveAuthenticationManager authenticationManager;
private SecurityContextRepository securityContextRepository;
private AuthenticationEntryPoint entryPoint = new HttpBasicAuthenticationEntryPoint();
public HttpBasicBuilder authenticationManager(ReactiveAuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
return this;
}
public HttpBasicBuilder securityContextRepository(SecurityContextRepository securityContextRepository) {
this.securityContextRepository = securityContextRepository;
return this;
}
public AuthenticationWebFilter build() {
AuthenticationWebFilter authenticationFilter = new AuthenticationWebFilter(authenticationManager);
authenticationFilter.setEntryPoint(entryPoint);
authenticationFilter.setAuthenticationConverter(new HttpBasicAuthenticationConverter());
if(securityContextRepository != null) {
DefaultAuthenticationSuccessHandler handler = new DefaultAuthenticationSuccessHandler();
handler.setSecurityContextRepository(securityContextRepository);
authenticationFilter.setAuthenticationSuccessHandler(handler);
}
return authenticationFilter;
}
}

101
config/src/main/java/org/springframework/security/config/web/server/HttpSecurity.java Normal file
View File

@ -0,0 +1,101 @@
/*
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.web.server;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.web.server.context.SecurityContextRepositoryWebFilter;
import org.springframework.security.web.server.WebFilterChainFilter;
import org.springframework.security.web.server.authorization.ExceptionTranslationWebFilter;
import org.springframework.security.web.server.context.SecurityContextRepository;
import org.springframework.util.Assert;
import org.springframework.web.server.WebFilter;
/**
* @author Rob Winch
* @since 5.0
*/
public class HttpSecurity {
private AuthorizeExchangeBuilder authorizeExchangeBuilder;
private HeaderBuilder headers = new HeaderBuilder();
private HttpBasicBuilder httpBasic;
private ReactiveAuthenticationManager authenticationManager;
private Optional<SecurityContextRepository> securityContextRepository = Optional.empty();
public HttpSecurity securityContextRepository(SecurityContextRepository securityContextRepository) {
Assert.notNull(securityContextRepository, "securityContextRepository cannot be null");
this.securityContextRepository = Optional.of(securityContextRepository);
return this;
}
public HttpBasicBuilder httpBasic() {
if(httpBasic == null) {
httpBasic = new HttpBasicBuilder();
}
return httpBasic;
}
public HeaderBuilder headers() {
return headers;
}
public AuthorizeExchangeBuilder authorizeExchange() {
if(authorizeExchangeBuilder == null) {
authorizeExchangeBuilder = new AuthorizeExchangeBuilder();
}
return authorizeExchangeBuilder;
}
public HttpSecurity authenticationManager(ReactiveAuthenticationManager manager) {
this.authenticationManager = manager;
return this;
}
public WebFilter build() {
List<WebFilter> filters = new ArrayList<>();
if(headers != null) {
filters.add(headers.build());
}
securityContextRepositoryWebFilter().ifPresent( f-> filters.add(f));
if(httpBasic != null) {
httpBasic.authenticationManager(authenticationManager);
securityContextRepository.ifPresent( scr -> httpBasic.securityContextRepository(scr)) ;
filters.add(httpBasic.build());
}
if(authorizeExchangeBuilder != null) {
filters.add(new ExceptionTranslationWebFilter());
filters.add(authorizeExchangeBuilder.build());
}
return new WebFilterChainFilter(filters);
}
public static HttpSecurity http() {
return new HttpSecurity();
}
private Optional<SecurityContextRepositoryWebFilter> securityContextRepositoryWebFilter() {
return securityContextRepository
.flatMap( r -> Optional.of(new SecurityContextRepositoryWebFilter(r)));
}
private HttpSecurity() {}
}

112
config/src/test/java/org/springframework/security/config/web/server/AuthorizeExchangeBuilderTests.java Normal file
View File

@ -0,0 +1,112 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.config.web.server;
import org.junit.Test;
import org.springframework.http.HttpMethod;
import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
import org.springframework.security.web.server.authorization.ExceptionTranslationWebFilter;
import org.springframework.test.web.reactive.server.WebTestClient;
/**
* @author Rob Winch
* @since 5.0
*/
public class AuthorizeExchangeBuilderTests {
AuthorizeExchangeBuilder authorization = new AuthorizeExchangeBuilder();
@Test
public void antMatchersWhenMethodAndPatternsThenDiscriminatesByMethod() {
authorization.antMatchers(HttpMethod.POST, "/a", "/b").denyAll();
authorization.anyExchange().permitAll();
WebTestClient client = buildClient();
client.get()
.uri("/a")
.exchange()
.expectStatus().isOk();
client.get()
.uri("/b")
.exchange()
.expectStatus().isOk();
client.post()
.uri("/a")
.exchange()
.expectStatus().isUnauthorized();
client.post()
.uri("/b")
.exchange()
.expectStatus().isUnauthorized();
}
@Test
public void antMatchersWhenPatternsThenAnyMethod() {
authorization.antMatchers("/a", "/b").denyAll();
authorization.anyExchange().permitAll();
WebTestClient client = buildClient();
client.get()
.uri("/a")
.exchange()
.expectStatus().isUnauthorized();
client.get()
.uri("/b")
.exchange()
.expectStatus().isUnauthorized();
client.post()
.uri("/a")
.exchange()
.expectStatus().isUnauthorized();
client.post()
.uri("/b")
.exchange()
.expectStatus().isUnauthorized();
}
@Test(expected = IllegalStateException.class)
public void antMatchersWhenNoAccessAndAnotherMatcherThenThrowsException() {
authorization.antMatchers("/incomplete");
authorization.antMatchers("/throws-exception");
}
@Test(expected = IllegalStateException.class)
public void anyExchangeWhenFollowedByMatcherThenThrowsException() {
authorization.anyExchange().denyAll();
authorization.antMatchers("/never-reached");
}
@Test(expected = IllegalStateException.class)
public void buildWhenMatcherDefinedWithNoAccessThenThrowsException() {
authorization.antMatchers("/incomplete");
authorization.build();
}
private WebTestClient buildClient() {
return WebTestClientBuilder.bindToWebFilters(new ExceptionTranslationWebFilter(), authorization.build()).build();
}
}

144
config/src/test/java/org/springframework/security/config/web/server/HeaderBuilderTests.java Normal file
View File

@ -0,0 +1,144 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.config.web.server;
import org.junit.Before;
import org.junit.Test;
import org.springframework.http.HttpHeaders;
import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
import org.springframework.security.web.server.header.ContentTypeOptionsHttpHeadersWriter;
import org.springframework.security.web.server.header.StrictTransportSecurityHttpHeadersWriter;
import org.springframework.security.web.server.header.XFrameOptionsHttpHeadersWriter;
import org.springframework.security.web.server.header.XXssProtectionHttpHeadersWriter;
import org.springframework.test.web.reactive.server.FluxExchangeResult;
import org.springframework.test.web.reactive.server.WebTestClient;
import java.time.Duration;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat;
/**
* @author Rob Winch
* @since 5.0
*/
public class HeaderBuilderTests {
HeaderBuilder headers = new HeaderBuilder();
HttpHeaders expectedHeaders = new HttpHeaders();
Set<String> ignoredHeaderNames = Collections.singleton(HttpHeaders.CONTENT_TYPE);
@Before
public void setup() {
expectedHeaders.add(StrictTransportSecurityHttpHeadersWriter.STRICT_TRANSPORT_SECURITY, "max-age=31536000 ; includeSubDomains");
expectedHeaders.add(HttpHeaders.CACHE_CONTROL, "no-cache, no-store, max-age=0, must-revalidate");
expectedHeaders.add(HttpHeaders.PRAGMA, "no-cache");
expectedHeaders.add(HttpHeaders.EXPIRES, "0");
expectedHeaders.add(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS, "nosniff");
expectedHeaders.add(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS, "DENY");
expectedHeaders.add(XXssProtectionHttpHeadersWriter.X_XSS_PROTECTION, "1 ; mode=block");
}
@Test
public void headersWhenDefaultsThenAllDefaultsWritten() {
assertHeaders();
}
@Test
public void headersWhenCacheDisableThenCacheNotWritten() {
expectedHeaders.remove(HttpHeaders.CACHE_CONTROL);
expectedHeaders.remove(HttpHeaders.PRAGMA);
expectedHeaders.remove(HttpHeaders.EXPIRES);
headers.cache().disable();
assertHeaders();
}
@Test
public void headersWhenContentOptionsDisableThenContentTypeOptionsNotWritten() {
expectedHeaders.remove(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS);
headers.contentTypeOptions().disable();
assertHeaders();
}
@Test
public void headersWhenHstsDisableThenHstsNotWritten() {
expectedHeaders.remove(StrictTransportSecurityHttpHeadersWriter.STRICT_TRANSPORT_SECURITY);
headers.hsts().disable();
assertHeaders();
}
@Test
public void headersWhenHstsCustomThenCustomHstsWritten() {
expectedHeaders.remove(StrictTransportSecurityHttpHeadersWriter.STRICT_TRANSPORT_SECURITY);
expectedHeaders.add(StrictTransportSecurityHttpHeadersWriter.STRICT_TRANSPORT_SECURITY, "max-age=60");
headers.hsts().maxAge(Duration.ofSeconds(60));
headers.hsts().includeSubdomains(false);
assertHeaders();
}
@Test
public void headersWhenFrameOptionsDisableThenFrameOptionsNotWritten() {
expectedHeaders.remove(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS);
headers.frameOptions().disable();
assertHeaders();
}
@Test
public void headersWhenFrameOptionsModeThenFrameOptionsCustomMode() {
expectedHeaders.remove(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS);
expectedHeaders.add(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS, "SAMEORIGIN");
headers.frameOptions().mode(XFrameOptionsHttpHeadersWriter.Mode.SAMEORIGIN);
assertHeaders();
}
@Test
public void headersWhenXssProtectionDisableThenXssProtectionNotWritten() {
expectedHeaders.remove("X-Xss-Protection");
headers.xssProtection().disable();
assertHeaders();
}
private void assertHeaders() {
WebTestClient client = buildClient();
FluxExchangeResult<String> response = client.get()
.uri("https://example.com/")
.exchange()
.returnResult(String.class);
Map<String,List<String>> responseHeaders = response.getResponseHeaders();
ignoredHeaderNames.stream().forEach(responseHeaders::remove);
assertThat(responseHeaders).describedAs(response.toString()).isEqualTo(expectedHeaders);
}
private WebTestClient buildClient() {
return WebTestClientBuilder.bindToWebFilters(headers.build()).build();
}
}

107
config/src/test/java/org/springframework/security/config/web/server/HttpSecurityTests.java Normal file
View File

@ -0,0 +1,107 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.config.web.server;
import org.apache.http.HttpHeaders;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
import org.springframework.security.web.server.context.SecurityContextRepository;
import org.springframework.security.web.server.context.WebSessionSecurityContextRepository;
import org.springframework.test.web.reactive.server.EntityExchangeResult;
import org.springframework.test.web.reactive.server.FluxExchangeResult;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.server.WebSession;
import reactor.core.publisher.Mono;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.BDDMockito.given;
import static org.mockito.Matchers.any;
import static org.mockito.Mockito.verifyZeroInteractions;
import static org.springframework.web.reactive.function.client.ExchangeFilterFunctions.basicAuthentication;
/**
* @author Rob Winch
* @since 5.0
*/
@RunWith(MockitoJUnitRunner.class)
public class HttpSecurityTests {
@Mock
SecurityContextRepository contextRepository;
@Mock
ReactiveAuthenticationManager authenticationManager;
HttpSecurity http;
@Before
public void setup() {
http = HttpSecurity.http();
}
@Test
public void defaults() {
http.securityContextRepository(this.contextRepository);
WebTestClient client = buildClient();
FluxExchangeResult<String> result = client.get()
.uri("/")
.exchange()
.expectHeader().valueMatches(HttpHeaders.CACHE_CONTROL, ".+")
.returnResult(String.class);
assertThat(result.getResponseCookies()).isEmpty();
// there is no need to try and load the SecurityContext by default
verifyZeroInteractions(contextRepository);
}
@Test
public void basic() {
given(this.authenticationManager.authenticate(any())).willReturn(Mono.just(new TestingAuthenticationToken("rob", "rob", "ROLE_USER", "ROLE_ADMIN")));
http.securityContextRepository(new WebSessionSecurityContextRepository());
http.httpBasic();
http.authenticationManager(authenticationManager);
AuthorizeExchangeBuilder authorize = http.authorizeExchange();
authorize.anyExchange().authenticated();
WebTestClient client = buildClient();
EntityExchangeResult<byte[]> result = client
.filter(basicAuthentication("rob", "rob"))
.get()
.uri("/")
.exchange()
.expectStatus().isOk()
.expectHeader().valueMatches(HttpHeaders.CACHE_CONTROL, ".+")
.expectBody().consumeAsStringWith( b-> assertThat(b).isEqualTo("ok"))
.returnResult();
assertThat(result.getResponseCookies().getFirst("SESSION")).isNotNull();
}
private WebTestClient buildClient() {
return WebTestClientBuilder.bindToWebFilters(http.build()).build();
}
}

2
core/spring-security-core.gradle
View File

@ -18,6 +18,7 @@ dependencies {
included includeProject
optional 'com.fasterxml.jackson.core:jackson-databind'
optional 'io.projectreactor:reactor-core'
optional 'javax.annotation:jsr250-api'
optional 'net.sf.ehcache:ehcache'
optional 'org.aspectj:aspectjrt'
@ -26,6 +27,7 @@ dependencies {
testCompile powerMockDependencies
testCompile 'commons-collections:commons-collections'
testCompile 'io.projectreactor.addons:reactor-test'
testCompile 'org.skyscreamer:jsonassert'
testCompile 'org.slf4j:jcl-over-slf4j'
testCompile 'org.springframework:spring-test'

55
core/src/main/java/org/springframework/security/authentication/MapUserDetailsRepository.java Normal file
View File

@ -0,0 +1,55 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.authentication;
import java.util.Collection;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.util.Assert;
import reactor.core.publisher.Mono;
/**
*
* @author Rob Winch
* @since 5.0
*/
public class MapUserDetailsRepository implements UserDetailsRepository {
private final Map<String,UserDetails> users;
public MapUserDetailsRepository(Collection<UserDetails> users) {
Assert.notEmpty(users, "users cannot be null or empty");
this.users = users.stream().collect(Collectors.toMap( u -> getKey(u.getName()), Function.identity()));
}
@Override
public Mono<UserDetails> findByUsername(String username) {
String key = getKey(username);
UserDetails result = users.get(key);
return result == null ? Mono.empty() : Mono.just(User.withUserDetails(result).build());
}
private String getKey(String username) {
return username.toLowerCase();
}
}

30
core/src/main/java/org/springframework/security/authentication/ReactiveAuthenticationManager.java Normal file
View File

@ -0,0 +1,30 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.authentication;
import org.springframework.security.core.Authentication;
import reactor.core.publisher.Mono;
/**
*
* @author Rob Winch
* @since 5.0
*/
public interface ReactiveAuthenticationManager {
Mono<Authentication> authenticate(Authentication authentication);
}

53
core/src/main/java/org/springframework/security/authentication/ReactiveAuthenticationManagerAdapter.java Normal file
View File

@ -0,0 +1,53 @@
/*
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.authentication;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;
/**
* Adapts an AuthenticationManager to the reactive APIs. This is somewhat necessary because many of the ways that
* credentials are stored (i.e. JDBC, LDAP, etc) do not have reactive implementations. What's more is it is generally
* considered best practice to store passwords in a hash that is intentionally slow which would block ever request
* from coming in unless it was put on another thread.
*
* @author Rob Winch
* @since 5.0
*/
public class ReactiveAuthenticationManagerAdapter implements ReactiveAuthenticationManager {
private final AuthenticationManager authenticationManager;
public ReactiveAuthenticationManagerAdapter(AuthenticationManager authenticationManager) {
Assert.notNull(authenticationManager, "authenticationManager cannot be null");
this.authenticationManager = authenticationManager;
}
@Override
public Mono<Authentication> authenticate(Authentication token) {
return Mono.just(token)
.publishOn(Schedulers.elastic())
.flatMap( t -> {
try {
return Mono.just(authenticationManager.authenticate(t));
} catch(Throwable error) {
return Mono.error(error);
}
})
.filter( a -> a.isAuthenticated());
}
}

10
core/src/main/java/org/springframework/security/authentication/UserDetailsRepository.java Normal file
View File

@ -0,0 +1,10 @@
package org.springframework.security.authentication;
import org.springframework.security.core.userdetails.UserDetails;
import reactor.core.publisher.Mono;
public interface UserDetailsRepository {
Mono<UserDetails> findByUsername(String username);
}

47
core/src/main/java/org/springframework/security/authentication/UserDetailsRepositoryAuthenticationManager.java Normal file
View File

@ -0,0 +1,47 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.authentication;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public class UserDetailsRepositoryAuthenticationManager implements ReactiveAuthenticationManager {
private final UserDetailsRepository repository;
public UserDetailsRepositoryAuthenticationManager(UserDetailsRepository userDetailsRepository) {
Assert.notNull(userDetailsRepository, "userDetailsRepository cannot be null");
this.repository = userDetailsRepository;
}
@Override
public Mono<Authentication> authenticate(Authentication authentication) {
final String username = authentication.getName();
return repository
.findByUsername(username)
.filter( u -> u.getPassword().equals(authentication.getCredentials()))
.switchIfEmpty( Mono.error(new BadCredentialsException("Invalid Credentials")) )
.map( u -> new UsernamePasswordAuthenticationToken(u, u.getPassword(), u.getAuthorities()) );
}
}

42
core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java Normal file
View File

@ -0,0 +1,42 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.authorization;
import org.springframework.security.core.Authentication;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public class AuthenticatedAuthorizationManager<T> implements ReactiveAuthorizationManager<T> {
@Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
return authentication
.map(a -> new AuthorizationDecision(a.isAuthenticated()))
.defaultIfEmpty(new AuthorizationDecision(false));
}
public static <T> AuthenticatedAuthorizationManager<T> authenticated() {
return new AuthenticatedAuthorizationManager<>();
}
private AuthenticatedAuthorizationManager() {}
}

56
core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java Normal file
View File

@ -0,0 +1,56 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.authorization;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public class AuthorityAuthorizationManager<T> implements ReactiveAuthorizationManager<T> {
private final String authority;
private AuthorityAuthorizationManager(String authority) {
this.authority = authority;
}
@Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
return authentication
.filter(a -> a.isAuthenticated())
.flatMapIterable( a -> a.getAuthorities())
.map( g-> g.getAuthority())
.hasElement(this.authority)
.map( hasAuthority -> new AuthorizationDecision(hasAuthority))
.defaultIfEmpty(new AuthorizationDecision(false));
}
public static <T> AuthorityAuthorizationManager<T> hasAuthority(String authority) {
Assert.notNull(authority, "authority cannot be null");
return new AuthorityAuthorizationManager<>(authority);
}
public static <T> AuthorityAuthorizationManager<T> hasRole(String role) {
Assert.notNull(role, "role cannot be null");
return hasAuthority("ROLE_" + role);
}
}

35
core/src/main/java/org/springframework/security/authorization/AuthorizationDecision.java Normal file
View File

@ -0,0 +1,35 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.authorization;
/**
* @author Rob Winch
* @since 5.0
*/
public class AuthorizationDecision {
private final boolean granted;
public AuthorizationDecision(boolean granted) {
this.granted = granted;
}
public boolean isGranted() {
return granted;
}
}

39
core/src/main/java/org/springframework/security/authorization/ReactiveAuthorizationManager.java Normal file
View File

@ -0,0 +1,39 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.authorization;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import reactor.core.publisher.Mono;
/**
*
* @author Rob Winch
* @since 5.0
*/
public interface ReactiveAuthorizationManager<T> {
Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object);
default Mono<Void> verify(Mono<Authentication> authentication, T object) {
return check(authentication, object)
.filter( d -> d.isGranted())
.switchIfEmpty( Mono.error(new AccessDeniedException("Access Denied")) )
.flatMap( d -> Mono.empty() );
}
}

76
core/src/test/java/org/springframework/security/authentication/MapUserDetailsRepositoryTests.java Normal file
View File

@ -0,0 +1,76 @@
/*
* Copyright 2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.authentication;
import static org.assertj.core.api.Assertions.assertThat;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import org.junit.Test;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import reactor.core.publisher.Mono;
public class MapUserDetailsRepositoryTests {
private static final UserDetails USER_DETAILS = User.withUsername("user")
.password("password")
.roles("USER")
.build();
private MapUserDetailsRepository users = new MapUserDetailsRepository(Arrays.asList(USER_DETAILS));
@Test(expected = IllegalArgumentException.class)
public void constructorNullUsers() {
Collection<UserDetails> users = null;
new MapUserDetailsRepository(users);
}
@Test(expected = IllegalArgumentException.class)
public void constructorEmptyUsers() {
Collection<UserDetails> users = Collections.emptyList();
new MapUserDetailsRepository(users);
}
@Test
public void findByUsernameWhenFoundThenReturns() {
assertThat((users.findByUsername(USER_DETAILS.getUsername()).block())).isEqualTo(USER_DETAILS);
}
@Test
public void findByUsernameWhenDifferentCaseThenReturns() {
assertThat((users.findByUsername("uSeR").block())).isEqualTo(USER_DETAILS);
}
@Test
public void findByUsernameWhenClearCredentialsThenFindByUsernameStillHasCredentials() {
User foundUser = users.findByUsername(USER_DETAILS.getUsername()).cast(User.class).block();
assertThat(foundUser.getPassword()).isNotEmpty();
foundUser.eraseCredentials();
assertThat(foundUser.getPassword()).isNull();
foundUser = users.findByUsername(USER_DETAILS.getUsername()).cast(User.class).block();
assertThat(foundUser.getPassword()).isNotEmpty();
}
@Test
public void findByUsernameWhenNotFoundThenEmpty() {
assertThat((users.findByUsername("notfound"))).isEqualTo(Mono.empty());
}
}

89
core/src/test/java/org/springframework/security/authentication/ReactiveAuthenticationManagerAdapterTests.java Normal file
View File

@ -0,0 +1,89 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.authentication;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.security.core.Authentication;
import reactor.core.publisher.Mono;
import reactor.test.StepVerifier;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Matchers.any;
import static org.mockito.Mockito.when;
/**
* @author Rob Winch
* @since 5.0
*/
@RunWith(MockitoJUnitRunner.class)
public class ReactiveAuthenticationManagerAdapterTests {
@Mock
AuthenticationManager delegate;
@Mock
Authentication authentication;
ReactiveAuthenticationManagerAdapter manager;
@Before
public void setup() {
manager = new ReactiveAuthenticationManagerAdapter(delegate);
}
@Test(expected = IllegalArgumentException.class)
public void constructorNullAuthenticationManager() {
new ReactiveAuthenticationManagerAdapter(null);
}
@Test
public void authenticateWhenSuccessThenSucces() {
when(delegate.authenticate(any())).thenReturn(authentication);
when(authentication.isAuthenticated()).thenReturn(true);
Authentication result = manager.authenticate(authentication).block();
assertThat(result).isEqualTo(authentication);
}
@Test
public void authenticateWhenReturnNotAuthenticatedThenError() {
when(delegate.authenticate(any())).thenReturn(authentication);
Authentication result = manager.authenticate(authentication).block();
assertThat(result).isNull();
}
@Test
public void authenticateWhenBadCredentialsThenError() {
when(delegate.authenticate(any())).thenThrow(new BadCredentialsException("Failed"));
when(authentication.isAuthenticated()).thenReturn(true);
Mono<Authentication> result = manager.authenticate(authentication);
StepVerifier.create(result)
.expectError(BadCredentialsException.class)
.verify();
}
}

96
core/src/test/java/org/springframework/security/authentication/UserDetailsRepositoryAuthenticationManagerTests.java Normal file
View File

@ -0,0 +1,96 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.authentication;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.when;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import reactor.core.publisher.Mono;
import reactor.test.StepVerifier;
/**
* @author Rob Winch
* @since 5.0
*/
@RunWith(MockitoJUnitRunner.class)
public class UserDetailsRepositoryAuthenticationManagerTests {
@Mock
UserDetailsRepository repository;
UserDetailsRepositoryAuthenticationManager manager;
String username;
String password;
@Before
public void setup() {
manager = new UserDetailsRepositoryAuthenticationManager(repository);
username = "user";
password = "pass";
}
@Test(expected = IllegalArgumentException.class)
public void constructorNullUserDetailsRepository() {
UserDetailsRepository udr = null;
new UserDetailsRepositoryAuthenticationManager(udr);
}
@Test
public void authenticateWhenUserNotFoundThenBadCredentials() {
when(repository.findByUsername(username)).thenReturn(Mono.empty());
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
Mono<Authentication> authentication = manager.authenticate(token);
StepVerifier
.create(authentication)
.expectError(BadCredentialsException.class)
.verify();
}
@Test
public void authenticateWhenPasswordNotEqualThenBadCredentials() {
User user = new User(username, password, AuthorityUtils.createAuthorityList("ROLE_USER"));
when(repository.findByUsername(user.getUsername())).thenReturn(Mono.just(user));
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password + "INVALID");
Mono<Authentication> authentication = manager.authenticate(token);
StepVerifier
.create(authentication)
.expectError(BadCredentialsException.class)
.verify();
}
@Test
public void authenticateWhenSuccessThenSuccess() {
User user = new User(username, password, AuthorityUtils.createAuthorityList("ROLE_USER"));
when(repository.findByUsername(user.getUsername())).thenReturn(Mono.just(user));
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
Authentication authentication = manager.authenticate(token).block();
assertThat(authentication).isEqualTo(authentication);
}
}

77
core/src/test/java/org/springframework/security/authorization/AuthenticatedAuthorizationManagerTests.java Normal file
View File

@ -0,0 +1,77 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.authorization;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.security.core.Authentication;
import reactor.core.publisher.Mono;
import reactor.test.StepVerifier;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.when;
/**
* @author Rob Winch
* @since 5.0
*/
@RunWith(MockitoJUnitRunner.class)
public class AuthenticatedAuthorizationManagerTests {
@Mock
Authentication authentication;
AuthenticatedAuthorizationManager<Object> manager = AuthenticatedAuthorizationManager.authenticated();
@Test
public void checkWhenAuthenticatedThenReturnTrue() {
when(authentication.isAuthenticated()).thenReturn(true);
boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
assertThat(granted).isTrue();
}
@Test
public void checkWhenNotAuthenticatedThenReturnFalse() {
boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
assertThat(granted).isFalse();
}
@Test
public void checkWhenEmptyThenReturnFalse() {
boolean granted = manager.check(Mono.empty(), null).block().isGranted();
assertThat(granted).isFalse();
}
@Test
public void checkWhenErrorThenError() {
Mono<AuthorizationDecision> result = manager.check(Mono.error(new RuntimeException("ooops")), null);
StepVerifier
.create(result)
.expectError()
.verify();
}
}

133
core/src/test/java/org/springframework/security/authorization/AuthorityAuthorizationManagerTests.java Normal file
View File

@ -0,0 +1,133 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.authorization;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import reactor.core.publisher.Mono;
import reactor.test.StepVerifier;
import java.util.Collection;
import java.util.Collections;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.when;
import static org.springframework.security.core.authority.AuthorityUtils.createAuthorityList;
/**
* @author Rob Winch
* @since 5.0
*/
@RunWith(MockitoJUnitRunner.class)
public class AuthorityAuthorizationManagerTests {
@Mock
Authentication authentication;
AuthorityAuthorizationManager<Object> manager = AuthorityAuthorizationManager.hasAuthority("ADMIN");
@Test
public void checkWhenHasAuthorityAndNotAuthenticatedThenReturnFalse() {
boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
assertThat(granted).isFalse();
}
@Test
public void checkWhenHasAuthorityAndEmptyThenReturnFalse() {
boolean granted = manager.check(Mono.empty(), null).block().isGranted();
assertThat(granted).isFalse();
}
@Test
public void checkWhenHasAuthorityAndErrorThenError() {
Mono<AuthorizationDecision> result = manager.check(Mono.error(new RuntimeException("ooops")), null);
StepVerifier
.create(result)
.expectError()
.verify();
}
@Test
public void checkWhenHasAuthorityAndAuthenticatedAndNoAuthoritiesThenReturnFalse() {
when(authentication.isAuthenticated()).thenReturn(true);
when(authentication.getAuthorities()).thenReturn(Collections.emptyList());
boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
assertThat(granted).isFalse();
}
@Test
public void checkWhenHasAuthorityAndAuthenticatedAndWrongAuthoritiesThenReturnFalse() {
authentication = new TestingAuthenticationToken("rob", "secret", "ROLE_ADMIN");
boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
assertThat(granted).isFalse();
}
@Test
public void checkWhenHasAuthorityAndAuthorizedThenReturnTrue() {
authentication = new TestingAuthenticationToken("rob", "secret", "ADMIN");
boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
assertThat(granted).isTrue();
}
@Test
public void checkWhenHasRoleAndAuthorizedThenReturnTrue() {
manager = AuthorityAuthorizationManager.hasRole("ADMIN");
authentication = new TestingAuthenticationToken("rob", "secret", "ROLE_ADMIN");
boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
assertThat(granted).isTrue();
}
@Test
public void checkWhenHasRoleAndNotAuthorizedThenReturnTrue() {
manager = AuthorityAuthorizationManager.hasRole("ADMIN");
authentication = new TestingAuthenticationToken("rob", "secret", "ADMIN");
boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
assertThat(granted).isFalse();
}
@Test(expected = IllegalArgumentException.class)
public void hasRoleWhenNullThenException() {
String role = null;
AuthorityAuthorizationManager.hasRole(role);
}
@Test(expected = IllegalArgumentException.class)
public void hasAuthorityWhenNullThenException() {
String authority = null;
AuthorityAuthorizationManager.hasAuthority(authority);
}
}

2
gradle/dependency-management.gradle
View File

@ -1,6 +1,7 @@
dependencyManagement {
dependencies {
dependency 'cglib:cglib-nodep:3.2.5'
dependency 'com.squareup.okhttp3:mockwebserver:3.7.0'
dependency 'opensymphony:sitemesh:2.4.2'
dependency 'org.gebish:geb-spock:0.10.0'
dependency 'org.jasig.cas:cas-server-webapp:4.0.0'
@ -26,6 +27,7 @@ dependencyManagement {
dependencyManagement {
imports {
mavenBom 'io.projectreactor:reactor-bom:Bismuth-M1'
mavenBom 'org.springframework.data:spring-data-releasetrain:Kay-M3'
mavenBom 'org.springframework:spring-framework-bom:5.0.0.RC1'
}

16
samples/javaconfig/hellowebflux/spring-security-samples-javaconfig-hellowebflux.gradle Normal file
View File

@ -0,0 +1,16 @@
apply plugin: 'io.spring.convention.spring-sample'
dependencies {
compile project(':spring-security-core')
compile project(':spring-security-config')
compile project(':spring-security-webflux')
compile 'com.fasterxml.jackson.core:jackson-databind'
compile 'io.netty:netty-buffer'
compile 'io.projectreactor.ipc:reactor-netty'
compile 'org.springframework:spring-context'
compile 'org.springframework:spring-webflux'
testCompile 'io.projectreactor.addons:reactor-test'
testCompile 'org.skyscreamer:jsonassert'
testCompile 'org.springframework:spring-test'
}

221
samples/javaconfig/hellowebflux/src/integration-test/java/sample/SecurityTests.java Normal file
View File

@ -0,0 +1,221 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.server.header.ContentTypeOptionsHttpHeadersWriter;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.reactive.server.ExchangeResult;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import java.nio.charset.Charset;
import java.time.Duration;
import java.util.Base64;
import static org.springframework.web.reactive.function.client.ExchangeFilterFunctions.basicAuthentication;
/**
* @author Rob Winch
* @since 5.0
*/
@RunWith(SpringRunner.class)
@ContextConfiguration(classes = Application.class)
@TestPropertySource(properties = "server.port=0")
public class SecurityTests {
@Value("#{@nettyContext.address().getPort()}")
int port;
WebTestClient rest;
@Before
public void setup() {
this.rest = WebTestClient.bindToServer()
.responseTimeout(Duration.ofDays(1))
.baseUrl("http://localhost:" + this.port)
.build();
}
@Test
public void basicRequired() throws Exception {
this.rest
.get()
.uri("/users")
.exchange()
.expectStatus().isUnauthorized();
}
@Test
public void basicWorks() throws Exception {
this.rest
.filter(robsCredentials())
.get()
.uri("/users")
.exchange()
.expectStatus().isOk()
.expectBody().json("[{\"id\":null,\"username\":\"rob\",\"password\":\"rob\",\"firstname\":\"Rob\",\"lastname\":\"Winch\"},{\"id\":null,\"username\":\"admin\",\"password\":\"admin\",\"firstname\":\"Admin\",\"lastname\":\"User\"}]");
}
@Test
public void basicWhenPasswordInvalid401() throws Exception {
this.rest
.filter(invalidPassword())
.get()
.uri("/users")
.exchange()
.expectStatus().isUnauthorized()
.expectBody().isEmpty();
}
@Test
public void authorizationAdmin403() throws Exception {
this.rest
.filter(robsCredentials())
.get()
.uri("/admin")
.exchange()
.expectStatus().isEqualTo(HttpStatus.FORBIDDEN)
.expectBody().isEmpty();
}
@Test
public void authorizationAdmin200() throws Exception {
this.rest
.filter(adminCredentials())
.get()
.uri("/admin")
.exchange()
.expectStatus().isOk();
}
@Test
public void basicMissingUser401() throws Exception {
this.rest
.filter(basicAuthentication("missing-user", "password"))
.get()
.uri("/admin")
.exchange()
.expectStatus().isUnauthorized();
}
@Test
public void basicInvalidPassword401() throws Exception {
this.rest
.filter(invalidPassword())
.get()
.uri("/admin")
.exchange()
.expectStatus().isUnauthorized();
}
@Test
public void basicInvalidParts401() throws Exception {
this.rest
.get()
.uri("/admin")
.header("Authorization", "Basic " + base64Encode("no colon"))
.exchange()
.expectStatus().isUnauthorized();
}
@Test
public void sessionWorks() throws Exception {
ExchangeResult result = this.rest
.filter(robsCredentials())
.get()
.uri("/users")
.exchange()
.returnResult(String.class);
String session = result.getResponseHeaders().getFirst("Set-Cookie");
this.rest
.get()
.uri("/users")
.header("Cookie", session)
.exchange()
.expectStatus().isOk();
}
@Test
public void me() throws Exception {
this.rest
.filter(robsCredentials())
.get()
.uri("/me")
.exchange()
.expectStatus().isOk()
.expectBody().json("{\"username\" : \"rob\"}");
}
@Test
public void monoMe() throws Exception {
this.rest
.filter(robsCredentials())
.get()
.uri("/mono/me")
.exchange()
.expectStatus().isOk()
.expectBody().json("{\"username\" : \"rob\"}");
}
@Test
public void principal() throws Exception {
this.rest
.filter(robsCredentials())
.get()
.uri("/principal")
.exchange()
.expectStatus().isOk()
.expectBody().json("{\"username\" : \"rob\"}");
}
@Test
public void headers() throws Exception {
this.rest
.filter(robsCredentials())
.get()
.uri("/principal")
.exchange()
.expectHeader().valueEquals(HttpHeaders.CACHE_CONTROL, "no-cache, no-store, max-age=0, must-revalidate")
.expectHeader().valueEquals(HttpHeaders.EXPIRES, "0")
.expectHeader().valueEquals(HttpHeaders.PRAGMA, "no-cache")
.expectHeader().valueEquals(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS, ContentTypeOptionsHttpHeadersWriter.NOSNIFF);
}
private ExchangeFilterFunction robsCredentials() {
return basicAuthentication("rob","rob");
}
private ExchangeFilterFunction invalidPassword() {
return basicAuthentication("rob","INVALID");
}
private ExchangeFilterFunction adminCredentials() {
return basicAuthentication("admin","admin");
}
private String base64Encode(String value) {
return Base64.getEncoder().encodeToString(value.getBytes(Charset.defaultCharset()));
}
}

51
samples/javaconfig/hellowebflux/src/integration-test/java/sample/UserRepositoryTests.java Normal file
View File

@ -0,0 +1,51 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.context.junit4.SpringRunner;
import static org.assertj.core.api.Assertions.assertThat;
/**
*
* @author Rob Winch
* @since 5.0
*/
@SuppressWarnings("unused")
@RunWith(SpringRunner.class)
@ContextConfiguration(classes = Application.class)
@TestPropertySource(properties = "server.port=0")
public class UserRepositoryTests {
@Autowired UserRepository repository;
String robUsername = "rob";
@Test
public void findByUsernameWhenUsernameMatchesThenFound() {
assertThat(repository.findByUsername(this.robUsername).block()).isNotNull();
}
@Test
public void findByUsernameWhenUsernameDoesNotMatchThenFound() {
assertThat(repository.findByUsername(this.robUsername + "NOTFOUND").block()).isNull();
}
}

111
samples/javaconfig/hellowebflux/src/main/java/sample/Application.java Normal file
View File

@ -0,0 +1,111 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.ReactiveAdapterRegistry;
import org.springframework.http.server.reactive.HttpHandler;
import org.springframework.http.server.reactive.ReactorHttpHandlerAdapter;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UserDetailsRepositoryAuthenticationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.web.server.AuthorizeExchangeBuilder;
import org.springframework.security.config.web.server.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.reactive.result.method.annotation.AuthenticationPrincipalArgumentResolver;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import org.springframework.security.web.server.context.WebSessionSecurityContextRepository;
import org.springframework.web.reactive.DispatcherHandler;
import org.springframework.web.reactive.config.EnableWebFlux;
import org.springframework.web.reactive.config.WebFluxConfigurer;
import org.springframework.web.reactive.result.method.annotation.ArgumentResolverConfigurer;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;
import reactor.ipc.netty.NettyContext;
import reactor.ipc.netty.http.server.HttpServer;
import static org.springframework.security.config.web.server.HttpSecurity.http;
/**
* @author Rob Winch
* @since 5.0
*/
@Configuration
@EnableWebFlux
@ComponentScan
public class Application implements WebFluxConfigurer {
@Value("${server.port:8080}")
private int port = 8080;
@Autowired
private ReactiveAdapterRegistry adapterRegistry = new ReactiveAdapterRegistry();
public static void main(String[] args) throws Exception {
try(AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext(Application.class)) {
context.getBean(NettyContext.class).onClose().block();
}
}
@Override
public void configureArgumentResolvers(ArgumentResolverConfigurer configurer) {
configurer.addCustomResolver(authenticationPrincipalArgumentResolver());
}
@Bean
public NettyContext nettyContext(ApplicationContext context) {
HttpHandler handler = DispatcherHandler.toHttpHandler(context);
ReactorHttpHandlerAdapter adapter = new ReactorHttpHandlerAdapter(handler);
HttpServer httpServer = HttpServer.create("localhost", port);
return httpServer.newHandler(adapter).block();
}
@Bean
public AuthenticationPrincipalArgumentResolver authenticationPrincipalArgumentResolver() {
return new AuthenticationPrincipalArgumentResolver(adapterRegistry);
}
@Bean
WebFilter springSecurityFilterChain(ReactiveAuthenticationManager manager) throws Exception {
HttpSecurity http = http();
http.securityContextRepository(new WebSessionSecurityContextRepository());
http.authenticationManager(manager);
http.httpBasic();
AuthorizeExchangeBuilder authorize = http.authorizeExchange();
authorize.antMatchers("/admin/**").hasRole("ADMIN");
authorize.antMatchers("/users/{user}/**").access(this::currentUserMatchesPath);
authorize.anyExchange().authenticated();
return http.build();
}
private Mono<AuthorizationDecision> currentUserMatchesPath(Mono<Authentication> authentication, AuthorizationContext context) {
return authentication
.map( a -> context.getVariables().get("user").equals(a.getName()))
.map( granted -> new AuthorizationDecision(granted));
}
@Bean
public ReactiveAuthenticationManager authenticationManager(UserRepositoryUserDetailsRepository udr) {
return new UserDetailsRepositoryAuthenticationManager(udr);
}
}

58
samples/javaconfig/hellowebflux/src/main/java/sample/MapUserRepository.java Normal file
View File

@ -0,0 +1,58 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package sample;
import java.util.HashMap;
import java.util.Map;
import org.springframework.stereotype.Service;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
@Service
public class MapUserRepository implements UserRepository {
private final Map<String,User> users = new HashMap<>();
public MapUserRepository() {
save(new User("rob", "rob", "Rob", "Winch")).block();
save(new User("admin", "admin", "Admin", "User")).block();
}
@Override
public Flux<User> findAll() {
return Flux.fromIterable(users.values());
}
@Override
public Mono<User> findByUsername(String username) {
User result = users.get(username);
return result == null ? Mono.empty() : Mono.just(result);
}
public Mono<User> save(User user) {
users.put(user.getUsername(), user);
return Mono.just(user);
}
}

84
samples/javaconfig/hellowebflux/src/main/java/sample/User.java Normal file
View File

@ -0,0 +1,84 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample;
/**
* @author Rob Winch
* @since 5.0
*/
public class User {
private Long id;
private String username;
private String password;
private String firstname;
private String lastname;
public User() {}
public User(User copy) {
this(copy.getUsername(), copy.getPassword(), copy.getFirstname(), copy.getLastname());
}
public User(String username, String password, String firstname, String lastname) {
super();
this.username = username;
this.password = password;
this.firstname = firstname;
this.lastname = lastname;
}
public Long getId() {
return id;
}
public void setId(Long id) {
this.id = id;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getFirstname() {
return firstname;
}
public void setFirstname(String firstname) {
this.firstname = firstname;
}
public String getLastname() {
return lastname;
}
public void setLastname(String lastname) {
this.lastname = lastname;
}
}

77
samples/javaconfig/hellowebflux/src/main/java/sample/UserController.java Normal file
View File

@ -0,0 +1,77 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.WebSession;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
@RestController
public class UserController {
private final UserRepository users;
public UserController(UserRepository users) {
this.users = users;
}
@GetMapping("/me")
public Mono<Map<String,String>> me(@AuthenticationPrincipal User user) {
return me(Mono.just(user));
}
@GetMapping("/mono/me")
public Mono<Map<String,String>> me(@AuthenticationPrincipal Mono<User> user) {
return user.flatMap( u -> Mono.just(Collections.singletonMap("username", u.getUsername())));
}
@GetMapping("/mono/session")
public Mono<Map<String,Object>> Session(Mono<WebSession> session) {
return session.flatMap( s -> Mono.just(s.getAttributes()));
}
@GetMapping("/users")
public Flux<User> users() {
return this.users.findAll();
}
@GetMapping("/principal")
public Mono<Map<String,String>> principal(Principal principal) {
return principal(Mono.just(principal));
}
@GetMapping("/mono/principal")
public Mono<Map<String,String>> principal(Mono<Principal> principal) {
return principal.flatMap( p -> Mono.just(Collections.singletonMap("username", p.getName())));
}
@GetMapping("/admin")
public Map<String,String> admin() {
return Collections.singletonMap("isadmin", "true");
}
}

33
samples/javaconfig/hellowebflux/src/main/java/sample/UserRepository.java Normal file
View File

@ -0,0 +1,33 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;
/**
*
* @author Rob Winch
* @since 5.0
*/
public interface UserRepository {
Flux<User> findAll();
Mono<User> findByUsername(String username);
Mono<User> save(User user);
}

87
samples/javaconfig/hellowebflux/src/main/java/sample/UserRepositoryUserDetailsRepository.java Normal file
View File

@ -0,0 +1,87 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample;
import java.util.Collection;
import java.util.List;
import org.springframework.security.authentication.UserDetailsRepository;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
@Component
public class UserRepositoryUserDetailsRepository implements UserDetailsRepository {
private final UserRepository users;
public UserRepositoryUserDetailsRepository(UserRepository users) {
super();
this.users = users;
}
@Override
public Mono<UserDetails> findByUsername(String username) {
return this.users
.findByUsername(username)
.map(UserDetailsAdapter::new);
}
@SuppressWarnings("serial")
private static class UserDetailsAdapter extends User implements UserDetails {
private static List<GrantedAuthority> USER_ROLES = AuthorityUtils.createAuthorityList("ROLE_USER");
private static List<GrantedAuthority> ADMIN_ROLES = AuthorityUtils.createAuthorityList("ROLE_ADMIN", "ROLE_USER");
private UserDetailsAdapter(User delegate) {
super(delegate);
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return isAdmin() ? ADMIN_ROLES : USER_ROLES ;
}
private boolean isAdmin() {
return getUsername().contains("admin");
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
}

2
samples/javaconfig/messages/spring-security-samples-javaconfig-messages.gradle
View File

@ -25,5 +25,5 @@ dependencies {
compile 'org.springframework:spring-webmvc'
compile 'org.thymeleaf:thymeleaf-spring5'
provided 'javax.servlet:javax.servlet-api'
providedCompile 'javax.servlet:javax.servlet-api'
}

13
webflux/spring-security-webflux.gradle Normal file
View File

@ -0,0 +1,13 @@
apply plugin: 'io.spring.convention.spring-module'
dependencies {
compile project(':spring-security-core')
compile project(':spring-security-web')
compile 'org.springframework:spring-webflux'
testCompile 'io.projectreactor.addons:reactor-test'
testCompile 'org.springframework:spring-test'
integrationTestCompile 'com.squareup.okhttp3:mockwebserver'
integrationTestCompile 'io.projectreactor.ipc:reactor-netty'
}

103
webflux/src/integration-test/java/webclient/oauth2/poc/WebClientOAuth2PocTests.java Normal file
View File

@ -0,0 +1,103 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package webclient.oauth2.poc;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.http.HttpStatus;
import org.springframework.web.reactive.function.client.ClientRequest;
import org.springframework.web.reactive.function.client.ClientResponse;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;
import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.web.reactive.function.client.ExchangeFilterFunctions.basicAuthentication;
/**
* @author Rob Winch
* @since 5.0
*/
public class WebClientOAuth2PocTests {
private MockWebServer server;
private WebClient webClient;
@Before
public void setup() {
this.server = new MockWebServer();
String baseUrl = this.server.url("/").toString();
this.webClient = WebClient.create(baseUrl);
}
@After
public void shutdown() throws Exception {
this.server.shutdown();
}
@Test
public void httpBasicWhenNeeded() throws Exception {
this.server.enqueue(new MockResponse().setResponseCode(401).setHeader("WWW-Authenticate", "Basic realm=\"Test\""));
this.server.enqueue(new MockResponse().setResponseCode(200).setBody("OK"));
ClientResponse response = this.webClient
.filter(basicIfNeeded("rob", "rob"))
.get()
.uri("/")
.exchange()
.block();
assertThat(response.statusCode()).isEqualTo(HttpStatus.OK);
assertThat(this.server.takeRequest().getHeader("Authorization")).isNull();
assertThat(this.server.takeRequest().getHeader("Authorization")).isEqualTo("Basic cm9iOnJvYg==");
}
@Test
public void httpBasicWhenNotNeeded() throws Exception {
this.server.enqueue(new MockResponse().setResponseCode(200).setBody("OK"));
ClientResponse response = this.webClient
.filter(basicIfNeeded("rob", "rob"))
.get()
.uri("/")
.exchange()
.block();
assertThat(response.statusCode()).isEqualTo(HttpStatus.OK);
assertThat(this.server.getRequestCount()).isEqualTo(1);
assertThat(this.server.takeRequest().getHeader("Authorization")).isNull();
}
private ExchangeFilterFunction basicIfNeeded(String username, String password) {
return (request, next) ->
next.exchange(request)
.filter( r -> !HttpStatus.UNAUTHORIZED.equals(r.statusCode()))
.switchIfEmpty( Mono.defer(() -> {
return basicAuthentication(username, password).filter(request, next);
}));
}
}

115
webflux/src/main/java/org/springframework/security/web/reactive/result/method/annotation/AuthenticationPrincipalArgumentResolver.java Normal file
View File

@ -0,0 +1,115 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.reactive.result.method.annotation;
import org.springframework.core.MethodParameter;
import org.springframework.core.ReactiveAdapter;
import org.springframework.core.ReactiveAdapterRegistry;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.expression.BeanResolver;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.util.StringUtils;
import org.springframework.web.reactive.BindingContext;
import org.springframework.web.reactive.result.method.HandlerMethodArgumentResolverSupport;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import java.lang.annotation.Annotation;
/**
* Resolves the Authentication
* @author Rob Winch
* @since 5.0
*/
public class AuthenticationPrincipalArgumentResolver extends HandlerMethodArgumentResolverSupport {
private ExpressionParser parser = new SpelExpressionParser();
private BeanResolver beanResolver;
public AuthenticationPrincipalArgumentResolver(ReactiveAdapterRegistry adapterRegistry) {
super(adapterRegistry);
}
@Override
public boolean supportsParameter(MethodParameter parameter) {
return findMethodAnnotation(AuthenticationPrincipal.class, parameter) != null;
}
@Override
public Mono<Object> resolveArgument(MethodParameter parameter, BindingContext bindingContext,
ServerWebExchange exchange) {
ReactiveAdapter adapter = getAdapterRegistry().getAdapter(parameter.getParameterType());
return exchange.getPrincipal()
.ofType(Authentication.class)
.flatMap( a -> {
Object p = resolvePrincipal(parameter, a.getPrincipal());
Mono<Object> principal = Mono.justOrEmpty(p);
return adapter == null ? principal : Mono.just(adapter.fromPublisher(principal));
});
}
private Object resolvePrincipal(MethodParameter parameter, Object principal) {
AuthenticationPrincipal authPrincipal = findMethodAnnotation(
AuthenticationPrincipal.class, parameter);
String expressionToParse = authPrincipal.expression();
if (StringUtils.hasLength(expressionToParse)) {
StandardEvaluationContext context = new StandardEvaluationContext();
context.setRootObject(principal);
context.setVariable("this", principal);
context.setBeanResolver(beanResolver);
Expression expression = this.parser.parseExpression(expressionToParse);
principal = expression.getValue(context);
}
return principal;
}
/**
* Obtains the specified {@link Annotation} on the specified {@link MethodParameter}.
*
* @param annotationClass the class of the {@link Annotation} to find on the
* {@link MethodParameter}
* @param parameter the {@link MethodParameter} to search for an {@link Annotation}
* @return the {@link Annotation} that was found or null.
*/
private <T extends Annotation> T findMethodAnnotation(Class<T> annotationClass,
MethodParameter parameter) {
T annotation = parameter.getParameterAnnotation(annotationClass);
if (annotation != null) {
return annotation;
}
Annotation[] annotationsToSearch = parameter.getParameterAnnotations();
for (Annotation toSearch : annotationsToSearch) {
annotation = AnnotationUtils.findAnnotation(toSearch.annotationType(),
annotationClass);
if (annotation != null) {
return annotation;
}
}
return null;
}
}

34
webflux/src/main/java/org/springframework/security/web/server/AuthenticationEntryPoint.java Normal file
View File

@ -0,0 +1,34 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
*
* @author Rob Winch
* @since 5.0
*/
public interface AuthenticationEntryPoint {
<T> Mono<T> commence(ServerWebExchange exchange, AuthenticationException e);
}

73
webflux/src/main/java/org/springframework/security/web/server/HttpBasicAuthenticationConverter.java Normal file
View File

@ -0,0 +1,73 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server;
import java.util.Base64;
import java.util.function.Function;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
*
* @author Rob Winch
* @since 5.0
*/
public class HttpBasicAuthenticationConverter implements Function<ServerWebExchange,Mono<Authentication>> {
public static final String BASIC = "Basic ";
@Override
public Mono<Authentication> apply(ServerWebExchange serverWebExchange) {
ServerHttpRequest request = serverWebExchange.getRequest();
String authorization = request.getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
if(authorization == null) {
return Mono.empty();
}
String credentials = authorization.length() <= BASIC.length() ?
"" : authorization.substring(BASIC.length(), authorization.length());
byte[] decodedCredentials = base64Decode(credentials);
String decodedAuthz = new String(decodedCredentials);
String[] userParts = decodedAuthz.split(":");
if(userParts.length != 2) {
return Mono.empty();
}
String username = userParts[0];
String password = userParts[1];
return Mono.just(new UsernamePasswordAuthenticationToken(username, password));
}
private byte[] base64Decode(String value) {
try {
return Base64.getDecoder().decode(value);
} catch(Exception e) {
return new byte[0];
}
}
}

68
webflux/src/main/java/org/springframework/security/web/server/WebFilterChainFilter.java Normal file
View File

@ -0,0 +1,68 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server;
import java.util.Iterator;
import java.util.List;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public class WebFilterChainFilter implements WebFilter {
private final List<WebFilter> filters;
public WebFilterChainFilter(List<WebFilter> filters) {
super();
this.filters = filters;
}
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
SecurityWebFilterChain delegate = new SecurityWebFilterChain(chain, filters.iterator());
return delegate.filter(exchange);
}
static class SecurityWebFilterChain implements WebFilterChain {
private final WebFilterChain delegate;
private final Iterator<WebFilter> filters;
public SecurityWebFilterChain(WebFilterChain delegate, Iterator<WebFilter> filters) {
super();
this.delegate = delegate;
this.filters = filters;
}
@Override
public Mono<Void> filter(ServerWebExchange exchange) {
if (filters.hasNext()) {
WebFilter filter = filters.next();
return filter.filter(exchange, this);
} else {
return delegate.filter(exchange);
}
}
}
}

32
webflux/src/main/java/org/springframework/security/web/server/authentication/AuthenticationSuccessHandler.java Normal file
View File

@ -0,0 +1,32 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.authentication;
import org.springframework.security.core.Authentication;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public interface AuthenticationSuccessHandler {
Mono<Void> success(Authentication authentication, ServerWebExchange exchange, WebFilterChain chain);
}

75
webflux/src/main/java/org/springframework/security/web/server/authentication/AuthenticationWebFilter.java Normal file
View File

@ -0,0 +1,75 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.authentication;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.AuthenticationEntryPoint;
import org.springframework.security.web.server.HttpBasicAuthenticationConverter;
import org.springframework.security.web.server.authentication.www.HttpBasicAuthenticationEntryPoint;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
import java.util.function.Function;
/**
*
* @author Rob Winch
* @since 5.0
*/
public class AuthenticationWebFilter implements WebFilter {
private final ReactiveAuthenticationManager authenticationManager;
private AuthenticationSuccessHandler authenticationSuccessHandler = new DefaultAuthenticationSuccessHandler();
private Function<ServerWebExchange,Mono<Authentication>> authenticationConverter = new HttpBasicAuthenticationConverter();
private AuthenticationEntryPoint entryPoint = new HttpBasicAuthenticationEntryPoint();
public AuthenticationWebFilter(ReactiveAuthenticationManager authenticationManager) {
Assert.notNull(authenticationManager, "authenticationManager cannot be null");
this.authenticationManager = authenticationManager;
}
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
return authenticationConverter.apply(exchange)
.switchIfEmpty(Mono.defer(() -> chain.filter(exchange).cast(Authentication.class)))
.flatMap( token -> authenticationManager.authenticate(token)
.flatMap(authentication -> authenticationSuccessHandler.success(authentication, exchange, chain))
.onErrorResume( AuthenticationException.class, t -> entryPoint.commence(exchange, t))
);
}
public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) {
this.authenticationSuccessHandler = authenticationSuccessHandler;
}
public void setAuthenticationConverter(Function<ServerWebExchange,Mono<Authentication>> authenticationConverter) {
this.authenticationConverter = authenticationConverter;
}
public void setEntryPoint(AuthenticationEntryPoint entryPoint) {
this.entryPoint = entryPoint;
}
}

56
webflux/src/main/java/org/springframework/security/web/server/authentication/DefaultAuthenticationSuccessHandler.java Normal file
View File

@ -0,0 +1,56 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.authentication;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.server.context.SecurityContextRepository;
import org.springframework.security.web.server.context.ServerWebExchangeAttributeSecurityContextRepository;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public class DefaultAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
private SecurityContextRepository securityContextRepository = new ServerWebExchangeAttributeSecurityContextRepository();
private AuthenticationSuccessHandler delegate = new WebFilterChainAuthenticationSuccessHandler();
@Override
public Mono<Void> success(Authentication authentication, ServerWebExchange exchange, WebFilterChain chain) {
SecurityContextImpl securityContext = new SecurityContextImpl();
securityContext.setAuthentication(authentication);
return securityContextRepository.save(exchange, securityContext)
.flatMap( wrappedExchange -> delegate.success(authentication, wrappedExchange, chain));
}
public void setDelegate(AuthenticationSuccessHandler delegate) {
Assert.notNull(delegate, "delegate cannot be null");
this.delegate = delegate;
}
public void setSecurityContextRepository(SecurityContextRepository securityContextRepository) {
Assert.notNull(securityContextRepository, "securityContextRepository cannot be null");
this.securityContextRepository = securityContextRepository;
}
}

35
webflux/src/main/java/org/springframework/security/web/server/authentication/WebFilterChainAuthenticationSuccessHandler.java Normal file
View File

@ -0,0 +1,35 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.authentication;
import org.springframework.security.core.Authentication;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public class WebFilterChainAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
@Override
public Mono<Void> success(Authentication authentication, ServerWebExchange exchange, WebFilterChain chain) {
return chain.filter(exchange);
}
}

42
webflux/src/main/java/org/springframework/security/web/server/authentication/www/HttpBasicAuthenticationEntryPoint.java Normal file
View File

@ -0,0 +1,42 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.authentication.www;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.AuthenticationEntryPoint;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
*
* @author Rob Winch
* @since 5.0
*/
public class HttpBasicAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public <T> Mono<T> commence(ServerWebExchange exchange, AuthenticationException e) {
ServerHttpResponse response = exchange.getResponse();
response.setStatusCode(HttpStatus.UNAUTHORIZED);
response.getHeaders().set("WWW-Authenticate", "Basic realm=\"Realm\"");
return Mono.empty();
}
}

33
webflux/src/main/java/org/springframework/security/web/server/authorization/AccessDeniedHandler.java Normal file
View File

@ -0,0 +1,33 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.authorization;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
*
* @author Rob Winch
* @since 5.0
*/
public interface AccessDeniedHandler {
<T> Mono<T> handle(ServerWebExchange exchange, AccessDeniedException denied);
}

50
webflux/src/main/java/org/springframework/security/web/server/authorization/AuthorizationContext.java Normal file
View File

@ -0,0 +1,50 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.authorization;
import org.springframework.web.server.ServerWebExchange;
import java.util.Collections;
import java.util.Map;
/**
* @author Rob Winch
* @since 5.0
*/
public class AuthorizationContext {
private final ServerWebExchange exchange;
private final Map<String,Object> variables;
public AuthorizationContext(ServerWebExchange exchange) {
this(exchange, Collections.emptyMap());
}
public AuthorizationContext(ServerWebExchange exchange, Map<String,Object> variables) {
this.exchange = exchange;
this.variables = variables;
}
public ServerWebExchange getExchange() {
return exchange;
}
public Map<String,Object> getVariables() {
return Collections.unmodifiableMap(variables);
}
}

48
webflux/src/main/java/org/springframework/security/web/server/authorization/AuthorizationWebFilter.java Normal file
View File

@ -0,0 +1,48 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.authorization;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.web.server.AuthenticationEntryPoint;
import org.springframework.security.web.server.authentication.www.HttpBasicAuthenticationEntryPoint;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
/**
*
* @author Rob Winch
* @since 5.0
*/
public class AuthorizationWebFilter implements WebFilter {
private ReactiveAuthorizationManager<? super ServerWebExchange> accessDecisionManager;
public AuthorizationWebFilter(ReactiveAuthorizationManager<? super ServerWebExchange> accessDecisionManager) {
this.accessDecisionManager = accessDecisionManager;
}
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
return accessDecisionManager.verify(exchange.getPrincipal(), exchange)
.switchIfEmpty( Mono.defer(() -> chain.filter(exchange)) );
}
}

75
webflux/src/main/java/org/springframework/security/web/server/authorization/DelegatingReactiveAuthorizationManager.java Normal file
View File

@ -0,0 +1,75 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.authorization;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* @author Rob Winch
* @since 5.0
*/
public class DelegatingReactiveAuthorizationManager implements ReactiveAuthorizationManager<ServerWebExchange> {
private final LinkedHashMap<ServerWebExchangeMatcher, ReactiveAuthorizationManager<AuthorizationContext>> mappings;
private DelegatingReactiveAuthorizationManager(LinkedHashMap<ServerWebExchangeMatcher, ReactiveAuthorizationManager<AuthorizationContext>> mappings) {
this.mappings = mappings;
}
@Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, ServerWebExchange exchange) {
for(Map.Entry<ServerWebExchangeMatcher, ReactiveAuthorizationManager<AuthorizationContext>> entry : mappings.entrySet()) {
ServerWebExchangeMatcher matcher = entry.getKey();
ServerWebExchangeMatcher.MatchResult match = matcher.matches(exchange);
if(match.isMatch()) {
Map<String,Object> variables = match.getVariables();
AuthorizationContext context = new AuthorizationContext(exchange, variables);
return entry.getValue().check(authentication, context);
}
}
return Mono.just(new AuthorizationDecision(false));
}
public static DelegatingReactiveAuthorizationManager.Builder builder() {
return new DelegatingReactiveAuthorizationManager.Builder();
}
public static class Builder {
private final LinkedHashMap<ServerWebExchangeMatcher, ReactiveAuthorizationManager<AuthorizationContext>> mappings = new LinkedHashMap<>();
private Builder() {
}
public DelegatingReactiveAuthorizationManager.Builder add(ServerWebExchangeMatcher matcher, ReactiveAuthorizationManager<AuthorizationContext> manager) {
this.mappings.put(matcher, manager);
return this;
}
public DelegatingReactiveAuthorizationManager build() {
return new DelegatingReactiveAuthorizationManager(mappings);
}
}
}

51
webflux/src/main/java/org/springframework/security/web/server/authorization/ExceptionTranslationWebFilter.java Normal file
View File

@ -0,0 +1,51 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.authorization;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.web.server.AuthenticationEntryPoint;
import org.springframework.security.web.server.authentication.www.HttpBasicAuthenticationEntryPoint;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
/**
*
* @author Rob Winch
* @since 5.0
*/
public class ExceptionTranslationWebFilter implements WebFilter {
private AuthenticationEntryPoint entryPoint = new HttpBasicAuthenticationEntryPoint();
private AccessDeniedHandler accessDeniedHandler = new HttpStatusAccessDeniedHandler(HttpStatus.FORBIDDEN);
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
return chain.filter(exchange)
.onErrorResume(AccessDeniedException.class, denied -> {
return exchange.getPrincipal()
.switchIfEmpty( Mono.defer( () -> entryPoint.commence(exchange, new AuthenticationCredentialsNotFoundException("Not Authenticated", denied))))
.flatMap( principal -> accessDeniedHandler.handle(exchange, denied));
});
}
}

43
webflux/src/main/java/org/springframework/security/web/server/authorization/HttpStatusAccessDeniedHandler.java Normal file
View File

@ -0,0 +1,43 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.authorization;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public class HttpStatusAccessDeniedHandler implements AccessDeniedHandler {
private final HttpStatus httpStatus;
public HttpStatusAccessDeniedHandler(HttpStatus httpStatus) {
this.httpStatus = httpStatus;
}
@Override
public <T> Mono<T> handle(ServerWebExchange exchange, AccessDeniedException e) {
exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
return Mono.empty();
}
}

30
webflux/src/main/java/org/springframework/security/web/server/context/SecurityContextRepository.java Normal file
View File

@ -0,0 +1,30 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.context;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface SecurityContextRepository {
Mono<ServerWebExchange> save(ServerWebExchange exchange, SecurityContext context);
Mono<SecurityContext> load(ServerWebExchange exchange);
}

48
webflux/src/main/java/org/springframework/security/web/server/context/SecurityContextRepositoryServerWebExchange.java Normal file
View File

@ -0,0 +1,48 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.context;
import java.security.Principal;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.ServerWebExchangeDecorator;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
final class SecurityContextRepositoryServerWebExchange extends ServerWebExchangeDecorator {
private final SecurityContextRepository repository;
public SecurityContextRepositoryServerWebExchange(ServerWebExchange delegate, SecurityContextRepository repository) {
super(delegate);
this.repository = repository;
}
@Override
@SuppressWarnings("unchecked")
public <T extends Principal> Mono<T> getPrincipal() {
return Mono.defer(() ->
this.repository.load(this)
.filter(c -> c.getAuthentication() != null)
.flatMap(c -> Mono.just((T) c.getAuthentication()))
);
}
}

46
webflux/src/main/java/org/springframework/security/web/server/context/SecurityContextRepositoryWebFilter.java Normal file
View File

@ -0,0 +1,46 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.context;
import org.springframework.security.web.server.context.SecurityContextRepository;
import org.springframework.security.web.server.context.SecurityContextRepositoryServerWebExchange;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public class SecurityContextRepositoryWebFilter implements WebFilter {
private final SecurityContextRepository repository;
public SecurityContextRepositoryWebFilter(SecurityContextRepository repository) {
Assert.notNull(repository, "repository cannot be null");
this.repository = repository;
}
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
SecurityContextRepositoryServerWebExchange delegate =
new SecurityContextRepositoryServerWebExchange(exchange, repository);
return chain.filter(delegate);
}
}

41
webflux/src/main/java/org/springframework/security/web/server/context/ServerWebExchangeAttributeSecurityContextRepository.java Normal file
View File

@ -0,0 +1,41 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.context;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public class ServerWebExchangeAttributeSecurityContextRepository implements SecurityContextRepository {
final String ATTR = "USER";
public Mono<ServerWebExchange> save(ServerWebExchange exchange, SecurityContext context) {
exchange.getAttributes().put(ATTR, context);
return Mono.just(new SecurityContextRepositoryServerWebExchange(exchange, this));
}
public Mono<SecurityContext> load(ServerWebExchange exchange) {
return Mono.justOrEmpty(exchange.getAttribute(ATTR));
}
}

45
webflux/src/main/java/org/springframework/security/web/server/context/WebSessionSecurityContextRepository.java Normal file
View File

@ -0,0 +1,45 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.context;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
*
* @author Rob Winch
* @since 5.0
*/
public class WebSessionSecurityContextRepository implements SecurityContextRepository {
final String SESSION_ATTR = "USER";
public Mono<ServerWebExchange> save(ServerWebExchange exchange, SecurityContext context) {
return exchange.getSession()
.doOnNext(session -> session.getAttributes().put(SESSION_ATTR, context))
.flatMap( session -> Mono.just(new SecurityContextRepositoryServerWebExchange(exchange, this)));
}
public Mono<SecurityContext> load(ServerWebExchange exchange) {
return exchange.getSession().flatMap( session -> {
SecurityContext context = (SecurityContext) session.getAttributes().get(SESSION_ATTR);
return context == null ? Mono.empty() : Mono.just(context);
});
}
}

61
webflux/src/main/java/org/springframework/security/web/server/header/CacheControlHttpHeadersWriter.java Normal file
View File

@ -0,0 +1,61 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import org.springframework.http.HttpHeaders;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
*
* @author Rob Winch
* @since 5.0
*/
public class CacheControlHttpHeadersWriter implements HttpHeadersWriter {
/**
* The value for expires value
*/
public static final String EXPIRES_VALUE = "0";
/**
* The value for pragma value
*/
public static final String PRAGMA_VALUE = "no-cache";
/**
* The value for cache control value
*/
public static final String CACHE_CONTRTOL_VALUE = "no-cache, no-store, max-age=0, must-revalidate";
/**
* The delegate to write all the cache control related headers
*/
private static final HttpHeadersWriter CACHE_HEADERS = StaticHttpHeadersWriter.builder()
.header(HttpHeaders.CACHE_CONTROL, CacheControlHttpHeadersWriter.CACHE_CONTRTOL_VALUE)
.header(HttpHeaders.PRAGMA, CacheControlHttpHeadersWriter.PRAGMA_VALUE)
.header(HttpHeaders.EXPIRES, CacheControlHttpHeadersWriter.EXPIRES_VALUE)
.build();
@Override
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
return CACHE_HEADERS.writeHttpHeaders(exchange);
}
}

51
webflux/src/main/java/org/springframework/security/web/server/header/CompositeHttpHeadersWriter.java Normal file
View File

@ -0,0 +1,51 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
*
* @author Rob Winch
* @since 5.0
*/
public class CompositeHttpHeadersWriter implements HttpHeadersWriter {
private final List<HttpHeadersWriter> writers;
public CompositeHttpHeadersWriter(HttpHeadersWriter... writers) {
this(Arrays.asList(writers));
}
public CompositeHttpHeadersWriter(List<HttpHeadersWriter> writers) {
this.writers = writers;
}
@Override
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
Stream<Mono<Void>> results = writers.stream().map( writer -> writer.writeHttpHeaders(exchange));
return Mono.when(results.collect(Collectors.toList()));
}
}

48
webflux/src/main/java/org/springframework/security/web/server/header/ContentTypeOptionsHttpHeadersWriter.java Normal file
View File

@ -0,0 +1,48 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
* Adds X-Content-Type-Options: nosniff
*
* @author Rob Winch
* @since 5.0
*/
public class ContentTypeOptionsHttpHeadersWriter implements HttpHeadersWriter {
public static final String X_CONTENT_OPTIONS = "X-Content-Type-Options";
public static final String NOSNIFF = "nosniff";
/**
* The delegate to write all the cache control related headers
*/
private static final HttpHeadersWriter CONTENT_TYPE_HEADERS = StaticHttpHeadersWriter.builder()
.header(X_CONTENT_OPTIONS, NOSNIFF)
.build();
@Override
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
return CONTENT_TYPE_HEADERS.writeHttpHeaders(exchange);
}
}

48
webflux/src/main/java/org/springframework/security/web/server/header/HttpHeaderWriterWebFilter.java Normal file
View File

@ -0,0 +1,48 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
/**
* Invokes a {@link HttpHeadersWriter} on
* {@link ServerHttpResponse#beforeCommit(java.util.function.Supplier)}.
*
* @author Rob Winch
* @since 5.0
*/
public class HttpHeaderWriterWebFilter implements WebFilter {
private final HttpHeadersWriter writer;
public HttpHeaderWriterWebFilter(HttpHeadersWriter writer) {
super();
this.writer = writer;
}
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
exchange.getResponse().beforeCommit(() -> writer.writeHttpHeaders(exchange));
return chain.filter(exchange);
}
}

43
webflux/src/main/java/org/springframework/security/web/server/header/HttpHeadersWriter.java Normal file
View File

@ -0,0 +1,43 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import java.util.function.Supplier;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
* Interface for writing headers just before the response is committed.
*
* @author Rob Winch
* @since 5.0
*/
public interface HttpHeadersWriter {
/**
* Write the headers to the response.
*
* @param exchange
* @return A Mono which is returned to the {@link Supplier} of the
* {@link ServerHttpResponse#beforeCommit(Supplier)}.
*/
Mono<Void> writeHttpHeaders(ServerWebExchange exchange);
}

70
webflux/src/main/java/org/springframework/security/web/server/header/StaticHttpHeadersWriter.java Normal file
View File

@ -0,0 +1,70 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import java.util.Arrays;
import java.util.Collections;
import org.springframework.http.HttpHeaders;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public class StaticHttpHeadersWriter implements HttpHeadersWriter {
private final HttpHeaders headersToAdd;
public StaticHttpHeadersWriter(HttpHeaders headersToAdd) {
this.headersToAdd = headersToAdd;
}
/* (non-Javadoc)
* @see org.springframework.security.web.server.HttpHeadersWriter#writeHttpHeaders(org.springframework.web.server.ServerWebExchange)
*/
@Override
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
HttpHeaders headers = exchange.getResponse().getHeaders();
boolean containsOneHeaderToAdd = Collections.disjoint(headers.keySet(), this.headersToAdd.keySet());
if(containsOneHeaderToAdd) {
this.headersToAdd.forEach((name, values) -> {
headers.put(name, values);
});
}
return Mono.empty();
}
public static Builder builder() {
return new Builder();
}
public static class Builder {
private HttpHeaders headers = new HttpHeaders();
public Builder header(String headerName, String...values) {
headers.put(headerName, Arrays.asList(values));
return this;
}
public StaticHttpHeadersWriter build() {
return new StaticHttpHeadersWriter(headers);
}
}
}

77
webflux/src/main/java/org/springframework/security/web/server/header/StrictTransportSecurityHttpHeadersWriter.java Normal file
View File

@ -0,0 +1,77 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import java.time.Duration;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public final class StrictTransportSecurityHttpHeadersWriter implements HttpHeadersWriter {
public static final String STRICT_TRANSPORT_SECURITY = "Strict-Transport-Security";
private String maxAge;
private String subdomain;
private HttpHeadersWriter delegate;
/**
*
*/
public StrictTransportSecurityHttpHeadersWriter() {
setIncludeSubDomains(true);
setMaxAge(Duration.ofDays(365L));
updateDelegate();
}
/* (non-Javadoc)
* @see org.springframework.security.web.server.HttpHeadersWriter#writeHttpHeaders(org.springframework.http.HttpHeaders)
*/
@Override
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
return isSecure(exchange) ? delegate.writeHttpHeaders(exchange) : Mono.empty();
}
public void setIncludeSubDomains(boolean includeSubDomains) {
subdomain = includeSubDomains ? " ; includeSubDomains" : "";
updateDelegate();
}
public void setMaxAge(Duration maxAge) {
this.maxAge = "max-age=" + maxAge.getSeconds();
updateDelegate();
}
private void updateDelegate() {
delegate = StaticHttpHeadersWriter.builder()
.header(STRICT_TRANSPORT_SECURITY, maxAge + subdomain)
.build();
}
private boolean isSecure(ServerWebExchange exchange) {
String scheme = exchange.getRequest().getURI().getScheme();
boolean isSecure = scheme != null && scheme.equalsIgnoreCase("https");
return isSecure;
}
}

49
webflux/src/main/java/org/springframework/security/web/server/header/XContentTypeOptionsHttpHeadersWriter.java Normal file
View File

@ -0,0 +1,49 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
* Adds X-Content-Type-Options: nosniff
*
* @author Rob Winch
* @since 5.0
*/
public class XContentTypeOptionsHttpHeadersWriter implements HttpHeadersWriter {
public static final String X_CONTENT_OPTIONS = "X-Content-Options";
public static final String NOSNIFF = "nosniff";
/**
* The delegate to write all the cache control related headers
*/
private static final HttpHeadersWriter CONTENT_TYPE_HEADERS = StaticHttpHeadersWriter.builder()
.header(X_CONTENT_OPTIONS, NOSNIFF)
.build();
@Override
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
return CONTENT_TYPE_HEADERS.writeHttpHeaders(exchange);
}
}

93
webflux/src/main/java/org/springframework/security/web/server/header/XFrameOptionsHttpHeadersWriter.java Normal file
View File

@ -0,0 +1,93 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public class XFrameOptionsHttpHeadersWriter implements HttpHeadersWriter {
public static final String X_FRAME_OPTIONS = "X-Frame-Options";
private HttpHeadersWriter delegate = createDelegate(Mode.DENY);
/*
* (non-Javadoc)
*
* @see org.springframework.security.web.server.HttpHeadersWriter#
* writeHttpHeaders(org.springframework.web.server.ServerWebExchange)
*/
@Override
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
return delegate.writeHttpHeaders(exchange);
}
/**
* Sets the X-Frame-Options mode. There is no support for ALLOW-FROM because
* not <a href=
* "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">all
* browsers support it</a>. Consider using X-Frame-Options with
* Content-Security-Policy <a href=
* "https://w3c.github.io/webappsec/specs/content-security-policy/#directive-frame-ancestors">frame-ancestors</a>.
*
* @param mode
*/
public void setMode(Mode mode) {
this.delegate = createDelegate(mode);
}
/**
* The X-Frame-Options values. There is no support for ALLOW-FROM because
* not <a href=
* "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">all
* browsers support it</a>. Consider using X-Frame-Options with
* Content-Security-Policy <a href=
* "https://w3c.github.io/webappsec/specs/content-security-policy/#directive-frame-ancestors">frame-ancestors</a>.
*
* @author Rob Winch
* @since 5.0
*/
public enum Mode {
/**
* A browser receiving content with this header field MUST NOT display
* this content in any frame.
*/
DENY,
/**
* A browser receiving content with this header field MUST NOT display
* this content in any frame from a page of different origin than the
* content itself.
*
* If a browser or plugin cannot reliably determine whether or not the
* origin of the content and the frame are the same, this MUST be
* treated as "DENY".
*/
SAMEORIGIN;
}
private static HttpHeadersWriter createDelegate(Mode mode) {
// @formatter:off
return StaticHttpHeadersWriter.builder().header(X_FRAME_OPTIONS, mode.name()).build();
// @formatter:on
}
}

116
webflux/src/main/java/org/springframework/security/web/server/header/XXssProtectionHttpHeadersWriter.java Normal file
View File

@ -0,0 +1,116 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public class XXssProtectionHttpHeadersWriter implements HttpHeadersWriter {
public static final String X_XSS_PROTECTION = "X-XSS-Protection";
private boolean enabled;
private boolean block;
private HttpHeadersWriter delegate;
/**
*
*/
public XXssProtectionHttpHeadersWriter() {
this.enabled = true;
this.block = true;
updateDelegate();
}
/* (non-Javadoc)
* @see org.springframework.security.web.server.HttpHeadersWriter#writeHttpHeaders(org.springframework.web.server.ServerWebExchange)
*/
@Override
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
return delegate.writeHttpHeaders(exchange);
}
/**
* If true, will contain a value of 1. For example:
*
* <pre>
* X-XSS-Protection: 1
* </pre>
*
* or if {@link #setBlock(boolean)} is true
*
*
* <pre>
* X-XSS-Protection: 1; mode=block
* </pre>
*
* If false, will explicitly disable specify that X-XSS-Protection is disabled. For
* example:
*
* <pre>
* X-XSS-Protection: 0
* </pre>
*
* @param enabled the new value
*/
public void setEnabled(boolean enabled) {
if (!enabled) {
setBlock(false);
}
this.enabled = enabled;
updateDelegate();
}
/**
* If false, will not specify the mode as blocked. In this instance, any content will
* be attempted to be fixed. If true, the content will be replaced with "#".
*
* @param block the new value
*/
public void setBlock(boolean block) {
if (!enabled && block) {
throw new IllegalArgumentException(
"Cannot set block to true with enabled false");
}
this.block = block;
updateDelegate();
}
private void updateDelegate() {
this.delegate = StaticHttpHeadersWriter.builder()
.header(X_XSS_PROTECTION, createHeaderValue())
.build();
}
private String createHeaderValue() {
if (!enabled) {
return "0";
}
if(!block) {
return "1";
}
return "1 ; mode=block";
}
}

62
webflux/src/main/java/org/springframework/security/web/server/util/matcher/AndServerWebExchangeMatcher.java Normal file
View File

@ -0,0 +1,62 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.util.matcher;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* @author Rob Winch
* @since 5.0
*/
public class AndServerWebExchangeMatcher implements ServerWebExchangeMatcher {
private final List<ServerWebExchangeMatcher> matchers;
public AndServerWebExchangeMatcher(List<ServerWebExchangeMatcher> matchers) {
Assert.notEmpty(matchers, "matchers cannot be empty");
this.matchers = matchers;
}
public AndServerWebExchangeMatcher(ServerWebExchangeMatcher... matchers) {
this(Arrays.asList(matchers));
}
/* (non-Javadoc)
* @see org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher#matches(org.springframework.web.server.ServerWebExchange)
*/
@Override
public MatchResult matches(ServerWebExchange exchange) {
Map<String, Object> variables = new HashMap<>();
return matchers.stream()
.map(m -> m.matches(exchange))
.peek( m -> variables.putAll(m.getVariables()))
.allMatch(m -> m.isMatch()) ? MatchResult.match(variables) : MatchResult.notMatch();
}
@Override
public String toString() {
return "AndServerWebExchangeMatcher{" +
"matchers=" + matchers +
'}';
}
}

62
webflux/src/main/java/org/springframework/security/web/server/util/matcher/OrServerWebExchangeMatcher.java Normal file
View File

@ -0,0 +1,62 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.util.matcher;
import java.util.Arrays;
import java.util.List;
import java.util.function.Predicate;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
/**
* @author Rob Winch
* @since 5.0
*/
public class OrServerWebExchangeMatcher implements ServerWebExchangeMatcher {
private final List<ServerWebExchangeMatcher> matchers;
public OrServerWebExchangeMatcher(List<ServerWebExchangeMatcher> matchers) {
Assert.notEmpty(matchers, "matchers cannot be empty");
this.matchers = matchers;
}
public OrServerWebExchangeMatcher(ServerWebExchangeMatcher... matchers) {
this(Arrays.asList(matchers));
}
/* (non-Javadoc)
* @see org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher#matches(org.springframework.web.server.ServerWebExchange)
*/
@Override
public MatchResult matches(ServerWebExchange exchange) {
return matchers.stream()
.map(m -> m.matches(exchange))
.filter(m -> m.isMatch())
.findFirst()
.orElse(MatchResult.notMatch());
}
@Override
public String toString() {
return "OrServerWebExchangeMatcher{" +
"matchers=" + matchers +
'}';
}
}

81
webflux/src/main/java/org/springframework/security/web/server/util/matcher/PathMatcherServerWebExchangeMatcher.java Normal file
View File

@ -0,0 +1,81 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.util.matcher;
import java.util.HashMap;
import java.util.Map;
import org.springframework.http.HttpMethod;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.Assert;
import org.springframework.util.PathMatcher;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.support.HttpRequestPathHelper;
/**
* @author Rob Winch
* @since 5.0
*/
public final class PathMatcherServerWebExchangeMatcher implements ServerWebExchangeMatcher {
private HttpRequestPathHelper helper = new HttpRequestPathHelper();
private PathMatcher pathMatcher = new AntPathMatcher();
private final String pattern;
private final HttpMethod method;
public PathMatcherServerWebExchangeMatcher(String pattern) {
this(pattern, null);
}
public PathMatcherServerWebExchangeMatcher(String pattern, HttpMethod method) {
Assert.notNull(pattern, "pattern cannot be null");
this.pattern = pattern;
this.method = method;
}
@Override
public MatchResult matches(ServerWebExchange exchange) {
ServerHttpRequest request = exchange.getRequest();
if(this.method != null && !this.method.equals(request.getMethod())) {
return MatchResult.notMatch();
}
String path = helper.getLookupPathForRequest(exchange);
boolean match = pathMatcher.match(pattern, path);
if(!match) {
return MatchResult.notMatch();
}
Map<String,String> pathVariables = pathMatcher.extractUriTemplateVariables(pattern, path);
Map<String,Object> variables = new HashMap<>(pathVariables);
return MatchResult.match(variables);
}
public void setPathMatcher(PathMatcher pathMatcher) {
Assert.notNull(pathMatcher, "pathMatcher cannot be null");
this.pathMatcher = pathMatcher;
}
@Override
public String toString() {
return "PathMatcherServerWebExchangeMatcher{" +
"pattern='" + pattern + '\'' +
", method=" + method +
'}';
}
}

63
webflux/src/main/java/org/springframework/security/web/server/util/matcher/ServerWebExchangeMatcher.java Normal file
View File

@ -0,0 +1,63 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.util.matcher;
import java.util.Collections;
import java.util.Map;
import org.springframework.web.server.ServerWebExchange;
/**
*
* @author Rob Winch
* @since 5.0
*/
public interface ServerWebExchangeMatcher {
MatchResult matches(ServerWebExchange exchange);
class MatchResult {
private final boolean match;
private final Map<String,Object> variables;
private MatchResult(boolean match, Map<String, Object> variables) {
this.match = match;
this.variables = variables;
}
public boolean isMatch() {
return match;
}
public Map<String,Object> getVariables() {
return variables;
}
public static MatchResult match() {
return match(Collections.emptyMap());
}
public static MatchResult match(Map<String,Object> variables) {
return new MatchResult(true, variables);
}
public static MatchResult notMatch() {
return new MatchResult(false, Collections.emptyMap());
}
}
}

59
webflux/src/main/java/org/springframework/security/web/server/util/matcher/ServerWebExchangeMatchers.java Normal file
View File

@ -0,0 +1,59 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.util.matcher;
import org.springframework.http.HttpMethod;
import org.springframework.web.server.ServerWebExchange;
import java.util.ArrayList;
import java.util.List;
/**
* @author Rob Winch
* @since 5.0
*/
public abstract class ServerWebExchangeMatchers {
public static ServerWebExchangeMatcher antMatchers(HttpMethod method, String... patterns) {
List<ServerWebExchangeMatcher> matchers = new ArrayList<>(patterns.length);
for (String pattern : patterns) {
matchers.add(new PathMatcherServerWebExchangeMatcher(pattern, method));
}
return new OrServerWebExchangeMatcher(matchers);
}
public static ServerWebExchangeMatcher antMatchers(String... patterns) {
return antMatchers(null, patterns);
}
public static ServerWebExchangeMatcher matchers(ServerWebExchangeMatcher... matchers) {
return new OrServerWebExchangeMatcher(matchers);
}
public static ServerWebExchangeMatcher anyExchange() {
return new ServerWebExchangeMatcher() {
@Override
public MatchResult matches(ServerWebExchange exchange) {
return ServerWebExchangeMatcher.MatchResult.match();
}
};
}
private ServerWebExchangeMatchers() {
}
}

50
webflux/src/test/java/org/springframework/security/test/web/reactive/server/WebTestClientBuilder.java Normal file
View File

@ -0,0 +1,50 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.test.web.reactive.server;
import org.springframework.http.HttpStatus;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.test.web.reactive.server.WebTestClient.Builder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.WebFilter;
/**
* Provides a convenient mechanism for running {@link WebTestClient} against
* {@link WebFilter}
*
* @author Rob Winch
* @since 5.0
*
*/
public class WebTestClientBuilder {
public static Builder bindToWebFilters(WebFilter... webFilters) {
return WebTestClient.bindToController(new Http200RestController()).webFilter(webFilters).configureClient();
}
@RestController
static class Http200RestController {
@RequestMapping("/**")
@ResponseStatus(HttpStatus.OK)
public String ok() {
return "ok";
}
}
}

63
webflux/src/test/java/org/springframework/security/test/web/reactive/server/WebTestHandler.java Normal file
View File

@ -0,0 +1,63 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.test.web.reactive.server;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest.BaseBuilder;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebHandler;
import org.springframework.web.server.handler.FilteringWebHandler;
import reactor.core.publisher.Mono;
import java.util.Arrays;
/**
*
* @author Rob Winch
* @since 5.0
*/
public class WebTestHandler {
private final WebHandler handler;
private WebTestHandler(WebHandler handler) {
this.handler = handler;
}
public WebHandlerResult exchange(BaseBuilder<?> baseBuilder) {
ServerWebExchange exchange = baseBuilder.toExchange();
handler.handle(exchange).block();
return new WebHandlerResult(exchange);
}
public static class WebHandlerResult {
private final ServerWebExchange exchange;
private WebHandlerResult(ServerWebExchange exchange) {
this.exchange = exchange;
}
public ServerWebExchange getExchange() {
return exchange;
}
}
public static WebTestHandler bindToWebFilters(WebFilter... filters) {
return new WebTestHandler(new FilteringWebHandler(exchange -> Mono.empty(), Arrays.asList(filters)));
}
}

679
webflux/src/test/java/org/springframework/security/web/method/ResolvableMethod.java Normal file
View File

@ -0,0 +1,679 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.method;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.lang.reflect.Parameter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Predicate;
import java.util.function.Supplier;
import org.aopalliance.intercept.MethodInterceptor;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.aop.framework.ProxyFactory;
import org.springframework.aop.target.EmptyTargetSource;
import org.springframework.cglib.core.SpringNamingPolicy;
import org.springframework.cglib.proxy.Callback;
import org.springframework.cglib.proxy.Enhancer;
import org.springframework.cglib.proxy.Factory;
import org.springframework.cglib.proxy.MethodProxy;
import org.springframework.core.LocalVariableTableParameterNameDiscoverer;
import org.springframework.core.MethodIntrospector;
import org.springframework.core.MethodParameter;
import org.springframework.core.ParameterNameDiscoverer;
import org.springframework.core.ResolvableType;
import org.springframework.core.annotation.AnnotatedElementUtils;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.core.annotation.SynthesizingMethodParameter;
import org.springframework.objenesis.ObjenesisException;
import org.springframework.objenesis.SpringObjenesis;
import org.springframework.util.Assert;
import org.springframework.util.ObjectUtils;
import org.springframework.util.ReflectionUtils;
import org.springframework.web.bind.annotation.ValueConstants;
import static java.util.stream.Collectors.joining;
/**
* Convenience class to resolve method parameters from hints.
*
* <h1>Background</h1>
*
* <p>When testing annotated methods we create test classes such as
* "TestController" with a diverse range of method signatures representing
* supported annotations and argument types. It becomes challenging to use
* naming strategies to keep track of methods and arguments especially in
* combination with variables for reflection metadata.
*
* <p>The idea with {@link ResolvableMethod} is NOT to rely on naming techniques
* but to use hints to zero in on method parameters. Such hints can be strongly
* typed and explicit about what is being tested.
*
* <h2>1. Declared Return Type</h2>
*
* When testing return types it's likely to have many methods with a unique
* return type, possibly with or without an annotation.
*
* <pre>
*
* import static org.springframework.web.method.ResolvableMethod.on;
* import static org.springframework.web.method.MvcAnnotationPredicates.requestMapping;
*
* // Return type
* on(TestController.class).resolveReturnType(Foo.class);
* on(TestController.class).resolveReturnType(List.class, Foo.class);
* on(TestController.class).resolveReturnType(Mono.class, responseEntity(Foo.class));
*
* // Annotation + return type
* on(TestController.class).annotPresent(RequestMapping.class).resolveReturnType(Bar.class);
*
* // Annotation not present
* on(TestController.class).annotNotPresent(RequestMapping.class).resolveReturnType();
*
* // Annotation with attributes
* on(TestController.class).annot(requestMapping("/foo").params("p")).resolveReturnType();
* </pre>
*
* <h2>2. Method Arguments</h2>
*
* When testing method arguments it's more likely to have one or a small number
* of methods with a wide array of argument types and parameter annotations.
*
* <pre>
*
* import static org.springframework.web.method.MvcAnnotationPredicates.requestParam;
*
* ResolvableMethod testMethod = ResolvableMethod.on(getClass()).named("handle").build();
*
* testMethod.arg(Foo.class);
* testMethod.annotPresent(RequestParam.class).arg(Integer.class);
* testMethod.annotNotPresent(RequestParam.class)).arg(Integer.class);
* testMethod.annot(requestParam().name("c").notRequired()).arg(Integer.class);
* </pre>
*
* <h3>3. Mock Handler Method Invocation</h3>
*
* Locate a method by invoking it through a proxy of the target handler:
*
* <pre>
*
* ResolvableMethod.on(TestController.class).mockCall(o -> o.handle(null)).method();
* </pre>
*
* @author Rossen Stoyanchev
* @since 5.0
*/
public class ResolvableMethod {
private static final Log logger = LogFactory.getLog(ResolvableMethod.class);
private static final SpringObjenesis objenesis = new SpringObjenesis();
private static final ParameterNameDiscoverer nameDiscoverer =
new LocalVariableTableParameterNameDiscoverer();
private final Method method;
private ResolvableMethod(Method method) {
Assert.notNull(method, "method is required");
this.method = method;
}
/**
* Return the resolved method.
*/
public Method method() {
return this.method;
}
/**
* Return the declared return type of the resolved method.
*/
public MethodParameter returnType() {
return new SynthesizingMethodParameter(this.method, -1);
}
/**
* Find a unique argument matching the given type.
* @param type the expected type
* @param generics optional array of generic types
*/
public MethodParameter arg(Class<?> type, Class<?>... generics) {
return new ArgResolver().arg(type, generics);
}
/**
* Find a unique argument matching the given type.
* @param type the expected type
* @param generic at least one generic type
* @param generics optional array of generic types
*/
public MethodParameter arg(Class<?> type, ResolvableType generic, ResolvableType... generics) {
return new ArgResolver().arg(type, generic, generics);
}
/**
* Find a unique argument matching the given type.
* @param type the expected type
*/
public MethodParameter arg(ResolvableType type) {
return new ArgResolver().arg(type);
}
/**
* Filter on method arguments with annotation.
* See {@link MvcAnnotationPredicates}.
*/
@SafeVarargs
public final ArgResolver annot(Predicate<MethodParameter>... filter) {
return new ArgResolver(filter);
}
@SafeVarargs
public final ArgResolver annotPresent(Class<? extends Annotation>... annotationTypes) {
return new ArgResolver().annotPresent(annotationTypes);
}
/**
* Filter on method arguments that don't have the given annotation type(s).
* @param annotationTypes the annotation types
*/
@SafeVarargs
public final ArgResolver annotNotPresent(Class<? extends Annotation>... annotationTypes) {
return new ArgResolver().annotNotPresent(annotationTypes);
}
@Override
public String toString() {
return "ResolvableMethod=" + formatMethod();
}
private String formatMethod() {
return this.method().getName() +
Arrays.stream(this.method.getParameters())
.map(this::formatParameter)
.collect(joining(",\n\t", "(\n\t", "\n)"));
}
private String formatParameter(Parameter param) {
Annotation[] annot = param.getAnnotations();
return annot.length > 0 ?
Arrays.stream(annot).map(this::formatAnnotation).collect(joining(",", "[", "]")) + " " + param :
param.toString();
}
private String formatAnnotation(Annotation annotation) {
Map<String, Object> map = AnnotationUtils.getAnnotationAttributes(annotation);
map.forEach((key, value) -> {
if (value.equals(ValueConstants.DEFAULT_NONE)) {
map.put(key, "NONE");
}
});
return annotation.annotationType().getName() + map;
}
private static ResolvableType toResolvableType(Class<?> type, Class<?>... generics) {
return ObjectUtils.isEmpty(generics) ?
ResolvableType.forClass(type) :
ResolvableType.forClassWithGenerics(type, generics);
}
private static ResolvableType toResolvableType(Class<?> type, ResolvableType generic, ResolvableType... generics) {
ResolvableType[] genericTypes = new ResolvableType[generics.length + 1];
genericTypes[0] = generic;
System.arraycopy(generics, 0, genericTypes, 1, generics.length);
return ResolvableType.forClassWithGenerics(type, genericTypes);
}
/**
* Main entry point providing access to a {@code ResolvableMethod} builder.
*/
public static <T> Builder<T> on(Class<T> objectClass) {
return new Builder<>(objectClass);
}
/**
* Builder for {@code ResolvableMethod}.
*/
public static class Builder<T> {
private final Class<?> objectClass;
private final List<Predicate<Method>> filters = new ArrayList<>(4);
private Builder(Class<?> objectClass) {
Assert.notNull(objectClass, "Class must not be null");
this.objectClass = objectClass;
}
private void addFilter(String message, Predicate<Method> filter) {
this.filters.add(new LabeledPredicate<>(message, filter));
}
/**
* Filter on methods with the given name.
*/
public Builder<T> named(String methodName) {
addFilter("methodName=" + methodName, m -> m.getName().equals(methodName));
return this;
}
/**
* Filter on annotated methods.
* See {@link MvcAnnotationPredicates}.
*/
@SafeVarargs
public final Builder<T> annot(Predicate<Method>... filters) {
this.filters.addAll(Arrays.asList(filters));
return this;
}
/**
* Filter on methods annotated with the given annotation type.
* @see #annot(Predicate[])
* @see MvcAnnotationPredicates
*/
@SafeVarargs
public final Builder<T> annotPresent(Class<? extends Annotation>... annotationTypes) {
String message = "annotationPresent=" + Arrays.toString(annotationTypes);
addFilter(message, method ->
Arrays.stream(annotationTypes).allMatch(annotType ->
AnnotatedElementUtils.findMergedAnnotation(method, annotType) != null));
return this;
}
/**
* Filter on methods not annotated with the given annotation type.
*/
@SafeVarargs
public final Builder<T> annotNotPresent(Class<? extends Annotation>... annotationTypes) {
String message = "annotationNotPresent=" + Arrays.toString(annotationTypes);
addFilter(message, method -> {
if (annotationTypes.length != 0) {
return Arrays.stream(annotationTypes).noneMatch(annotType ->
AnnotatedElementUtils.findMergedAnnotation(method, annotType) != null);
}
else {
return method.getAnnotations().length == 0;
}
});
return this;
}
/**
* Filter on methods returning the given type.
* @param returnType the return type
* @param generics optional array of generic types
*/
public Builder<T> returning(Class<?> returnType, Class<?>... generics) {
return returning(toResolvableType(returnType, generics));
}
/**
* Filter on methods returning the given type with generics.
* @param returnType the return type
* @param generic at least one generic type
* @param generics optional extra generic types
*/
public Builder<T> returning(Class<?> returnType, ResolvableType generic, ResolvableType... generics) {
return returning(toResolvableType(returnType, generic, generics));
}
/**
* Filter on methods returning the given type.
* @param returnType the return type
*/
public Builder<T> returning(ResolvableType returnType) {
String expected = returnType.toString();
String message = "returnType=" + expected;
addFilter(message, m -> expected.equals(ResolvableType.forMethodReturnType(m).toString()));
return this;
}
/**
* Build a {@code ResolvableMethod} from the provided filters which must
* resolve to a unique, single method.
*
* <p>See additional resolveXxx shortcut methods going directly to
* {@link Method} or return type parameter.
*
* @throws IllegalStateException for no match or multiple matches
*/
public ResolvableMethod build() {
Set<Method> methods = MethodIntrospector.selectMethods(this.objectClass, this::isMatch);
Assert.state(!methods.isEmpty(), "No matching method: " + this);
Assert.state(methods.size() == 1, "Multiple matching methods: " + this + formatMethods(methods));
return new ResolvableMethod(methods.iterator().next());
}
private boolean isMatch(Method method) {
return this.filters.stream().allMatch(p -> p.test(method));
}
private String formatMethods(Set<Method> methods) {
return "\nMatched:\n" + methods.stream()
.map(Method::toGenericString).collect(joining(",\n\t", "[\n\t", "\n]"));
}
public ResolvableMethod mockCall(Consumer<T> invoker) {
MethodInvocationInterceptor interceptor = new MethodInvocationInterceptor();
T proxy = initProxy(this.objectClass, interceptor);
invoker.accept(proxy);
Method method = interceptor.getInvokedMethod();
return new ResolvableMethod(method);
}
// Build & resolve shortcuts...
/**
* Resolve and return the {@code Method} equivalent to:
* <p>{@code build().method()}
*/
public final Method resolveMethod() {
return build().method();
}
/**
* Resolve and return the {@code Method} equivalent to:
* <p>{@code named(methodName).build().method()}
*/
public Method resolveMethod(String methodName) {
return named(methodName).build().method();
}
/**
* Resolve and return the declared return type equivalent to:
* <p>{@code build().returnType()}
*/
public final MethodParameter resolveReturnType() {
return build().returnType();
}
/**
* Shortcut to the unique return type equivalent to:
* <p>{@code returning(returnType).build().returnType()}
* @param returnType the return type
* @param generics optional array of generic types
*/
public MethodParameter resolveReturnType(Class<?> returnType, Class<?>... generics) {
return returning(returnType, generics).build().returnType();
}
/**
* Shortcut to the unique return type equivalent to:
* <p>{@code returning(returnType).build().returnType()}
* @param returnType the return type
* @param generic at least one generic type
* @param generics optional extra generic types
*/
public MethodParameter resolveReturnType(Class<?> returnType, ResolvableType generic,
ResolvableType... generics) {
return returning(returnType, generic, generics).build().returnType();
}
public MethodParameter resolveReturnType(ResolvableType returnType) {
return returning(returnType).build().returnType();
}
@Override
public String toString() {
return "ResolvableMethod.Builder[\n" +
"\tobjectClass = " + this.objectClass.getName() + ",\n" +
"\tfilters = " + formatFilters() + "\n]";
}
private String formatFilters() {
return this.filters.stream().map(Object::toString)
.collect(joining(",\n\t\t", "[\n\t\t", "\n\t]"));
}
}
/**
* Predicate with a descriptive label.
*/
private static class LabeledPredicate<T> implements Predicate<T> {
private final String label;
private final Predicate<T> delegate;
private LabeledPredicate(String label, Predicate<T> delegate) {
this.label = label;
this.delegate = delegate;
}
@Override
public boolean test(T method) {
return this.delegate.test(method);
}
@Override
public Predicate<T> and(Predicate<? super T> other) {
return this.delegate.and(other);
}
@Override
public Predicate<T> negate() {
return this.delegate.negate();
}
@Override
public Predicate<T> or(Predicate<? super T> other) {
return this.delegate.or(other);
}
@Override
public String toString() {
return this.label;
}
}
/**
* Resolver for method arguments.
*/
public class ArgResolver {
private final List<Predicate<MethodParameter>> filters = new ArrayList<>(4);
@SafeVarargs
private ArgResolver(Predicate<MethodParameter>... filter) {
this.filters.addAll(Arrays.asList(filter));
}
/**
* Filter on method arguments with annotations.
* See {@link MvcAnnotationPredicates}.
*/
@SafeVarargs
public final ArgResolver annot(Predicate<MethodParameter>... filters) {
this.filters.addAll(Arrays.asList(filters));
return this;
}
/**
* Filter on method arguments that have the given annotations.
* @param annotationTypes the annotation types
* @see #annot(Predicate[])
* @see MvcAnnotationPredicates
*/
@SafeVarargs
public final ArgResolver annotPresent(Class<? extends Annotation>... annotationTypes) {
this.filters.add(param -> Arrays.stream(annotationTypes).allMatch(param::hasParameterAnnotation));
return this;
}
/**
* Filter on method arguments that don't have the given annotations.
* @param annotationTypes the annotation types
*/
@SafeVarargs
public final ArgResolver annotNotPresent(Class<? extends Annotation>... annotationTypes) {
this.filters.add(param ->
(annotationTypes.length != 0) ?
Arrays.stream(annotationTypes).noneMatch(param::hasParameterAnnotation) :
param.getParameterAnnotations().length == 0);
return this;
}
/**
* Resolve the argument also matching to the given type.
* @param type the expected type
*/
public MethodParameter arg(Class<?> type, Class<?>... generics) {
return arg(toResolvableType(type, generics));
}
/**
* Resolve the argument also matching to the given type.
* @param type the expected type
*/
public MethodParameter arg(Class<?> type, ResolvableType generic, ResolvableType... generics) {
return arg(toResolvableType(type, generic, generics));
}
/**
* Resolve the argument also matching to the given type.
* @param type the expected type
*/
public MethodParameter arg(ResolvableType type) {
this.filters.add(p -> type.toString().equals(ResolvableType.forMethodParameter(p).toString()));
return arg();
}
/**
* Resolve the argument.
*/
public final MethodParameter arg() {
List<MethodParameter> matches = applyFilters();
Assert.state(!matches.isEmpty(), () ->
"No matching arg in method\n" + formatMethod());
Assert.state(matches.size() == 1, () ->
"Multiple matching args in method\n" + formatMethod() + "\nMatches:\n\t" + matches);
return matches.get(0);
}
private List<MethodParameter> applyFilters() {
List<MethodParameter> matches = new ArrayList<>();
for (int i = 0; i < method.getParameterCount(); i++) {
MethodParameter param = new SynthesizingMethodParameter(method, i);
param.initParameterNameDiscovery(nameDiscoverer);
if (this.filters.stream().allMatch(p -> p.test(param))) {
matches.add(param);
}
}
return matches;
}
}
private static class MethodInvocationInterceptor
implements org.springframework.cglib.proxy.MethodInterceptor, MethodInterceptor {
private Method invokedMethod;
Method getInvokedMethod() {
return this.invokedMethod;
}
@Override
public Object intercept(Object object, Method method, Object[] args, MethodProxy proxy) {
if (ReflectionUtils.isObjectMethod(method)) {
return ReflectionUtils.invokeMethod(method, object, args);
}
else {
this.invokedMethod = method;
return null;
}
}
@Override
public Object invoke(org.aopalliance.intercept.MethodInvocation inv) throws Throwable {
return intercept(inv.getThis(), inv.getMethod(), inv.getArguments(), null);
}
}
@SuppressWarnings("unchecked")
private static <T> T initProxy(Class<?> type, MethodInvocationInterceptor interceptor) {
Assert.notNull(type, "'type' must not be null");
if (type.isInterface()) {
ProxyFactory factory = new ProxyFactory(EmptyTargetSource.INSTANCE);
factory.addInterface(type);
factory.addInterface(Supplier.class);
factory.addAdvice(interceptor);
return (T) factory.getProxy();
}
else {
Enhancer enhancer = new Enhancer();
enhancer.setSuperclass(type);
enhancer.setInterfaces(new Class<?>[] {Supplier.class});
enhancer.setNamingPolicy(SpringNamingPolicy.INSTANCE);
enhancer.setCallbackType(org.springframework.cglib.proxy.MethodInterceptor.class);
Class<?> proxyClass = enhancer.createClass();
Object proxy = null;
if (objenesis.isWorthTrying()) {
try {
proxy = objenesis.newInstance(proxyClass, enhancer.getUseCache());
}
catch (ObjenesisException ex) {
logger.debug("Objenesis failed, falling back to default constructor", ex);
}
}
if (proxy == null) {
try {
proxy = ReflectionUtils.accessibleConstructor(proxyClass).newInstance();
}
catch (Throwable ex) {
throw new IllegalStateException("Unable to instantiate proxy " +
"via both Objenesis and default constructor fails as well", ex);
}
}
((Factory) proxy).setCallbacks(new Callback[] {interceptor});
return (T) proxy;
}
}
}

167
webflux/src/test/java/org/springframework/security/web/reactive/result/method/annotation/AuthenticationPrincipalArgumentResolverTests.java Normal file
View File

@ -0,0 +1,167 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.reactive.result.method.annotation;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.core.MethodParameter;
import org.springframework.core.ReactiveAdapterRegistry;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.web.method.ResolvableMethod;
import org.springframework.web.reactive.BindingContext;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import java.lang.annotation.*;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.when;
/**
* @author Rob Winch
* @since 5.0
*/
@RunWith(MockitoJUnitRunner.class)
public class AuthenticationPrincipalArgumentResolverTests {
@Mock
ServerWebExchange exchange;
@Mock
BindingContext bindingContext;
@Mock
Authentication authentication;
ResolvableMethod authenticationPrincipal = ResolvableMethod.on(getClass()).named("authenticationPrincipal").build();
ResolvableMethod spel = ResolvableMethod.on(getClass()).named("spel").build();
ResolvableMethod meta = ResolvableMethod.on(getClass()).named("meta").build();
AuthenticationPrincipalArgumentResolver resolver;
@Before
public void setup() {
resolver = new AuthenticationPrincipalArgumentResolver(new ReactiveAdapterRegistry());
}
@Test
public void supportsParameterAuthenticationPrincipal() throws Exception {
assertThat(resolver.supportsParameter(this.authenticationPrincipal.arg(String.class))).isTrue();
}
@Test
public void supportsParameterCurrentUser() throws Exception {
assertThat(resolver.supportsParameter(this.meta.arg(String.class))).isTrue();
}
@Test
public void resolveArgumentWhenIsAuthenticationThenObtainsPrincipal() throws Exception {
MethodParameter parameter = this.authenticationPrincipal.arg(String.class);
when(authentication.getPrincipal()).thenReturn("user");
when(exchange.getPrincipal()).thenReturn(Mono.just(authentication));
Mono<Object> argument = resolver.resolveArgument(parameter, bindingContext, exchange);
assertThat(argument.block()).isEqualTo(authentication.getPrincipal());
}
@Test
public void resolveArgumentWhenIsNotAuthenticationThenMonoEmpty() throws Exception {
MethodParameter parameter = this.authenticationPrincipal.arg(String.class);
when(exchange.getPrincipal()).thenReturn(Mono.just(() -> ""));
Mono<Object> argument = resolver.resolveArgument(parameter, bindingContext, exchange);
assertThat(argument).isNotNull();
assertThat(argument.block()).isNull();
}
@Test
public void resolveArgumentWhenIsEmptyThenMonoEmpty() throws Exception {
MethodParameter parameter = this.authenticationPrincipal.arg(String.class);
when(authentication.getPrincipal()).thenReturn("user");
when(exchange.getPrincipal()).thenReturn(Mono.empty());
Mono<Object> argument = resolver.resolveArgument(parameter, bindingContext, exchange);
assertThat(argument).isNotNull();
assertThat(argument.block()).isNull();
}
@Test
public void resolveArgumentWhenMonoIsAuthenticationThenObtainsPrincipal() throws Exception {
MethodParameter parameter = this.authenticationPrincipal.arg(Mono.class, String.class);
when(authentication.getPrincipal()).thenReturn("user");
when(exchange.getPrincipal()).thenReturn(Mono.just(authentication));
Mono<Object> argument = resolver.resolveArgument(parameter, bindingContext, exchange);
assertThat(argument.cast(Mono.class).block().block()).isEqualTo(authentication.getPrincipal());
}
@Test
public void resolveArgumentWhenSpelThenObtainsPrincipal() throws Exception {
MyUser user = new MyUser(3L);
MethodParameter parameter = this.spel.arg(Long.class);
when(authentication.getPrincipal()).thenReturn(user);
when(exchange.getPrincipal()).thenReturn(Mono.just(authentication));
Mono<Object> argument = resolver.resolveArgument(parameter, bindingContext, exchange);
assertThat(argument.block()).isEqualTo(user.getId());
}
@Test
public void resolveArgumentWhenMetaThenObtainsPrincipal() throws Exception {
MethodParameter parameter = this.meta.arg(String.class);
when(authentication.getPrincipal()).thenReturn("user");
when(exchange.getPrincipal()).thenReturn(Mono.just(authentication));
Mono<Object> argument = resolver.resolveArgument(parameter, bindingContext, exchange);
assertThat(argument.block()).isEqualTo("user");
}
void authenticationPrincipal(@AuthenticationPrincipal String principal, @AuthenticationPrincipal Mono<String> monoPrincipal) {}
void spel(@AuthenticationPrincipal(expression = "id") Long id) {}
void meta(@CurrentUser String principal) {}
static class MyUser {
private final Long id;
MyUser(Long id) {
this.id = id;
}
public Long getId() {
return id;
}
}
@Target({ ElementType.PARAMETER, ElementType.ANNOTATION_TYPE })
@Retention(RetentionPolicy.RUNTIME)
@Documented
@AuthenticationPrincipal
public @interface CurrentUser {}
}

83
webflux/src/test/java/org/springframework/security/web/server/HttpBasicAuthenticationConverterTests.java Normal file
View File

@ -0,0 +1,83 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server;
import org.junit.Test;
import org.springframework.http.HttpHeaders;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import reactor.core.publisher.Mono;
import reactor.test.StepVerifier;
import static org.assertj.core.api.Assertions.assertThat;
/**
* @author Rob Winch
* @since 5.0
*/
public class HttpBasicAuthenticationConverterTests {
HttpBasicAuthenticationConverter converter = new HttpBasicAuthenticationConverter();
MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest.get("/");
@Test
public void applyWhenNoAuthorizationHeaderThenEmpty() {
Mono<Authentication> result = converter.apply(request.toExchange());
assertThat(result.block()).isNull();
}
@Test
public void applyWhenEmptyAuthorizationHeaderThenEmpty() {
Mono<Authentication> result = converter.apply(request.header(HttpHeaders.AUTHORIZATION, "").toExchange());
assertThat(result.block()).isNull();
}
@Test
public void applyWhenOnlyBasicAuthorizationHeaderThenEmpty() {
Mono<Authentication> result = converter.apply(request.header(HttpHeaders.AUTHORIZATION, "Basic ").toExchange());
assertThat(result.block()).isNull();
}
@Test
public void applyWhenNotBase64ThenEmpty() {
Mono<Authentication> result = converter.apply(request.header(HttpHeaders.AUTHORIZATION, "Basic z").toExchange());
assertThat(result.block()).isNull();
}
@Test
public void applyWhenNoSemicolonThenEmpty() {
Mono<Authentication> result = converter.apply(request.header(HttpHeaders.AUTHORIZATION, "Basic dXNlcg==").toExchange());
assertThat(result.block()).isNull();
}
@Test
public void applyWhenUserPasswordThenAuthentication() {
Mono<Authentication> result = converter.apply(request.header(HttpHeaders.AUTHORIZATION, "Basic dXNlcjpwYXNzd29yZA==").toExchange());
UsernamePasswordAuthenticationToken authentication = result.cast(UsernamePasswordAuthenticationToken.class).block();
assertThat(authentication.getPrincipal()).isEqualTo("user");
assertThat(authentication.getCredentials()).isEqualTo("password");
}
}

235
webflux/src/test/java/org/springframework/security/web/server/authentication/AuthenticationWebFilterTests.java Normal file
View File

@ -0,0 +1,235 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.authentication;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
import org.springframework.security.web.server.AuthenticationEntryPoint;
import org.springframework.test.web.reactive.server.EntityExchangeResult;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import java.util.function.Function;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Matchers.any;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when;
import static org.springframework.web.reactive.function.client.ExchangeFilterFunctions.basicAuthentication;
/**
* @author Rob Winch
* @since 5.0
*/
@RunWith(MockitoJUnitRunner.class)
public class AuthenticationWebFilterTests {
@Mock
AuthenticationSuccessHandler successHandler;
@Mock
Function<ServerWebExchange,Mono<Authentication>> authenticationConverter;
@Mock
ReactiveAuthenticationManager authenticationManager;
@Mock
AuthenticationEntryPoint entryPoint;
AuthenticationWebFilter filter;
@Before
public void setup() {
filter = new AuthenticationWebFilter(authenticationManager);
filter.setAuthenticationSuccessHandler(successHandler);
filter.setAuthenticationConverter(authenticationConverter);
filter.setEntryPoint(entryPoint);
}
@Test
public void filterWhenDefaultsAndNoAuthenticationThenContinues() {
filter = new AuthenticationWebFilter(authenticationManager);
WebTestClient client = WebTestClientBuilder
.bindToWebFilters(filter)
.build();
EntityExchangeResult<byte[]> result = client.get()
.uri("/")
.exchange()
.expectStatus().isOk()
.expectBody().consumeAsStringWith(b -> assertThat(b).isEqualTo("ok"))
.returnResult();
verifyZeroInteractions(authenticationManager);
assertThat(result.getResponseCookies()).isEmpty();
}
@Test
public void filterWhenDefaultsAndAuthenticationSuccessThenContinues() {
when(authenticationManager.authenticate(any())).thenReturn(Mono.just(new TestingAuthenticationToken("test","this", "ROLE")));
filter = new AuthenticationWebFilter(authenticationManager);
WebTestClient client = WebTestClientBuilder
.bindToWebFilters(filter)
.build();
EntityExchangeResult<byte[]> result = client
.filter(basicAuthentication("test","this"))
.get()
.uri("/")
.exchange()
.expectStatus().isOk()
.expectBody().consumeAsStringWith(b -> assertThat(b).isEqualTo("ok"))
.returnResult();
assertThat(result.getResponseCookies()).isEmpty();
}
@Test
public void filterWhenDefaultsAndAuthenticationFailThenUnauthorized() {
when(authenticationManager.authenticate(any())).thenReturn(Mono.error(new BadCredentialsException("failed")));
filter = new AuthenticationWebFilter(authenticationManager);
WebTestClient client = WebTestClientBuilder
.bindToWebFilters(filter)
.build();
EntityExchangeResult<Void> result = client
.filter(basicAuthentication("test", "this"))
.get()
.uri("/")
.exchange()
.expectStatus().isUnauthorized()
.expectHeader().valueMatches("WWW-Authenticate", "Basic realm=\"Realm\"")
.expectBody().isEmpty();
assertThat(result.getResponseCookies()).isEmpty();
}
@Test
public void filterWhenConvertEmptyThenOk() {
when(authenticationConverter.apply(any())).thenReturn(Mono.empty());
WebTestClient client = WebTestClientBuilder
.bindToWebFilters(filter)
.build();
EntityExchangeResult<byte[]> result = client
.get()
.uri("/")
.exchange()
.expectStatus().isOk()
.expectBody().consumeAsStringWith(b -> assertThat(b).isEqualTo("ok"))
.returnResult();
verifyZeroInteractions(authenticationManager, successHandler, entryPoint);
}
@Test
public void filterWhenConvertErrorThenServerError() {
when(authenticationConverter.apply(any())).thenReturn(Mono.error(new RuntimeException("Unexpected")));
WebTestClient client = WebTestClientBuilder
.bindToWebFilters(filter)
.build();
client
.get()
.uri("/")
.exchange()
.expectStatus().is5xxServerError()
.expectBody().isEmpty();
verifyZeroInteractions(authenticationManager, successHandler, entryPoint);
}
@Test
public void filterWhenConvertAndAuthenticationSuccessThenSuccessHandler() {
Mono<Authentication> authentication = Mono.just(new TestingAuthenticationToken("test", "this", "ROLE_USER"));
when(authenticationConverter.apply(any())).thenReturn(authentication);
when(authenticationManager.authenticate(any())).thenReturn(authentication);
when(successHandler.success(any(),any(),any())).thenReturn(Mono.empty());
WebTestClient client = WebTestClientBuilder
.bindToWebFilters(filter)
.build();
client
.get()
.uri("/")
.exchange()
.expectStatus().isOk()
.expectBody().isEmpty();
verify(successHandler).success(eq(authentication.block()), any(), any());
verifyZeroInteractions(entryPoint);
}
@Test
public void filterWhenConvertAndAuthenticationFailThenEntryPoint() {
Mono<Authentication> authentication = Mono.just(new TestingAuthenticationToken("test", "this", "ROLE_USER"));
when(authenticationConverter.apply(any())).thenReturn(authentication);
when(authenticationManager.authenticate(any())).thenReturn(Mono.error(new BadCredentialsException("Failed")));
when(entryPoint.commence(any(),any())).thenReturn(Mono.empty());
WebTestClient client = WebTestClientBuilder
.bindToWebFilters(filter)
.build();
client
.get()
.uri("/")
.exchange()
.expectStatus().isOk()
.expectBody().isEmpty();
verify(entryPoint).commence(any(),any());
verifyZeroInteractions(successHandler);
}
@Test
public void filterWhenConvertAndAuthenticationExceptionThenServerError() {
Mono<Authentication> authentication = Mono.just(new TestingAuthenticationToken("test", "this", "ROLE_USER"));
when(authenticationConverter.apply(any())).thenReturn(authentication);
when(authenticationManager.authenticate(any())).thenReturn(Mono.error(new RuntimeException("Failed")));
when(entryPoint.commence(any(),any())).thenReturn(Mono.empty());
WebTestClient client = WebTestClientBuilder
.bindToWebFilters(filter)
.build();
client
.get()
.uri("/")
.exchange()
.expectStatus().is5xxServerError()
.expectBody().isEmpty();
verifyZeroInteractions(successHandler, entryPoint);
}
}

92
webflux/src/test/java/org/springframework/security/web/server/context/SecurityContextRepositoryWebFilterTests.java Normal file
View File

@ -0,0 +1,92 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.context;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.security.test.web.reactive.server.WebTestHandler;
import reactor.core.publisher.Mono;
import java.security.Principal;
import static org.mockito.Matchers.any;
import static org.mockito.Mockito.*;
/**
* @author Rob Winch
* @since 5.0
*/
@RunWith(MockitoJUnitRunner.class)
public class SecurityContextRepositoryWebFilterTests {
@Mock
SecurityContextRepository repository;
MockServerHttpRequest.BaseBuilder<?> exchange = MockServerHttpRequest.get("/");
SecurityContextRepositoryWebFilter filter;
WebTestHandler filters;
@Before
public void setup() {
filter = new SecurityContextRepositoryWebFilter(repository);
filters = WebTestHandler.bindToWebFilters(filter);
}
@Test(expected = IllegalArgumentException.class)
public void constructorNullSecurityContextRepository() {
SecurityContextRepository repository = null;
new SecurityContextRepositoryWebFilter(repository);
}
@Test
public void filterWhenNoPrincipalAccessThenNoInteractions() {
filters.exchange(exchange);
verifyZeroInteractions(repository);
}
@Test
public void filterWhenGetPrincipalMonoThenNoInteractions() {
filters = WebTestHandler.bindToWebFilters(filter, (e,c) -> {
Mono<Principal> p = e.getPrincipal();
return c.filter(e);
});
filters.exchange(exchange);
verifyZeroInteractions(repository);
}
@Test
public void filterWhenGetPrincipalThenInteract() {
when(repository.load(any())).thenReturn(Mono.empty());
filters = WebTestHandler.bindToWebFilters(filter, (e,c) -> e.getPrincipal().flatMap( p-> c.filter(e))) ;
filters.exchange(exchange);
verify(repository).load(any());
}
}

83
webflux/src/test/java/org/springframework/security/web/server/header/CacheControlHttpHeadersWriterTests.java Normal file
View File

@ -0,0 +1,83 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import static org.assertj.core.api.Assertions.assertThat;
import org.junit.Test;
import org.springframework.http.HttpHeaders;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
/**
*
* @author Rob Winch
* @since 5.0
*
*/
public class CacheControlHttpHeadersWriterTests {
CacheControlHttpHeadersWriter writer = new CacheControlHttpHeadersWriter();
ServerWebExchange exchange = MockServerHttpRequest.get("/").toExchange();
HttpHeaders headers = exchange.getResponse().getHeaders();
@Test
public void writeHeadersWhenCacheHeadersThenWritesAllCacheControl() {
writer.writeHttpHeaders(exchange);
assertThat(headers).hasSize(3);
assertThat(headers.get(HttpHeaders.CACHE_CONTROL)).containsOnly(CacheControlHttpHeadersWriter.CACHE_CONTRTOL_VALUE);
assertThat(headers.get(HttpHeaders.EXPIRES)).containsOnly(CacheControlHttpHeadersWriter.EXPIRES_VALUE);
assertThat(headers.get(HttpHeaders.PRAGMA)).containsOnly(CacheControlHttpHeadersWriter.PRAGMA_VALUE);
}
@Test
public void writeHeadersWhenCacheControlThenNoCacheControlHeaders() {
String cacheControl = "max-age=1234";
headers.set(HttpHeaders.CACHE_CONTROL, cacheControl);
writer.writeHttpHeaders(exchange);
assertThat(headers.get(HttpHeaders.CACHE_CONTROL)).containsOnly(cacheControl);
}
@Test
public void writeHeadersWhenPragmaThenNoCacheControlHeaders() {
String pragma = "1";
headers.set(HttpHeaders.PRAGMA, pragma);
writer.writeHttpHeaders(exchange);
assertThat(headers).hasSize(1);
assertThat(headers.get(HttpHeaders.PRAGMA)).containsOnly(pragma);
}
@Test
public void writeHeadersWhenExpiresThenNoCacheControlHeaders() {
String expires = "1";
headers.set(HttpHeaders.EXPIRES, expires);
writer.writeHttpHeaders(exchange);
assertThat(headers).hasSize(1);
assertThat(headers.get(HttpHeaders.EXPIRES)).containsOnly(expires);
}
}

102
webflux/src/test/java/org/springframework/security/web/server/header/CompositeHttpHeadersWriterTests.java Normal file
View File

@ -0,0 +1,102 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import java.util.Arrays;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import reactor.test.StepVerifier;
/**
*
* @author Rob Winch
* @since 5.0
*/
@RunWith(MockitoJUnitRunner.class)
public class CompositeHttpHeadersWriterTests {
@Mock
HttpHeadersWriter writer1;
@Mock
HttpHeadersWriter writer2;
CompositeHttpHeadersWriter writer;
ServerWebExchange exchange = MockServerHttpRequest.get("/").toExchange();
@Before
public void setup() {
writer = new CompositeHttpHeadersWriter(Arrays.asList(writer1, writer2));
}
@Test
public void writeHttpHeadersWhenErrorNoErrorThenError() {
when(writer1.writeHttpHeaders(exchange)).thenReturn(Mono.error(new RuntimeException()));
when(writer2.writeHttpHeaders(exchange)).thenReturn(Mono.empty());
Mono<Void> result = writer.writeHttpHeaders(exchange);
StepVerifier.create(result)
.expectError()
.verify();
verify(writer1).writeHttpHeaders(exchange);
verify(writer2).writeHttpHeaders(exchange);
}
@Test
public void writeHttpHeadersWhenErrorErrorThenError() {
when(writer1.writeHttpHeaders(exchange)).thenReturn(Mono.error(new RuntimeException()));
when(writer2.writeHttpHeaders(exchange)).thenReturn(Mono.error(new RuntimeException()));
Mono<Void> result = writer.writeHttpHeaders(exchange);
StepVerifier.create(result)
.expectError()
.verify();
verify(writer1).writeHttpHeaders(exchange);
verify(writer2).writeHttpHeaders(exchange);
}
@Test
public void writeHttpHeadersWhenNoErrorThenNoError() {
when(writer1.writeHttpHeaders(exchange)).thenReturn(Mono.empty());
when(writer2.writeHttpHeaders(exchange)).thenReturn(Mono.empty());
Mono<Void> result = writer.writeHttpHeaders(exchange);
StepVerifier.create(result)
.expectComplete()
.verify();
verify(writer1).writeHttpHeaders(exchange);
verify(writer2).writeHttpHeaders(exchange);
}
}

77
webflux/src/test/java/org/springframework/security/web/server/header/HttpHeaderWriterWebFilterTests.java Normal file
View File

@ -0,0 +1,77 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import static org.mockito.Matchers.any;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.security.test.web.reactive.server.WebTestHandler;
import org.springframework.security.test.web.reactive.server.WebTestHandler.WebHandlerResult;
import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
import org.springframework.test.web.reactive.server.WebTestClient;
import reactor.core.publisher.Mono;
/**
*
* @author Rob Winch
* @since 5.0
*/
@RunWith(MockitoJUnitRunner.class)
public class HttpHeaderWriterWebFilterTests {
@Mock
HttpHeadersWriter writer;
HttpHeaderWriterWebFilter filter;
@Before
public void setup() {
when(writer.writeHttpHeaders(any())).thenReturn(Mono.empty());
filter = new HttpHeaderWriterWebFilter(writer);
}
@Test
public void filterWhenCompleteThenWritten() {
WebTestClient rest = WebTestClientBuilder.bindToWebFilters(filter).build();
rest.get().uri("/foo").exchange();
verify(writer).writeHttpHeaders(any());
}
@Test
public void filterWhenNotCompleteThenNotWritten() {
WebTestHandler handler = WebTestHandler.bindToWebFilters(filter);
WebHandlerResult result = handler.exchange(MockServerHttpRequest.get("/foo"));
verify(writer, never()).writeHttpHeaders(any());
result.getExchange().getResponse().setComplete();
verify(writer).writeHttpHeaders(any());
}
}

89
webflux/src/test/java/org/springframework/security/web/server/header/StaticHttpHeadersWriterTests.java Normal file
View File

@ -0,0 +1,89 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import static org.assertj.core.api.Assertions.assertThat;
import org.junit.Test;
import org.springframework.http.HttpHeaders;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
/**
* @author Rob Winch
* @since 5.0
*/
public class StaticHttpHeadersWriterTests {
StaticHttpHeadersWriter writer = StaticHttpHeadersWriter.builder()
.header(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS, ContentTypeOptionsHttpHeadersWriter.NOSNIFF)
.build();
ServerWebExchange exchange = MockServerHttpRequest.get("/").toExchange();
HttpHeaders headers = exchange.getResponse().getHeaders();
@Test
public void writeHeadersWhenSingleHeaderThenWritesHeader() {
writer.writeHttpHeaders(exchange);
assertThat(headers.get(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS)).containsOnly(ContentTypeOptionsHttpHeadersWriter.NOSNIFF);
}
@Test
public void writeHeadersWhenSingleHeaderAndHeaderWrittenThenSuccess() {
String headerValue = "other";
headers.set(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS, headerValue);
writer.writeHttpHeaders(exchange);
assertThat(headers.get(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS)).containsOnly(headerValue);
}
@Test
public void writeHeadersWhenMultiHeaderThenWritesAllHeaders() {
writer = StaticHttpHeadersWriter.builder()
.header(HttpHeaders.CACHE_CONTROL, CacheControlHttpHeadersWriter.CACHE_CONTRTOL_VALUE)
.header(HttpHeaders.PRAGMA, CacheControlHttpHeadersWriter.PRAGMA_VALUE)
.header(HttpHeaders.EXPIRES, CacheControlHttpHeadersWriter.EXPIRES_VALUE)
.build();
writer.writeHttpHeaders(exchange);
assertThat(headers.get(HttpHeaders.CACHE_CONTROL)).containsOnly(CacheControlHttpHeadersWriter.CACHE_CONTRTOL_VALUE);
assertThat(headers.get(HttpHeaders.PRAGMA)).containsOnly(CacheControlHttpHeadersWriter.PRAGMA_VALUE);
assertThat(headers.get(HttpHeaders.EXPIRES)).containsOnly(CacheControlHttpHeadersWriter.EXPIRES_VALUE);
}
@Test
public void writeHeadersWhenMultiHeaderAndSingleWrittenThenNoHeadersOverridden() {
String headerValue = "other";
headers.set(HttpHeaders.CACHE_CONTROL, headerValue);
writer = StaticHttpHeadersWriter.builder()
.header(HttpHeaders.CACHE_CONTROL, CacheControlHttpHeadersWriter.CACHE_CONTRTOL_VALUE)
.header(HttpHeaders.PRAGMA, CacheControlHttpHeadersWriter.PRAGMA_VALUE)
.header(HttpHeaders.EXPIRES, CacheControlHttpHeadersWriter.EXPIRES_VALUE)
.build();
writer.writeHttpHeaders(exchange);
assertThat(headers).hasSize(1);
assertThat(headers.get(HttpHeaders.CACHE_CONTROL)).containsOnly(headerValue);
}
}

97
webflux/src/test/java/org/springframework/security/web/server/header/StrictTransportSecurityHttpHeadersWriterTests.java Normal file
View File

@ -0,0 +1,97 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import static org.assertj.core.api.Assertions.assertThat;
import java.time.Duration;
import java.util.Arrays;
import org.junit.Test;
import org.springframework.http.HttpHeaders;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
/**
* @author Rob Winch
* @since 5.0
*/
public class StrictTransportSecurityHttpHeadersWriterTests {
StrictTransportSecurityHttpHeadersWriter hsts = new StrictTransportSecurityHttpHeadersWriter();
ServerWebExchange exchange;
@Test
public void writeHttpHeadersWhenHttpsThenWrites() {
exchange = MockServerHttpRequest.get("https://example.com/").toExchange();
hsts.writeHttpHeaders(exchange);
HttpHeaders headers = exchange.getResponse().getHeaders();
assertThat(headers).hasSize(1);
assertThat(headers).containsEntry(StrictTransportSecurityHttpHeadersWriter.STRICT_TRANSPORT_SECURITY,
Arrays.asList("max-age=31536000 ; includeSubDomains"));
}
@Test
public void writeHttpHeadersWhenCustomMaxAgeThenWrites() {
Duration maxAge = Duration.ofDays(1);
hsts.setMaxAge(maxAge);
exchange = MockServerHttpRequest.get("https://example.com/").toExchange();
hsts.writeHttpHeaders(exchange);
HttpHeaders headers = exchange.getResponse().getHeaders();
assertThat(headers).hasSize(1);
assertThat(headers).containsEntry(StrictTransportSecurityHttpHeadersWriter.STRICT_TRANSPORT_SECURITY,
Arrays.asList("max-age=" + maxAge.getSeconds() + " ; includeSubDomains"));
}
@Test
public void writeHttpHeadersWhenCustomIncludeSubDomainsThenWrites() {
hsts.setIncludeSubDomains(false);
exchange = MockServerHttpRequest.get("https://example.com/").toExchange();
hsts.writeHttpHeaders(exchange);
HttpHeaders headers = exchange.getResponse().getHeaders();
assertThat(headers).hasSize(1);
assertThat(headers).containsEntry(StrictTransportSecurityHttpHeadersWriter.STRICT_TRANSPORT_SECURITY,
Arrays.asList("max-age=31536000"));
}
@Test
public void writeHttpHeadersWhenNullSchemeThenNoHeaders() {
exchange = MockServerHttpRequest.get("/").toExchange();
hsts.writeHttpHeaders(exchange);
HttpHeaders headers = exchange.getResponse().getHeaders();
assertThat(headers).isEmpty();
}
@Test
public void writeHttpHeadersWhenHttpThenNoHeaders() {
exchange = MockServerHttpRequest.get("http://example.com/").toExchange();
hsts.writeHttpHeaders(exchange);
HttpHeaders headers = exchange.getResponse().getHeaders();
assertThat(headers).isEmpty();
}
}

57
webflux/src/test/java/org/springframework/security/web/server/header/XContentTypeOptionsHttpHeadersWriterTests.java Normal file
View File

@ -0,0 +1,57 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import static org.assertj.core.api.Assertions.assertThat;
import org.junit.Test;
import org.springframework.http.HttpHeaders;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
/**
* @author Rob Winch
* @since 5.0
*/
public class XContentTypeOptionsHttpHeadersWriterTests {
ContentTypeOptionsHttpHeadersWriter writer = new ContentTypeOptionsHttpHeadersWriter();
ServerWebExchange exchange = MockServerHttpRequest.get("/").toExchange();
HttpHeaders headers = exchange.getResponse().getHeaders();
@Test
public void writeHeadersWhenNoHeadersThenWriteHeaders() {
writer.writeHttpHeaders(exchange);
assertThat(headers).hasSize(1);
assertThat(headers.get(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS)).containsOnly(ContentTypeOptionsHttpHeadersWriter.NOSNIFF);
}
@Test
public void writeHeadersWhenHeaderWrittenThenDoesNotOverrride() {
String headerValue = "value";
headers.set(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS, headerValue);
writer.writeHttpHeaders(exchange);
assertThat(headers).hasSize(1);
assertThat(headers.get(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS)).containsOnly(headerValue);
}
}

86
webflux/src/test/java/org/springframework/security/web/server/header/XFrameOptionsHttpHeadersWriterTests.java Normal file
View File

@ -0,0 +1,86 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import static org.assertj.core.api.Assertions.assertThat;
import org.junit.Before;
import org.junit.Test;
import org.springframework.http.HttpHeaders;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
/**
* @author Rob Winch
* @since 5.0
*/
public class XFrameOptionsHttpHeadersWriterTests {
ServerWebExchange exchange = MockServerHttpRequest.get("/").toExchange();
XFrameOptionsHttpHeadersWriter writer;
@Before
public void setup() {
writer = new XFrameOptionsHttpHeadersWriter();
}
@Test
public void writeHeadersWhenUsingDefaultsThenWritesDeny() {
writer.writeHttpHeaders(exchange);
HttpHeaders headers = exchange.getResponse().getHeaders();
assertThat(headers).hasSize(1);
assertThat(headers.get(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS)).containsOnly("DENY");
}
@Test
public void writeHeadersWhenUsingExplicitDenyThenWritesDeny() {
writer.setMode(XFrameOptionsHttpHeadersWriter.Mode.DENY);
writer.writeHttpHeaders(exchange);
HttpHeaders headers = exchange.getResponse().getHeaders();
assertThat(headers).hasSize(1);
assertThat(headers.get(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS)).containsOnly("DENY");
}
@Test
public void writeHeadersWhenUsingSameOriginThenWritesSameOrigin() {
writer.setMode(XFrameOptionsHttpHeadersWriter.Mode.SAMEORIGIN);
writer.writeHttpHeaders(exchange);
HttpHeaders headers = exchange.getResponse().getHeaders();
assertThat(headers).hasSize(1);
assertThat(headers.get(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS)).containsOnly("SAMEORIGIN");
}
@Test
public void writeHeadersWhenAlreadyWrittenThenWritesHeader() {
String headerValue = "other";
exchange.getResponse().getHeaders().set(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS, headerValue);
writer.writeHttpHeaders(exchange);
HttpHeaders headers = exchange.getResponse().getHeaders();
assertThat(headers).hasSize(1);
assertThat(headers.get(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS)).containsOnly(headerValue);
}
}

77
webflux/src/test/java/org/springframework/security/web/server/header/XXssProtectionHttpHeadersWriterTests.java Normal file
View File

@ -0,0 +1,77 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.header;
import static org.assertj.core.api.Assertions.assertThat;
import org.junit.Test;
import org.springframework.http.HttpHeaders;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
/**
* @author Rob Winch
* @since 5.0
*/
public class XXssProtectionHttpHeadersWriterTests {
ServerWebExchange exchange = MockServerHttpRequest.get("/").toExchange();
HttpHeaders headers = exchange.getResponse().getHeaders();
XXssProtectionHttpHeadersWriter writer = new XXssProtectionHttpHeadersWriter();
@Test
public void writeHeadersWhenNoHeadersThenWriteHeaders() {
writer.writeHttpHeaders(exchange);
assertThat(headers).hasSize(1);
assertThat(headers.get(XXssProtectionHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly("1 ; mode=block");
}
@Test
public void writeHeadersWhenBlockFalseThenWriteHeaders() {
writer.setBlock(false);
writer.writeHttpHeaders(exchange);
assertThat(headers).hasSize(1);
assertThat(headers.get(XXssProtectionHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly("1");
}
@Test
public void writeHeadersWhenEnabledFalseThenWriteHeaders() {
writer.setEnabled(false);
writer.writeHttpHeaders(exchange);
assertThat(headers).hasSize(1);
assertThat(headers.get(XXssProtectionHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly("0");
}
@Test
public void writeHeadersWhenHeaderWrittenThenDoesNotOverrride() {
String headerValue = "value";
headers.set(XXssProtectionHttpHeadersWriter.X_XSS_PROTECTION, headerValue);
writer.writeHttpHeaders(exchange);
assertThat(headers).hasSize(1);
assertThat(headers.get(XXssProtectionHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly(headerValue);
}
}

116
webflux/src/test/java/org/springframework/security/web/server/util/matcher/AndServerWebExchangeMatcherTests.java Normal file
View File

@ -0,0 +1,116 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.util.matcher;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.web.server.ServerWebExchange;
import java.util.Collections;
import java.util.Map;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.Assert.*;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
/**
* @author Rob Winch
* @since 5.0
*/
@RunWith(MockitoJUnitRunner.class)
public class AndServerWebExchangeMatcherTests {
@Mock
ServerWebExchange exchange;
@Mock
ServerWebExchangeMatcher matcher1;
@Mock
ServerWebExchangeMatcher matcher2;
AndServerWebExchangeMatcher matcher;
@Before
public void setUp() throws Exception {
matcher = new AndServerWebExchangeMatcher(matcher1, matcher2);
}
@Test
public void matchesWhenTrueTrueThenTrue() throws Exception {
Map<String, Object> params1 = Collections.singletonMap("foo", "bar");
Map<String, Object> params2 = Collections.singletonMap("x", "y");
when(matcher1.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.match(params1));
when(matcher2.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.match(params2));
ServerWebExchangeMatcher.MatchResult matches = matcher.matches(exchange);
assertThat(matches.isMatch()).isTrue();
assertThat(matches.getVariables()).hasSize(2);
assertThat(matches.getVariables()).containsAllEntriesOf(params1);
assertThat(matches.getVariables()).containsAllEntriesOf(params2);
verify(matcher1).matches(exchange);
verify(matcher2).matches(exchange);
}
@Test
public void matchesWhenFalseFalseThenFalseAndMatcher2NotInvoked() throws Exception {
when(matcher1.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.notMatch());
ServerWebExchangeMatcher.MatchResult matches = matcher.matches(exchange);
assertThat(matches.isMatch()).isFalse();
assertThat(matches.getVariables()).isEmpty();
verify(matcher1).matches(exchange);
verify(matcher2, never()).matches(exchange);
}
@Test
public void matchesWhenTrueFalseThenFalse() throws Exception {
Map<String, Object> params = Collections.singletonMap("foo", "bar");
when(matcher1.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.match(params));
when(matcher2.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.notMatch());
ServerWebExchangeMatcher.MatchResult matches = matcher.matches(exchange);
assertThat(matches.isMatch()).isFalse();
assertThat(matches.getVariables()).isEmpty();
verify(matcher1).matches(exchange);
verify(matcher2).matches(exchange);
}
@Test
public void matchesWhenFalseTrueThenFalse() throws Exception {
when(matcher1.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.notMatch());
ServerWebExchangeMatcher.MatchResult matches = matcher.matches(exchange);
assertThat(matches.isMatch()).isFalse();
assertThat(matches.getVariables()).isEmpty();
verify(matcher1).matches(exchange);
verify(matcher2, never()).matches(exchange);
}
}

99
webflux/src/test/java/org/springframework/security/web/server/util/matcher/OrServerWebExchangeMatcherTests.java Normal file
View File

@ -0,0 +1,99 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.util.matcher;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.web.server.ServerWebExchange;
import java.util.Collections;
import java.util.Map;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
/**
* @author Rob Winch
* @since 5.0
*/
@RunWith(MockitoJUnitRunner.class)
public class OrServerWebExchangeMatcherTests {
@Mock
ServerWebExchange exchange;
@Mock
ServerWebExchangeMatcher matcher1;
@Mock
ServerWebExchangeMatcher matcher2;
OrServerWebExchangeMatcher matcher;
@Before
public void setUp() throws Exception {
matcher = new OrServerWebExchangeMatcher(matcher1, matcher2);
}
@Test
public void matchesWhenFalseFalseThenFalse() throws Exception {
when(matcher1.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.notMatch());
when(matcher2.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.notMatch());
ServerWebExchangeMatcher.MatchResult matches = matcher.matches(exchange);
assertThat(matches.isMatch()).isFalse();
assertThat(matches.getVariables()).isEmpty();
verify(matcher1).matches(exchange);
verify(matcher2).matches(exchange);
}
@Test
public void matchesWhenTrueFalseThenTrueAndMatcher2NotInvoked() throws Exception {
Map<String, Object> params = Collections.singletonMap("foo", "bar");
when(matcher1.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.match(params));
ServerWebExchangeMatcher.MatchResult matches = matcher.matches(exchange);
assertThat(matches.isMatch()).isTrue();
assertThat(matches.getVariables()).isEqualTo(params);
verify(matcher1).matches(exchange);
verify(matcher2, never()).matches(exchange);
}
@Test
public void matchesWhenFalseTrueThenTrue() throws Exception {
Map<String, Object> params = Collections.singletonMap("foo", "bar");
when(matcher1.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.notMatch());
when(matcher2.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.match(params));
ServerWebExchangeMatcher.MatchResult matches = matcher.matches(exchange);
assertThat(matches.isMatch()).isTrue();
assertThat(matches.getVariables()).isEqualTo(params);
verify(matcher1).matches(exchange);
verify(matcher2).matches(exchange);
}
}

115
webflux/src/test/java/org/springframework/security/web/server/util/matcher/PathMatcherServerWebExchangeMatcherTests.java Normal file
View File

@ -0,0 +1,115 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.util.matcher;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.http.HttpMethod;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.http.server.reactive.MockServerHttpResponse;
import org.springframework.mock.http.server.reactive.MockServerWebExchange;
import org.springframework.util.PathMatcher;
import org.springframework.web.server.adapter.DefaultServerWebExchange;
import org.springframework.web.server.session.DefaultWebSessionManager;
/**
* @author Rob Winch
* @since 5.0
*/
@RunWith(MockitoJUnitRunner.class)
public class PathMatcherServerWebExchangeMatcherTests {
@Mock
PathMatcher pathMatcher;
MockServerWebExchange exchange;
PathMatcherServerWebExchangeMatcher matcher;
String pattern;
String path;
@Before
public void setup() {
MockServerHttpRequest request = MockServerHttpRequest.post("/path").build();
MockServerHttpResponse response = new MockServerHttpResponse();
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
exchange = request.toExchange();
pattern = "/pattern";
path = "/path";
matcher = new PathMatcherServerWebExchangeMatcher(pattern);
matcher.setPathMatcher(pathMatcher);
}
@Test(expected = IllegalArgumentException.class)
public void constructorPatternWhenPatternNullThenThrowsException() {
new PathMatcherServerWebExchangeMatcher(null);
}
@Test(expected = IllegalArgumentException.class)
public void constructorPatternAndMethodWhenPatternNullThenThrowsException() {
new PathMatcherServerWebExchangeMatcher(null, HttpMethod.GET);
}
@Test
public void matchesWhenPathMatcherTrueThenReturnTrue() {
when(pathMatcher.match(pattern, path)).thenReturn(true);
assertThat(matcher.matches(exchange).isMatch()).isTrue();
}
@Test
public void matchesWhenPathMatcherFalseThenReturnFalse() {
when(pathMatcher.match(pattern, path)).thenReturn(false);
assertThat(matcher.matches(exchange).isMatch()).isFalse();
verify(pathMatcher).match(pattern, path);
}
@Test
public void matchesWhenPathMatcherTrueAndMethodTrueThenReturnTrue() {
matcher = new PathMatcherServerWebExchangeMatcher(pattern, exchange.getRequest().getMethod());
matcher.setPathMatcher(pathMatcher);
when(pathMatcher.match(pattern, path)).thenReturn(true);
assertThat(matcher.matches(exchange).isMatch()).isTrue();
}
@Test
public void matchesWhenPathMatcherTrueAndMethodFalseThenReturnFalse() {
HttpMethod method = HttpMethod.OPTIONS;
assertThat(exchange.getRequest().getMethod()).isNotEqualTo(method);
matcher = new PathMatcherServerWebExchangeMatcher(pattern, method);
matcher.setPathMatcher(pathMatcher);
assertThat(matcher.matches(exchange).isMatch()).isFalse();
verifyZeroInteractions(pathMatcher);
}
@Test(expected = IllegalArgumentException.class)
public void setPathMatcherWhenNullThenThrowException() {
matcher.setPathMatcher(null);
}
}

86
webflux/src/test/java/org/springframework/security/web/server/util/matcher/ServerWebExchangeMatchersTests.java Normal file
View File

@ -0,0 +1,86 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.web.server.util.matcher;
import org.junit.Test;
import org.springframework.http.HttpMethod;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
import static org.assertj.core.api.Assertions.*;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyZeroInteractions;
import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.antMatchers;
import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.anyExchange;
/**
* @author Rob Winch
* @since 5.0
*/
public class ServerWebExchangeMatchersTests {
ServerWebExchange exchange = MockServerHttpRequest.get("/").toExchange();
@Test
public void antMatchersWhenSingleAndSamePatternThenMatches() throws Exception {
assertThat(antMatchers("/").matches(exchange).isMatch()).isTrue();
}
@Test
public void antMatchersWhenSingleAndSamePatternAndMethodThenMatches() throws Exception {
assertThat(antMatchers(HttpMethod.GET, "/").matches(exchange).isMatch()).isTrue();
}
@Test
public void antMatchersWhenSingleAndSamePatternAndDiffMethodThenDoesNotMatch() throws Exception {
assertThat(antMatchers(HttpMethod.POST, "/").matches(exchange).isMatch()).isFalse();
}
@Test
public void antMatchersWhenSingleAndDifferentPatternThenDoesNotMatch() throws Exception {
assertThat(antMatchers("/foobar").matches(exchange).isMatch()).isFalse();
}
@Test
public void antMatchersWhenMultiThenMatches() throws Exception {
assertThat(antMatchers("/foobar", "/").matches(exchange).isMatch()).isTrue();
}
@Test
public void anyExchangeWhenMockThenMatches() {
ServerWebExchange mockExchange = mock(ServerWebExchange.class);
assertThat(anyExchange().matches(mockExchange).isMatch()).isTrue();
verifyZeroInteractions(mockExchange);
}
/**
* If a LinkedMap is used and anyRequest equals anyRequest then the following is added:
* anyRequest() -> authenticated()
* antMatchers("/admin/**") -> hasRole("ADMIN")
* anyRequest() -> permitAll
*
* will result in the first entry being overridden
*/
@Test
public void anyExchangeWhenTwoCreatedThenDifferentToPreventIssuesInMap() {
assertThat(anyExchange()).isNotEqualTo(anyExchange());
}
}