mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-05-31 09:12:14 +00:00
Add hasAnyRole and hasAnyAuthority to authorizeRequests in Kotlin DSL
Closes gh-8892
This commit is contained in:
koishikawa11
GitHub
parent
5142d39079
commit
be6d2f117e
@ -153,6 +153,18 @@ class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() {
|
||||
*/
|
||||
fun hasAuthority(authority: String) = "hasAuthority('$authority')"
|
||||
|
||||
/**
|
||||
* Specify that URLs requires any of a number authorities.
|
||||
*
|
||||
* @param authorities the authorities to require (i.e. ROLE_USER, ROLE_ADMIN, etc).
|
||||
* @return the SpEL expression "hasAnyAuthority" with the given authorities as a
|
||||
* parameter
|
||||
*/
|
||||
fun hasAnyAuthority(vararg authorities: String): String {
|
||||
val anyAuthorities = authorities.joinToString("','")
|
||||
return "hasAnyAuthority('$anyAuthorities')"
|
||||
}
|
||||
|
||||
/**
|
||||
* Specify that URLs require a particular role.
|
||||
*
|
||||
@ -162,6 +174,18 @@ class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() {
|
||||
*/
|
||||
fun hasRole(role: String) = "hasRole('$role')"
|
||||
|
||||
/**
|
||||
* Specify that URLs requires any of a number roles.
|
||||
*
|
||||
* @param roles the roles to require (i.e. USER, ADMIN, etc).
|
||||
* @return the SpEL expression "hasAnyRole" with the given roles as a
|
||||
* parameter
|
||||
*/
|
||||
fun hasAnyRole(vararg roles: String): String {
|
||||
val anyRoles = roles.joinToString("','")
|
||||
return "hasAnyRole('$anyRoles')"
|
||||
}
|
||||
|
||||
/**
|
||||
* Specify that URLs are allowed by anyone.
|
||||
*/
|
||||
|
||||
@ -267,6 +267,142 @@ class AuthorizeRequestsDslTests {
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
fun `request when user has some allowed roles then responds with OK`() {
|
||||
this.spring.register(HasAnyRoleConfig::class.java).autowire()
|
||||
|
||||
this.mockMvc.get("/") {
|
||||
with(httpBasic("user", "password"))
|
||||
}.andExpect {
|
||||
status { isOk }
|
||||
}
|
||||
|
||||
this.mockMvc.get("/") {
|
||||
with(httpBasic("admin", "password"))
|
||||
}.andExpect {
|
||||
status { isOk }
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
fun `request when user does not have any allowed roles then responds with forbidden`() {
|
||||
this.spring.register(HasAnyRoleConfig::class.java).autowire()
|
||||
|
||||
this.mockMvc.get("/") {
|
||||
with(httpBasic("other", "password"))
|
||||
}.andExpect {
|
||||
status { isForbidden }
|
||||
}
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
open class HasAnyRoleConfig : WebSecurityConfigurerAdapter() {
|
||||
override fun configure(http: HttpSecurity) {
|
||||
http {
|
||||
authorizeRequests {
|
||||
authorize("/**", hasAnyRole("ADMIN", "USER"))
|
||||
}
|
||||
httpBasic { }
|
||||
}
|
||||
}
|
||||
|
||||
@RestController
|
||||
internal class PathController {
|
||||
@GetMapping("/")
|
||||
fun index() {
|
||||
}
|
||||
}
|
||||
|
||||
@Bean
|
||||
override fun userDetailsService(): UserDetailsService {
|
||||
val userDetails = User.withDefaultPasswordEncoder()
|
||||
.username("user")
|
||||
.password("password")
|
||||
.roles("USER")
|
||||
.build()
|
||||
val admin1Details = User.withDefaultPasswordEncoder()
|
||||
.username("admin")
|
||||
.password("password")
|
||||
.roles("ADMIN")
|
||||
.build()
|
||||
val admin2Details = User.withDefaultPasswordEncoder()
|
||||
.username("other")
|
||||
.password("password")
|
||||
.roles("OTHER")
|
||||
.build()
|
||||
return InMemoryUserDetailsManager(userDetails, admin1Details, admin2Details)
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
fun `request when user has some allowed authorities then responds with OK`() {
|
||||
this.spring.register(HasAnyAuthorityConfig::class.java).autowire()
|
||||
|
||||
this.mockMvc.get("/") {
|
||||
with(httpBasic("user", "password"))
|
||||
}.andExpect {
|
||||
status { isOk }
|
||||
}
|
||||
|
||||
this.mockMvc.get("/") {
|
||||
with(httpBasic("admin", "password"))
|
||||
}.andExpect {
|
||||
status { isOk }
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
fun `request when user does not have any allowed authorities then responds with forbidden`() {
|
||||
this.spring.register(HasAnyAuthorityConfig::class.java).autowire()
|
||||
|
||||
this.mockMvc.get("/") {
|
||||
with(httpBasic("other", "password"))
|
||||
}.andExpect {
|
||||
status { isForbidden }
|
||||
}
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
open class HasAnyAuthorityConfig : WebSecurityConfigurerAdapter() {
|
||||
override fun configure(http: HttpSecurity) {
|
||||
http {
|
||||
authorizeRequests {
|
||||
authorize("/**", hasAnyAuthority("ROLE_ADMIN", "ROLE_USER"))
|
||||
}
|
||||
httpBasic { }
|
||||
}
|
||||
}
|
||||
|
||||
@RestController
|
||||
internal class PathController {
|
||||
@GetMapping("/")
|
||||
fun index() {
|
||||
}
|
||||
}
|
||||
|
||||
@Bean
|
||||
override fun userDetailsService(): UserDetailsService {
|
||||
val userDetails = User.withDefaultPasswordEncoder()
|
||||
.username("user")
|
||||
.password("password")
|
||||
.authorities("ROLE_USER")
|
||||
.build()
|
||||
val admin1Details = User.withDefaultPasswordEncoder()
|
||||
.username("admin")
|
||||
.password("password")
|
||||
.authorities("ROLE_ADMIN")
|
||||
.build()
|
||||
val admin2Details = User.withDefaultPasswordEncoder()
|
||||
.username("other")
|
||||
.password("password")
|
||||
.authorities("ROLE_OTHER")
|
||||
.build()
|
||||
return InMemoryUserDetailsManager(userDetails, admin1Details, admin2Details)
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
fun `request when secured by mvc with servlet path then responds based on servlet path`() {
|
||||
this.spring.register(MvcMatcherServletPathConfig::class.java).autowire()
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user