Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-24 03:03:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add hasAnyRole and hasAnyAuthority to authorizeRequests in Kotlin DSL

Browse Source 
Closes gh-8892
This commit is contained in:
koishikawa11 2020-08-11 20:59:22 +09:00 committed by GitHub
parent 5142d39079
commit be6d2f117e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 160 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
config/src/main/kotlin/org/springframework/security/config/web/servlet/AuthorizeRequestsDsl.kt
View File

@ -153,6 +153,18 @@ class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() {
*/ */
fun hasAuthority(authority: String) = "hasAuthority('$authority')" fun hasAuthority(authority: String) = "hasAuthority('$authority')"
/**
* Specify that URLs requires any of a number authorities.
*
* @param authorities the authorities to require (i.e. ROLE_USER, ROLE_ADMIN, etc).
* @return the SpEL expression "hasAnyAuthority" with the given authorities as a
* parameter
*/
fun hasAnyAuthority(vararg authorities: String): String {
val anyAuthorities = authorities.joinToString("','")
return "hasAnyAuthority('$anyAuthorities')"
}
/** /**
* Specify that URLs require a particular role. * Specify that URLs require a particular role.
* *
@ -162,6 +174,18 @@ class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() {
*/ */
fun hasRole(role: String) = "hasRole('$role')" fun hasRole(role: String) = "hasRole('$role')"
/**
* Specify that URLs requires any of a number roles.
*
* @param roles the roles to require (i.e. USER, ADMIN, etc).
* @return the SpEL expression "hasAnyRole" with the given roles as a
* parameter
*/
fun hasAnyRole(vararg roles: String): String {
val anyRoles = roles.joinToString("','")
return "hasAnyRole('$anyRoles')"
}
/** /**
* Specify that URLs are allowed by anyone. * Specify that URLs are allowed by anyone.
*/ */

136
config/src/test/kotlin/org/springframework/security/config/web/servlet/AuthorizeRequestsDslTests.kt
View File

@ -267,6 +267,142 @@ class AuthorizeRequestsDslTests {
} }
} }
@Test
fun `request when user has some allowed roles then responds with OK`() {
this.spring.register(HasAnyRoleConfig::class.java).autowire()
this.mockMvc.get("/") {
with(httpBasic("user", "password"))
}.andExpect {
status { isOk }
}
this.mockMvc.get("/") {
with(httpBasic("admin", "password"))
}.andExpect {
status { isOk }
}
}
@Test
fun `request when user does not have any allowed roles then responds with forbidden`() {
this.spring.register(HasAnyRoleConfig::class.java).autowire()
this.mockMvc.get("/") {
with(httpBasic("other", "password"))
}.andExpect {
status { isForbidden }
}
}
@EnableWebSecurity
@EnableWebMvc
open class HasAnyRoleConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
authorizeRequests {
authorize("/**", hasAnyRole("ADMIN", "USER"))
}
httpBasic { }
}
}
@RestController
internal class PathController {
@GetMapping("/")
fun index() {
}
}
@Bean
override fun userDetailsService(): UserDetailsService {
val userDetails = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build()
val admin1Details = User.withDefaultPasswordEncoder()
.username("admin")
.password("password")
.roles("ADMIN")
.build()
val admin2Details = User.withDefaultPasswordEncoder()
.username("other")
.password("password")
.roles("OTHER")
.build()
return InMemoryUserDetailsManager(userDetails, admin1Details, admin2Details)
}
}
@Test
fun `request when user has some allowed authorities then responds with OK`() {
this.spring.register(HasAnyAuthorityConfig::class.java).autowire()
this.mockMvc.get("/") {
with(httpBasic("user", "password"))
}.andExpect {
status { isOk }
}
this.mockMvc.get("/") {
with(httpBasic("admin", "password"))
}.andExpect {
status { isOk }
}
}
@Test
fun `request when user does not have any allowed authorities then responds with forbidden`() {
this.spring.register(HasAnyAuthorityConfig::class.java).autowire()
this.mockMvc.get("/") {
with(httpBasic("other", "password"))
}.andExpect {
status { isForbidden }
}
}
@EnableWebSecurity
@EnableWebMvc
open class HasAnyAuthorityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
authorizeRequests {
authorize("/**", hasAnyAuthority("ROLE_ADMIN", "ROLE_USER"))
}
httpBasic { }
}
}
@RestController
internal class PathController {
@GetMapping("/")
fun index() {
}
}
@Bean
override fun userDetailsService(): UserDetailsService {
val userDetails = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.authorities("ROLE_USER")
.build()
val admin1Details = User.withDefaultPasswordEncoder()
.username("admin")
.password("password")
.authorities("ROLE_ADMIN")
.build()
val admin2Details = User.withDefaultPasswordEncoder()
.username("other")
.password("password")
.authorities("ROLE_OTHER")
.build()
return InMemoryUserDetailsManager(userDetails, admin1Details, admin2Details)
}
}
@Test @Test
fun `request when secured by mvc with servlet path then responds based on servlet path`() { fun `request when secured by mvc with servlet path then responds based on servlet path`() {
this.spring.register(MvcMatcherServletPathConfig::class.java).autowire() this.spring.register(MvcMatcherServletPathConfig::class.java).autowire()