Changed method protection config to make it compatible with MethodDefinitionMap for the time being.

2025-06-28 14:52:24 +00:00 · 2007-10-14 14:29:15 +00:00 · 2007-10-14 14:29:15 +00:00 · c51bcd9c1f
commit c51bcd9c1f
parent a4b522351f
3 changed files with 80 additions and 9 deletions
--- a/core/src/main/java/org/springframework/security/config/InterceptMethodsBeanDefinitionDecorator.java
+++ b/core/src/main/java/org/springframework/security/config/InterceptMethodsBeanDefinitionDecorator.java
@ -44,7 +44,10 @@ public class InterceptMethodsBeanDefinitionDecorator extends AbstractInterceptor
            String accessConfig = protectmethodElt.getAttribute("access");
            attributeEditor.setAsText(accessConfig);

-            methodMap.addSecureMethod(targetClass, protectmethodElt.getAttribute("method"), 
+// TODO: We want to use just the method names, but MethodDefinitionMap won't work that way.            
+//            methodMap.addSecureMethod(targetClass, protectmethodElt.getAttribute("method"),
+//                    (ConfigAttributeDefinition) attributeEditor.getValue());
+            methodMap.addSecureMethod(protectmethodElt.getAttribute("method"), 
                    (ConfigAttributeDefinition) attributeEditor.getValue());
        }

--- a/core/src/test/java/org/springframework/security/config/InterceptMethodsBeanDefinitionDecoratorTests.java
+++ b/core/src/test/java/org/springframework/security/config/InterceptMethodsBeanDefinitionDecoratorTests.java
@ -1,8 +1,16 @@
 package org.springframework.security.config;

 import org.springframework.context.support.ClassPathXmlApplicationContext;
-import org.junit.BeforeClass;
-import org.junit.Test;
+import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.context.SecurityContext;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.GrantedAuthority;
+import org.springframework.security.GrantedAuthorityImpl;
+import org.springframework.security.AuthenticationCredentialsNotFoundException;
+import org.springframework.security.AccessDeniedException;
+
+import static org.junit.Assert.*;
+import org.junit.*;

 /**
 * @author luke
@ -11,12 +19,71 @@ import org.junit.Test;
 public class InterceptMethodsBeanDefinitionDecoratorTests {
    private static ClassPathXmlApplicationContext appContext;

+    private TestBusinessBean target;
+
    @BeforeClass
    public static void loadContext() {
        appContext = new ClassPathXmlApplicationContext("org/springframework/security/config/method-security.xml");
    }

-    @Test
-    public void contextShouldContainCorrectBeans() {
+    @AfterClass
+    public static void closeAppContext() {
+        if (appContext != null) {
+            appContext.close();
+        }
    }
+
+    @Before
+    public void setUp() {
+        target = (TestBusinessBean) appContext.getBean("target");
+    }
+
+    @After
+    public void clearSecurityContext() {
+        SecurityContextHolder.clearContext();
+    }
+
+    @Test
+    public void targetShouldAllowUnprotectedMethodInvocationWithNoContext() {
+
+//        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password",
+//        new GrantedAuthority[] {new GrantedAuthorityImpl("MOCK_LOWER")});
+
+        target.unprotected();
+
+    }
+
+    @Test
+    public void targetShouldPreventProtectedMethodInvocationWithNoContext() {
+        try {
+            target.doSomething();
+            fail("Expected AuthenticationCredentialsNotFoundException");
+        } catch (AuthenticationCredentialsNotFoundException expected) {
+        }
+    }
+
+    @Test
+    public void targetShouldAllowProtectedMethodInvocationWithCorrectRole() {
+        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password",
+                new GrantedAuthority[] {new GrantedAuthorityImpl("ROLE_USER")});
+        SecurityContextHolder.getContext().setAuthentication(token);
+
+
+        target.doSomething();
+    }
+
+    @Test
+    public void targetShouldPreventProtectedMethodInvocationWithIncorrectRole() {
+        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password",
+                new GrantedAuthority[] {new GrantedAuthorityImpl("ROLE_SOMEOTHERROLE")});
+        SecurityContextHolder.getContext().setAuthentication(token);
+
+        try {
+            target.doSomething();
+            fail("Expected AccessDeniedException");
+        } catch (AccessDeniedException expected) {
+        }
+    }
+
+
 }
--- a/core/src/test/resources/org/springframework/security/config/method-security.xml
+++ b/core/src/test/resources/org/springframework/security/config/method-security.xml
@ -8,12 +8,13 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc

    <security:autoconfig />

-    <bean id="someBusinessObject" class="org.springframework.security.config.TestBusinessBeanImpl">
+    <bean id="target" class="org.springframework.security.config.TestBusinessBeanImpl">
        <!-- This will add a security interceptor to the bean -->
        <security:intercept-methods>
-            <security:protect method="set*" access="ROLE_ADMIN" />
-            <security:protect method="get*" access="ROLE_ADMIN,ROLE_USER" />
-            <security:protect method="doSomething" access="ROLE_USER" />
+            <!-- TODO: It would be better if we didn't need the package/interface names here -->
+            <security:protect method="org.springframework.security.config.TestBusinessBean.set*" access="ROLE_ADMIN" />
+            <security:protect method="org.springframework.security.config.TestBusinessBean.get*" access="ROLE_ADMIN,ROLE_USER" />
+            <security:protect method="org.springframework.security.config.TestBusinessBean.doSomething" access="ROLE_USER" />
        </security:intercept-methods>
    </bean>