From c51bcd9c1f85deca0826cf7dc8a48da444de0b17 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Sun, 14 Oct 2007 14:29:15 +0000
Subject: [PATCH] Changed method protection config to make it compatible with MethodDefinitionMap for the time being.
---
 ...terceptMethodsBeanDefinitionDecorator.java | 5 +-
 ...ptMethodsBeanDefinitionDecoratorTests.java | 75 ++++++++++++++++++-
 .../security/config/method-security.xml | 9 ++-
 3 files changed, 80 insertions(+), 9 deletions(-)
diff --git a/core/src/main/java/org/springframework/security/config/InterceptMethodsBeanDefinitionDecorator.java b/core/src/main/java/org/springframework/security/config/InterceptMethodsBeanDefinitionDecorator.java
index 4df0a14741..64bf7aea3e 100644
--- a/core/src/main/java/org/springframework/security/config/InterceptMethodsBeanDefinitionDecorator.java
+++ b/core/src/main/java/org/springframework/security/config/InterceptMethodsBeanDefinitionDecorator.java
@@ -44,7 +44,10 @@ public class InterceptMethodsBeanDefinitionDecorator extends AbstractInterceptor
 String accessConfig = protectmethodElt.getAttribute("access");
 attributeEditor.setAsText(accessConfig);
- methodMap.addSecureMethod(targetClass, protectmethodElt.getAttribute("method"),
+// TODO: We want to use just the method names, but MethodDefinitionMap won't work that way.
+// methodMap.addSecureMethod(targetClass, protectmethodElt.getAttribute("method"),
+// (ConfigAttributeDefinition) attributeEditor.getValue());
+ methodMap.addSecureMethod(protectmethodElt.getAttribute("method"),
 (ConfigAttributeDefinition) attributeEditor.getValue());
 }
diff --git a/core/src/test/java/org/springframework/security/config/InterceptMethodsBeanDefinitionDecoratorTests.java b/core/src/test/java/org/springframework/security/config/InterceptMethodsBeanDefinitionDecoratorTests.java
index 92aad11bbd..efefe7c6dd 100644
--- a/core/src/test/java/org/springframework/security/config/InterceptMethodsBeanDefinitionDecoratorTests.java
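Review bot: With `targetClass` dropped from the `addSecureMethod` call, nothing visible in this hunk ties the `method` attribute to the bean being decorated. If the single-string overload takes the class from the attribute value, as the TODO suggests, an entry naming a different class would presumably register without error and leave this bean's method unprotected. Assuming `targetClass` is a `Class`, a guard before the call such as `if (!method.startsWith(targetClass.getName() + ".")) { /* report a configuration error */ }` would make that mistake fail closed at parse time. The commented-out old call would read better as a single TODO line stating the intended end state. The enclosing method starts and ends outside the hunk.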
+++ b/core/src/test/java/org/springframework/security/config/InterceptMethodsBeanDefinitionDecoratorTests.java
@@ -1,8 +1,16 @@
 package org.springframework.security.config;
 import org.springframework.context.support.ClassPathXmlApplicationContext;
-import org.junit.BeforeClass;
-import org.junit.Test;
+import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.context.SecurityContext;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.GrantedAuthority;
+import org.springframework.security.GrantedAuthorityImpl;
+import org.springframework.security.AuthenticationCredentialsNotFoundException;
+import org.springframework.security.AccessDeniedException;
+
+import static org.junit.Assert.*;
+import org.junit.*;
 /**
 * @author luke
@@ -11,12 +19,71 @@ import org.junit.Test;
 public class InterceptMethodsBeanDefinitionDecoratorTests {
 private static ClassPathXmlApplicationContext appContext;
+ private TestBusinessBean target;
+
 @BeforeClass
 public static void loadContext() {
 appContext = new ClassPathXmlApplicationContext("org/springframework/security/config/method-security.xml");
 }
- @Test
- public void contextShouldContainCorrectBeans() {
+ @AfterClass
+ public static void closeAppContext() {
+ if (appContext != null) {
+ appContext.close();
+ }
 }
+
+ @Before
+ public void setUp() {
+ target = (TestBusinessBean) appContext.getBean("target");
+ }
+
+ @After
+ public void clearSecurityContext() {
+ SecurityContextHolder.clearContext();
+ }
+
+ @Test
+ public void targetShouldAllowUnprotectedMethodInvocationWithNoContext() {
+
+// UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password",
+// new GrantedAuthority[] {new GrantedAuthorityImpl("MOCK_LOWER")});
+
+ target.unprotected();
+
+ }
+
+ @Test
+ public void targetShouldPreventProtectedMethodInvocationWithNoContext() {
+ try {
+ target.doSomething();
+ fail("Expected AuthenticationCredentialsNotFoundException");
+ } catch (AuthenticationCredentialsNotFoundException expected) {
+ }
+ }
+
+ @Test
+ public void targetShouldAllowProtectedMethodInvocationWithCorrectRole() {
+ UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password",
+ new GrantedAuthority[] {new GrantedAuthorityImpl("ROLE_USER")});
+ SecurityContextHolder.getContext().setAuthentication(token);
+
+
+ target.doSomething();
+ }
+
+ @Test
+ public void targetShouldPreventProtectedMethodInvocationWithIncorrectRole() {
+ UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password",
+ new GrantedAuthority[] {new GrantedAuthorityImpl("ROLE_SOMEOTHERROLE")});
+ SecurityContextHolder.getContext().setAuthentication(token);
+
+ try {
+ target.doSomething();
+ fail("Expected AccessDeniedException");
+ } catch (AccessDeniedException expected) {
+ }
+ }
+
+
 }
diff --git a/core/src/test/resources/org/springframework/security/config/method-security.xml b/core/src/test/resources/org/springframework/security/config/method-security.xml
index 0a9d68cf69..a25c205b71 100644
--- a/core/src/test/resources/org/springframework/security/config/method-security.xml
+++ b/core/src/test/resources/org/springframework/security/config/method-security.xml
@@ -8,12 +8,13 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc - + - - - + + + +
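Review bot: The two denial tests use try / `fail(...)` / empty `catch`, which would pass silently if the `fail` line were ever dropped; since the file already uses JUnit 4 annotations, `@Test(expected = AccessDeniedException.class)` (and the same with `AuthenticationCredentialsNotFoundException`) states the requirement more directly. In `targetShouldAllowUnprotectedMethodInvocationWithNoContext` the two commented-out token lines should be deleted, because the test is meant to run with no security context at all. It would also be worth adding a case for an authenticated caller with an empty authority array, so denial is pinned for "no roles" as well as "wrong role".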