From c67632225de2a2601a6905f4598c88046c6efe4b Mon Sep 17 00:00:00 2001
From: Marcus Da Coregio
Date: Fri, 25 Mar 2022 15:09:04 -0300
Subject: [PATCH] Use ServletContext in AuthorizationManagerWebInvocationPrivilegeEvaluator

Closes gh-10908
---
 ...onManagerWebInvocationPrivilegeEvaluator.java | 16 +++++++++++++---
 ...agerWebInvocationPrivilegeEvaluatorTests.java | 15 ++++++++++++++-
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
index d1da376ce4..b97debfa3e 100644
--- a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
+++ b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 package org.springframework.security.web.access;
+import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 import org.springframework.security.authorization.AuthorizationDecision;
@@ -23,6 +24,7 @@ import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.util.Assert;
+import org.springframework.web.context.ServletContextAware;
 /**
 * An implementation of {@link WebInvocationPrivilegeEvaluator} which delegates the checks
@@ -31,10 +33,13 @@ import org.springframework.util.Assert;
 * @author Marcus Da Coregio
 * @since 5.5.5
 */
-public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implements WebInvocationPrivilegeEvaluator {
+public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
+ implements WebInvocationPrivilegeEvaluator, ServletContextAware {
 private final AuthorizationManager authorizationManager;
+ private ServletContext servletContext;
+
 public AuthorizationManagerWebInvocationPrivilegeEvaluator( AuthorizationManager authorizationManager) {
 Assert.notNull(authorizationManager, "authorizationManager cannot be null");
@@ -48,10 +53,15 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implement
 @Override
 public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
- FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);
+ FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
 AuthorizationDecision decision = this.authorizationManager.check(() -> authentication, filterInvocation.getHttpRequest());
 return decision == null || decision.isGranted();
 }
+ @Override
+ public void setServletContext(ServletContext servletContext) {
+ this.servletContext = servletContext;
+ }
+
 }
diff --git a/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java b/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
index 76be770777..39d9e068f4 100644
--- a/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
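Review bot: In `isAllowed` of AuthorizationManagerWebInvocationPrivilegeEvaluator (the `@@ -48,10 +53,15 @@` hunk), `this.servletContext` is still `null` whenever the evaluator is created with `new` outside an application context or is queried before `setServletContext` has run, and the `FilterInvocation` is then built with a null context without any signal. Because this class answers whether a URI is permitted, a request matcher that reads the servlet context from the simulated request could presumably reach a different decision here than the filter chain does for the real request. The new setter has no Javadoc; I would state the contract on it, for example `/** Sets the {@link ServletContext} handed to the simulated request; optional, matchers see {@code null} when it is not set. */`. The `servletContext` field added in the `@@ -31,10 +33,13 @@` hunk deserves a one-line comment as well saying it is non-final because it is injected after construction; the class body begins and the two-argument `isAllowed` lies outside both hunks.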
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,14 +16,17 @@
 package org.springframework.security.web.access;
+import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.ArgumentCaptor;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.mock.web.MockServletContext;
 import org.springframework.security.authentication.TestAuthentication;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
@@ -72,4 +75,14 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
 assertThat(allowed).isTrue();
 }
+ @Test
+ void isAllowedWhenServletContextExistsThenFilterInvocationHasServletContext() {
+ ServletContext servletContext = new MockServletContext();
+ this.privilegeEvaluator.setServletContext(servletContext);
+ this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
+ ArgumentCaptor captor = ArgumentCaptor.forClass(HttpServletRequest.class);
+ verify(this.authorizationManager).check(any(), captor.capture());
+ assertThat(captor.getValue().getServletContext()).isSameAs(servletContext);
+ }
+
 }
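Review bot: Only the case where a context was injected is covered by the new test in the `@@ -72,4 +75,14 @@` hunk; nothing pins what `isAllowed` hands to the `AuthorizationManager` when `setServletContext` was never called, which is the state of an evaluator created outside a Spring context. A companion test using the same captor could fix that fallback, ending in `assertThat(captor.getValue().getServletContext()).isNull();` if null is the intended behaviour. The test also goes through the two-argument `isAllowed`, whose body is not part of this diff, so it depends on that overload delegating to the four-argument method changed in the main file; a short comment saying so would help the next reader.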