logoutHandlers;
HttpServlet3RequestFactory(String rolePrefix) {
this.rolePrefix = rolePrefix;
}
- public HttpServletRequest create(HttpServletRequest request) {
- return new Servlet3SecurityContextHolderAwareRequestWrapper(request, rolePrefix);
+ /**
+ *
+ * Sets the {@link AuthenticationEntryPoint} used when integrating {@link HttpServletRequest} with Servlet 3 APIs.
+ * Specifically, it will be used when {@link HttpServletRequest#authenticate(HttpServletResponse)} is called and the
+ * user is not authenticated.
+ *
+ *
+ * If the value is null (default), then the default container behavior will be be retained when invoking
+ * {@link HttpServletRequest#authenticate(HttpServletResponse)}.
+ *
+ * @param authenticationEntryPoint the {@link AuthenticationEntryPoint} to use when invoking
+ * {@link HttpServletRequest#authenticate(HttpServletResponse)} if the user is not authenticated.
+ */
+
+ public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) {
+ this.authenticationEntryPoint = authenticationEntryPoint;
}
- private static class Servlet3SecurityContextHolderAwareRequestWrapper extends SecurityContextHolderAwareRequestWrapper {
- public Servlet3SecurityContextHolderAwareRequestWrapper(HttpServletRequest request, String rolePrefix) {
+ /**
+ *
+ * Sets the {@link AuthenticationManager} used when integrating {@link HttpServletRequest} with Servlet 3 APIs.
+ * Specifically, it will be used when {@link HttpServletRequest#login(String, String)} is invoked to determine if
+ * the user is authenticated.
+ *
+ *
+ * If the value is null (default), then the default container behavior will be retained when invoking
+ * {@link HttpServletRequest#login(String, String)}.
+ *
+ *
+ * @param authenticationManager the {@link AuthenticationManager} to use when invoking
+ * {@link HttpServletRequest#login(String, String)}
+ */
+ public void setAuthenticationManager(AuthenticationManager authenticationManager) {
+ this.authenticationManager = authenticationManager;
+ }
+
+ /**
+ *
+ * Sets the {@link LogoutHandler}s used when integrating with {@link HttpServletRequest} with Servlet 3 APIs.
+ * Specifically it will be used when {@link HttpServletRequest#logout()} is invoked in order to log the user out. So
+ * long as the {@link LogoutHandler}s do not commit the {@link HttpServletResponse} (expected), then the user is in
+ * charge of handling the response.
+ *
+ *
+ * If the value is null (default), the default container behavior will be retained when invoking
+ * {@link HttpServletRequest#logout()}.
+ *
+ *
+ * @param logoutHandlers the {@link List}s when invoking {@link HttpServletRequest#logout()}.
+ */
+ public void setLogoutHandlers(List logoutHandlers) {
+ this.logoutHandlers = logoutHandlers;
+ }
+
+ public HttpServletRequest create(HttpServletRequest request, HttpServletResponse response) {
+ return new Servlet3SecurityContextHolderAwareRequestWrapper(request, rolePrefix, response);
+ }
+
+ private class Servlet3SecurityContextHolderAwareRequestWrapper extends SecurityContextHolderAwareRequestWrapper {
+ private final HttpServletResponse response;
+
+ public Servlet3SecurityContextHolderAwareRequestWrapper(HttpServletRequest request, String rolePrefix, HttpServletResponse response) {
super(request, rolePrefix);
+ this.response = response;
}
public AsyncContext startAsync() {
@@ -48,6 +150,50 @@ final class HttpServlet3RequestFactory implements HttpServletRequestFactory {
AsyncContext startAsync = super.startAsync(servletRequest, servletResponse);
return new SecurityContextAsyncContext(startAsync);
}
+
+ public boolean authenticate(HttpServletResponse response) throws IOException, ServletException {
+ AuthenticationEntryPoint entryPoint = authenticationEntryPoint;
+ if(entryPoint == null) {
+ logger.debug("authenticationEntryPoint is null, so allowing original HttpServletRequest to handle authenticate");
+ return super.authenticate(response);
+ }
+ Principal userPrincipal = getUserPrincipal();
+ if(userPrincipal != null) {
+ return true;
+ }
+ entryPoint.commence(this, response, new AuthenticationCredentialsNotFoundException("User is not Authenticated"));
+ return false;
+ }
+
+ public void login(String username, String password) throws ServletException {
+ AuthenticationManager authManager = authenticationManager;
+ if(authManager == null) {
+ logger.debug("authenticationManager is null, so allowing original HttpServletRequest to handle login");
+ super.login(username, password);
+ return;
+ }
+ Authentication authentication;
+ try {
+ authentication = authManager.authenticate(new UsernamePasswordAuthenticationToken(username,password));
+ } catch(AuthenticationException loginFailed) {
+ SecurityContextHolder.clearContext();
+ throw new ServletException(loginFailed.getMessage(), loginFailed);
+ }
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+ }
+
+ public void logout() throws ServletException {
+ List handlers = logoutHandlers;
+ if(handlers == null) {
+ logger.debug("logoutHandlers is null, so allowing original HttpServletRequest to handle logout");
+ super.logout();
+ return;
+ }
+ Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+ for(LogoutHandler logoutHandler : handlers) {
+ logoutHandler.logout(this, response, authentication);
+ }
+ }
}
private static class SecurityContextAsyncContext implements AsyncContext {
diff --git a/web/src/main/java/org/springframework/security/web/servletapi/HttpServletRequestFactory.java b/web/src/main/java/org/springframework/security/web/servletapi/HttpServletRequestFactory.java
index f5c785b6c2..ef4a7f5f0f 100644
--- a/web/src/main/java/org/springframework/security/web/servletapi/HttpServletRequestFactory.java
+++ b/web/src/main/java/org/springframework/security/web/servletapi/HttpServletRequestFactory.java
@@ -13,6 +13,7 @@
package org.springframework.security.web.servletapi;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
/**
* Internal interface for creating a {@link HttpServletRequest}. This allows for creating a different implementation for
@@ -29,7 +30,8 @@ interface HttpServletRequestFactory {
* Given a {@link HttpServletRequest} returns a {@link HttpServletRequest} that in most cases wraps the original
* {@link HttpServletRequest}.
* @param request the original {@link HttpServletRequest}. Cannot be null.
+ * @param response the original {@link HttpServletResponse}. Cannot be null.
* @return a non-null HttpServletRequest
*/
- public HttpServletRequest create(HttpServletRequest request);
+ public HttpServletRequest create(HttpServletRequest request, HttpServletResponse response);
}
diff --git a/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilter.java b/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilter.java
index 2dd88ebebc..56516c2f8e 100644
--- a/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilter.java
+++ b/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilter.java
@@ -1,4 +1,5 @@
-/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
+/* Copyright 2002-2012 the original author or authors.
+ * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,13 +17,21 @@
package org.springframework.security.web.servletapi;
import java.io.IOException;
+import java.util.List;
+import javax.servlet.AsyncContext;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.web.filter.GenericFilterBean;
@@ -32,35 +41,134 @@ import org.springframework.web.filter.GenericFilterBean;
* A Filter which populates the ServletRequest with a request wrapper
* which implements the servlet API security methods.
*
- * The wrapper class used is {@link SecurityContextHolderAwareRequestWrapper}.
+ * In pre servlet 3 environment the wrapper class used is {@link SecurityContextHolderAwareRequestWrapper}. See its javadoc for the methods that are implemented.
+ *
+ *
+ * In a servlet 3 environment {@link SecurityContextHolderAwareRequestWrapper} is extended to provide the following additional methods:
+ *
+ *
+ * - {@link HttpServletRequest#authenticate(HttpServletResponse)} - Allows the user to determine if they are
+ * authenticated and if not send the user to the login page. See
+ * {@link #setAuthenticationEntryPoint(AuthenticationEntryPoint)}.
+ * - {@link HttpServletRequest#login(String, String)} - Allows the user to authenticate using the
+ * {@link AuthenticationManager}. See {@link #setAuthenticationManager(AuthenticationManager)}.
+ * - {@link HttpServletRequest#logout()} - Allows the user to logout using the {@link LogoutHandler}s configured in
+ * Spring Security. See {@link #setLogoutHandlers(List)}.
+ * - {@link AsyncContext#start(Runnable)} - Automatically copy the {@link SecurityContext} from the
+ * {@link SecurityContextHolder} found on the Thread that invoked {@link AsyncContext#start(Runnable)} to the Thread
+ * that processes the {@link Runnable}.
+ *
+ *
*
* @author Orlando Garcia Carmona
* @author Ben Alex
* @author Luke Taylor
+ * @author Rob Winch
*/
public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
//~ Instance fields ================================================================================================
+ private String rolePrefix;
+
private HttpServletRequestFactory requestFactory;
- public SecurityContextHolderAwareRequestFilter() {
- setRequestFactory(null);
- }
+ private AuthenticationEntryPoint authenticationEntryPoint;
+
+ private AuthenticationManager authenticationManager;
+
+ private List logoutHandlers;
//~ Methods ========================================================================================================
public void setRolePrefix(String rolePrefix) {
Assert.notNull(rolePrefix, "Role prefix must not be null");
- setRequestFactory(rolePrefix.trim());
+ this.rolePrefix = rolePrefix;
}
- private void setRequestFactory(String rolePrefix) {
- boolean isServlet3 = ClassUtils.hasMethod(ServletRequest.class, "startAsync");
- requestFactory = isServlet3 ? new HttpServlet3RequestFactory(rolePrefix) : new HttpServlet25RequestFactory(rolePrefix);
+ /**
+ *
+ * Sets the {@link AuthenticationEntryPoint} used when integrating {@link HttpServletRequest} with Servlet 3 APIs.
+ * Specifically, it will be used when {@link HttpServletRequest#authenticate(HttpServletResponse)} is called and the
+ * user is not authenticated.
+ *
+ *
+ * If the value is null (default), then the default container behavior will be be retained when invoking
+ * {@link HttpServletRequest#authenticate(HttpServletResponse)}.
+ *
+ *
+ * @param authenticationEntryPoint the {@link AuthenticationEntryPoint} to use when invoking
+ * {@link HttpServletRequest#authenticate(HttpServletResponse)} if the user is not authenticated.
+ *
+ * @throws IllegalStateException if the Servlet 3 APIs are not found on the classpath
+ */
+ public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) {
+ this.authenticationEntryPoint = authenticationEntryPoint;
+ }
+
+ /**
+ *
+ * Sets the {@link AuthenticationManager} used when integrating {@link HttpServletRequest} with Servlet 3 APIs.
+ * Specifically, it will be used when {@link HttpServletRequest#login(String, String)} is invoked to determine if
+ * the user is authenticated.
+ *
+ *
+ * If the value is null (default), then the default container behavior will be retained when invoking
+ * {@link HttpServletRequest#login(String, String)}.
+ *
+ *
+ * @param authenticationManager the {@link AuthenticationManager} to use when invoking
+ * {@link HttpServletRequest#login(String, String)}
+ *
+ * @throws IllegalStateException if the Servlet 3 APIs are not found on the classpath
+ */
+ public void setAuthenticationManager(AuthenticationManager authenticationManager) {
+ this.authenticationManager = authenticationManager;
+ }
+
+ /**
+ *
+ * Sets the {@link LogoutHandler}s used when integrating with {@link HttpServletRequest} with Servlet 3 APIs.
+ * Specifically it will be used when {@link HttpServletRequest#logout()} is invoked in order to log the user out. So
+ * long as the {@link LogoutHandler}s do not commit the {@link HttpServletResponse} (expected), then the user is in
+ * charge of handling the response.
+ *
+ *
+ * If the value is null (default), the default container behavior will be retained when invoking
+ * {@link HttpServletRequest#logout()}.
+ *
+ *
+ * @param logoutHandlers the {@link List}s when invoking {@link HttpServletRequest#logout()}.
+ *
+ * @throws IllegalStateException if the Servlet 3 APIs are not found on the classpath
+ */
+ public void setLogoutHandlers(List logoutHandlers) {
+ this.logoutHandlers = logoutHandlers;
}
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
- chain.doFilter(requestFactory.create((HttpServletRequest)req), res);
+ chain.doFilter(requestFactory.create((HttpServletRequest)req, (HttpServletResponse) res), res);
+ }
+
+ @Override
+ public void afterPropertiesSet() throws ServletException {
+ super.afterPropertiesSet();
+ requestFactory = isServlet3() ? createServlet3Factory(rolePrefix) : new HttpServlet25RequestFactory(rolePrefix);
+ }
+
+ private HttpServlet3RequestFactory createServlet3Factory(String rolePrefix) {
+ HttpServlet3RequestFactory factory = new HttpServlet3RequestFactory(rolePrefix);
+ factory.setAuthenticationEntryPoint(authenticationEntryPoint);
+ factory.setAuthenticationManager(authenticationManager);
+ factory.setLogoutHandlers(logoutHandlers);
+ return factory;
+ }
+
+ /**
+ * Returns true if the Servlet 3 APIs are detected.
+ * @return
+ */
+ private boolean isServlet3() {
+ return ClassUtils.hasMethod(ServletRequest.class, "startAsync");
}
}
diff --git a/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java b/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java
index 809543326b..8b0f096abe 100644
--- a/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java
+++ b/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java
@@ -33,8 +33,13 @@ import org.springframework.security.core.userdetails.UserDetails;
/**
* A Spring Security-aware HttpServletRequestWrapper, which uses the
* SecurityContext-defined Authentication object to implement the servlet API security
- * methods {@link SecurityContextHolderAwareRequestWrapper#isUserInRole(String)} and {@link
- * HttpServletRequestWrapper#getRemoteUser()}.
+ * methods:
+ *
+ *
+ * - {@link #getUserPrincipal()}
+ * - {@link SecurityContextHolderAwareRequestWrapper#isUserInRole(String)}
+ * - {@link HttpServletRequestWrapper#getRemoteUser()}.
+ *
*
* @see SecurityContextHolderAwareRequestFilter
*
diff --git a/web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilterTests.java b/web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilterTests.java
index c25271ae44..6dada5d9dd 100644
--- a/web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilterTests.java
@@ -1,4 +1,5 @@
-/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
+/* Copyright 2002-2012 the original author or authors.
+ * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -15,31 +16,101 @@
package org.springframework.security.web.servletapi;
+import static org.fest.assertions.Assertions.assertThat;
import static org.mockito.Matchers.any;
-import static org.mockito.Mockito.*;
+import static org.mockito.Matchers.anyString;
+import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.powermock.api.mockito.PowerMockito.doThrow;
+import static org.powermock.api.mockito.PowerMockito.mock;
+import static org.powermock.api.mockito.PowerMockito.verifyZeroInteractions;
+import static org.powermock.api.mockito.PowerMockito.when;
+import java.util.Arrays;
+import java.util.List;
+
+import javax.servlet.AsyncContext;
import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import junit.framework.Assert;
+
+import org.junit.After;
+import org.junit.Before;
import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.ArgumentCaptor;
+import org.mockito.Captor;
+import org.mockito.Mock;
+import org.powermock.core.classloader.annotations.PrepareForTest;
+import org.powermock.modules.junit4.PowerMockRunner;
+import org.powermock.reflect.internal.WhiteboxImpl;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.concurrent.DelegatingSecurityContextRunnable;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.util.ClassUtils;
/**
* Tests {@link SecurityContextHolderAwareRequestFilter}.
*
* @author Ben Alex
+ * @author Rob Winch
*/
+@RunWith(PowerMockRunner.class)
+@PrepareForTest(ClassUtils.class)
public class SecurityContextHolderAwareRequestFilterTests {
+ @Captor
+ private ArgumentCaptor requestCaptor;
+ @Mock
+ private AuthenticationManager authenticationManager;
+ @Mock
+ private AuthenticationEntryPoint authenticationEntryPoint;
+ @Mock
+ private LogoutHandler logoutHandler;
+ @Mock
+ private FilterChain filterChain;
+ @Mock
+ private HttpServletRequest request;
+ @Mock
+ private HttpServletResponse response;
+
+ private List logoutHandlers;
+
+ private SecurityContextHolderAwareRequestFilter filter;
+
+ @Before
+ public void setUp() throws Exception {
+ logoutHandlers = Arrays.asList(logoutHandler);
+ filter = new SecurityContextHolderAwareRequestFilter();
+ filter.setAuthenticationEntryPoint(authenticationEntryPoint);
+ filter.setAuthenticationManager(authenticationManager);
+ filter.setLogoutHandlers(logoutHandlers);
+ filter.afterPropertiesSet();
+ }
+
+ @After
+ public void clearContext() {
+ SecurityContextHolder.clearContext();
+ }
//~ Methods ========================================================================================================
@Test
public void expectedRequestWrapperClassIsUsed() throws Exception {
- SecurityContextHolderAwareRequestFilter filter = new SecurityContextHolderAwareRequestFilter();
filter.setRolePrefix("ROLE_");
- final FilterChain filterChain = mock(FilterChain.class);
filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), filterChain);
@@ -50,4 +121,137 @@ public class SecurityContextHolderAwareRequestFilterTests {
filter.destroy();
}
+
+ @Test
+ public void authenticateFalse() throws Exception {
+ assertThat(wrappedRequest().authenticate(response)).isFalse();
+ verify(authenticationEntryPoint).commence(eq(requestCaptor.getValue()), eq(response), any(AuthenticationException.class));
+ verifyZeroInteractions(authenticationManager, logoutHandler);
+ verify(request, times(0)).authenticate(any(HttpServletResponse.class));
+ }
+
+ @Test
+ public void authenticateTrue() throws Exception {
+ SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("test","password","ROLE_USER"));
+
+ assertThat(wrappedRequest().authenticate(response)).isTrue();
+ verifyZeroInteractions(authenticationEntryPoint, authenticationManager, logoutHandler);
+ verify(request, times(0)).authenticate(any(HttpServletResponse.class));
+ }
+
+ @Test
+ public void authenticateNullEntryPointFalse() throws Exception {
+ filter.setAuthenticationEntryPoint(null);
+ filter.afterPropertiesSet();
+
+ assertThat(wrappedRequest().authenticate(response)).isFalse();
+ verify(request).authenticate(response);
+ verifyZeroInteractions(authenticationEntryPoint, authenticationManager, logoutHandler);
+ }
+
+ @Test
+ public void authenticateNullEntryPointTrue() throws Exception {
+ when(request.authenticate(response)).thenReturn(true);
+ filter.setAuthenticationEntryPoint(null);
+ filter.afterPropertiesSet();
+
+ assertThat(wrappedRequest().authenticate(response)).isTrue();
+ verify(request).authenticate(response);
+ verifyZeroInteractions(authenticationEntryPoint, authenticationManager, logoutHandler);
+ }
+
+ @Test
+ public void login() throws Exception {
+ TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user", "password","ROLE_USER");
+ when(authenticationManager.authenticate(any(UsernamePasswordAuthenticationToken.class))).thenReturn(expectedAuth);
+
+ wrappedRequest().login(expectedAuth.getName(),String.valueOf(expectedAuth.getCredentials()));
+
+ assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(expectedAuth);
+ verifyZeroInteractions(authenticationEntryPoint, logoutHandler);
+ verify(request, times(0)).login(anyString(),anyString());
+ }
+
+ @Test
+ public void loginFail() throws Exception {
+ AuthenticationException authException = new BadCredentialsException("Invalid");
+ when(authenticationManager.authenticate(any(UsernamePasswordAuthenticationToken.class))).thenThrow(authException);
+ SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("should","be cleared","ROLE_USER"));
+
+ try {
+ wrappedRequest().login("invalid","credentials");
+ Assert.fail("Expected Exception");
+ } catch(ServletException success) {
+ assertThat(success.getCause()).isEqualTo(authException);
+ }
+ assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
+
+ verifyZeroInteractions(authenticationEntryPoint, logoutHandler);
+ verify(request, times(0)).login(anyString(),anyString());
+ }
+
+ @Test
+ public void loginNullAuthenticationManager() throws Exception {
+ filter.setAuthenticationManager(null);
+ filter.afterPropertiesSet();
+
+ String username = "username";
+ String password = "password";
+
+ wrappedRequest().login(username, password);
+
+ verify(request).login(username, password);
+ verifyZeroInteractions(authenticationEntryPoint, authenticationManager, logoutHandler);
+ }
+
+ @Test
+ public void loginNullAuthenticationManagerFail() throws Exception {
+ filter.setAuthenticationManager(null);
+ filter.afterPropertiesSet();
+
+ String username = "username";
+ String password = "password";
+ ServletException authException = new ServletException("Failed Login");
+ doThrow(authException).when(request).login(username, password);
+
+ try {
+ wrappedRequest().login(username, password);
+ Assert.fail("Expected Exception");
+ } catch(ServletException success) {
+ assertThat(success).isEqualTo(authException);
+ }
+
+ verifyZeroInteractions(authenticationEntryPoint, authenticationManager, logoutHandler);
+ }
+
+ @Test
+ public void logout() throws Exception {
+ TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user", "password","ROLE_USER");
+ SecurityContextHolder.getContext().setAuthentication(expectedAuth);
+
+ HttpServletRequest wrappedRequest = wrappedRequest();
+ wrappedRequest.logout();
+
+ verify(logoutHandler).logout(wrappedRequest, response, expectedAuth);
+ verifyZeroInteractions(authenticationManager, logoutHandler);
+ verify(request, times(0)).logout();
+ }
+
+ @Test
+ public void logoutNullLogoutHandler() throws Exception {
+ filter.setLogoutHandlers(null);
+ filter.afterPropertiesSet();
+
+ wrappedRequest().logout();
+
+ verify(request).logout();
+ verifyZeroInteractions(authenticationEntryPoint, authenticationManager, logoutHandler);
+ }
+
+ private HttpServletRequest wrappedRequest() throws Exception {
+ filter.doFilter(request, response, filterChain);
+ verify(filterChain).doFilter(requestCaptor.capture(), any(HttpServletResponse.class));
+
+ return requestCaptor.getValue();
+ }
}