SEC-2803: Add HttpStatusEntryPoint

2015-03-11 14:45:59 -05:00 · 2015-03-11 14:45:59 -05:00 · e776a1fd35
parent 1da1b8b12f
commit e776a1fd35
3 changed files with 118 additions and 21 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java
@ -15,13 +15,10 @@
 */
 package org.springframework.security.config.annotation.web.configurers;

-import java.io.IOException;
 import java.util.Collections;
 import java.util.LinkedHashMap;

-import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;

 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
@ -29,15 +26,15 @@ import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.accept.ContentNegotiationStrategy;
 import org.springframework.web.accept.HeaderContentNegotiationStrategy;

@ -170,20 +167,4 @@ public final class HttpBasicConfigurer<B extends HttpSecurityBuilder<B>> extends
        basicAuthenticationFilter = postProcess(basicAuthenticationFilter);
        http.addFilter(basicAuthenticationFilter);
    }
-
-    private static class HttpStatusEntryPoint implements AuthenticationEntryPoint {
-        private final HttpStatus httpStatus;
-
-        public HttpStatusEntryPoint(HttpStatus httpStatus) {
-            super();
-            this.httpStatus = httpStatus;
-        }
-
-        public void commence(HttpServletRequest request,
-                HttpServletResponse response,
-                AuthenticationException authException) throws IOException,
-                ServletException {
-            response.setStatus(httpStatus.value());
-        }
-    }
 }
--- a/web/src/main/java/org/springframework/security/web/authentication/HttpStatusEntryPoint.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/HttpStatusEntryPoint.java
@ -0,0 +1,56 @@
+/*
+ * Copyright 2002-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.springframework.security.web.authentication;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.util.Assert;
+
+/**
+ * An {@link AuthenticationEntryPoint} that sends a generic {@link HttpStatus}
+ * as a response. Useful for JavaScript clients which cannot use Basic
+ * authentication since the browser intercepts the response.
+ *
+ * @author Rob Winch
+ * @since 4.0
+ */
+public final class HttpStatusEntryPoint implements AuthenticationEntryPoint {
+    private final HttpStatus httpStatus;
+
+    /**
+     * Creates a new instance.
+     *
+     * @param httpStatus the HttpSatus to set
+     */
+    public HttpStatusEntryPoint(HttpStatus httpStatus) {
+        Assert.notNull(httpStatus, "httpStatus cannot be null");
+        this.httpStatus = httpStatus;
+    }
+
+    public void commence(HttpServletRequest request,
+            HttpServletResponse response,
+            AuthenticationException authException) throws IOException,
+            ServletException {
+        response.setStatus(httpStatus.value());
+    }
+}
--- a/web/src/test/java/org/springframework/security/web/authentication/HttpStatusEntryPointTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/HttpStatusEntryPointTests.java
@ -0,0 +1,60 @@
+/*
+ * Copyright 2002-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.springframework.security.web.authentication;
+
+import static org.fest.assertions.Assertions.assertThat;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.http.HttpStatus;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.core.AuthenticationException;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 4.0
+ */
+public class HttpStatusEntryPointTests {
+    MockHttpServletRequest request;
+    MockHttpServletResponse response;
+    AuthenticationException authException;
+
+    HttpStatusEntryPoint entryPoint;
+
+    @SuppressWarnings("serial")
+    @Before
+    public void setup() {
+        request = new MockHttpServletRequest();
+        response = new MockHttpServletResponse();
+        authException = new AuthenticationException("") {};
+        entryPoint = new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void constructorNullStatus() {
+        new HttpStatusEntryPoint(null);
+    }
+
+    @Test
+    public void unauthorized() throws Exception {
+        entryPoint.commence(request, response, authException);
+
+        assertThat(response.getStatus()).isEqualTo(HttpStatus.UNAUTHORIZED.value());
+    }
+
+}