mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-07-05 10:12:36 +00:00
SEC-1584: Additional integration tests.
This commit is contained in:
parent
8f6ddb0f17
commit
ed7f589998
@ -5,13 +5,18 @@
|
||||
<parent>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-itest</artifactId>
|
||||
<version>2.0.4-SNAPSHOT</version>
|
||||
<version>2.0.6.CI-SNAPSHOT</version>
|
||||
</parent>
|
||||
<artifactId>spring-security-itest-context</artifactId>
|
||||
<name>Spring Security - Miscellaneous Application Context Integration Tests</name>
|
||||
<packaging>jar</packaging>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>javax.servlet</groupId>
|
||||
<artifactId>servlet-api</artifactId>
|
||||
<version>2.5</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>junit</groupId>
|
||||
<artifactId>junit</artifactId>
|
||||
|
@ -0,0 +1,67 @@
|
||||
package org.springframework.security.integration;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.mock.web.MockFilterChain;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.mock.web.MockHttpSession;
|
||||
import org.springframework.security.context.HttpSessionContextIntegrationFilter;
|
||||
import org.springframework.security.context.SecurityContextHolder;
|
||||
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
|
||||
import org.springframework.security.util.AuthorityUtils;
|
||||
import org.springframework.security.util.FilterChainProxy;
|
||||
import org.springframework.test.context.ContextConfiguration;
|
||||
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
|
||||
|
||||
import javax.servlet.http.HttpSession;
|
||||
|
||||
@ContextConfiguration(locations={"/http-path-param-stripping-app-context.xml"})
|
||||
@RunWith(SpringJUnit4ClassRunner.class)
|
||||
public class HttpPathParameterStrippingTests {
|
||||
|
||||
@Autowired
|
||||
private FilterChainProxy fcp;
|
||||
|
||||
@Test
|
||||
public void securedFilterChainCannotBeBypassedByAddingPathParameters() throws Exception {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setPathInfo("/secured;x=y/admin.html");
|
||||
request.setSession(createAuthenticatedSession("ROLE_USER"));
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
fcp.doFilter(request, response, new MockFilterChain());
|
||||
assertEquals(403, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void adminFilePatternCannotBeBypassedByAddingPathParameters() throws Exception {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setServletPath("/secured/admin.html;x=user.html");
|
||||
request.setSession(createAuthenticatedSession("ROLE_USER"));
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
fcp.doFilter(request, response, new MockFilterChain());
|
||||
assertEquals(403, response.getStatus());
|
||||
|
||||
// Try with pathInfo
|
||||
request = new MockHttpServletRequest();
|
||||
request.setServletPath("/secured");
|
||||
request.setPathInfo("/admin.html;x=user.html");
|
||||
request.setSession(createAuthenticatedSession("ROLE_USER"));
|
||||
response = new MockHttpServletResponse();
|
||||
fcp.doFilter(request, response, new MockFilterChain());
|
||||
assertEquals(403, response.getStatus());
|
||||
}
|
||||
|
||||
public HttpSession createAuthenticatedSession(String... roles) {
|
||||
MockHttpSession session = new MockHttpSession();
|
||||
SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("bob", "bobspassword",
|
||||
AuthorityUtils.stringArrayToAuthorityArray(roles)));
|
||||
session.setAttribute(HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
|
||||
SecurityContextHolder.clearContext();
|
||||
return session;
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,28 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
|
||||
<!--
|
||||
-
|
||||
-->
|
||||
|
||||
<b:beans xmlns="http://www.springframework.org/schema/security"
|
||||
xmlns:b="http://www.springframework.org/schema/beans"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
|
||||
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
|
||||
|
||||
<http>
|
||||
<intercept-url pattern="/secured/*user.html" access="ROLE_USER" />
|
||||
<intercept-url pattern="/secured/admin.html" access="ROLE_ADMIN" />
|
||||
<intercept-url pattern="/secured/user/**" access="ROLE_USER" />
|
||||
<intercept-url pattern="/secured/admin/*" access="ROLE_ADMIN" />
|
||||
<intercept-url pattern="/**" filters="none" />
|
||||
<form-login />
|
||||
</http>
|
||||
|
||||
<authentication-provider>
|
||||
<user-service id="userService">
|
||||
<user name="notused" password="notused" authorities="ROLE_0,ROLE_1"/>
|
||||
</user-service>
|
||||
</authentication-provider>
|
||||
|
||||
</b:beans>
|
@ -1,20 +1,20 @@
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-itest</artifactId>
|
||||
<name>Spring Security - Integration Tests</name>
|
||||
<packaging>pom</packaging>
|
||||
<version>2.0.4-SNAPSHOT</version>
|
||||
<version>2.0.6.CI-SNAPSHOT</version>
|
||||
<modules>
|
||||
<module>web</module>
|
||||
<!-- module>webflow</module-->
|
||||
<module>context</module>
|
||||
</modules>
|
||||
<dependencies>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring</artifactId>
|
||||
<version>2.5.5</version>
|
||||
<version>2.5.6.SEC02</version>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<groupId>commons-logging</groupId>
|
||||
@ -25,14 +25,14 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-test</artifactId>
|
||||
<version>2.5.5</version>
|
||||
<version>2.5.6.SEC02</version>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<groupId>commons-logging</groupId>
|
||||
<artifactId>commons-logging</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-core</artifactId>
|
||||
@ -58,7 +58,7 @@
|
||||
<groupId>commons-logging</groupId>
|
||||
<artifactId>commons-logging</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
@ -69,18 +69,18 @@
|
||||
<groupId>commons-logging</groupId>
|
||||
<artifactId>commons-logging</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.aspectj</groupId>
|
||||
<artifactId>aspectjrt</artifactId>
|
||||
<version>1.6.1</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.aspectj</groupId>
|
||||
<artifactId>aspectjweaver</artifactId>
|
||||
<version>1.6.1</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.aspectj</groupId>
|
||||
<artifactId>aspectjrt</artifactId>
|
||||
<version>1.6.1</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.aspectj</groupId>
|
||||
<artifactId>aspectjweaver</artifactId>
|
||||
<version>1.6.1</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.slf4j</groupId>
|
||||
<artifactId>slf4j-api</artifactId>
|
||||
@ -97,7 +97,7 @@
|
||||
<groupId>commons-logging</groupId>
|
||||
<artifactId>commons-logging</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.directory.server</groupId>
|
||||
@ -128,9 +128,9 @@
|
||||
<exclusion>
|
||||
<groupId>commons-logging</groupId>
|
||||
<artifactId>commons-logging</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.slf4j</groupId>
|
||||
<artifactId>slf4j-log4j12</artifactId>
|
||||
@ -195,10 +195,10 @@
|
||||
</property>
|
||||
</systemProperties>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
<properties>
|
||||
<jetty.version>6.1.11</jetty.version>
|
||||
</properties>
|
||||
</properties>
|
||||
</project>
|
||||
|
@ -5,7 +5,7 @@
|
||||
<parent>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-itest</artifactId>
|
||||
<version>2.0.4-SNAPSHOT</version>
|
||||
<version>2.0.6.CI-SNAPSHOT</version>
|
||||
</parent>
|
||||
<artifactId>spring-security-itest-web</artifactId>
|
||||
<name>Spring Security - Web Integration Tests</name>
|
||||
@ -36,7 +36,7 @@
|
||||
<artifactId>jetty-naming</artifactId>
|
||||
<version>${jetty.version}</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.mortbay.jetty</groupId>
|
||||
<artifactId>jetty-plus</artifactId>
|
||||
@ -53,8 +53,8 @@
|
||||
<groupId>org.mortbay.jetty</groupId>
|
||||
<artifactId>jsp-api-2.1</artifactId>
|
||||
<version>${jetty.version}</version>
|
||||
</dependency>
|
||||
<!--
|
||||
</dependency>
|
||||
<!--
|
||||
<dependency>
|
||||
<groupId>javax.servlet</groupId>
|
||||
<artifactId>jstl</artifactId>
|
||||
@ -67,10 +67,10 @@
|
||||
<scope>runtime</scope>
|
||||
<version>1.1.2</version>
|
||||
</dependency>
|
||||
-->
|
||||
-->
|
||||
</dependencies>
|
||||
|
||||
<!--
|
||||
<!--
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
@ -88,7 +88,7 @@
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
</plugins>
|
||||
</build>
|
||||
-->
|
||||
</project>
|
||||
|
Loading…
x
Reference in New Issue
Block a user