SEC-1584: Additional integration tests.

This commit is contained in:
Luke Taylor 2010-10-03 22:42:07 +01:00
parent 8f6ddb0f17
commit ed7f589998
5 changed files with 133 additions and 33 deletions

View File

@ -5,13 +5,18 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-itest</artifactId>
<version>2.0.4-SNAPSHOT</version>
<version>2.0.6.CI-SNAPSHOT</version>
</parent>
<artifactId>spring-security-itest-context</artifactId>
<name>Spring Security - Miscellaneous Application Context Integration Tests</name>
<packaging>jar</packaging>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>

View File

@ -0,0 +1,67 @@
package org.springframework.security.integration;
import static org.junit.Assert.assertEquals;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.context.HttpSessionContextIntegrationFilter;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.util.AuthorityUtils;
import org.springframework.security.util.FilterChainProxy;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import javax.servlet.http.HttpSession;
@ContextConfiguration(locations={"/http-path-param-stripping-app-context.xml"})
@RunWith(SpringJUnit4ClassRunner.class)
public class HttpPathParameterStrippingTests {
@Autowired
private FilterChainProxy fcp;
@Test
public void securedFilterChainCannotBeBypassedByAddingPathParameters() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setPathInfo("/secured;x=y/admin.html");
request.setSession(createAuthenticatedSession("ROLE_USER"));
MockHttpServletResponse response = new MockHttpServletResponse();
fcp.doFilter(request, response, new MockFilterChain());
assertEquals(403, response.getStatus());
}
@Test
public void adminFilePatternCannotBeBypassedByAddingPathParameters() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/secured/admin.html;x=user.html");
request.setSession(createAuthenticatedSession("ROLE_USER"));
MockHttpServletResponse response = new MockHttpServletResponse();
fcp.doFilter(request, response, new MockFilterChain());
assertEquals(403, response.getStatus());
// Try with pathInfo
request = new MockHttpServletRequest();
request.setServletPath("/secured");
request.setPathInfo("/admin.html;x=user.html");
request.setSession(createAuthenticatedSession("ROLE_USER"));
response = new MockHttpServletResponse();
fcp.doFilter(request, response, new MockFilterChain());
assertEquals(403, response.getStatus());
}
public HttpSession createAuthenticatedSession(String... roles) {
MockHttpSession session = new MockHttpSession();
SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("bob", "bobspassword",
AuthorityUtils.stringArrayToAuthorityArray(roles)));
session.setAttribute(HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
SecurityContextHolder.clearContext();
return session;
}
}

View File

@ -0,0 +1,28 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
-
-->
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
<http>
<intercept-url pattern="/secured/*user.html" access="ROLE_USER" />
<intercept-url pattern="/secured/admin.html" access="ROLE_ADMIN" />
<intercept-url pattern="/secured/user/**" access="ROLE_USER" />
<intercept-url pattern="/secured/admin/*" access="ROLE_ADMIN" />
<intercept-url pattern="/**" filters="none" />
<form-login />
</http>
<authentication-provider>
<user-service id="userService">
<user name="notused" password="notused" authorities="ROLE_0,ROLE_1"/>
</user-service>
</authentication-provider>
</b:beans>

View File

@ -1,20 +1,20 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-itest</artifactId>
<name>Spring Security - Integration Tests</name>
<packaging>pom</packaging>
<version>2.0.4-SNAPSHOT</version>
<version>2.0.6.CI-SNAPSHOT</version>
<modules>
<module>web</module>
<!-- module>webflow</module-->
<module>context</module>
</modules>
<dependencies>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring</artifactId>
<version>2.5.5</version>
<version>2.5.6.SEC02</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
@ -25,14 +25,14 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<version>2.5.5</version>
<version>2.5.6.SEC02</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
@ -58,7 +58,7 @@
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
@ -69,18 +69,18 @@
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</exclusions>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjrt</artifactId>
<version>1.6.1</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.6.1</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjrt</artifactId>
<version>1.6.1</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.6.1</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
@ -97,7 +97,7 @@
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.directory.server</groupId>
@ -128,9 +128,9 @@
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
@ -195,10 +195,10 @@
</property>
</systemProperties>
</configuration>
</plugin>
</plugin>
</plugins>
</build>
<properties>
<jetty.version>6.1.11</jetty.version>
</properties>
</properties>
</project>

View File

@ -5,7 +5,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-itest</artifactId>
<version>2.0.4-SNAPSHOT</version>
<version>2.0.6.CI-SNAPSHOT</version>
</parent>
<artifactId>spring-security-itest-web</artifactId>
<name>Spring Security - Web Integration Tests</name>
@ -36,7 +36,7 @@
<artifactId>jetty-naming</artifactId>
<version>${jetty.version}</version>
<scope>test</scope>
</dependency>
</dependency>
<dependency>
<groupId>org.mortbay.jetty</groupId>
<artifactId>jetty-plus</artifactId>
@ -53,8 +53,8 @@
<groupId>org.mortbay.jetty</groupId>
<artifactId>jsp-api-2.1</artifactId>
<version>${jetty.version}</version>
</dependency>
<!--
</dependency>
<!--
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
@ -67,10 +67,10 @@
<scope>runtime</scope>
<version>1.1.2</version>
</dependency>
-->
-->
</dependencies>
<!--
<!--
<build>
<plugins>
<plugin>
@ -88,7 +88,7 @@
</execution>
</executions>
</plugin>
</plugins>
</build>
</plugins>
</build>
-->
</project>