BAEL-4914 Code for EnableGlobalMethodSecurity vs EnableWebSecurity (#11053)
* BAEL-4914 Code for EnableGlobalMethodSecurity vs EnableWebSecurity * BAEL-4914 Add newline after @Autowired in Test
This commit is contained in:
parent
abaa46fd99
commit
6365185c70
|
@ -0,0 +1,15 @@
|
||||||
|
package com.baeldung.annotations.globalmethod;
|
||||||
|
|
||||||
|
import org.springframework.boot.SpringApplication;
|
||||||
|
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||||
|
import org.springframework.context.annotation.ComponentScan;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
|
|
||||||
|
@SpringBootApplication
|
||||||
|
@EnableWebSecurity
|
||||||
|
public class AnnotationSecuredApplication {
|
||||||
|
|
||||||
|
public static void main(String[] args) {
|
||||||
|
SpringApplication.run(AnnotationSecuredApplication.class, args);
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,50 @@
|
||||||
|
package com.baeldung.annotations.globalmethod;
|
||||||
|
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.security.access.prepost.PreAuthorize;
|
||||||
|
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
||||||
|
import org.springframework.web.bind.annotation.GetMapping;
|
||||||
|
import org.springframework.web.bind.annotation.RestController;
|
||||||
|
|
||||||
|
import javax.annotation.security.RolesAllowed;
|
||||||
|
|
||||||
|
@RestController
|
||||||
|
@EnableGlobalMethodSecurity(jsr250Enabled = true, prePostEnabled = true)
|
||||||
|
public class AnnotationSecuredController {
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
DifferentClass differentClass;
|
||||||
|
|
||||||
|
@GetMapping("/public")
|
||||||
|
public String publicHello() {
|
||||||
|
return "Hello Public";
|
||||||
|
}
|
||||||
|
|
||||||
|
@RolesAllowed("ADMIN")
|
||||||
|
@GetMapping("/admin")
|
||||||
|
public String adminHello() {
|
||||||
|
return "Hello Admin";
|
||||||
|
}
|
||||||
|
|
||||||
|
@RolesAllowed("USER")
|
||||||
|
@GetMapping("/protected")
|
||||||
|
public String jsr250Hello() {
|
||||||
|
return "Hello Jsr250";
|
||||||
|
}
|
||||||
|
|
||||||
|
@GetMapping("/indirect")
|
||||||
|
public String indirectHello() {
|
||||||
|
return jsr250Hello();
|
||||||
|
}
|
||||||
|
|
||||||
|
@GetMapping("/differentclass")
|
||||||
|
public String differentClassHello() {
|
||||||
|
return differentClass.differentJsr250Hello();
|
||||||
|
}
|
||||||
|
|
||||||
|
@PreAuthorize("hasRole('USER')")
|
||||||
|
public String preAuthorizeHello() {
|
||||||
|
return "Hello PreAuthorize";
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,22 @@
|
||||||
|
package com.baeldung.annotations.globalmethod;
|
||||||
|
|
||||||
|
import org.springframework.context.annotation.Bean;
|
||||||
|
import org.springframework.context.annotation.Configuration;
|
||||||
|
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
|
||||||
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
|
||||||
|
|
||||||
|
|
||||||
|
@Configuration
|
||||||
|
@EnableWebSecurity
|
||||||
|
public class AnnotationSecuredStaticResourceConfig extends WebSecurityConfigurerAdapter {
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
public WebSecurityCustomizer ignoreResources() {
|
||||||
|
return (webSecurity) -> webSecurity
|
||||||
|
.ignoring()
|
||||||
|
.antMatchers("/hello/*");
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,13 @@
|
||||||
|
package com.baeldung.annotations.globalmethod;
|
||||||
|
|
||||||
|
import org.springframework.stereotype.Component;
|
||||||
|
|
||||||
|
import javax.annotation.security.RolesAllowed;
|
||||||
|
|
||||||
|
@Component
|
||||||
|
public class DifferentClass {
|
||||||
|
@RolesAllowed("USER")
|
||||||
|
public String differentJsr250Hello() {
|
||||||
|
return "Hello Jsr250";
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,14 @@
|
||||||
|
package com.baeldung.annotations.websecurity;
|
||||||
|
|
||||||
|
import org.springframework.boot.SpringApplication;
|
||||||
|
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
|
|
||||||
|
@SpringBootApplication
|
||||||
|
@EnableWebSecurity
|
||||||
|
public class ConfigSecuredApplication {
|
||||||
|
|
||||||
|
public static void main(String[] args) {
|
||||||
|
SpringApplication.run(ConfigSecuredApplication.class, args);
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,30 @@
|
||||||
|
package com.baeldung.annotations.websecurity;
|
||||||
|
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
|
import org.springframework.web.bind.annotation.GetMapping;
|
||||||
|
import org.springframework.web.bind.annotation.RequestMapping;
|
||||||
|
import org.springframework.web.bind.annotation.RestController;
|
||||||
|
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||||
|
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
|
||||||
|
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
|
||||||
|
|
||||||
|
@RestController
|
||||||
|
@EnableWebSecurity
|
||||||
|
public class ConfigSecuredController {
|
||||||
|
|
||||||
|
@GetMapping("/public")
|
||||||
|
public String publicHello() {
|
||||||
|
return "Hello Public";
|
||||||
|
}
|
||||||
|
|
||||||
|
@GetMapping("/protected")
|
||||||
|
public String protectedHello() {
|
||||||
|
return "Hello from protected";
|
||||||
|
}
|
||||||
|
|
||||||
|
@GetMapping("/admin")
|
||||||
|
public String adminHello() {
|
||||||
|
return "Hello from admin";
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,29 @@
|
||||||
|
package com.baeldung.annotations.websecurity;
|
||||||
|
|
||||||
|
import org.springframework.context.annotation.Configuration;
|
||||||
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.builders.WebSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||||
|
|
||||||
|
@Configuration
|
||||||
|
@EnableWebSecurity
|
||||||
|
public class CustomWebSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
|
http
|
||||||
|
.authorizeRequests()
|
||||||
|
.antMatchers("/admin/**")
|
||||||
|
.hasRole("ADMIN")
|
||||||
|
.antMatchers("/protected/**")
|
||||||
|
.hasRole("USER");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void configure(WebSecurity web) throws Exception {
|
||||||
|
web
|
||||||
|
.ignoring()
|
||||||
|
.antMatchers("/public/*");
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1 @@
|
||||||
|
Hello From Baeldung
|
|
@ -0,0 +1,104 @@
|
||||||
|
package com.baeldung.annotations.globalmethod;
|
||||||
|
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.junit.runner.RunWith;
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.boot.test.context.SpringBootTest;
|
||||||
|
import org.springframework.boot.test.web.client.TestRestTemplate;
|
||||||
|
import org.springframework.http.HttpStatus;
|
||||||
|
import org.springframework.http.ResponseEntity;
|
||||||
|
import org.springframework.security.access.AccessDeniedException;
|
||||||
|
import org.springframework.security.test.context.support.WithAnonymousUser;
|
||||||
|
import org.springframework.security.test.context.support.WithMockUser;
|
||||||
|
import org.springframework.test.context.junit4.SpringRunner;
|
||||||
|
|
||||||
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
|
import static org.junit.Assert.assertEquals;
|
||||||
|
import static org.springframework.boot.test.context.SpringBootTest.WebEnvironment.RANDOM_PORT;
|
||||||
|
|
||||||
|
@RunWith(SpringRunner.class)
|
||||||
|
@SpringBootTest(webEnvironment = RANDOM_PORT)
|
||||||
|
public class GlobalMethodSpringBootIntegrationTest {
|
||||||
|
public static final String HELLO_JSR_250 = "Hello Jsr250";
|
||||||
|
public static final String HELLO_PUBLIC = "Hello Public";
|
||||||
|
public static final String HELLO_PRE_AUTHORIZE = "Hello PreAuthorize";
|
||||||
|
public static final String PUBLIC_RESOURCE = "/hello/baeldung.txt";
|
||||||
|
public static final String HELLO_FROM_PUBLIC_RESOURCE = "Hello From Baeldung";
|
||||||
|
private static final String PROTECTED_METHOD = "/protected";
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private TestRestTemplate template;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private AnnotationSecuredController api;
|
||||||
|
|
||||||
|
@WithMockUser(username="baeldung", roles = "USER")
|
||||||
|
@Test
|
||||||
|
public void givenUserWithRole_whenJsr250_thenOk() {
|
||||||
|
assertThat(api.jsr250Hello()).isEqualTo(HELLO_JSR_250);
|
||||||
|
}
|
||||||
|
|
||||||
|
@WithMockUser(username="baeldung", roles = "NOT-USER")
|
||||||
|
@Test(expected = AccessDeniedException.class)
|
||||||
|
public void givenWrongRole_whenJsr250_thenAccessDenied() {
|
||||||
|
api.jsr250Hello();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@WithAnonymousUser
|
||||||
|
public void givenAnonymousUser_whenPublic_thenOk() {
|
||||||
|
assertThat(api.publicHello()).isEqualTo(HELLO_PUBLIC);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test(expected = AccessDeniedException.class)
|
||||||
|
@WithAnonymousUser
|
||||||
|
public void givenAnonymousUser_whenJsr250_thenAccessDenied() {
|
||||||
|
api.jsr250Hello();
|
||||||
|
}
|
||||||
|
|
||||||
|
// Tests for indirect calling of method
|
||||||
|
@Test
|
||||||
|
@WithAnonymousUser
|
||||||
|
public void givenAnonymousUser_whenIndirectCall_thenNoSecurity() {
|
||||||
|
assertThat(api.indirectHello()).isEqualTo(HELLO_JSR_250);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test(expected = AccessDeniedException.class)
|
||||||
|
@WithAnonymousUser
|
||||||
|
public void givenAnonymousUser_whenIndirectToDifferentClass_thenAccessDenied() {
|
||||||
|
api.differentClassHello();
|
||||||
|
}
|
||||||
|
|
||||||
|
// Tests for static resource
|
||||||
|
@Test
|
||||||
|
public void givenPublicResource_whenGetViaWeb_thenOk() {
|
||||||
|
ResponseEntity<String> result = template.getForEntity(PUBLIC_RESOURCE, String.class);
|
||||||
|
assertEquals(HELLO_FROM_PUBLIC_RESOURCE, result.getBody());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void givenProtectedMethod_whenGetViaWeb_thenRedirectToLogin() {
|
||||||
|
ResponseEntity<String> result = template.getForEntity(PROTECTED_METHOD, String.class);
|
||||||
|
assertEquals(HttpStatus.FOUND, result.getStatusCode());
|
||||||
|
}
|
||||||
|
|
||||||
|
// Tests for preAuthorize annotations
|
||||||
|
@WithMockUser(username="baeldung", roles = "USER")
|
||||||
|
@Test
|
||||||
|
public void givenUserWithRole_whenCallPreAuthorize_thenOk() {
|
||||||
|
assertThat(api.preAuthorizeHello()).isEqualTo(HELLO_PRE_AUTHORIZE);
|
||||||
|
}
|
||||||
|
|
||||||
|
@WithMockUser(username="baeldung", roles = "NOT-USER")
|
||||||
|
@Test(expected = AccessDeniedException.class)
|
||||||
|
public void givenWrongRole_whenCallPreAuthorize_thenAccessDenied() {
|
||||||
|
api.preAuthorizeHello();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test(expected = AccessDeniedException.class)
|
||||||
|
@WithAnonymousUser
|
||||||
|
public void givenAnonymousUser_whenCallPreAuthorize_thenAccessDenied() {
|
||||||
|
api.preAuthorizeHello();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,62 @@
|
||||||
|
package com.baeldung.annotations.websecurity;
|
||||||
|
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.junit.runner.RunWith;
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.boot.test.context.SpringBootTest;
|
||||||
|
import org.springframework.boot.test.web.client.TestRestTemplate;
|
||||||
|
import org.springframework.http.HttpStatus;
|
||||||
|
import org.springframework.http.ResponseEntity;
|
||||||
|
import org.springframework.test.context.junit4.SpringRunner;
|
||||||
|
|
||||||
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
|
import static org.junit.Assert.assertEquals;
|
||||||
|
import static org.springframework.boot.test.context.SpringBootTest.WebEnvironment.RANDOM_PORT;
|
||||||
|
|
||||||
|
@RunWith(SpringRunner.class)
|
||||||
|
@SpringBootTest(webEnvironment = RANDOM_PORT)
|
||||||
|
public class WebSecuritySpringBootIntegrationTest {
|
||||||
|
private static final String PUBLIC_RESOURCE = "/hello/baeldung.txt";
|
||||||
|
private static final String HELLO_FROM_PUBLIC_RESOURCE = "Hello From Baeldung";
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private ConfigSecuredController api;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private TestRestTemplate template;
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void whenCallPublicDirectly_thenOk() {
|
||||||
|
assertThat(api.publicHello()).isEqualTo("Hello Public");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void whenCallProtectedDirectly_thenNoSecurity() {
|
||||||
|
assertThat(api.protectedHello()).isEqualTo("Hello from protected");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void whenGetProtectedViaWeb_thenForbidden() {
|
||||||
|
ResponseEntity<String> result = template.getForEntity("/protected", String.class);
|
||||||
|
assertEquals(HttpStatus.FORBIDDEN, result.getStatusCode());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void whenGetAdminViaWeb_thenForbidden() {
|
||||||
|
ResponseEntity<String> result = template.getForEntity("/admin", String.class);
|
||||||
|
assertEquals(HttpStatus.FORBIDDEN, result.getStatusCode());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void whenGetPublicViaWeb_thenSuccess() {
|
||||||
|
ResponseEntity<String> result = template.getForEntity("/public", String.class);
|
||||||
|
assertEquals(HttpStatus.OK, result.getStatusCode());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void givenPublicResource_whenGetViaWeb_thenOk() {
|
||||||
|
ResponseEntity<String> result = template.getForEntity(PUBLIC_RESOURCE, String.class);
|
||||||
|
assertEquals(HELLO_FROM_PUBLIC_RESOURCE, result.getBody());
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in New Issue