moved AuthenticationFailureHandler example to spring-security-mvc-login

2018-07-18 12:40:56 +01:00 · 2018-07-18 12:40:56 +01:00 · aa0af30497
parent f79e6e3da3
commit aa0af30497
8 changed files with 119 additions and 278 deletions
--- a/spring-boot-security/src/main/java/com/baeldung/springbootsecurity/form_login/SpringBootSecurityApplication.java
+++ b/spring-boot-security/src/main/java/com/baeldung/springbootsecurity/form_login/SpringBootSecurityApplication.java
@ -1,12 +0,0 @@
 package com.baeldung.springbootsecurity.form_login;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication(scanBasePackages = "com.baeldung.springbootsecurity.form_login")
 public class SpringBootSecurityApplication {
    public static void main(String[] args) {
        SpringApplication.run(SpringBootSecurityApplication.class, args);
    }
 }
--- a/spring-boot-security/src/main/java/com/baeldung/springbootsecurity/form_login/configuration/SecurityConfiguration.java
+++ b/spring-boot-security/src/main/java/com/baeldung/springbootsecurity/form_login/configuration/SecurityConfiguration.java
@ -1,67 +0,0 @@
 package com.baeldung.springbootsecurity.form_login.configuration;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.Calendar;
 import java.util.HashMap;
 import java.util.Map;
@Configuration
@EnableWebSecurity
 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("baeldung")
                .password("baeldung")
                .roles("USER");
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .failureHandler(customAuthenticationFailureHandler());
    }
    @Bean
    public AuthenticationFailureHandler customAuthenticationFailureHandler() {
        return new CustomAuthenticationFailureHandler();
    }
    /**
     * Custom AuthenticationFailureHandler
     */
    public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {
        private final ObjectMapper objectMapper = new ObjectMapper();
        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
            response.setStatus(HttpStatus.UNAUTHORIZED.value());
            Map<String, Object> data = new HashMap<>();
            data.put("timestamp", Calendar.getInstance().getTime());
            data.put("exception", exception.getMessage());
            response.getOutputStream().println(objectMapper.writeValueAsString(data));
        }
    }
 }
--- a/spring-boot-security/src/test/java/com/baeldung/springbootsecurity/form_login/FormLoginIntegrationTest.java
+++ b/spring-boot-security/src/test/java/com/baeldung/springbootsecurity/form_login/FormLoginIntegrationTest.java
@ -1,87 +0,0 @@
 package com.baeldung.springbootsecurity.form_login;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.context.WebApplicationContext;
 import javax.servlet.Filter;
 import static org.junit.Assert.assertTrue;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
 import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = com.baeldung.springbootsecurity.form_login.SpringBootSecurityApplication.class)
 public class FormLoginIntegrationTest {
    @Autowired
    private WebApplicationContext context;
    @Autowired
    private Filter springSecurityFilterChain;
    private MockMvc mvc;
    @Before
    public void setup() {
        mvc = MockMvcBuilders
                .webAppContextSetup(context)
                .addFilters(springSecurityFilterChain)
                .build();
    }
    @Test
    public void givenRequestWithoutSessionOrCsrfToken_shouldFailWith403() throws Exception {
        mvc
                .perform(post("/"))
                .andExpect(status().isForbidden());
    }
    @Test
    public void givenRequestWithInvalidCsrfToken_shouldFailWith403() throws Exception {
        mvc
                .perform(post("/").with(csrf().useInvalidToken()))
                .andExpect(status().isForbidden());
    }
    @Test
    public void givenRequestWithValidCsrfTokenAndWithoutSessionToken_shouldReceive302WithLocationHeaderToLoginPage() throws Exception {
        MvcResult mvcResult = mvc.perform(post("/").with(csrf())).andReturn();
        assertTrue(mvcResult.getResponse().getStatus() == 302);
        assertTrue(mvcResult.getResponse().getHeader("Location").contains("login"));
    }
    @Test
    public void givenValidRequestWithValidCredentials_shouldLoginSuccessfully() throws Exception {
        mvc
                .perform(formLogin().user("baeldung").password("baeldung"))
                .andExpect(status().isFound())
                .andExpect(redirectedUrl("/"))
                .andExpect(authenticated().withUsername("baeldung"));
    }
    @Test
    public void givenValidRequestWithInvalidCredentials_shouldFailWith401() throws Exception {
        MvcResult result = mvc
                .perform(formLogin().user("random").password("random"))
                .andExpect(status().isUnauthorized())
                .andDo(print())
                .andExpect(unauthenticated())
                .andReturn();
        assertTrue(result.getResponse().getContentAsString().contains("Bad credentials"));
    }
 }
--- a/spring-boot-security/src/test/java/com/baeldung/springbootsecurity/form_login/FormLoginUnitTest.java
+++ b/spring-boot-security/src/test/java/com/baeldung/springbootsecurity/form_login/FormLoginUnitTest.java
@ -1,87 +0,0 @@
 package com.baeldung.springbootsecurity.form_login;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.context.WebApplicationContext;
 import javax.servlet.Filter;
 import static org.junit.Assert.assertTrue;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
 import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = com.baeldung.springbootsecurity.form_login.SpringBootSecurityApplication.class)
 public class FormLoginUnitTest {
    @Autowired
    private WebApplicationContext context;
    @Autowired
    private Filter springSecurityFilterChain;
    private MockMvc mvc;
    @Before
    public void setup() {
        mvc = MockMvcBuilders
                .webAppContextSetup(context)
                .addFilters(springSecurityFilterChain)
                .build();
    }
    @Test
    public void givenRequestWithoutSessionOrCsrfToken_shouldFailWith403() throws Exception {
        mvc
                .perform(post("/"))
                .andExpect(status().isForbidden());
    }
    @Test
    public void givenRequestWithInvalidCsrfToken_shouldFailWith403() throws Exception {
        mvc
                .perform(post("/").with(csrf().useInvalidToken()))
                .andExpect(status().isForbidden());
    }
    @Test
    public void givenRequestWithValidCsrfTokenAndWithoutSessionToken_shouldReceive302WithLocationHeaderToLoginPage() throws Exception {
        MvcResult mvcResult = mvc.perform(post("/").with(csrf())).andReturn();
        assertTrue(mvcResult.getResponse().getStatus() == 302);
        assertTrue(mvcResult.getResponse().getHeader("Location").contains("login"));
    }
    @Test
    public void givenValidRequestWithValidCredentials_shouldLoginSuccessfully() throws Exception {
        mvc
                .perform(formLogin().user("baeldung").password("baeldung"))
                .andExpect(status().isFound())
                .andExpect(redirectedUrl("/"))
                .andExpect(authenticated().withUsername("baeldung"));
    }
    @Test
    public void givenValidRequestWithInvalidCredentials_shouldFailWith401() throws Exception {
        MvcResult result = mvc
                .perform(formLogin().user("random").password("random"))
                .andExpect(status().isUnauthorized())
                .andDo(print())
                .andExpect(unauthenticated())
                .andReturn();
        assertTrue(result.getResponse().getContentAsString().contains("Bad credentials"));
    }
 }
--- a/spring-security-mvc-login/src/main/java/org/baeldung/security/CustomAuthenticationFailureHandler.java
+++ b/spring-security-mvc-login/src/main/java/org/baeldung/security/CustomAuthenticationFailureHandler.java
@ -0,0 +1,22 @@
 package org.baeldung.security;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.Calendar;
 public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
        httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
        String jsonPayload = "{\"message\" : \"%s\", \"timestamp\" : \"%s\" }";
        httpServletResponse.getOutputStream().println(String.format(jsonPayload, e.getMessage(), Calendar.getInstance().getTime()));
    }
 }
--- a/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java
+++ b/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java
@ -1,6 +1,7 @@
 package org.baeldung.spring;
 import org.baeldung.security.CustomAccessDeniedHandler;
 import org.baeldung.security.CustomAuthenticationFailureHandler;
 import org.baeldung.security.CustomLogoutSuccessHandler;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@ -10,6 +11,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
@Configuration
@ -48,8 +50,9 @@ public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
                .formLogin()
                .loginPage("/login.html")
                .loginProcessingUrl("/perform_login")
-        .defaultSuccessUrl("/homepage.html",true)
+                .defaultSuccessUrl("/homepage.html", true)
-        .failureUrl("/login.html?error=true")
+                //.failureUrl("/login.html?error=true")
                .failureHandler(authenticationFailureHandler())
                .and()
                .logout()
                .logoutUrl("/perform_logout")
@ -71,4 +74,8 @@ public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
        return new CustomAccessDeniedHandler();
    }
    @Bean
    public AuthenticationFailureHandler authenticationFailureHandler() {
        return new CustomAuthenticationFailureHandler();
    }
 }
--- a/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
+++ b/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
@ -15,8 +15,8 @@
        <csrf disabled="true"/>
-        <form-login login-page='/login.html' login-processing-url="/perform_login" default-target-url="/homepage.html" authentication-failure-url="/login.html?error=true"
+        <form-login login-page='/login.html' login-processing-url="/perform_login" default-target-url="/homepage.html"
-            always-use-default-target="true"/>
+            always-use-default-target="true" authentication-failure-handler-ref="authenticationFailureHandler"/>
        <logout logout-url="/perform_logout" delete-cookies="JSESSIONID" success-handler-ref="customLogoutSuccessHandler"/>
@ -29,6 +29,8 @@
    <beans:bean name="customAccessDeniedHandler" class="org.baeldung.security.CustomAccessDeniedHandler" />
    <beans:bean id="authenticationFailureHandler" name="customAuthenticationFaiureHandler" class="org.baeldung.security.CustomAuthenticationFailureHandler"/>
    <authentication-manager>
        <authentication-provider>
            <user-service>
--- a/spring-security-mvc-login/src/test/java/org/baeldung/security/FormLoginUnitTest.java
+++ b/spring-security-mvc-login/src/test/java/org/baeldung/security/FormLoginUnitTest.java
@ -0,0 +1,63 @@
 package org.baeldung.security;
 import org.baeldung.spring.SecSecurityConfig;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.context.web.WebAppConfiguration;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.context.WebApplicationContext;
 import javax.servlet.Filter;
 import static org.junit.Assert.assertTrue;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
 import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(classes = {SecSecurityConfig.class})
@WebAppConfiguration
 public class FormLoginUnitTest {
    @Autowired
    private WebApplicationContext context;
    @Autowired
    private Filter springSecurityFilterChain;
    private MockMvc mvc;
    @Before
    public void setup() {
        mvc = MockMvcBuilders
                .webAppContextSetup(context)
                .addFilters(springSecurityFilterChain)
                .build();
    }
    @Test
    public void givenValidRequestWithValidCredentials_shouldLoginSuccessfully() throws Exception {
        mvc
                .perform(formLogin("/perform_login").user("user1").password("user1Pass"))
                .andExpect(status().isFound())
                .andExpect(authenticated().withUsername("user1"));
    }
    @Test
    public void givenValidRequestWithInvalidCredentials_shouldFailWith401() throws Exception {
        MvcResult result = mvc
                .perform(formLogin("/perform_login").user("random").password("random")).andReturn();
                /*.andExpect(status().isUnauthorized())
                .andDo(print())
                .andExpect(unauthenticated())
                .andReturn();*/
        assertTrue(result.getResponse().getContentAsString().contains("Bad credentials"));
    }
 }