moved AuthenticationFailureHandler example to spring-security-mvc-login

This commit is contained in:
db 2018-07-18 12:40:56 +01:00
parent f79e6e3da3
commit aa0af30497
8 changed files with 119 additions and 278 deletions

View File

@ -1,12 +0,0 @@
package com.baeldung.springbootsecurity.form_login;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication(scanBasePackages = "com.baeldung.springbootsecurity.form_login")
public class SpringBootSecurityApplication {
public static void main(String[] args) {
SpringApplication.run(SpringBootSecurityApplication.class, args);
}
}

View File

@ -1,67 +0,0 @@
package com.baeldung.springbootsecurity.form_login.configuration;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Calendar;
import java.util.HashMap;
import java.util.Map;
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("baeldung")
.password("baeldung")
.roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.formLogin()
.failureHandler(customAuthenticationFailureHandler());
}
@Bean
public AuthenticationFailureHandler customAuthenticationFailureHandler() {
return new CustomAuthenticationFailureHandler();
}
/**
* Custom AuthenticationFailureHandler
*/
public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {
private final ObjectMapper objectMapper = new ObjectMapper();
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
response.setStatus(HttpStatus.UNAUTHORIZED.value());
Map<String, Object> data = new HashMap<>();
data.put("timestamp", Calendar.getInstance().getTime());
data.put("exception", exception.getMessage());
response.getOutputStream().println(objectMapper.writeValueAsString(data));
}
}
}

View File

@ -1,87 +0,0 @@
package com.baeldung.springbootsecurity.form_login;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
import javax.servlet.Filter;
import static org.junit.Assert.assertTrue;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = com.baeldung.springbootsecurity.form_login.SpringBootSecurityApplication.class)
public class FormLoginIntegrationTest {
@Autowired
private WebApplicationContext context;
@Autowired
private Filter springSecurityFilterChain;
private MockMvc mvc;
@Before
public void setup() {
mvc = MockMvcBuilders
.webAppContextSetup(context)
.addFilters(springSecurityFilterChain)
.build();
}
@Test
public void givenRequestWithoutSessionOrCsrfToken_shouldFailWith403() throws Exception {
mvc
.perform(post("/"))
.andExpect(status().isForbidden());
}
@Test
public void givenRequestWithInvalidCsrfToken_shouldFailWith403() throws Exception {
mvc
.perform(post("/").with(csrf().useInvalidToken()))
.andExpect(status().isForbidden());
}
@Test
public void givenRequestWithValidCsrfTokenAndWithoutSessionToken_shouldReceive302WithLocationHeaderToLoginPage() throws Exception {
MvcResult mvcResult = mvc.perform(post("/").with(csrf())).andReturn();
assertTrue(mvcResult.getResponse().getStatus() == 302);
assertTrue(mvcResult.getResponse().getHeader("Location").contains("login"));
}
@Test
public void givenValidRequestWithValidCredentials_shouldLoginSuccessfully() throws Exception {
mvc
.perform(formLogin().user("baeldung").password("baeldung"))
.andExpect(status().isFound())
.andExpect(redirectedUrl("/"))
.andExpect(authenticated().withUsername("baeldung"));
}
@Test
public void givenValidRequestWithInvalidCredentials_shouldFailWith401() throws Exception {
MvcResult result = mvc
.perform(formLogin().user("random").password("random"))
.andExpect(status().isUnauthorized())
.andDo(print())
.andExpect(unauthenticated())
.andReturn();
assertTrue(result.getResponse().getContentAsString().contains("Bad credentials"));
}
}

View File

@ -1,87 +0,0 @@
package com.baeldung.springbootsecurity.form_login;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
import javax.servlet.Filter;
import static org.junit.Assert.assertTrue;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = com.baeldung.springbootsecurity.form_login.SpringBootSecurityApplication.class)
public class FormLoginUnitTest {
@Autowired
private WebApplicationContext context;
@Autowired
private Filter springSecurityFilterChain;
private MockMvc mvc;
@Before
public void setup() {
mvc = MockMvcBuilders
.webAppContextSetup(context)
.addFilters(springSecurityFilterChain)
.build();
}
@Test
public void givenRequestWithoutSessionOrCsrfToken_shouldFailWith403() throws Exception {
mvc
.perform(post("/"))
.andExpect(status().isForbidden());
}
@Test
public void givenRequestWithInvalidCsrfToken_shouldFailWith403() throws Exception {
mvc
.perform(post("/").with(csrf().useInvalidToken()))
.andExpect(status().isForbidden());
}
@Test
public void givenRequestWithValidCsrfTokenAndWithoutSessionToken_shouldReceive302WithLocationHeaderToLoginPage() throws Exception {
MvcResult mvcResult = mvc.perform(post("/").with(csrf())).andReturn();
assertTrue(mvcResult.getResponse().getStatus() == 302);
assertTrue(mvcResult.getResponse().getHeader("Location").contains("login"));
}
@Test
public void givenValidRequestWithValidCredentials_shouldLoginSuccessfully() throws Exception {
mvc
.perform(formLogin().user("baeldung").password("baeldung"))
.andExpect(status().isFound())
.andExpect(redirectedUrl("/"))
.andExpect(authenticated().withUsername("baeldung"));
}
@Test
public void givenValidRequestWithInvalidCredentials_shouldFailWith401() throws Exception {
MvcResult result = mvc
.perform(formLogin().user("random").password("random"))
.andExpect(status().isUnauthorized())
.andDo(print())
.andExpect(unauthenticated())
.andReturn();
assertTrue(result.getResponse().getContentAsString().contains("Bad credentials"));
}
}

View File

@ -0,0 +1,22 @@
package org.baeldung.security;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Calendar;
public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
String jsonPayload = "{\"message\" : \"%s\", \"timestamp\" : \"%s\" }";
httpServletResponse.getOutputStream().println(String.format(jsonPayload, e.getMessage(), Calendar.getInstance().getTime()));
}
}

View File

@ -1,6 +1,7 @@
package org.baeldung.spring;
import org.baeldung.security.CustomAccessDeniedHandler;
import org.baeldung.security.CustomAuthenticationFailureHandler;
import org.baeldung.security.CustomLogoutSuccessHandler;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@ -10,6 +11,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
@Configuration
@ -26,11 +28,11 @@ public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
// @formatter:off
auth.inMemoryAuthentication()
.withUser("user1").password("user1Pass").roles("USER")
.and()
.withUser("user2").password("user2Pass").roles("USER")
.and()
.withUser("admin").password("adminPass").roles("ADMIN");
.withUser("user1").password("user1Pass").roles("USER")
.and()
.withUser("user2").password("user2Pass").roles("USER")
.and()
.withUser("admin").password("adminPass").roles("ADMIN");
// @formatter:on
}
@ -38,23 +40,24 @@ public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
protected void configure(final HttpSecurity http) throws Exception {
// @formatter:off
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/anonymous*").anonymous()
.antMatchers("/login*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login.html")
.loginProcessingUrl("/perform_login")
.defaultSuccessUrl("/homepage.html",true)
.failureUrl("/login.html?error=true")
.and()
.logout()
.logoutUrl("/perform_logout")
.deleteCookies("JSESSIONID")
.logoutSuccessHandler(logoutSuccessHandler());
.csrf().disable()
.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/anonymous*").anonymous()
.antMatchers("/login*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login.html")
.loginProcessingUrl("/perform_login")
.defaultSuccessUrl("/homepage.html", true)
//.failureUrl("/login.html?error=true")
.failureHandler(authenticationFailureHandler())
.and()
.logout()
.logoutUrl("/perform_logout")
.deleteCookies("JSESSIONID")
.logoutSuccessHandler(logoutSuccessHandler());
//.and()
//.exceptionHandling().accessDeniedPage("/accessDenied");
//.exceptionHandling().accessDeniedHandler(accessDeniedHandler());
@ -71,4 +74,8 @@ public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
return new CustomAccessDeniedHandler();
}
@Bean
public AuthenticationFailureHandler authenticationFailureHandler() {
return new CustomAuthenticationFailureHandler();
}
}

View File

@ -15,20 +15,22 @@
<csrf disabled="true"/>
<form-login login-page='/login.html' login-processing-url="/perform_login" default-target-url="/homepage.html" authentication-failure-url="/login.html?error=true"
always-use-default-target="true"/>
<form-login login-page='/login.html' login-processing-url="/perform_login" default-target-url="/homepage.html"
always-use-default-target="true" authentication-failure-handler-ref="authenticationFailureHandler"/>
<logout logout-url="/perform_logout" delete-cookies="JSESSIONID" success-handler-ref="customLogoutSuccessHandler"/>
<!-- <access-denied-handler error-page="/accessDenied"/> -->
<access-denied-handler ref="customAccessDeniedHandler"/>
</http>
<beans:bean name="customLogoutSuccessHandler" class="org.baeldung.security.CustomLogoutSuccessHandler"/>
<beans:bean name="customAccessDeniedHandler" class="org.baeldung.security.CustomAccessDeniedHandler" />
<beans:bean id="authenticationFailureHandler" name="customAuthenticationFaiureHandler" class="org.baeldung.security.CustomAuthenticationFailureHandler"/>
<authentication-manager>
<authentication-provider>
<user-service>

View File

@ -0,0 +1,63 @@
package org.baeldung.security;
import org.baeldung.spring.SecSecurityConfig;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
import javax.servlet.Filter;
import static org.junit.Assert.assertTrue;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(classes = {SecSecurityConfig.class})
@WebAppConfiguration
public class FormLoginUnitTest {
@Autowired
private WebApplicationContext context;
@Autowired
private Filter springSecurityFilterChain;
private MockMvc mvc;
@Before
public void setup() {
mvc = MockMvcBuilders
.webAppContextSetup(context)
.addFilters(springSecurityFilterChain)
.build();
}
@Test
public void givenValidRequestWithValidCredentials_shouldLoginSuccessfully() throws Exception {
mvc
.perform(formLogin("/perform_login").user("user1").password("user1Pass"))
.andExpect(status().isFound())
.andExpect(authenticated().withUsername("user1"));
}
@Test
public void givenValidRequestWithInvalidCredentials_shouldFailWith401() throws Exception {
MvcResult result = mvc
.perform(formLogin("/perform_login").user("random").password("random")).andReturn();
/*.andExpect(status().isUnauthorized())
.andDo(print())
.andExpect(unauthenticated())
.andReturn();*/
assertTrue(result.getResponse().getContentAsString().contains("Bad credentials"));
}
}