#21 - Polished Spring Data REST + Spring Security example.
Removed obsolete dependency declarations from pom.xml. Rewrote test cases to use Spring MVC test support instead of a running server and RestTemplate. Fixed Security configuration to allow bootstrap in Spring MVC test context. Formatting, JavaDoc. Original pull request: #22.
@@ -1,80 +1,53 @@
/*
* Copyright 2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package example.company;
import static org.hamcrest.CoreMatchers.*;
import static org.junit.Assert.*;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.test.IntegrationTest;
import org.springframework.boot.test.SpringApplicationConfiguration;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;
import com.fasterxml.jackson.databind.JsonNode;
/**
* Collection of test cases used to verify method-level security.
*
* @author Greg Turnquist
* @author Oliver Gierke
*/
@RunWith(SpringJUnit4ClassRunner.class)
@SpringApplicationConfiguration(classes = { Application.class, SecurityConfiguration.class })
@WebAppConfiguration
@IntegrationTest("server.port:0")
@SpringApplicationConfiguration(classes = { Application.class, SecurityConfiguration.class })
public class MethodLevelSecurityTests {
private String baseUrl;
@Value("${local.server.port}")
private int port;
@Autowired
ItemRepository itemRepository;
@Autowired ItemRepository itemRepository;
@Before
public void setUp() {
this.baseUrl = "http://localhost:" + port;
SecurityContextHolder.clearContext();
}
@Test
public void testMethodLevelSecurityForNoCreds() {
HttpHeaders headers = new HttpHeaders();
headers.set("Accept", "application/hal+json");
String creds = new String(Base64.encode(("greg:turnquist").getBytes()));
headers.set("Authorization", "Basic " + creds);
RestTemplate rest = new RestTemplate();
HttpEntity<MultiValueMap<String, Object>> request = new HttpEntity<>(null, headers);
System.out.println("============= GET " + baseUrl + "/items");
System.out.println(SecurityContextHolder.getContext().getAuthentication());
ResponseEntity<JsonNode> itemsResponse = rest.exchange(baseUrl + "/items", HttpMethod.GET, request, JsonNode.class);
itemsResponse.getHeaders().entrySet().stream()
.map(e -> e.getKey() + ": " + e.getValue())
.forEach(header -> System.out.println(header));
assertThat(itemsResponse.getHeaders().get("Content-Type"), hasItems("application/hal+json"));
assertThat(itemsResponse.getStatusCode(), equalTo(HttpStatus.OK));
System.out.println();
System.out.println(itemsResponse.getBody());
public void rejectsMethodInvocationsForNoAuth() {
try {
itemRepository.findAll();
@@ -99,7 +72,7 @@ public class MethodLevelSecurityTests {
}
@Test
public void testMethodLevelSecurityForUsers() {
public void rejectsMethodInvocationsForAuthWithInsufficientPermissions() {
SecurityUtils.runAs("system", "system", "ROLE_USER");
@@ -120,7 +93,7 @@ public class MethodLevelSecurityTests {
}
@Test
public void testMethodLevelSecurityForAdmins() {
public void allowsMethodInvocationsForAuthWithSufficientPermissions() {
SecurityUtils.runAs("system", "system", "ROLE_USER", "ROLE_ADMIN");
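Review bot: `rejectsMethodInvocationsForAuthWithInsufficientPermissions` and `allowsMethodInvocationsForAuthWithSufficientPermissions` populate the security context through `SecurityUtils.runAs(...)`, but the only cleanup in this class is the `SecurityContextHolder.clearContext()` in `@Before setUp()`; no `@After` appears in the hunks. With the default thread-local holder strategy, the `system` principal holding `ROLE_ADMIN` set by the last test can outlive this class on the runner thread and be inherited by other test classes sharing the cached Spring context, which would let an authorization failure elsewhere pass silently — unless `SecurityUtils.runAs` restores the previous context itself, which is not visible here. I would add `@After public void tearDown() { SecurityContextHolder.clearContext(); }` (importing `org.junit.After`) so each test leaves the context clean whether it passes or fails. The `try` in `rejectsMethodInvocationsForNoAuth` and the bodies of both `runAs` tests continue outside the hunks.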