Removed obsolete dependency declarations from pom.xml. Rewrote test cases to use Spring MVC test support instead of a running server and RestTemplate. Fixed Security configuration to allow bootstrap in Spring MVC test context. Formatting, JavaDoc. Original pull request: #22.
105 lines
2.9 KiB
Java
105 lines
2.9 KiB
Java
/*
|
|
* Copyright 2014 the original author or authors.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
package example.company;
|
|
|
|
import static org.junit.Assert.*;
|
|
|
|
import org.junit.Before;
|
|
import org.junit.Test;
|
|
import org.junit.runner.RunWith;
|
|
import org.springframework.beans.factory.annotation.Autowired;
|
|
import org.springframework.boot.test.SpringApplicationConfiguration;
|
|
import org.springframework.security.access.AccessDeniedException;
|
|
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
|
|
import org.springframework.security.core.context.SecurityContextHolder;
|
|
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
|
|
import org.springframework.test.context.web.WebAppConfiguration;
|
|
|
|
/**
|
|
* Collection of test cases used to verify method-level security.
|
|
*
|
|
* @author Greg Turnquist
|
|
* @author Oliver Gierke
|
|
*/
|
|
@RunWith(SpringJUnit4ClassRunner.class)
|
|
@WebAppConfiguration
|
|
@SpringApplicationConfiguration(classes = { Application.class, SecurityConfiguration.class })
|
|
public class MethodLevelSecurityTests {
|
|
|
|
@Autowired ItemRepository itemRepository;
|
|
|
|
@Before
|
|
public void setUp() {
|
|
SecurityContextHolder.clearContext();
|
|
}
|
|
|
|
@Test
|
|
public void rejectsMethodInvocationsForNoAuth() {
|
|
|
|
try {
|
|
itemRepository.findAll();
|
|
fail("Expected a security error");
|
|
} catch (AuthenticationCredentialsNotFoundException e) {
|
|
// expected
|
|
}
|
|
|
|
try {
|
|
itemRepository.save(new Item("MacBook Pro"));
|
|
fail("Expected a security error");
|
|
} catch (AuthenticationCredentialsNotFoundException e) {
|
|
// expected
|
|
}
|
|
|
|
try {
|
|
itemRepository.delete(1L);
|
|
fail("Expected a security error");
|
|
} catch (AuthenticationCredentialsNotFoundException e) {
|
|
// expected
|
|
}
|
|
}
|
|
|
|
@Test
|
|
public void rejectsMethodInvocationsForAuthWithInsufficientPermissions() {
|
|
|
|
SecurityUtils.runAs("system", "system", "ROLE_USER");
|
|
|
|
itemRepository.findAll();
|
|
|
|
try {
|
|
itemRepository.save(new Item("MacBook Pro"));
|
|
fail("Expected a security error");
|
|
} catch (AccessDeniedException e) {
|
|
// expected
|
|
}
|
|
try {
|
|
itemRepository.delete(1L);
|
|
fail("Expected a security error");
|
|
} catch (AccessDeniedException e) {
|
|
// expected
|
|
}
|
|
}
|
|
|
|
@Test
|
|
public void allowsMethodInvocationsForAuthWithSufficientPermissions() {
|
|
|
|
SecurityUtils.runAs("system", "system", "ROLE_USER", "ROLE_ADMIN");
|
|
|
|
itemRepository.findAll();
|
|
itemRepository.save(new Item("MacBook Pro"));
|
|
itemRepository.delete(1L);
|
|
}
|
|
}
|