Add DeferHttpSession*Tests

Closes gh-6125
This commit is contained in:
Rob Winch
2022-08-17 10:09:37 -05:00
parent 89f8310d6c
commit 1de810a565
3 changed files with 247 additions and 0 deletions

View File

@@ -0,0 +1,120 @@
/*
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.annotation.web.configuration;
import javax.servlet.FilterChain;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import static org.mockito.ArgumentMatchers.anyBoolean;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.verify;
@ExtendWith(SpringTestContextExtension.class)
public class DeferHttpSessionJavaConfigTests {
@Autowired
private FilterChainProxy springSecurityFilterChain;
@Autowired
private Service service;
public final SpringTestContext spring = new SpringTestContext(this);
@Test
public void explicitDeferHttpSession() throws Exception {
this.spring.register(DeferHttpSessionConfig.class).autowire();
MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
MockHttpServletRequest mockRequest = spy(request);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain chain = (httpRequest, httpResponse) -> httpResponse.getWriter().write(this.service.getMessage());
this.springSecurityFilterChain.doFilter(mockRequest, response, chain);
verify(mockRequest, never()).getSession(anyBoolean());
verify(mockRequest, never()).getSession();
}
@Configuration
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true)
static class DeferHttpSessionConfig {
@Bean
Service service() {
return new Service();
}
@Bean
DefaultSecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
LazyCsrfTokenRepository csrfRepository = new LazyCsrfTokenRepository(new HttpSessionCsrfTokenRepository());
csrfRepository.setDeferLoadToken(true);
HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
requestCache.setMatchingRequestParameterName("continue");
// @formatter:off
http
.requestCache((cache) -> cache
.requestCache(requestCache)
)
.securityContext((securityContext) -> securityContext
.requireExplicitSave(true)
)
.authorizeHttpRequests((requests) -> requests
.anyRequest().permitAll()
)
.sessionManagement((sessions) -> sessions
.requireExplicitAuthenticationStrategy(true)
)
.csrf((csrf) -> csrf
.csrfRequestAttributeName("_csrf")
.csrfTokenRepository(csrfRepository)
);
// @formatter:on
return http.build();
}
}
public static class Service {
@PreAuthorize("permitAll")
public String getMessage() {
return "message";
}
}
}

View File

@@ -0,0 +1,81 @@
/*
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.http;
import javax.servlet.FilterChain;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.web.FilterChainProxy;
import static org.mockito.ArgumentMatchers.anyBoolean;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.verify;
/**
* @author Rob Winch
*/
@ExtendWith(SpringTestContextExtension.class)
public class DeferHttpSessionXmlConfigTests {
private static final String CONFIG_LOCATION_PREFIX = "classpath:org/springframework/security/config/http/DeferHttpSessionTests";
@Autowired
FilterChainProxy springSecurityFilterChain;
@Autowired
private Service service;
public final SpringTestContext spring = new SpringTestContext(this);
@Test
public void explicitDeferHttpSession() throws Exception {
this.spring.configLocations(xml("Explicit")).autowire();
MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
MockHttpServletRequest mockRequest = spy(request);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain chain = (httpRequest, httpResponse) -> httpResponse.getWriter().write(this.service.getMessage());
this.springSecurityFilterChain.doFilter(mockRequest, response, chain);
verify(mockRequest, never()).getSession(anyBoolean());
verify(mockRequest, never()).getSession();
}
private static String xml(String configName) {
return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml";
}
public static class Service {
@PreAuthorize("permitAll")
public String getMessage() {
return "message";
}
}
}