SEC-1998: Provide integration with WebAsyncManager#startCallableProcessing

Support integration of the Spring SecurityContext on Callable's used with
WebAsyncManager by registering SecurityContextCallableProcessingInterceptor.
This commit is contained in:
Rob Winch
2012-11-28 17:56:03 -06:00
parent 1a7aaa85c4
commit 1ed643ca1f
29 changed files with 583 additions and 35 deletions

View File

@@ -1,13 +1,23 @@
package org.springframework.security.web.authentication.rememberme;
import static org.junit.Assert.*;
import static org.mockito.Mockito.*;
import static org.powermock.api.mockito.PowerMockito.*;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertSame;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.mock;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.core.classloader.annotations.PrepareOnlyThisForTest;
import org.powermock.modules.junit4.PowerMockRunner;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
@@ -19,17 +29,16 @@ import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.security.web.authentication.rememberme.CookieTheftException;
import org.springframework.security.web.authentication.rememberme.InvalidCookieException;
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationException;
import org.springframework.test.util.ReflectionTestUtils;
import org.springframework.util.ReflectionUtils;
import org.springframework.util.StringUtils;
/**
* @author Luke Taylor
*/
@SuppressWarnings("unchecked")
@RunWith(PowerMockRunner.class)
@PrepareOnlyThisForTest(ReflectionUtils.class)
public class AbstractRememberMeServicesTests {
static User joe = new User("joe", "password", true, true,true,true, AuthorityUtils.createAuthorityList("ROLE_A"));
@@ -333,6 +342,9 @@ public class AbstractRememberMeServicesTests {
@Test
public void setHttpOnlyIgnoredForServlet25() throws Exception {
spy(ReflectionUtils.class);
when(ReflectionUtils.findMethod(Cookie.class,"setHttpOnly", boolean.class)).thenReturn(null);
MockRememberMeServices services = new MockRememberMeServices();
assertNull(ReflectionTestUtils.getField(services, "setHttpOnlyMethod"));

View File

@@ -0,0 +1,77 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.web.context.request.async;
import static org.fest.assertions.Assertions.assertThat;
import java.util.concurrent.Callable;
import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.request.NativeWebRequest;
/**
*
* @author Rob Winch
*
*/
@RunWith(MockitoJUnitRunner.class)
public class SecurityContextCallableProcessingInterceptorTests {
@Mock
private SecurityContext securityContext;
@Mock
private Callable<?> callable;
@Mock
private NativeWebRequest webRequest;
@After
public void clearSecurityContext() {
SecurityContextHolder.clearContext();
}
@Test(expected = IllegalArgumentException.class)
public void constructorNull() {
new SecurityContextCallableProcessingInterceptor(null);
}
@Test
public void currentSecurityContext() throws Exception {
SecurityContextCallableProcessingInterceptor interceptor = new SecurityContextCallableProcessingInterceptor();
SecurityContextHolder.setContext(securityContext);
interceptor.beforeConcurrentHandling(webRequest, callable);
SecurityContextHolder.clearContext();
interceptor.preProcess(webRequest, callable);
assertThat(SecurityContextHolder.getContext()).isSameAs(securityContext);
interceptor.afterCompletion(webRequest, callable);
assertThat(SecurityContextHolder.getContext()).isNotSameAs(securityContext);
}
@Test
public void specificSecurityContext() throws Exception {
SecurityContextCallableProcessingInterceptor interceptor = new SecurityContextCallableProcessingInterceptor(
securityContext);
interceptor.preProcess(webRequest, callable);
assertThat(SecurityContextHolder.getContext()).isSameAs(securityContext);
interceptor.afterCompletion(webRequest, callable);
assertThat(SecurityContextHolder.getContext()).isNotSameAs(securityContext);
}
}

View File

@@ -0,0 +1,127 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.web.context.request.async;
import static org.fest.assertions.Assertions.assertThat;
import static org.mockito.Mockito.when;
import java.util.concurrent.Callable;
import java.util.concurrent.ThreadFactory;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.core.task.SimpleAsyncTaskExecutor;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.request.async.AsyncWebRequest;
import org.springframework.web.context.request.async.WebAsyncManager;
import org.springframework.web.context.request.async.WebAsyncUtils;
/**
*
* @author Rob Winch
*
*/
@RunWith(MockitoJUnitRunner.class)
public class WebAsyncManagerIntegrationFilterTests {
@Mock
private SecurityContext securityContext;
@Mock
private HttpServletRequest request;
@Mock
private HttpServletResponse response;
@Mock
private AsyncWebRequest asyncWebRequest;
private WebAsyncManager asyncManager;
private JoinableThreadFactory threadFactory;
private MockFilterChain filterChain;
private WebAsyncManagerIntegrationFilter filter;
@Before
public void setUp() {
when(asyncWebRequest.getNativeRequest(HttpServletRequest.class)).thenReturn(request);
when(request.getRequestURI()).thenReturn("/");
filterChain = new MockFilterChain();
threadFactory = new JoinableThreadFactory();
SimpleAsyncTaskExecutor executor = new SimpleAsyncTaskExecutor();
executor.setThreadFactory(threadFactory);
asyncManager = WebAsyncUtils.getAsyncManager(request);
asyncManager.setAsyncWebRequest(asyncWebRequest);
asyncManager.setTaskExecutor(executor);
when(request.getAttribute(WebAsyncUtils.WEB_ASYNC_MANAGER_ATTRIBUTE)).thenReturn(asyncManager);
filter = new WebAsyncManagerIntegrationFilter();
}
@After
public void clearSecurityContext() {
SecurityContextHolder.clearContext();
}
@Test
public void doFilterInternalRegistersSecurityContextCallableProcessor() throws Exception {
SecurityContextHolder.setContext(securityContext);
filter.doFilterInternal(request, response, filterChain);
VerifyingCallable verifyingCallable = new VerifyingCallable();
asyncManager.startCallableProcessing(verifyingCallable);
threadFactory.join();
assertThat(asyncManager.getConcurrentResult()).isSameAs(securityContext);
}
@Test
public void doFilterInternalRegistersSecurityContextCallableProcessorContextUpdated() throws Exception {
SecurityContextHolder.setContext(SecurityContextHolder.createEmptyContext());
filter.doFilterInternal(request, response, filterChain);
SecurityContextHolder.setContext(securityContext);
VerifyingCallable verifyingCallable = new VerifyingCallable();
asyncManager.startCallableProcessing(verifyingCallable);
threadFactory.join();
assertThat(asyncManager.getConcurrentResult()).isSameAs(securityContext);
}
private static final class JoinableThreadFactory implements ThreadFactory {
private Thread t;
public Thread newThread(Runnable r) {
t = new Thread(r);
return t;
}
public void join() throws InterruptedException {
t.join();
}
}
private class VerifyingCallable implements Callable<SecurityContext> {
public SecurityContext call() throws Exception {
return SecurityContextHolder.getContext();
}
}
}