Access Denied Handling Defaults

This introduces the capability for users to wire denial handling
by request matcher, similar to how users can already do with
authentication entry points.

This is handy for when denial behavior differs based on the contents
of the request, for example, when the Authorization header indicates
an OAuth2 Bearer Token request vs Basic authentication.

Fixes: gh-5478
This commit is contained in:
Josh Cummings
2018-06-12 12:13:42 -06:00
committed by Rob Winch
parent b7ccb63dfd
commit 28afb4e3d7
4 changed files with 356 additions and 9 deletions

View File

@@ -0,0 +1,100 @@
/*
* Copyright 2002-2018 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.access;
import java.util.LinkedHashMap;
import javax.servlet.http.HttpServletRequest;
import org.junit.Before;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
/**
* @author Josh Cummings
*/
public class RequestMatcherDelegatingAccessDeniedHandlerTests {
private RequestMatcherDelegatingAccessDeniedHandler delegator;
private LinkedHashMap<RequestMatcher, AccessDeniedHandler> deniedHandlers;
private AccessDeniedHandler accessDeniedHandler;
private HttpServletRequest request;
@Before
public void setup() {
this.accessDeniedHandler = mock(AccessDeniedHandler.class);
this.deniedHandlers = new LinkedHashMap<>();
this.request = new MockHttpServletRequest();
}
@Test
public void handleWhenNothingMatchesThenOnlyDefaultHandlerInvoked() throws Exception {
AccessDeniedHandler handler = mock(AccessDeniedHandler.class);
RequestMatcher matcher = mock(RequestMatcher.class);
when(matcher.matches(this.request)).thenReturn(false);
this.deniedHandlers.put(matcher, handler);
this.delegator = new RequestMatcherDelegatingAccessDeniedHandler(this.deniedHandlers, this.accessDeniedHandler);
this.delegator.handle(this.request, null, null);
verify(this.accessDeniedHandler).handle(this.request, null, null);
verify(handler, never()).handle(this.request, null, null);
}
@Test
public void handleWhenFirstMatchesThenOnlyFirstInvoked() throws Exception {
AccessDeniedHandler firstHandler = mock(AccessDeniedHandler.class);
RequestMatcher firstMatcher = mock(RequestMatcher.class);
AccessDeniedHandler secondHandler = mock(AccessDeniedHandler.class);
RequestMatcher secondMatcher = mock(RequestMatcher.class);
when(firstMatcher.matches(this.request)).thenReturn(true);
this.deniedHandlers.put(firstMatcher, firstHandler);
this.deniedHandlers.put(secondMatcher, secondHandler);
this.delegator = new RequestMatcherDelegatingAccessDeniedHandler(this.deniedHandlers, this.accessDeniedHandler);
this.delegator.handle(this.request, null, null);
verify(firstHandler).handle(this.request, null, null);
verify(secondHandler, never()).handle(this.request, null, null);
verify(this.accessDeniedHandler, never()).handle(this.request, null, null);
verify(secondMatcher, never()).matches(this.request);
}
@Test
public void handleWhenSecondMatchesThenOnlySecondInvoked() throws Exception {
AccessDeniedHandler firstHandler = mock(AccessDeniedHandler.class);
RequestMatcher firstMatcher = mock(RequestMatcher.class);
AccessDeniedHandler secondHandler = mock(AccessDeniedHandler.class);
RequestMatcher secondMatcher = mock(RequestMatcher.class);
when(firstMatcher.matches(this.request)).thenReturn(false);
when(secondMatcher.matches(this.request)).thenReturn(true);
this.deniedHandlers.put(firstMatcher, firstHandler);
this.deniedHandlers.put(secondMatcher, secondHandler);
this.delegator = new RequestMatcherDelegatingAccessDeniedHandler(this.deniedHandlers, this.accessDeniedHandler);
this.delegator.handle(this.request, null, null);
verify(secondHandler).handle(this.request, null, null);
verify(firstHandler, never()).handle(this.request, null, null);
verify(this.accessDeniedHandler, never()).handle(this.request, null, null);
}
}