Access Denied Handling Defaults
This introduces the capability for users to wire denial handling by request matcher, similar to how users can already do with authentication entry points. This is handy for when denial behavior differs based on the contents of the request, for example, when the Authorization header indicates an OAuth2 Bearer Token request vs Basic authentication. Fixes: gh-5478
This commit is contained in:
@@ -0,0 +1,100 @@
|
||||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.access;
|
||||
|
||||
import java.util.LinkedHashMap;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.never;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
/**
|
||||
* @author Josh Cummings
|
||||
*/
|
||||
public class RequestMatcherDelegatingAccessDeniedHandlerTests {
|
||||
private RequestMatcherDelegatingAccessDeniedHandler delegator;
|
||||
private LinkedHashMap<RequestMatcher, AccessDeniedHandler> deniedHandlers;
|
||||
private AccessDeniedHandler accessDeniedHandler;
|
||||
private HttpServletRequest request;
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
this.accessDeniedHandler = mock(AccessDeniedHandler.class);
|
||||
this.deniedHandlers = new LinkedHashMap<>();
|
||||
this.request = new MockHttpServletRequest();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenNothingMatchesThenOnlyDefaultHandlerInvoked() throws Exception {
|
||||
AccessDeniedHandler handler = mock(AccessDeniedHandler.class);
|
||||
RequestMatcher matcher = mock(RequestMatcher.class);
|
||||
when(matcher.matches(this.request)).thenReturn(false);
|
||||
this.deniedHandlers.put(matcher, handler);
|
||||
this.delegator = new RequestMatcherDelegatingAccessDeniedHandler(this.deniedHandlers, this.accessDeniedHandler);
|
||||
|
||||
this.delegator.handle(this.request, null, null);
|
||||
|
||||
verify(this.accessDeniedHandler).handle(this.request, null, null);
|
||||
verify(handler, never()).handle(this.request, null, null);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenFirstMatchesThenOnlyFirstInvoked() throws Exception {
|
||||
AccessDeniedHandler firstHandler = mock(AccessDeniedHandler.class);
|
||||
RequestMatcher firstMatcher = mock(RequestMatcher.class);
|
||||
AccessDeniedHandler secondHandler = mock(AccessDeniedHandler.class);
|
||||
RequestMatcher secondMatcher = mock(RequestMatcher.class);
|
||||
when(firstMatcher.matches(this.request)).thenReturn(true);
|
||||
this.deniedHandlers.put(firstMatcher, firstHandler);
|
||||
this.deniedHandlers.put(secondMatcher, secondHandler);
|
||||
this.delegator = new RequestMatcherDelegatingAccessDeniedHandler(this.deniedHandlers, this.accessDeniedHandler);
|
||||
|
||||
this.delegator.handle(this.request, null, null);
|
||||
|
||||
verify(firstHandler).handle(this.request, null, null);
|
||||
verify(secondHandler, never()).handle(this.request, null, null);
|
||||
verify(this.accessDeniedHandler, never()).handle(this.request, null, null);
|
||||
verify(secondMatcher, never()).matches(this.request);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenSecondMatchesThenOnlySecondInvoked() throws Exception {
|
||||
AccessDeniedHandler firstHandler = mock(AccessDeniedHandler.class);
|
||||
RequestMatcher firstMatcher = mock(RequestMatcher.class);
|
||||
AccessDeniedHandler secondHandler = mock(AccessDeniedHandler.class);
|
||||
RequestMatcher secondMatcher = mock(RequestMatcher.class);
|
||||
when(firstMatcher.matches(this.request)).thenReturn(false);
|
||||
when(secondMatcher.matches(this.request)).thenReturn(true);
|
||||
this.deniedHandlers.put(firstMatcher, firstHandler);
|
||||
this.deniedHandlers.put(secondMatcher, secondHandler);
|
||||
this.delegator = new RequestMatcherDelegatingAccessDeniedHandler(this.deniedHandlers, this.accessDeniedHandler);
|
||||
|
||||
this.delegator.handle(this.request, null, null);
|
||||
|
||||
verify(secondHandler).handle(this.request, null, null);
|
||||
verify(firstHandler, never()).handle(this.request, null, null);
|
||||
verify(this.accessDeniedHandler, never()).handle(this.request, null, null);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user