Use AuthorizationManager in <http>

Closes gh-11305
This commit is contained in:
Josh Cummings
2022-05-31 15:10:00 -06:00
parent e125a76687
commit 2afa9313eb
24 changed files with 1013 additions and 1 deletions

View File

@@ -16,6 +16,7 @@
package org.springframework.security.config.http;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpServletResponseWrapper;
import org.apache.http.HttpStatus;
@@ -25,12 +26,17 @@ import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.test.web.servlet.MockMvc;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.verify;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -59,6 +65,30 @@ public class HttpConfigTests {
// @formatter:on
}
@Test
public void getWhenUsingMinimalAuthorizationManagerThenRedirectsToLogin() throws Exception {
this.spring.configLocations(this.xml("MinimalAuthorizationManager")).autowire();
// @formatter:off
this.mvc.perform(get("/"))
.andExpect(status().isFound())
.andExpect(redirectedUrl("http://localhost/login"));
// @formatter:on
}
@Test
public void getWhenUsingAuthorizationManagerThenRedirectsToLogin() throws Exception {
this.spring.configLocations(this.xml("AuthorizationManager")).autowire();
AuthorizationManager<HttpServletRequest> authorizationManager = this.spring.getContext()
.getBean(AuthorizationManager.class);
given(authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
// @formatter:off
this.mvc.perform(get("/"))
.andExpect(status().isFound())
.andExpect(redirectedUrl("http://localhost/login"));
// @formatter:on
verify(authorizationManager).check(any(), any());
}
@Test
public void getWhenUsingMinimalConfigurationThenPreventsSessionAsUrlParameter() throws Exception {
this.spring.configLocations(this.xml("Minimal")).autowire();

View File

@@ -27,8 +27,10 @@ import org.mockito.stubbing.Answer;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.parsing.BeanDefinitionParsingException;
import org.springframework.mock.web.MockServletContext;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.RequestPostProcessor;
import org.springframework.web.bind.annotation.PathVariable;
@@ -36,6 +38,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.ConfigurableWebApplicationContext;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
@@ -74,6 +77,23 @@ public class InterceptUrlConfigTests {
// @formatter:on
}
/**
* sec-2256
*/
@Test
public void requestWhenMethodIsSpecifiedAndAuthorizationManagerThenItIsNotGivenPriority() throws Exception {
this.spring.configLocations(this.xml("Sec2256AuthorizationManager")).autowire();
// @formatter:off
this.mvc.perform(post("/path").with(userCredentials()))
.andExpect(status().isOk());
this.mvc.perform(get("/path").with(userCredentials()))
.andExpect(status().isOk());
// @formatter:on
assertThat(this.spring.getContext().getBeanNamesForType(FilterInvocationSecurityMetadataSource.class))
.isEmpty();
assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
}
/**
* sec-2355
*/
@@ -90,6 +110,25 @@ public class InterceptUrlConfigTests {
// @formatter:on
}
/**
* sec-2355
*/
@Test
public void requestWhenUsingPatchAndAuthorizationManagerThenAuthorizesRequestsAccordingly() throws Exception {
this.spring.configLocations(this.xml("PatchMethodAuthorizationManager")).autowire();
// @formatter:off
this.mvc.perform(get("/path").with(userCredentials()))
.andExpect(status().isOk());
this.mvc.perform(patch("/path").with(userCredentials()))
.andExpect(status().isForbidden());
this.mvc.perform(patch("/path").with(adminCredentials()))
.andExpect(status().isOk());
// @formatter:on
assertThat(this.spring.getContext().getBeanNamesForType(FilterInvocationSecurityMetadataSource.class))
.isEmpty();
assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
}
@Test
public void requestWhenUsingHasAnyRoleThenAuthorizesRequestsAccordingly() throws Exception {
this.spring.configLocations(this.xml("HasAnyRole")).autowire();
@@ -101,6 +140,20 @@ public class InterceptUrlConfigTests {
// @formatter:on
}
@Test
public void requestWhenUsingHasAnyRoleAndAuthorizationManagerThenAuthorizesRequestsAccordingly() throws Exception {
this.spring.configLocations(this.xml("HasAnyRoleAuthorizationManager")).autowire();
// @formatter:off
this.mvc.perform(get("/path").with(userCredentials()))
.andExpect(status().isOk());
this.mvc.perform(get("/path").with(adminCredentials()))
.andExpect(status().isForbidden());
// @formatter:on
assertThat(this.spring.getContext().getBeanNamesForType(FilterInvocationSecurityMetadataSource.class))
.isEmpty();
assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
}
/**
* sec-2059
*/
@@ -117,6 +170,26 @@ public class InterceptUrlConfigTests {
// @formatter:on
}
/**
* sec-2059
*/
@Test
public void requestWhenUsingPathVariablesAndAuthorizationManagerThenAuthorizesRequestsAccordingly()
throws Exception {
this.spring.configLocations(this.xml("PathVariablesAuthorizationManager")).autowire();
// @formatter:off
this.mvc.perform(get("/path/user/path").with(userCredentials()))
.andExpect(status().isOk());
this.mvc.perform(get("/path/otheruser/path").with(userCredentials()))
.andExpect(status().isForbidden());
this.mvc.perform(get("/path").with(userCredentials()))
.andExpect(status().isForbidden());
// @formatter:on
assertThat(this.spring.getContext().getBeanNamesForType(FilterInvocationSecurityMetadataSource.class))
.isEmpty();
assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
}
/**
* gh-3786
*/
@@ -133,6 +206,26 @@ public class InterceptUrlConfigTests {
// @formatter:on
}
/**
* gh-3786
*/
@Test
public void requestWhenUsingCamelCasePathVariablesAndAuthorizationManagerThenAuthorizesRequestsAccordingly()
throws Exception {
this.spring.configLocations(this.xml("CamelCasePathVariablesAuthorizationManager")).autowire();
// @formatter:off
this.mvc.perform(get("/path/user/path").with(userCredentials()))
.andExpect(status().isOk());
this.mvc.perform(get("/path/otheruser/path").with(userCredentials()))
.andExpect(status().isForbidden());
this.mvc.perform(get("/PATH/user/path").with(userCredentials()))
.andExpect(status().isForbidden());
// @formatter:on
assertThat(this.spring.getContext().getBeanNamesForType(FilterInvocationSecurityMetadataSource.class))
.isEmpty();
assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
}
/**
* sec-2059
*/
@@ -147,6 +240,24 @@ public class InterceptUrlConfigTests {
// @formatter:on
}
/**
* sec-2059
*/
@Test
public void requestWhenUsingPathVariablesAndTypeConversionAndAuthorizationManagerThenAuthorizesRequestsAccordingly()
throws Exception {
this.spring.configLocations(this.xml("TypeConversionPathVariablesAuthorizationManager")).autowire();
// @formatter:off
this.mvc.perform(get("/path/1/path").with(userCredentials()))
.andExpect(status().isOk());
this.mvc.perform(get("/path/2/path").with(userCredentials()))
.andExpect(status().isForbidden());
// @formatter:on
assertThat(this.spring.getContext().getBeanNamesForType(FilterInvocationSecurityMetadataSource.class))
.isEmpty();
assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
}
@Test
public void requestWhenUsingMvcMatchersThenAuthorizesRequestsAccordingly() throws Exception {
this.spring.configLocations(this.xml("MvcMatchers")).autowire();
@@ -155,6 +266,17 @@ public class InterceptUrlConfigTests {
this.mvc.perform(get("/path/")).andExpect(status().isUnauthorized());
}
@Test
public void requestWhenUsingMvcMatchersAndAuthorizationManagerThenAuthorizesRequestsAccordingly() throws Exception {
this.spring.configLocations(this.xml("MvcMatchersAuthorizationManager")).autowire();
this.mvc.perform(get("/path")).andExpect(status().isUnauthorized());
this.mvc.perform(get("/path.html")).andExpect(status().isUnauthorized());
this.mvc.perform(get("/path/")).andExpect(status().isUnauthorized());
assertThat(this.spring.getContext().getBeanNamesForType(FilterInvocationSecurityMetadataSource.class))
.isEmpty();
assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
}
@Test
public void requestWhenUsingMvcMatchersAndPathVariablesThenAuthorizesRequestsAccordingly() throws Exception {
this.spring.configLocations(this.xml("MvcMatchersPathVariables")).autowire();
@@ -168,6 +290,23 @@ public class InterceptUrlConfigTests {
// @formatter:on
}
@Test
public void requestWhenUsingMvcMatchersAndPathVariablesAndAuthorizationManagerThenAuthorizesRequestsAccordingly()
throws Exception {
this.spring.configLocations(this.xml("MvcMatchersPathVariablesAuthorizationManager")).autowire();
// @formatter:off
this.mvc.perform(get("/path/user/path").with(userCredentials()))
.andExpect(status().isOk());
this.mvc.perform(get("/path/otheruser/path").with(userCredentials()))
.andExpect(status().isForbidden());
this.mvc.perform(get("/PATH/user/path").with(userCredentials()))
.andExpect(status().isForbidden());
// @formatter:on
assertThat(this.spring.getContext().getBeanNamesForType(FilterInvocationSecurityMetadataSource.class))
.isEmpty();
assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
}
@Test
public void requestWhenUsingMvcMatchersAndServletPathThenAuthorizesRequestsAccordingly() throws Exception {
this.spring.configLocations(this.xml("MvcMatchersServletPath")).autowire();
@@ -184,30 +323,74 @@ public class InterceptUrlConfigTests {
// @formatter:on
}
@Test
public void requestWhenUsingMvcMatchersAndServletPathAndAuthorizationManagerThenAuthorizesRequestsAccordingly()
throws Exception {
this.spring.configLocations(this.xml("MvcMatchersServletPathAuthorizationManager")).autowire();
MockServletContext servletContext = mockServletContext("/spring");
ConfigurableWebApplicationContext context = this.spring.getContext();
context.setServletContext(servletContext);
// @formatter:off
this.mvc.perform(get("/spring/path").servletPath("/spring"))
.andExpect(status().isUnauthorized());
this.mvc.perform(get("/spring/path.html").servletPath("/spring"))
.andExpect(status().isUnauthorized());
this.mvc.perform(get("/spring/path/").servletPath("/spring"))
.andExpect(status().isUnauthorized());
// @formatter:on
assertThat(this.spring.getContext().getBeanNamesForType(FilterInvocationSecurityMetadataSource.class))
.isEmpty();
assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
}
@Test
public void configureWhenUsingAntMatcherAndServletPathThenThrowsException() {
assertThatExceptionOfType(BeanDefinitionParsingException.class)
.isThrownBy(() -> this.spring.configLocations(this.xml("AntMatcherServletPath")).autowire());
}
@Test
public void configureWhenUsingAntMatcherAndServletPathAndAuthorizationManagerThenThrowsException() {
assertThatExceptionOfType(BeanDefinitionParsingException.class).isThrownBy(
() -> this.spring.configLocations(this.xml("AntMatcherServletPathAuthorizationManager")).autowire());
}
@Test
public void configureWhenUsingRegexMatcherAndServletPathThenThrowsException() {
assertThatExceptionOfType(BeanDefinitionParsingException.class)
.isThrownBy(() -> this.spring.configLocations(this.xml("RegexMatcherServletPath")).autowire());
}
@Test
public void configureWhenUsingRegexMatcherAndServletPathAndAuthorizationManagerThenThrowsException() {
assertThatExceptionOfType(BeanDefinitionParsingException.class).isThrownBy(
() -> this.spring.configLocations(this.xml("RegexMatcherServletPathAuthorizationManager")).autowire());
}
@Test
public void configureWhenUsingCiRegexMatcherAndServletPathThenThrowsException() {
assertThatExceptionOfType(BeanDefinitionParsingException.class)
.isThrownBy(() -> this.spring.configLocations(this.xml("CiRegexMatcherServletPath")).autowire());
}
@Test
public void configureWhenUsingCiRegexMatcherAndServletPathAndAuthorizationManagerThenThrowsException() {
assertThatExceptionOfType(BeanDefinitionParsingException.class).isThrownBy(() -> this.spring
.configLocations(this.xml("CiRegexMatcherServletPathAuthorizationManager")).autowire());
}
@Test
public void configureWhenUsingDefaultMatcherAndServletPathThenThrowsException() {
assertThatExceptionOfType(BeanDefinitionParsingException.class)
.isThrownBy(() -> this.spring.configLocations(this.xml("DefaultMatcherServletPath")).autowire());
}
@Test
public void configureWhenUsingDefaultMatcherAndServletPathAndAuthorizationManagerThenThrowsException() {
assertThatExceptionOfType(BeanDefinitionParsingException.class).isThrownBy(() -> this.spring
.configLocations(this.xml("DefaultMatcherServletPathAuthorizationManager")).autowire());
}
private static RequestPostProcessor adminCredentials() {
return httpBasic("admin", "password");
}