Add SecurityContextHolderStrategy to Default Components
Issue gh-11060
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -36,6 +36,7 @@ import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||
import org.springframework.security.web.firewall.FirewalledRequest;
|
||||
import org.springframework.security.web.firewall.HttpFirewall;
|
||||
import org.springframework.security.web.firewall.RequestRejectedException;
|
||||
@@ -198,6 +199,15 @@ public class FilterChainProxyTests {
|
||||
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenCustomSecurityContextHolderStrategyClearsSecurityContext() throws Exception {
|
||||
SecurityContextHolderStrategy strategy = mock(SecurityContextHolderStrategy.class);
|
||||
this.fcp.setSecurityContextHolderStrategy(strategy);
|
||||
given(this.matcher.matches(any(HttpServletRequest.class))).willReturn(true);
|
||||
this.fcp.doFilter(this.request, this.response, this.chain);
|
||||
verify(strategy).clearContext();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterClearsSecurityContextHolderWithException() throws Exception {
|
||||
given(this.matcher.matches(any(HttpServletRequest.class))).willReturn(true);
|
||||
|
||||
@@ -38,6 +38,7 @@ import org.springframework.security.authorization.AuthorizationManager;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContext;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||
import org.springframework.security.core.context.SecurityContextImpl;
|
||||
import org.springframework.web.util.WebUtils;
|
||||
|
||||
@@ -72,9 +73,9 @@ public class AuthorizationFilterTests {
|
||||
AuthorizationFilter filter = new AuthorizationFilter(mockAuthorizationManager);
|
||||
TestingAuthenticationToken authenticationToken = new TestingAuthenticationToken("user", "password");
|
||||
|
||||
SecurityContext securityContext = new SecurityContextImpl();
|
||||
securityContext.setAuthentication(authenticationToken);
|
||||
SecurityContextHolder.setContext(securityContext);
|
||||
SecurityContextHolderStrategy strategy = mock(SecurityContextHolderStrategy.class);
|
||||
given(strategy.getContext()).willReturn(new SecurityContextImpl(authenticationToken));
|
||||
filter.setSecurityContextHolderStrategy(strategy);
|
||||
|
||||
MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
|
||||
MockHttpServletResponse mockResponse = new MockHttpServletResponse();
|
||||
@@ -88,6 +89,7 @@ public class AuthorizationFilterTests {
|
||||
assertThat(authentication.get()).isEqualTo(authenticationToken);
|
||||
|
||||
verify(mockFilterChain).doFilter(mockRequest, mockResponse);
|
||||
verify(strategy).getContext();
|
||||
}
|
||||
|
||||
@Test
|
||||
|
||||
@@ -35,11 +35,17 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.authority.AuthorityUtils;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||
import org.springframework.security.core.context.SecurityContextImpl;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.assertj.core.api.Assertions.fail;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.never;
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
||||
/**
|
||||
* Tests {@link AnonymousAuthenticationFilter}.
|
||||
@@ -74,16 +80,19 @@ public class AnonymousAuthenticationFilterTests {
|
||||
public void testOperationWhenAuthenticationExistsInContextHolder() throws Exception {
|
||||
// Put an Authentication object into the SecurityContextHolder
|
||||
Authentication originalAuth = new TestingAuthenticationToken("user", "password", "ROLE_A");
|
||||
SecurityContextHolder.getContext().setAuthentication(originalAuth);
|
||||
SecurityContextHolderStrategy strategy = mock(SecurityContextHolderStrategy.class);
|
||||
given(strategy.getContext()).willReturn(new SecurityContextImpl(originalAuth));
|
||||
AnonymousAuthenticationFilter filter = new AnonymousAuthenticationFilter("qwerty", "anonymousUsername",
|
||||
AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
|
||||
filter.setSecurityContextHolderStrategy(strategy);
|
||||
// Test
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setRequestURI("x");
|
||||
executeFilterInContainerSimulator(mock(FilterConfig.class), filter, request, new MockHttpServletResponse(),
|
||||
new MockFilterChain(true));
|
||||
// Ensure filter didn't change our original object
|
||||
assertThat(SecurityContextHolder.getContext().getAuthentication()).isEqualTo(originalAuth);
|
||||
verify(strategy).getContext();
|
||||
verify(strategy, never()).setContext(any());
|
||||
}
|
||||
|
||||
@Test
|
||||
|
||||
@@ -17,20 +17,28 @@
|
||||
package org.springframework.security.web.authentication;
|
||||
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.mockito.ArgumentCaptor;
|
||||
import org.mockito.stubbing.Answer;
|
||||
|
||||
import org.springframework.mock.web.MockFilterChain;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.authentication.AuthenticationManager;
|
||||
import org.springframework.security.authentication.BadCredentialsException;
|
||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.security.core.context.SecurityContext;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.spy;
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
||||
/**
|
||||
* Tests {@link UsernamePasswordAuthenticationFilter}.
|
||||
@@ -118,6 +126,22 @@ public class UsernamePasswordAuthenticationFilterTests {
|
||||
.isThrownBy(() -> filter.attemptAuthentication(request, new MockHttpServletResponse()));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSecurityContextHolderStrategyUsed() throws Exception {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("POST", "/login");
|
||||
request.setServletPath("/login");
|
||||
request.addParameter(UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_USERNAME_KEY, "rod");
|
||||
request.addParameter(UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_PASSWORD_KEY, "koala");
|
||||
UsernamePasswordAuthenticationFilter filter = new UsernamePasswordAuthenticationFilter();
|
||||
filter.setAuthenticationManager(createAuthenticationManager());
|
||||
SecurityContextHolderStrategy strategy = spy(SecurityContextHolder.getContextHolderStrategy());
|
||||
filter.setSecurityContextHolderStrategy(strategy);
|
||||
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
|
||||
ArgumentCaptor<SecurityContext> captor = ArgumentCaptor.forClass(SecurityContext.class);
|
||||
verify(strategy).setContext(captor.capture());
|
||||
assertThat(captor.getValue().getAuthentication()).isInstanceOf(UsernamePasswordAuthenticationToken.class);
|
||||
}
|
||||
|
||||
/**
|
||||
* SEC-571
|
||||
*/
|
||||
|
||||
@@ -28,6 +28,7 @@ import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.mockito.ArgumentCaptor;
|
||||
|
||||
import org.springframework.mock.web.MockFilterChain;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.mock.web.MockHttpSession;
|
||||
@@ -38,6 +39,7 @@ import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.authority.AuthorityUtils;
|
||||
import org.springframework.security.core.context.SecurityContext;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||
import org.springframework.security.test.web.CodecTestUtils;
|
||||
import org.springframework.security.web.authentication.WebAuthenticationDetails;
|
||||
import org.springframework.security.web.context.SecurityContextRepository;
|
||||
@@ -51,6 +53,7 @@ import static org.mockito.ArgumentMatchers.eq;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.never;
|
||||
import static org.mockito.Mockito.spy;
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
||||
/**
|
||||
@@ -146,6 +149,19 @@ public class BasicAuthenticationFilterTests {
|
||||
assertThat(SecurityContextHolder.getContext().getAuthentication().getName()).isEqualTo("rod");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSecurityContextHolderStrategyUsed() throws Exception {
|
||||
String token = "rod:koala";
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.addHeader("Authorization", "Basic " + CodecTestUtils.encodeBase64(token.getBytes()));
|
||||
SecurityContextHolderStrategy strategy = spy(SecurityContextHolder.getContextHolderStrategy());
|
||||
this.filter.setSecurityContextHolderStrategy(strategy);
|
||||
this.filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
|
||||
ArgumentCaptor<SecurityContext> captor = ArgumentCaptor.forClass(SecurityContext.class);
|
||||
verify(strategy).setContext(captor.capture());
|
||||
assertThat(captor.getValue().getAuthentication()).isInstanceOf(UsernamePasswordAuthenticationToken.class);
|
||||
}
|
||||
|
||||
// gh-5586
|
||||
@Test
|
||||
public void doFilterWhenSchemeLowercaseThenCaseInsensitveMatchWorks() throws Exception {
|
||||
|
||||
@@ -33,10 +33,12 @@ import org.springframework.security.authentication.TestAuthentication;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContext;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||
import org.springframework.security.core.context.SecurityContextImpl;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
||||
@ExtendWith(MockitoExtension.class)
|
||||
class SecurityContextHolderFilterTests {
|
||||
@@ -44,6 +46,9 @@ class SecurityContextHolderFilterTests {
|
||||
@Mock
|
||||
private SecurityContextRepository repository;
|
||||
|
||||
@Mock
|
||||
private SecurityContextHolderStrategy strategy;
|
||||
|
||||
@Mock
|
||||
private HttpServletRequest request;
|
||||
|
||||
@@ -78,6 +83,21 @@ class SecurityContextHolderFilterTests {
|
||||
assertThat(SecurityContextHolder.getContext()).isEqualTo(SecurityContextHolder.createEmptyContext());
|
||||
}
|
||||
|
||||
@Test
|
||||
void doFilterThenSetsAndClearsSecurityContextHolderStrategy() throws Exception {
|
||||
Authentication authentication = TestAuthentication.authenticatedUser();
|
||||
SecurityContext expectedContext = new SecurityContextImpl(authentication);
|
||||
given(this.repository.loadContext(this.requestArg.capture())).willReturn(() -> expectedContext);
|
||||
FilterChain filterChain = (request, response) -> {
|
||||
};
|
||||
|
||||
this.filter.setSecurityContextHolderStrategy(this.strategy);
|
||||
this.filter.doFilter(this.request, this.response, filterChain);
|
||||
|
||||
verify(this.strategy).setContext(expectedContext);
|
||||
verify(this.strategy).clearContext();
|
||||
}
|
||||
|
||||
@Test
|
||||
void shouldNotFilterErrorDispatchWhenDefault() {
|
||||
assertThat(this.filter.shouldNotFilterErrorDispatch()).isFalse();
|
||||
|
||||
Reference in New Issue
Block a user