SEC-2781: Remove deprecations

This commit is contained in:
Rob Winch
2014-12-03 13:34:15 -06:00
parent 5bb0ce9a8f
commit 6e204fff72
177 changed files with 536 additions and 5022 deletions

View File

@@ -81,15 +81,6 @@ public class FilterChainProxyTests {
verify(chain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
}
@Test
@Deprecated
public void filterChainMapIsCorrect() throws Exception {
fcp.setFilterChainMap(fcp.getFilterChainMap());
Map<RequestMatcher, List<Filter>> filterChainMap = fcp.getFilterChainMap();
assertEquals(1, filterChainMap.size());
assertSame(filter, filterChainMap.get(matcher).get(0));
}
@Test
public void originalChainIsInvokedAfterSecurityChainIfMatchSucceeds() throws Exception {
when(matcher.matches(any(HttpServletRequest.class))).thenReturn(true);

View File

@@ -93,8 +93,7 @@ public class ExceptionTranslationFilterTests {
new AnonymousAuthenticationToken("ignored", "ignored", AuthorityUtils.createAuthorityList("IGNORED")));
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(mockEntryPoint);
ExceptionTranslationFilter filter = new ExceptionTranslationFilter(mockEntryPoint);
filter.setAuthenticationTrustResolver(new AuthenticationTrustResolverImpl());
assertNotNull(filter.getAuthenticationTrustResolver());
@@ -123,8 +122,7 @@ public class ExceptionTranslationFilterTests {
adh.setErrorPage("/error.jsp");
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(mockEntryPoint);
ExceptionTranslationFilter filter = new ExceptionTranslationFilter(mockEntryPoint);
filter.setAccessDeniedHandler(adh);
MockHttpServletResponse response = new MockHttpServletResponse();
@@ -149,8 +147,7 @@ public class ExceptionTranslationFilterTests {
doThrow(new BadCredentialsException("")).when(fc).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(mockEntryPoint);
ExceptionTranslationFilter filter = new ExceptionTranslationFilter(mockEntryPoint);
filter.afterPropertiesSet();
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, fc);
@@ -175,11 +172,9 @@ public class ExceptionTranslationFilterTests {
doThrow(new BadCredentialsException("")).when(fc).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(mockEntryPoint);
HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
ExceptionTranslationFilter filter = new ExceptionTranslationFilter(mockEntryPoint, requestCache);
requestCache.setPortResolver(new MockPortResolver(8080, 8443));
filter.setRequestCache(requestCache);
filter.afterPropertiesSet();
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, fc);
@@ -189,18 +184,12 @@ public class ExceptionTranslationFilterTests {
@Test(expected=IllegalArgumentException.class)
public void startupDetectsMissingAuthenticationEntryPoint() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setThrowableAnalyzer(mock(ThrowableAnalyzer.class));
filter.afterPropertiesSet();
new ExceptionTranslationFilter(null);
}
@Test(expected=IllegalArgumentException.class)
public void startupDetectsMissingRequestCache() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(mockEntryPoint);
filter.setRequestCache(null);
new ExceptionTranslationFilter(mockEntryPoint, null);
}
@Test
@@ -210,8 +199,7 @@ public class ExceptionTranslationFilterTests {
request.setServletPath("/secure/page.html");
// Test
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
filter.setAuthenticationEntryPoint(mockEntryPoint);
ExceptionTranslationFilter filter = new ExceptionTranslationFilter(mockEntryPoint);
assertSame(mockEntryPoint, filter.getAuthenticationEntryPoint());
MockHttpServletResponse response = new MockHttpServletResponse();
@@ -220,9 +208,8 @@ public class ExceptionTranslationFilterTests {
@Test
public void thrownIOExceptionServletExceptionAndRuntimeExceptionsAreRethrown() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
ExceptionTranslationFilter filter = new ExceptionTranslationFilter(mockEntryPoint);
filter.setAuthenticationEntryPoint(mockEntryPoint);
filter.afterPropertiesSet();
Exception[] exceptions = {new IOException(), new ServletException(), new RuntimeException()};
for (Exception e : exceptions) {

View File

@@ -15,8 +15,26 @@
package org.springframework.security.web.authentication;
import static org.junit.Assert.*;
import static org.mockito.Mockito.*;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.mockito.Matchers.any;
import static org.mockito.Matchers.anyString;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.junit.After;
@@ -33,19 +51,12 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServicesTests;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.firewall.DefaultHttpFirewall;
import org.springframework.test.util.ReflectionTestUtils;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
/**
* Tests {@link AbstractAuthenticationProcessingFilter}.
@@ -94,8 +105,12 @@ public class AbstractAuthenticationProcessingFilterTests {
MockAuthenticationFilter filter = new MockAuthenticationFilter();
filter.setFilterProcessesUrl("/j_spring_security_check");
request.setRequestURI("/mycontext/j_spring_security_check;jsessionid=I8MIONOSTHOR");
assertTrue(filter.requiresAuthentication(request, response));
DefaultHttpFirewall firewall = new DefaultHttpFirewall();
request.setServletPath("/j_spring_security_check;jsessionid=I8MIONOSTHOR");
// the firewall ensures that path parameters are ignored
HttpServletRequest firewallRequest = firewall.getFirewalledRequest(request);
assertTrue(filter.requiresAuthentication(firewallRequest, response));
}
@Test
@@ -132,10 +147,9 @@ public class AbstractAuthenticationProcessingFilterTests {
filter.afterPropertiesSet();
assertNotNull(filter.getRememberMeServices());
filter.setRememberMeServices(new TokenBasedRememberMeServices());
filter.setRememberMeServices(new TokenBasedRememberMeServices("key", new AbstractRememberMeServicesTests.MockUserDetailsService()));
assertEquals(TokenBasedRememberMeServices.class, filter.getRememberMeServices().getClass());
assertTrue(filter.getAuthenticationManager() != null);
assertEquals("/p", filter.getFilterProcessesUrl());
}
@Test
@@ -218,7 +232,7 @@ public class AbstractAuthenticationProcessingFilterTests {
filter.setFilterProcessesUrl(null);
fail("Should have thrown IllegalArgumentException");
} catch (IllegalArgumentException expected) {
assertEquals("filterProcessesUrl must be specified", expected.getMessage());
assertEquals("Pattern cannot be null or empty", expected.getMessage());
}
}
@@ -402,10 +416,6 @@ public class AbstractAuthenticationProcessingFilterTests {
throw exceptionToThrow;
}
}
public boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
return super.requiresAuthentication(request, response);
}
}
private class MockFilterChain implements FilterChain {

View File

@@ -24,9 +24,7 @@ import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.memory.UserAttribute;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
@@ -59,20 +57,12 @@ public class AnonymousAuthenticationFilterTests {
@Test(expected=IllegalArgumentException.class)
public void testDetectsMissingKey() throws Exception {
UserAttribute user = new UserAttribute();
user.setPassword("anonymousUsername");
user.addAuthority(new SimpleGrantedAuthority("ROLE_ANONYMOUS"));
AnonymousAuthenticationFilter filter = new AnonymousAuthenticationFilter();
filter.setUserAttribute(user);
filter.afterPropertiesSet();
new AnonymousAuthenticationFilter(null);
}
@Test(expected=IllegalArgumentException.class)
public void testDetectsUserAttribute() throws Exception {
AnonymousAuthenticationFilter filter = new AnonymousAuthenticationFilter();
filter.setKey("qwerty");
filter.afterPropertiesSet();
new AnonymousAuthenticationFilter("qwerty", null, null);
}
@Test
@@ -96,13 +86,7 @@ public class AnonymousAuthenticationFilterTests {
@Test
public void testOperationWhenNoAuthenticationInSecurityContextHolder() throws Exception {
UserAttribute user = new UserAttribute();
user.setPassword("anonymousUsername");
user.addAuthority(new SimpleGrantedAuthority("ROLE_ANONYMOUS"));
AnonymousAuthenticationFilter filter = new AnonymousAuthenticationFilter();
filter.setKey("qwerty");
filter.setUserAttribute(user);
AnonymousAuthenticationFilter filter = new AnonymousAuthenticationFilter("qwerty", "anonymousUsername", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
filter.afterPropertiesSet();
MockHttpServletRequest request = new MockHttpServletRequest();

View File

@@ -67,7 +67,6 @@ public class DefaultLoginPageGeneratingFilterTests {
MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
String message = messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials", Locale.KOREA);
System.out.println("Message: " + message);
request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, new BadCredentialsException(message));
filter.doFilter(request, new MockHttpServletResponse(), chain);

View File

@@ -37,34 +37,24 @@ public class LoginUrlAuthenticationEntryPointTests {
@Test(expected=IllegalArgumentException.class)
public void testDetectsMissingLoginFormUrl() throws Exception {
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint();
ep.setPortMapper(new PortMapperImpl());
ep.setPortResolver(new MockPortResolver(80, 443));
ep.afterPropertiesSet();
new LoginUrlAuthenticationEntryPoint(null);
}
@Test(expected=IllegalArgumentException.class)
public void testDetectsMissingPortMapper() throws Exception {
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint();
ep.setLoginFormUrl("xxx");
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint("/login");
ep.setPortMapper(null);
ep.afterPropertiesSet();
}
@Test(expected=IllegalArgumentException.class)
public void testDetectsMissingPortResolver() throws Exception {
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint();
ep.setLoginFormUrl("xxx");
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint("/login");
ep.setPortResolver(null);
ep.afterPropertiesSet();
}
@Test
public void testGettersSetters() {
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint();
ep.setLoginFormUrl("/hello");
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint("/hello");
ep.setPortMapper(new PortMapperImpl());
ep.setPortResolver(new MockPortResolver(8080, 8443));
assertEquals("/hello", ep.getLoginFormUrl());
@@ -91,8 +81,7 @@ public class LoginUrlAuthenticationEntryPointTests {
MockHttpServletResponse response = new MockHttpServletResponse();
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint();
ep.setLoginFormUrl("/hello");
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint("/hello");
ep.setPortMapper(new PortMapperImpl());
ep.setForceHttps(true);
ep.setPortMapper(new PortMapperImpl());
@@ -120,8 +109,7 @@ public class LoginUrlAuthenticationEntryPointTests {
portMapper.setPortMappings(map);
response = new MockHttpServletResponse();
ep = new LoginUrlAuthenticationEntryPoint();
ep.setLoginFormUrl("/hello");
ep = new LoginUrlAuthenticationEntryPoint("/hello");
ep.setPortMapper(new PortMapperImpl());
ep.setForceHttps(true);
ep.setPortMapper(portMapper);
@@ -143,8 +131,7 @@ public class LoginUrlAuthenticationEntryPointTests {
MockHttpServletResponse response = new MockHttpServletResponse();
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint();
ep.setLoginFormUrl("/hello");
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint("/hello");
ep.setPortMapper(new PortMapperImpl());
ep.setForceHttps(true);
ep.setPortMapper(new PortMapperImpl());
@@ -163,8 +150,7 @@ public class LoginUrlAuthenticationEntryPointTests {
@Test
public void testNormalOperation() throws Exception {
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint();
ep.setLoginFormUrl("/hello");
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint("/hello");
ep.setPortMapper(new PortMapperImpl());
ep.setPortResolver(new MockPortResolver(80, 443));
ep.afterPropertiesSet();
@@ -185,8 +171,7 @@ public class LoginUrlAuthenticationEntryPointTests {
@Test
public void testOperationWhenHttpsRequestsButHttpsPortUnknown() throws Exception {
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint();
ep.setLoginFormUrl("/hello");
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint("/hello");
ep.setPortResolver(new MockPortResolver(8888, 1234));
ep.setForceHttps(true);
ep.afterPropertiesSet();
@@ -209,8 +194,7 @@ public class LoginUrlAuthenticationEntryPointTests {
@Test
public void testServerSideRedirectWithoutForceHttpsForwardsToLoginPage() throws Exception {
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint();
ep.setLoginFormUrl("/hello");
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint("/hello");
ep.setUseForward(true);
ep.afterPropertiesSet();
MockHttpServletRequest request = new MockHttpServletRequest();
@@ -230,8 +214,7 @@ public class LoginUrlAuthenticationEntryPointTests {
@Test
public void testServerSideRedirectWithForceHttpsRedirectsCurrentRequest() throws Exception {
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint();
ep.setLoginFormUrl("/hello");
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint("/hello");
ep.setUseForward(true);
ep.setForceHttps(true);
ep.afterPropertiesSet();
@@ -253,9 +236,8 @@ public class LoginUrlAuthenticationEntryPointTests {
// SEC-1498
@Test
public void absoluteLoginFormUrlIsSupported() throws Exception {
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint();
final String loginFormUrl = "http://somesite.com/login";
ep.setLoginFormUrl(loginFormUrl);
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint(loginFormUrl);
ep.afterPropertiesSet();
MockHttpServletResponse response = new MockHttpServletResponse();
ep.commence(new MockHttpServletRequest("GET", "/someUrl"), response, null);
@@ -264,9 +246,8 @@ public class LoginUrlAuthenticationEntryPointTests {
@Test(expected=IllegalArgumentException.class)
public void absoluteLoginFormUrlCantBeUsedWithForwarding() throws Exception {
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint();
final String loginFormUrl = "http://somesite.com/login";
ep.setLoginFormUrl(loginFormUrl);
LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint("http://somesite.com/login");
ep.setUseForward(true);
ep.afterPropertiesSet();
}

View File

@@ -49,7 +49,6 @@ public class UsernamePasswordAuthenticationFilterTests extends TestCase {
request.addParameter(UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_PASSWORD_KEY, "koala");
UsernamePasswordAuthenticationFilter filter = new UsernamePasswordAuthenticationFilter();
assertEquals("/j_spring_security_check", filter.getFilterProcessesUrl());
filter.setAuthenticationManager(createAuthenticationManager());
// filter.init(null);

View File

@@ -6,6 +6,7 @@ import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.firewall.DefaultHttpFirewall;
/**
* @author Luke Taylor
@@ -21,9 +22,12 @@ public class LogoutHandlerTests extends TestCase {
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
request.setRequestURI("/j_spring_security_logout;someparam=blah?otherparam=blah");
request.setRequestURI("/context/j_spring_security_logout;someparam=blah?param=blah");
request.setServletPath("/j_spring_security_logout;someparam=blah");
request.setQueryString("otherparam=blah");
assertTrue(filter.requiresLogout(request, response));
DefaultHttpFirewall fw = new DefaultHttpFirewall();
assertTrue(filter.requiresLogout(fw.getFirewalledRequest(request), response));
}
public void testRequiresLogoutUrlWorksWithQueryParams() {
@@ -31,7 +35,9 @@ public class LogoutHandlerTests extends TestCase {
request.setContextPath("/context");
MockHttpServletResponse response = new MockHttpServletResponse();
request.setServletPath("/j_spring_security_logout");
request.setRequestURI("/context/j_spring_security_logout?param=blah");
request.setQueryString("otherparam=blah");
assertTrue(filter.requiresLogout(request, response));
}

View File

@@ -1,68 +0,0 @@
package org.springframework.security.web.authentication.preauth.websphere;
import static org.junit.Assert.*;
import static org.mockito.Mockito.*;
import org.aopalliance.intercept.MethodInvocation;
import org.junit.After;
import org.junit.Test;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import java.util.List;
/**
*
* @author Luke Taylor
* @since 3.0
*/
public class WebSphere2SpringSecurityPropagationInterceptorTests {
@After
public void clearContext() {
SecurityContextHolder.clearContext();
}
/** SEC-1078 */
@SuppressWarnings("unchecked")
@Test
public void createdAuthenticationTokenIsAcceptableToPreauthProvider () throws Throwable {
WASUsernameAndGroupsExtractor helper = mock(WASUsernameAndGroupsExtractor.class);
when(helper.getCurrentUserName()).thenReturn("joe");
WebSphere2SpringSecurityPropagationInterceptor interceptor =
new WebSphere2SpringSecurityPropagationInterceptor(helper);
final SecurityContext context = new SecurityContextImpl();
interceptor.setAuthenticationManager(new AuthenticationManager() {
public Authentication authenticate(Authentication authentication) {
// Store the auth object
context.setAuthentication(authentication);
return null;
}
});
interceptor.setAuthenticationDetailsSource(mock(AuthenticationDetailsSource.class));
interceptor.invoke(mock(MethodInvocation.class));
PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
AuthenticationUserDetailsService uds = mock(AuthenticationUserDetailsService.class);
UserDetails user = mock(UserDetails.class);
List authorities = AuthorityUtils.createAuthorityList("SOME_ROLE");
when(user.getAuthorities()).thenReturn(authorities);
when(uds.loadUserDetails(any(Authentication.class))).thenReturn(user);
provider.setPreAuthenticatedUserDetailsService(uds);
provider.setUserDetailsChecker(mock(UserDetailsChecker.class));
assertNotNull(provider.authenticate(context.getAuthentication()));
}
}

View File

@@ -13,8 +13,10 @@ import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.core.classloader.annotations.PrepareOnlyThisForTest;
import org.powermock.modules.junit4.PowerMockRunner;
@@ -42,17 +44,23 @@ import org.springframework.util.StringUtils;
public class AbstractRememberMeServicesTests {
static User joe = new User("joe", "password", true, true,true,true, AuthorityUtils.createAuthorityList("ROLE_A"));
MockUserDetailsService uds;
@Before
public void setup() {
uds = new MockUserDetailsService(joe, false);
}
@Test(expected = InvalidCookieException.class)
public void nonBase64CookieShouldBeDetected() {
new MockRememberMeServices().decodeCookie("nonBase64CookieValue%");
new MockRememberMeServices(uds).decodeCookie("nonBase64CookieValue%");
}
@Test
public void setAndGetAreConsistent() throws Exception {
MockRememberMeServices services = new MockRememberMeServices();
MockRememberMeServices services = new MockRememberMeServices(uds);
assertNotNull(services.getCookieName());
assertNotNull(services.getParameter());
services.setKey("xxxx");
assertEquals("xxxx", services.getKey());
services.setParameter("rm");
assertEquals("rm", services.getParameter());
@@ -60,8 +68,6 @@ public class AbstractRememberMeServicesTests {
assertEquals("kookie", services.getCookieName());
services.setTokenValiditySeconds(600);
assertEquals(600, services.getTokenValiditySeconds());
UserDetailsService uds = mock(UserDetailsService.class);
services.setUserDetailsService(uds);
assertSame(uds, services.getUserDetailsService());
AuthenticationDetailsSource ads = mock(AuthenticationDetailsSource.class);
services.setAuthenticationDetailsSource(ads);
@@ -72,7 +78,7 @@ public class AbstractRememberMeServicesTests {
@Test
public void cookieShouldBeCorrectlyEncodedAndDecoded() throws Exception {
String[] cookie = new String[] {"name", "cookie", "tokens", "blah"};
MockRememberMeServices services = new MockRememberMeServices();
MockRememberMeServices services = new MockRememberMeServices(uds);
String encoded = services.encodeCookie(cookie);
// '=' aren't allowed in version 0 cookies.
@@ -89,7 +95,7 @@ public class AbstractRememberMeServicesTests {
@Test
public void cookieWithOpenIDidentifierAsNameIsEncodedAndDecoded() throws Exception {
String[] cookie = new String[] {"http://id.openid.zz", "cookie", "tokens", "blah"};
MockRememberMeServices services = new MockRememberMeServices();
MockRememberMeServices services = new MockRememberMeServices(uds);
String[] decoded = services.decodeCookie(services.encodeCookie(cookie));
assertEquals(4, decoded.length);
@@ -104,7 +110,7 @@ public class AbstractRememberMeServicesTests {
@Test
public void autoLoginShouldReturnNullIfNoLoginCookieIsPresented() {
MockRememberMeServices services = new MockRememberMeServices();
MockRememberMeServices services = new MockRememberMeServices(uds);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
@@ -123,8 +129,7 @@ public class AbstractRememberMeServicesTests {
@Test
public void successfulAutoLoginReturnsExpectedAuthentication() throws Exception {
MockRememberMeServices services = new MockRememberMeServices();
services.setUserDetailsService(new MockUserDetailsService(joe, false));
MockRememberMeServices services = new MockRememberMeServices(uds);
services.afterPropertiesSet();
assertNotNull(services.getUserDetailsService());
@@ -140,7 +145,7 @@ public class AbstractRememberMeServicesTests {
@Test
public void autoLoginShouldFailIfCookieIsNotBase64() throws Exception {
MockRememberMeServices services = new MockRememberMeServices();
MockRememberMeServices services = new MockRememberMeServices(uds);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
@@ -152,7 +157,7 @@ public class AbstractRememberMeServicesTests {
@Test
public void autoLoginShouldFailIfCookieIsEmpty() throws Exception {
MockRememberMeServices services = new MockRememberMeServices();
MockRememberMeServices services = new MockRememberMeServices(uds);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
@@ -164,8 +169,7 @@ public class AbstractRememberMeServicesTests {
@Test
public void autoLoginShouldFailIfInvalidCookieExceptionIsRaised() {
MockRememberMeServices services = new MockRememberMeServices();
// services.setUserDetailsService(new MockUserDetailsService(joe, true));
MockRememberMeServices services = new MockRememberMeServices(new MockUserDetailsService(joe, true));
MockHttpServletRequest request = new MockHttpServletRequest();
// Wrong number of tokens
@@ -181,8 +185,8 @@ public class AbstractRememberMeServicesTests {
@Test
public void autoLoginShouldFailIfUserNotFound() {
MockRememberMeServices services = new MockRememberMeServices();
services.setUserDetailsService(new MockUserDetailsService(joe, true));
uds.setThrowException(true);
MockRememberMeServices services = new MockRememberMeServices(uds);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(createLoginCookie("cookie:1:2"));
@@ -197,10 +201,9 @@ public class AbstractRememberMeServicesTests {
@Test
public void autoLoginShouldFailIfUserAccountIsLocked() {
MockRememberMeServices services = new MockRememberMeServices();
MockRememberMeServices services = new MockRememberMeServices(uds);
services.setUserDetailsChecker(new AccountStatusUserDetailsChecker());
User joeLocked = new User("joe", "password",false,true,true,true,joe.getAuthorities());
services.setUserDetailsService(new MockUserDetailsService(joeLocked, false));
uds.toReturn = new User("joe", "password",false,true,true,true,joe.getAuthorities());
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(createLoginCookie("cookie:1:2"));
@@ -215,8 +218,8 @@ public class AbstractRememberMeServicesTests {
@Test
public void loginFailShouldCancelCookie() {
MockRememberMeServices services = new MockRememberMeServices();
services.setUserDetailsService(new MockUserDetailsService(joe, true));
uds.setThrowException(true);
MockRememberMeServices services = new MockRememberMeServices(uds);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setContextPath("contextpath");
@@ -230,7 +233,7 @@ public class AbstractRememberMeServicesTests {
@Test
public void logoutShouldCancelCookie() throws Exception {
MockRememberMeServices services = new MockRememberMeServices();
MockRememberMeServices services = new MockRememberMeServices(uds);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setContextPath("contextpath");
request.setCookies(createLoginCookie("cookie:1:2"));
@@ -247,13 +250,12 @@ public class AbstractRememberMeServicesTests {
@Test(expected = CookieTheftException.class)
public void cookieTheftExceptionShouldBeRethrown() {
MockRememberMeServices services = new MockRememberMeServices() {
MockRememberMeServices services = new MockRememberMeServices(uds) {
protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request, HttpServletResponse response) {
throw new CookieTheftException("Pretending cookie was stolen");
}
};
services.setUserDetailsService(new MockUserDetailsService(joe, false));
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(createLoginCookie("cookie:1:2"));
@@ -264,25 +266,24 @@ public class AbstractRememberMeServicesTests {
@Test
public void loginSuccessCallsOnLoginSuccessCorrectly() {
MockRememberMeServices services = new MockRememberMeServices();
MockRememberMeServices services = new MockRememberMeServices(uds);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
Authentication auth = new UsernamePasswordAuthenticationToken("joe","password");
// No parameter set
services = new MockRememberMeServices();
services.loginSuccess(request, response, auth);
assertFalse(services.loginSuccessCalled);
// Parameter set to true
services = new MockRememberMeServices();
services = new MockRememberMeServices(uds);
request.setParameter(MockRememberMeServices.DEFAULT_PARAMETER, "true");
services.loginSuccess(request, response, auth);
assertTrue(services.loginSuccessCalled);
// Different parameter name, set to true
services = new MockRememberMeServices();
services = new MockRememberMeServices(uds);
services.setParameter("my_parameter");
request.setParameter("my_parameter", "true");
services.loginSuccess(request, response, auth);
@@ -290,13 +291,13 @@ public class AbstractRememberMeServicesTests {
// Parameter set to false
services = new MockRememberMeServices();
services = new MockRememberMeServices(uds);
request.setParameter(MockRememberMeServices.DEFAULT_PARAMETER, "false");
services.loginSuccess(request, response, auth);
assertFalse(services.loginSuccessCalled);
// alwaysRemember set to true
services = new MockRememberMeServices();
services = new MockRememberMeServices(uds);
services.setAlwaysRemember(true);
services.loginSuccess(request, response, auth);
assertTrue(services.loginSuccessCalled);
@@ -307,7 +308,7 @@ public class AbstractRememberMeServicesTests {
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
request.setContextPath("contextpath");
MockRememberMeServices services = new MockRememberMeServices() {
MockRememberMeServices services = new MockRememberMeServices(uds) {
protected String encodeCookie(String[] cookieTokens) {
return cookieTokens[0];
}
@@ -329,7 +330,7 @@ public class AbstractRememberMeServicesTests {
MockHttpServletResponse response = new MockHttpServletResponse();
request.setContextPath("contextpath");
MockRememberMeServices services = new MockRememberMeServices() {
MockRememberMeServices services = new MockRememberMeServices(uds) {
protected String encodeCookie(String[] cookieTokens) {
return cookieTokens[0];
}
@@ -345,7 +346,7 @@ public class AbstractRememberMeServicesTests {
spy(ReflectionUtils.class);
when(ReflectionUtils.findMethod(Cookie.class,"setHttpOnly", boolean.class)).thenReturn(null);
MockRememberMeServices services = new MockRememberMeServices();
MockRememberMeServices services = new MockRememberMeServices(uds);
assertNull(ReflectionTestUtils.getField(services, "setHttpOnlyMethod"));
services = new MockRememberMeServices("key",new MockUserDetailsService(joe, false));
@@ -353,7 +354,7 @@ public class AbstractRememberMeServicesTests {
}
private Cookie[] createLoginCookie(String cookieToken) {
MockRememberMeServices services = new MockRememberMeServices();
MockRememberMeServices services = new MockRememberMeServices(uds);
Cookie cookie = new Cookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
services.encodeCookie(StringUtils.delimitedListToStringArray(cookieToken, ":")));
@@ -372,11 +373,15 @@ public class AbstractRememberMeServicesTests {
boolean loginSuccessCalled;
MockRememberMeServices(String key, UserDetailsService userDetailsService) {
super(key,userDetailsService);
super(key, userDetailsService);
}
MockRememberMeServices(UserDetailsService userDetailsService) {
super("xxxx", userDetailsService);
}
MockRememberMeServices() {
setKey("key");
this(new MockUserDetailsService(null,false));
}
protected void onLoginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) {
@@ -398,6 +403,10 @@ public class AbstractRememberMeServicesTests {
private UserDetails toReturn;
private boolean throwException;
public MockUserDetailsService() {
this(null, false);
}
public MockUserDetailsService(UserDetails toReturn, boolean throwException) {
this.toReturn = toReturn;
this.throwException = throwException;
@@ -410,5 +419,9 @@ public class AbstractRememberMeServicesTests {
return toReturn;
}
public void setThrowException(boolean value) {
this.throwException = value;
}
}
}

View File

@@ -3,6 +3,7 @@ package org.springframework.security.web.authentication.rememberme;
import static org.junit.Assert.*;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.Cookie;
@@ -18,6 +19,7 @@ import org.springframework.security.web.authentication.rememberme.PersistentReme
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationException;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServicesTests.*;
/**
* @author Luke Taylor
@@ -25,6 +27,8 @@ import org.springframework.security.web.authentication.rememberme.RememberMeAuth
public class PersistentTokenBasedRememberMeServicesTests {
private PersistentTokenBasedRememberMeServices services;
private MockTokenRepository repo;
@Before
public void setUpData() throws Exception {
services = new PersistentTokenBasedRememberMeServices("key",
@@ -44,22 +48,15 @@ public class PersistentTokenBasedRememberMeServicesTests {
@Test(expected = RememberMeAuthenticationException.class)
public void loginIsRejectedWhenNoTokenMatchingSeriesIsFound() {
services.setTokenRepository(new MockTokenRepository(null));
services = create(null);
services.processAutoLoginCookie(new String[] {"series", "token"}, new MockHttpServletRequest(),
new MockHttpServletResponse());
}
@Test(expected = RememberMeAuthenticationException.class)
public void loginIsRejectedWhenTokenIsExpired() {
MockTokenRepository repo =
new MockTokenRepository(new PersistentRememberMeToken("joe", "series","token", new Date()));
services.setTokenRepository(repo);
services = create(new PersistentRememberMeToken("joe", "series","token", new Date(System.currentTimeMillis() - TimeUnit.SECONDS.toMillis(1) - 100)));
services.setTokenValiditySeconds(1);
try {
Thread.sleep(1100);
} catch (InterruptedException e) {
}
services.setTokenRepository(repo);
services.processAutoLoginCookie(new String[] {"series", "token"}, new MockHttpServletRequest(),
new MockHttpServletResponse());
@@ -67,17 +64,14 @@ public class PersistentTokenBasedRememberMeServicesTests {
@Test(expected = CookieTheftException.class)
public void cookieTheftIsDetectedWhenSeriesAndTokenDontMatch() {
PersistentRememberMeToken token = new PersistentRememberMeToken("joe", "series","wrongtoken", new Date());
services.setTokenRepository(new MockTokenRepository(token));
services = create(new PersistentRememberMeToken("joe", "series","wrongtoken", new Date()));
services.processAutoLoginCookie(new String[] {"series", "token"}, new MockHttpServletRequest(),
new MockHttpServletResponse());
}
@Test
public void successfulAutoLoginCreatesNewTokenAndCookieWithSameSeries() {
MockTokenRepository repo =
new MockTokenRepository(new PersistentRememberMeToken("joe", "series","token", new Date()));
services.setTokenRepository(repo);
services = create(new PersistentRememberMeToken("joe", "series","token", new Date()));
// 12 => b64 length will be 16
services.setTokenLength(12);
MockHttpServletResponse response = new MockHttpServletResponse();
@@ -91,9 +85,8 @@ public class PersistentTokenBasedRememberMeServicesTests {
@Test
public void loginSuccessCreatesNewTokenAndCookieWithNewSeries() {
services = create(null);
services.setAlwaysRemember(true);
MockTokenRepository repo = new MockTokenRepository(null);
services.setTokenRepository(repo);
services.setTokenLength(12);
services.setSeriesLength(12);
MockHttpServletResponse response = new MockHttpServletResponse();
@@ -114,9 +107,7 @@ public class PersistentTokenBasedRememberMeServicesTests {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(cookie);
MockHttpServletResponse response = new MockHttpServletResponse();
MockTokenRepository repo =
new MockTokenRepository(new PersistentRememberMeToken("joe", "series","token", new Date()));
services.setTokenRepository(repo);
services = create(new PersistentRememberMeToken("joe", "series","token", new Date()));
services.logout(request, response, new TestingAuthenticationToken("joe","somepass","SOME_AUTH"));
Cookie returnedCookie = response.getCookie("mycookiename");
assertNotNull(returnedCookie);
@@ -126,6 +117,16 @@ public class PersistentTokenBasedRememberMeServicesTests {
services.logout(request, response, null);
}
private PersistentTokenBasedRememberMeServices create(PersistentRememberMeToken token) {
repo = new MockTokenRepository(token);
PersistentTokenBasedRememberMeServices services = new PersistentTokenBasedRememberMeServices("key",
new AbstractRememberMeServicesTests.MockUserDetailsService(AbstractRememberMeServicesTests.joe, false),
repo);
services.setCookieName("mycookiename");
return services;
}
private class MockTokenRepository implements PersistentTokenRepository {
private PersistentRememberMeToken storedToken;

View File

@@ -60,33 +60,12 @@ public class RememberMeAuthenticationFilterTests {
@Test(expected = IllegalArgumentException.class)
public void testDetectsAuthenticationManagerProperty() {
RememberMeAuthenticationFilter filter = new RememberMeAuthenticationFilter();
filter.setAuthenticationManager(mock(AuthenticationManager.class));
filter.setRememberMeServices(new NullRememberMeServices());
filter.afterPropertiesSet();
filter.setAuthenticationManager(null);
filter.afterPropertiesSet();
new RememberMeAuthenticationFilter(null, new NullRememberMeServices());
}
@Test(expected = IllegalArgumentException.class)
public void testDetectsRememberMeServicesProperty() {
RememberMeAuthenticationFilter filter = new RememberMeAuthenticationFilter();
filter.setAuthenticationManager(mock(AuthenticationManager.class));
// check default is NullRememberMeServices
// assertEquals(NullRememberMeServices.class, filter.getRememberMeServices().getClass());
// check getter/setter
filter.setRememberMeServices(new TokenBasedRememberMeServices());
assertEquals(TokenBasedRememberMeServices.class, filter.getRememberMeServices().getClass());
// check detects if made null
filter.setRememberMeServices(null);
filter.afterPropertiesSet();
new RememberMeAuthenticationFilter(mock(AuthenticationManager.class), null);
}
@Test
@@ -96,9 +75,7 @@ public class RememberMeAuthenticationFilterTests {
SecurityContextHolder.getContext().setAuthentication(originalAuth);
// Setup our filter correctly
RememberMeAuthenticationFilter filter = new RememberMeAuthenticationFilter();
filter.setAuthenticationManager(mock(AuthenticationManager.class));
filter.setRememberMeServices(new MockRememberMeServices(remembered));
RememberMeAuthenticationFilter filter = new RememberMeAuthenticationFilter(mock(AuthenticationManager.class), new MockRememberMeServices(remembered));
filter.afterPropertiesSet();
// Test
@@ -114,12 +91,10 @@ public class RememberMeAuthenticationFilterTests {
@Test
public void testOperationWhenNoAuthenticationInContextHolder() throws Exception {
RememberMeAuthenticationFilter filter = new RememberMeAuthenticationFilter();
AuthenticationManager am = mock(AuthenticationManager.class);
when(am.authenticate(remembered)).thenReturn(remembered);
filter.setAuthenticationManager(am);
filter.setRememberMeServices(new MockRememberMeServices(remembered));
RememberMeAuthenticationFilter filter = new RememberMeAuthenticationFilter(am, new MockRememberMeServices(remembered));
filter.afterPropertiesSet();
MockHttpServletRequest request = new MockHttpServletRequest();
@@ -135,17 +110,16 @@ public class RememberMeAuthenticationFilterTests {
@Test
public void onUnsuccessfulLoginIsCalledWhenProviderRejectsAuth() throws Exception {
final Authentication failedAuth = new TestingAuthenticationToken("failed", "");
AuthenticationManager am = mock(AuthenticationManager.class);
when(am.authenticate(any(Authentication.class))).thenThrow(new BadCredentialsException(""));
RememberMeAuthenticationFilter filter = new RememberMeAuthenticationFilter() {
RememberMeAuthenticationFilter filter = new RememberMeAuthenticationFilter(am, new MockRememberMeServices(remembered)) {
protected void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) {
super.onUnsuccessfulAuthentication(request, response, failed);
SecurityContextHolder.getContext().setAuthentication(failedAuth);
}
};
AuthenticationManager am = mock(AuthenticationManager.class);
when(am.authenticate(any(Authentication.class))).thenThrow(new BadCredentialsException(""));
filter.setAuthenticationManager(am);
filter.setRememberMeServices(new MockRememberMeServices(remembered));
filter.setApplicationEventPublisher(mock(ApplicationEventPublisher.class));
filter.afterPropertiesSet();
@@ -160,11 +134,9 @@ public class RememberMeAuthenticationFilterTests {
@Test
public void authenticationSuccessHandlerIsInvokedOnSuccessfulAuthenticationIfSet() throws Exception {
RememberMeAuthenticationFilter filter = new RememberMeAuthenticationFilter();
AuthenticationManager am = mock(AuthenticationManager.class);
when(am.authenticate(remembered)).thenReturn(remembered);
filter.setAuthenticationManager(am);
filter.setRememberMeServices(new MockRememberMeServices(remembered));
RememberMeAuthenticationFilter filter = new RememberMeAuthenticationFilter(am, new MockRememberMeServices(remembered));
filter.setAuthenticationSuccessHandler(new SimpleUrlAuthenticationSuccessHandler("/target"));
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();

View File

@@ -53,10 +53,8 @@ public class TokenBasedRememberMeServicesTests {
@Before
public void createTokenBasedRememberMeServices() {
services = new TokenBasedRememberMeServices();
uds = mock(UserDetailsService.class);
services.setKey("key");
services.setUserDetailsService(uds);
services = new TokenBasedRememberMeServices("key",uds);
}
void udsWillReturnUser() {
@@ -227,8 +225,7 @@ public class TokenBasedRememberMeServicesTests {
public void testGettersSetters() {
assertEquals(uds, services.getUserDetailsService());
services.setKey("d");
assertEquals("d", services.getKey());
assertEquals("key", services.getKey());
assertEquals(DEFAULT_PARAMETER, services.getParameter());
services.setParameter("some_param");
@@ -251,7 +248,7 @@ public class TokenBasedRememberMeServicesTests {
@Test
public void loginSuccessIgnoredIfParameterNotSetOrFalse() {
TokenBasedRememberMeServices services = new TokenBasedRememberMeServices();
TokenBasedRememberMeServices services = new TokenBasedRememberMeServices("key",new AbstractRememberMeServicesTests.MockUserDetailsService(null, false));
MockHttpServletRequest request = new MockHttpServletRequest();
request.addParameter(DEFAULT_PARAMETER, "false");

View File

@@ -1,116 +0,0 @@
/*
* Copyright 2002-2013 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.authentication.session;
import static org.junit.Assert.*;
import static org.mockito.AdditionalMatchers.not;
import static org.mockito.Matchers.anyObject;
import static org.mockito.Matchers.anyString;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.*;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.ArgumentCaptor;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
/**
*
* @author Rob Winch
*
*/
@RunWith(MockitoJUnitRunner.class)
public class ConcurrentSessionControlStrategyTests {
@Mock
private SessionRegistry sessionRegistry;
@Mock
private Authentication authentication;
private MockHttpServletRequest request;
private MockHttpServletResponse response;
private ConcurrentSessionControlStrategy strategy;
@Before
public void setup() throws Exception {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
strategy = new ConcurrentSessionControlStrategy(sessionRegistry);
}
@Test
public void onAuthenticationNewSession() {
strategy.onAuthentication(authentication, request, response);
verify(sessionRegistry,times(0)).removeSessionInformation(anyString());
verify(sessionRegistry).registerNewSession(anyString(), anyObject());
}
// SEC-1875
@Test
public void onAuthenticationChangeSession() {
String originalSessionId = request.getSession().getId();
strategy.onAuthentication(authentication, request, response);
verify(sessionRegistry,times(0)).removeSessionInformation(anyString());
verify(sessionRegistry).registerNewSession(not(eq(originalSessionId)), anyObject());
}
// SEC-2002
@Test
public void onAuthenticationChangeSessionWithEventPublisher() {
String originalSessionId = request.getSession().getId();
ApplicationEventPublisher eventPublisher = mock(ApplicationEventPublisher.class);
strategy.setApplicationEventPublisher(eventPublisher);
strategy.onAuthentication(authentication, request, response);
verify(sessionRegistry,times(0)).removeSessionInformation(anyString());
verify(sessionRegistry).registerNewSession(not(eq(originalSessionId)), anyObject());
ArgumentCaptor<ApplicationEvent> eventArgumentCaptor = ArgumentCaptor.forClass(ApplicationEvent.class);
verify(eventPublisher).publishEvent(eventArgumentCaptor.capture());
assertNotNull(eventArgumentCaptor.getValue());
assertTrue(eventArgumentCaptor.getValue() instanceof SessionFixationProtectionEvent);
SessionFixationProtectionEvent event = (SessionFixationProtectionEvent)eventArgumentCaptor.getValue();
assertEquals(originalSessionId, event.getOldSessionId());
assertEquals(request.getSession().getId(), event.getNewSessionId());
assertSame(authentication, event.getAuthentication());
}
@Test(expected=IllegalArgumentException.class)
public void setApplicationEventPublisherForbidsNulls() {
strategy.setApplicationEventPublisher(null);
}
@Test
public void onAuthenticationNoExceptionWhenRequireApplicationEventPublisherSet() {
strategy.onAuthentication(authentication, request, response);
}
}

View File

@@ -67,9 +67,7 @@ public class BasicAuthenticationFilterTests {
when(manager.authenticate(rodRequest)).thenReturn(rod);
when(manager.authenticate(not(eq(rodRequest)))).thenThrow(new BadCredentialsException(""));
filter = new BasicAuthenticationFilter();
filter.setAuthenticationManager(manager);
filter.setAuthenticationEntryPoint(new BasicAuthenticationEntryPoint());
filter = new BasicAuthenticationFilter(manager,new BasicAuthenticationEntryPoint());
}
@After
@@ -95,11 +93,7 @@ public class BasicAuthenticationFilterTests {
@Test
public void testGettersSetters() {
BasicAuthenticationFilter filter = new BasicAuthenticationFilter();
filter.setAuthenticationManager(manager);
assertThat(filter.getAuthenticationManager()).isNotNull();
filter.setAuthenticationEntryPoint(mock(AuthenticationEntryPoint.class));
assertThat(filter.getAuthenticationEntryPoint()).isNotNull();
}
@@ -168,16 +162,12 @@ public class BasicAuthenticationFilterTests {
@Test(expected=IllegalArgumentException.class)
public void testStartupDetectsMissingAuthenticationEntryPoint() throws Exception {
BasicAuthenticationFilter filter = new BasicAuthenticationFilter();
filter.setAuthenticationManager(manager);
filter.afterPropertiesSet();
new BasicAuthenticationFilter(manager, null);
}
@Test(expected=IllegalArgumentException.class)
public void testStartupDetectsMissingAuthenticationManager() throws Exception {
BasicAuthenticationFilter filter = new BasicAuthenticationFilter();
filter.setAuthenticationEntryPoint(mock(AuthenticationEntryPoint.class));
filter.afterPropertiesSet();
BasicAuthenticationFilter filter = new BasicAuthenticationFilter(null);
}
@Test
@@ -225,7 +215,7 @@ public class BasicAuthenticationFilterTests {
request.setServletPath("/some_file.html");
request.setSession(new MockHttpSession());
filter.setIgnoreFailure(true);
filter = new BasicAuthenticationFilter(manager);
assertThat(filter.isIgnoreFailure()).isTrue();
FilterChain chain = mock(FilterChain.class);
filter.doFilter(request, new MockHttpServletResponse(), chain);

View File

@@ -51,16 +51,14 @@ public class ConcurrentSessionFilterTests {
MockHttpServletResponse response = new MockHttpServletResponse();
// Setup our test fixture and registry to want this session to be expired
ConcurrentSessionFilter filter = new ConcurrentSessionFilter();
filter.setRedirectStrategy(new DefaultRedirectStrategy());
filter.setLogoutHandlers(new LogoutHandler[] {new SecurityContextLogoutHandler()});
SessionRegistry registry = new SessionRegistryImpl();
registry.registerNewSession(session.getId(), "principal");
registry.getSessionInformation(session.getId()).expireNow();
filter.setSessionRegistry(registry);
filter.setExpiredUrl("/expired.jsp");
// Setup our test fixture and registry to want this session to be expired
ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry,"/expired.jsp");
filter.setRedirectStrategy(new DefaultRedirectStrategy());
filter.setLogoutHandlers(new LogoutHandler[]{new SecurityContextLogoutHandler()});
filter.afterPropertiesSet();
FilterChain fc = mock(FilterChain.class);
@@ -80,11 +78,10 @@ public class ConcurrentSessionFilterTests {
MockHttpServletResponse response = new MockHttpServletResponse();
ConcurrentSessionFilter filter = new ConcurrentSessionFilter();
SessionRegistry registry = new SessionRegistryImpl();
registry.registerNewSession(session.getId(), "principal");
registry.getSessionInformation(session.getId()).expireNow();
filter.setSessionRegistry(registry);
ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry);
FilterChain fc = mock(FilterChain.class);
filter.doFilter(request, response, fc);
@@ -96,15 +93,12 @@ public class ConcurrentSessionFilterTests {
@Test(expected=IllegalArgumentException.class)
public void detectsMissingSessionRegistry() throws Exception {
ConcurrentSessionFilter filter = new ConcurrentSessionFilter();
filter.afterPropertiesSet();
new ConcurrentSessionFilter(null);
}
@Test(expected=IllegalArgumentException.class)
public void detectsInvalidUrl() throws Exception {
ConcurrentSessionFilter filter = new ConcurrentSessionFilter();
filter.setExpiredUrl("ImNotValid");
filter.afterPropertiesSet();
new ConcurrentSessionFilter(new SessionRegistryImpl(), "ImNotValid");
}
@Test
@@ -118,13 +112,11 @@ public class ConcurrentSessionFilterTests {
FilterChain fc = mock(FilterChain.class);
// Setup our test fixture
ConcurrentSessionFilter filter = new ConcurrentSessionFilter();
SessionRegistry registry = new SessionRegistryImpl();
registry.registerNewSession(session.getId(), "principal");
ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry, "/expired.jsp");
Date lastRequest = registry.getSessionInformation(session.getId()).getLastRequest();
filter.setSessionRegistry(registry);
filter.setExpiredUrl("/expired.jsp");
Thread.sleep(1000);

View File

@@ -61,14 +61,13 @@ public class SecurityContextPersistenceFilterTests {
public void loadedContextContextIsCopiedToSecurityContextHolderAndUpdatedContextIsStored() throws Exception {
final MockHttpServletRequest request = new MockHttpServletRequest();
final MockHttpServletResponse response = new MockHttpServletResponse();
SecurityContextPersistenceFilter filter = new SecurityContextPersistenceFilter();
final TestingAuthenticationToken beforeAuth = new TestingAuthenticationToken("someoneelse", "passwd", "ROLE_B");
final SecurityContext scBefore = new SecurityContextImpl();
final SecurityContext scExpectedAfter = new SecurityContextImpl();
scExpectedAfter.setAuthentication(testToken);
scBefore.setAuthentication(beforeAuth);
final SecurityContextRepository repo = mock(SecurityContextRepository.class);
filter.setSecurityContextRepository(repo);
SecurityContextPersistenceFilter filter = new SecurityContextPersistenceFilter(repo);
when(repo.loadContext(any(HttpRequestResponseHolder.class))).thenReturn(scBefore);
@@ -90,8 +89,7 @@ public class SecurityContextPersistenceFilterTests {
final FilterChain chain = mock(FilterChain.class);
final MockHttpServletRequest request = new MockHttpServletRequest();
final MockHttpServletResponse response = new MockHttpServletResponse();
SecurityContextPersistenceFilter filter = new SecurityContextPersistenceFilter();
filter.setSecurityContextRepository(mock(SecurityContextRepository.class));
SecurityContextPersistenceFilter filter = new SecurityContextPersistenceFilter(mock(SecurityContextRepository.class));
request.setAttribute(SecurityContextPersistenceFilter.FILTER_APPLIED, Boolean.TRUE);
filter.doFilter(request, response, chain);
@@ -114,9 +112,8 @@ public class SecurityContextPersistenceFilterTests {
final FilterChain chain = mock(FilterChain.class);
final MockHttpServletRequest request = new MockHttpServletRequest();
final MockHttpServletResponse response = new MockHttpServletResponse();
SecurityContextPersistenceFilter filter = new SecurityContextPersistenceFilter();
SecurityContextRepository repo = new NullSecurityContextRepository();
filter.setSecurityContextRepository(repo);
SecurityContextPersistenceFilter filter = new SecurityContextPersistenceFilter(repo);
filter.doFilter(request, response, chain);
assertFalse(repo.containsContext(request));
assertNull(request.getSession(false));

View File

@@ -66,8 +66,7 @@ public class SessionManagementFilterTests {
SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
// mock that repo contains a security context
when(repo.containsContext(any(HttpServletRequest.class))).thenReturn(true);
SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setSessionAuthenticationStrategy(strategy);
SessionManagementFilter filter = new SessionManagementFilter(repo,strategy);
HttpServletRequest request = new MockHttpServletRequest();
authenticateUser();
@@ -80,8 +79,7 @@ public class SessionManagementFilterTests {
public void strategyIsNotInvokedIfAuthenticationIsNull() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setSessionAuthenticationStrategy(strategy);
SessionManagementFilter filter = new SessionManagementFilter(repo,strategy);
HttpServletRequest request = new MockHttpServletRequest();
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
@@ -94,8 +92,7 @@ public class SessionManagementFilterTests {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
// repo will return false to containsContext()
SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setSessionAuthenticationStrategy(strategy);
SessionManagementFilter filter = new SessionManagementFilter(repo,strategy);
HttpServletRequest request = new MockHttpServletRequest();
authenticateUser();
@@ -114,9 +111,8 @@ public class SessionManagementFilterTests {
SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
AuthenticationFailureHandler failureHandler = mock(AuthenticationFailureHandler.class);
SessionManagementFilter filter = new SessionManagementFilter(repo);
SessionManagementFilter filter = new SessionManagementFilter(repo,strategy);
filter.setAuthenticationFailureHandler(failureHandler);
filter.setSessionAuthenticationStrategy(strategy);
HttpServletRequest request = new MockHttpServletRequest();
HttpServletResponse response = new MockHttpServletResponse();
FilterChain fc = mock(FilterChain.class);
@@ -135,8 +131,7 @@ public class SessionManagementFilterTests {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
// repo will return false to containsContext()
SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setSessionAuthenticationStrategy(strategy);
SessionManagementFilter filter = new SessionManagementFilter(repo,strategy);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRequestedSessionId("xxx");
request.setRequestedSessionIdValid(false);