RequestMatcherDelegatingAuthorizationManager defaults to deny
Closes gh-11958
This commit is contained in:
@@ -358,7 +358,7 @@ public class AuthorizeHttpRequestsConfigurerTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getWhenServletPathRoleAdminConfiguredAndRoleIsUserAndWithoutServletPathThenRespondsWithOk()
|
||||
public void getWhenServletPathRoleAdminConfiguredAndRoleIsUserAndWithoutServletPathThenRespondsWithForbidden()
|
||||
throws Exception {
|
||||
this.spring.register(ServletPathConfig.class, BasicController.class).autowire();
|
||||
// @formatter:off
|
||||
@@ -366,7 +366,7 @@ public class AuthorizeHttpRequestsConfigurerTests {
|
||||
.with(user("user")
|
||||
.roles("USER"));
|
||||
// @formatter:on
|
||||
this.mvc.perform(requestWithUser).andExpect(status().isOk());
|
||||
this.mvc.perform(requestWithUser).andExpect(status().isForbidden());
|
||||
}
|
||||
|
||||
@Test
|
||||
|
||||
@@ -139,7 +139,10 @@ public class AuthenticationManagerBeanDefinitionParserTests {
|
||||
+ "<user-service>"
|
||||
+ " <user name='user' password='password' authorities='ROLE_A,ROLE_B' />"
|
||||
+ "</user-service>"
|
||||
+ "<http/>")
|
||||
+ "<http>"
|
||||
+ " <intercept-url pattern=\"/**\" access=\"authenticated\"/>"
|
||||
+ " <http-basic />"
|
||||
+ "</http>")
|
||||
.mockMvcAfterSpringSecurityOk()
|
||||
.autowire();
|
||||
this.mockMvc.perform(get("/").with(httpBasic("user", "password")))
|
||||
|
||||
@@ -120,7 +120,7 @@ public class InterceptUrlConfigTests {
|
||||
this.spring.configLocations(this.xml("PatchMethodAuthorizationManager")).autowire();
|
||||
// @formatter:off
|
||||
this.mvc.perform(get("/path").with(userCredentials()))
|
||||
.andExpect(status().isOk());
|
||||
.andExpect(status().isForbidden());
|
||||
this.mvc.perform(patch("/path").with(userCredentials()))
|
||||
.andExpect(status().isForbidden());
|
||||
this.mvc.perform(patch("/path").with(adminCredentials()))
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2013 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -85,6 +85,7 @@ public class SessionManagementConfigServlet31Tests {
|
||||
String id = request.getSession().getId();
|
||||
// @formatter:off
|
||||
loadContext("<http>\n"
|
||||
+ " <intercept-url pattern=\"/**\" access=\"authenticated\"/>\n"
|
||||
+ " <form-login/>\n"
|
||||
+ " <session-management/>\n"
|
||||
+ " <csrf disabled='true'/>\n"
|
||||
@@ -107,6 +108,7 @@ public class SessionManagementConfigServlet31Tests {
|
||||
String id = request.getSession().getId();
|
||||
// @formatter:off
|
||||
loadContext("<http>\n"
|
||||
+ " <intercept-url pattern=\"/**\" access=\"authenticated\"/>\n"
|
||||
+ " <form-login/>\n"
|
||||
+ " <session-management session-fixation-protection='changeSessionId'/>\n"
|
||||
+ " <csrf disabled='true'/>\n"
|
||||
|
||||
Reference in New Issue
Block a user