SEC-3020: SecurityContextHolderAwareRequestWrapper conditional rolePrefix
Previously SecurityContextHolderAwareRequestWrapper always prefixed with rolePrefix. This meant the defaults would never return true for a role that started with the prefix (i.e. ROLE_). We no longer apply the rolePrefix if the value passed in already starts with rolePrefix.
This commit is contained in:
@@ -114,4 +114,33 @@ public class SecurityContextHolderAwareRequestWrapperTests extends TestCase {
|
||||
assertFalse(wrapper.isUserInRole("ROLE_FOOBAR")); // principal is null, so reject
|
||||
assertNull(wrapper.getUserPrincipal());
|
||||
}
|
||||
|
||||
public void testRolePrefix() {
|
||||
Authentication auth = new TestingAuthenticationToken("user", "koala", "ROLE_HELLO",
|
||||
"ROLE_FOOBAR");
|
||||
SecurityContextHolder.getContext().setAuthentication(auth);
|
||||
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
|
||||
SecurityContextHolderAwareRequestWrapper wrapper = new SecurityContextHolderAwareRequestWrapper(
|
||||
request, "ROLE_");
|
||||
|
||||
assertTrue(wrapper.isUserInRole("HELLO"));
|
||||
assertTrue(wrapper.isUserInRole("FOOBAR"));
|
||||
}
|
||||
|
||||
// SEC-3020
|
||||
public void testRolePrefixNotAppliedIfRoleStartsWith() {
|
||||
Authentication auth = new TestingAuthenticationToken("user", "koala", "ROLE_HELLO",
|
||||
"ROLE_FOOBAR");
|
||||
SecurityContextHolder.getContext().setAuthentication(auth);
|
||||
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
|
||||
SecurityContextHolderAwareRequestWrapper wrapper = new SecurityContextHolderAwareRequestWrapper(
|
||||
request, "ROLE_");
|
||||
|
||||
assertTrue(wrapper.isUserInRole("ROLE_HELLO"));
|
||||
assertTrue(wrapper.isUserInRole("ROLE_FOOBAR"));
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user