Add Multiple Reactive HttpSecurity

Fixes gh-4395
This commit is contained in:
Rob Winch
2017-06-14 14:05:52 -05:00
parent 406e1e6951
commit 9141a8a7c0
10 changed files with 281 additions and 15 deletions

View File

@@ -0,0 +1,98 @@
/*
*
* * Copyright 2002-2017 the original author or authors.
* *
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
*
*/
package org.springframework.security.config.annotation.web.reactive;
import org.junit.Test;
import org.junit.experimental.runners.Enclosed;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.web.server.HttpSecurity;
import org.springframework.security.core.userdetails.MapUserDetailsRepository;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsRepository;
import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.WebFilterChainFilter;
import org.springframework.security.web.server.util.matcher.PathMatcherServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.reactive.server.WebTestClient;
import static org.mockito.Mockito.mock;
/**
* @author Rob Winch
* @since 5.0
*/
@RunWith(Enclosed.class)
public class EnableWebFluxSecurityTests {
@RunWith(SpringRunner.class)
public static class MultiHttpSecurity {
@Autowired
WebFilterChainFilter springSecurityFilterChain;
@Test
public void multiWorks() {
WebTestClient client = WebTestClientBuilder.bindToWebFilters(springSecurityFilterChain).build();
client.get()
.uri("/api/test")
.exchange()
.expectStatus().isUnauthorized()
.expectBody().isEmpty();
client.get()
.uri("/test")
.exchange()
.expectStatus().isOk();
}
@EnableWebFluxSecurity
static class Config {
@Order(Ordered.HIGHEST_PRECEDENCE)
@Bean
public SecurityWebFilterChain apiHttpSecurity(HttpSecurity http) {
http
.securityMatcher(new PathMatcherServerWebExchangeMatcher("/api/**"))
.authorizeExchange()
.anyExchange().denyAll();
return http.build();
}
@Bean
public SecurityWebFilterChain httpSecurity(HttpSecurity http) {
return http.build();
}
@Bean
public UserDetailsRepository userDetailsRepository() {
return new MapUserDetailsRepository(User.withUsername("user")
.password("password")
.roles("USER")
.build()
);
}
}
}
}

View File

@@ -27,12 +27,12 @@ import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
import org.springframework.security.web.server.WebFilterChainFilter;
import org.springframework.security.web.server.context.SecurityContextRepository;
import org.springframework.security.web.server.context.WebSessionSecurityContextRepository;
import org.springframework.test.web.reactive.server.EntityExchangeResult;
import org.springframework.test.web.reactive.server.FluxExchangeResult;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.server.WebSession;
import reactor.core.publisher.Mono;
import static org.assertj.core.api.Assertions.assertThat;
@@ -101,7 +101,22 @@ public class HttpSecurityTests {
assertThat(result.getResponseCookies().getFirst("SESSION")).isNotNull();
}
@Test
public void basicWhenNoCredentialsThenUnauthorized() {
http.authorizeExchange().anyExchange().authenticated();
WebTestClient client = buildClient();
client
.get()
.uri("/")
.exchange()
.expectStatus().isUnauthorized()
.expectHeader().valueMatches(HttpHeaders.CACHE_CONTROL, ".+")
.expectBody().isEmpty();
}
private WebTestClient buildClient() {
return WebTestClientBuilder.bindToWebFilters(http.build()).build();
WebFilterChainFilter springSecurityFilterChain = WebFilterChainFilter.fromSecurityWebFilterChains(http.build());
return WebTestClientBuilder.bindToWebFilters(springSecurityFilterChain).build();
}
}