SEC-1201: PropertyPlaceholderConfigurer does not work for intercept-url attributes. Added use of ManagedMaps and BeanDefinitions to support placeholders in the pattern and access attributes.

This commit is contained in:
Luke Taylor
2009-08-22 21:09:34 +00:00
parent 0b5160d155
commit 9bf8656d66
5 changed files with 190 additions and 71 deletions

View File

@@ -58,6 +58,23 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
assertTrue(cad.contains(new SecurityConfig("ROLE_A")));
}
// SEC-1201
@Test
public void interceptUrlsSupportPropertyPlaceholders() {
System.setProperty("secure.url", "/secure");
System.setProperty("secure.role", "ROLE_A");
setContext(
"<b:bean class='org.springframework.beans.factory.config.PropertyPlaceholderConfigurer'/>" +
"<filter-security-metadata-source id='fids'>" +
" <intercept-url pattern='${secure.url}' access='${secure.role}'/>" +
"</filter-security-metadata-source>");
DefaultFilterInvocationSecurityMetadataSource fids = (DefaultFilterInvocationSecurityMetadataSource) appContext.getBean("fids");
List<ConfigAttribute> cad = fids.getAttributes(createFilterInvocation("/secure", "GET"));
assertNotNull(cad);
assertEquals(1, cad.size());
assertEquals("ROLE_A", cad.get(0).getAttribute());
}
@Test
public void parsingWithinFilterSecurityInterceptorIsSuccessful() {
setContext(
@@ -72,11 +89,8 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
" </b:property>" +
" <b:property name='authenticationManager' ref='" + BeanIds.AUTHENTICATION_MANAGER +"'/>"+
"</b:bean>" + ConfigTestUtils.AUTH_PROVIDER_XML);
}
private FilterInvocation createFilterInvocation(String path, String method) {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRequestURI(null);

View File

@@ -149,7 +149,7 @@ public class HttpSecurityBeanDefinitionParserTests {
}
@Test
public void filterListShouldBeEmptyForUnprotectedUrl() throws Exception {
public void filterListShouldBeEmptyForPatternWithNoFilters() throws Exception {
setContext(
" <http auto-config='true'>" +
" <intercept-url pattern='/unprotected' filters='none' />" +
@@ -160,6 +160,22 @@ public class HttpSecurityBeanDefinitionParserTests {
assertTrue(filters.size() == 0);
}
@Test
public void filtersEqualsNoneSupportsPlaceholderForPattern() throws Exception {
System.setProperty("pattern.nofilters", "/unprotected");
setContext(
" <b:bean class='org.springframework.beans.factory.config.PropertyPlaceholderConfigurer'/>" +
" <http auto-config='true'>" +
" <intercept-url pattern='${pattern.nofilters}' filters='none' />" +
" <intercept-url pattern='/**' access='ROLE_A' />" +
" </http>" + AUTH_PROVIDER_XML);
List<Filter> filters = getFilters("/unprotected");
assertTrue(filters.size() == 0);
}
@Test
public void regexPathsWorkCorrectly() throws Exception {
setContext(
@@ -274,7 +290,7 @@ public class HttpSecurityBeanDefinitionParserTests {
FilterSecurityInterceptor fis = (FilterSecurityInterceptor) getFilter(FilterSecurityInterceptor.class);
FilterInvocationSecurityMetadataSource fids = fis.getSecurityMetadataSource();
List<? extends ConfigAttribute> attrDef = fids.getAttributes(createFilterinvocation("/Secure", null));
List<ConfigAttribute> attrDef = fids.getAttributes(createFilterinvocation("/Secure", null));
assertEquals(2, attrDef.size());
assertTrue(attrDef.contains(new SecurityConfig("ROLE_A")));
assertTrue(attrDef.contains(new SecurityConfig("ROLE_B")));
@@ -283,6 +299,40 @@ public class HttpSecurityBeanDefinitionParserTests {
assertTrue(attrDef.contains(new SecurityConfig("ROLE_C")));
}
// SEC-1201
@Test
public void interceptUrlsAndFormLoginSupportPropertyPlaceholders() throws Exception {
System.setProperty("secure.url", "/secure");
System.setProperty("secure.role", "ROLE_A");
System.setProperty("login.page", "/loginPage");
System.setProperty("default.target", "/defaultTarget");
System.setProperty("auth.failure", "/authFailure");
setContext(
"<b:bean class='org.springframework.beans.factory.config.PropertyPlaceholderConfigurer'/>" +
"<http>" +
" <intercept-url pattern='${secure.url}' access='${secure.role}' />" +
" <form-login login-page='${login.page}' default-target-url='${default.target}' " +
" authentication-failure-url='${auth.failure}' />" +
"</http>" + AUTH_PROVIDER_XML);
// Check the security attribute
FilterSecurityInterceptor fis = (FilterSecurityInterceptor) getFilter(FilterSecurityInterceptor.class);
FilterInvocationSecurityMetadataSource fids = fis.getSecurityMetadataSource();
List<ConfigAttribute> attrs = fids.getAttributes(createFilterinvocation("/secure", null));
assertNotNull(attrs);
assertEquals(1, attrs.size());
assertEquals("ROLE_A",attrs.get(0).getAttribute());
// Check the form login properties are set
UsernamePasswordAuthenticationProcessingFilter apf = (UsernamePasswordAuthenticationProcessingFilter)
getFilter(UsernamePasswordAuthenticationProcessingFilter.class);
assertEquals("/defaultTarget", FieldUtils.getFieldValue(apf, "successHandler.defaultTargetUrl"));
assertEquals("/authFailure", FieldUtils.getFieldValue(apf, "failureHandler.defaultFailureUrl"));
ExceptionTranslationFilter etf = (ExceptionTranslationFilter) getFilter(ExceptionTranslationFilter.class);
assertEquals("/loginPage", FieldUtils.getFieldValue(etf, "authenticationEntryPoint.loginFormUrl"));
}
@Test
public void httpMethodMatchIsSupported() throws Exception {
setContext(
@@ -338,6 +388,19 @@ public class HttpSecurityBeanDefinitionParserTests {
assertTrue(filters.get(0) instanceof ChannelProcessingFilter);
}
@Test
public void requiresChannelSupportsPlaceholder() throws Exception {
setContext(
" <http auto-config='true'>" +
" <intercept-url pattern='/**' requires-channel='https' />" +
" </http>" + AUTH_PROVIDER_XML);
List<Filter> filters = getFilters("/someurl");
assertEquals("Expected " + (AUTO_CONFIG_FILTERS + 1) +" filters in chain", AUTO_CONFIG_FILTERS + 1, filters.size());
assertTrue(filters.get(0) instanceof ChannelProcessingFilter);
}
@Test
public void portMappingsAreParsedCorrectly() throws Exception {
setContext(