This interceptor is responsible for processing portlet authentication requests. This
- * is the portlet equivalent of the UsernamePasswordAuthenticationProcessingFilter used for
- * traditional servlet-based web applications. It is applied to both ActionRequests
- * and RenderRequests alike. If authentication is successful, the resulting
- * {@link Authentication} object will be placed into the SecurityContext, which
- * is guaranteed to have already been created by an earlier interceptor. If authentication
- * fails, the AuthenticationException will be placed into the
- * APPLICATION_SCOPE of the PortletSession with the attribute defined
- * by {@link AbstractAuthenticationProcessingFilter#SPRING_SECURITY_LAST_EXCEPTION_KEY}.
Some portals do not properly provide the identity of the current user via the
- * getRemoteUser() or getUserPrincipal() methods of the
- * PortletRequest. In these cases they sometimes make it available in the
- * USER_INFO map provided as one of the attributes of the request. If this is
- * the case in your portal, you can specify a list of USER_INFO attributes
- * to check for the username via the userNameAttributes property of this bean.
- * You can also completely override the {@link #getPrincipalFromRequest(PortletRequest)}
- * and {@link #getCredentialsFromRequest(PortletRequest)} methods to suit the particular
- * behavior of your portal.
This interceptor will put the Unfortunately, some portals do not properly return these values for authenticated
- * users. So, if neither of those succeeds and if the This method can be overridden by subclasses to provide special handling
- * for portals with weak support for the JSR 168 spec. This method can be overridden by subclasses to provide special handling
- * for portals with weak support for the JSR 168 spec. If that is done,
- * be sure the value is non-null for authenticated users and null for
- * non-authenticated users. This interceptor populates the {@link SecurityContextHolder} with information obtained from the
- * The If a valid A If for whatever reason no This interceptor must be executed before An important nuance to this interceptor is that (by default) the Unlike PortletRequest object into the
- * details property of the Authentication object that is sent
- * as a request to the AuthenticationManager.
- *
- * @see org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
- * @see org.springframework.security.web.authentication.UsernamePasswordAuthenticationProcessingFilter
- * @author John A. Lewis
- * @since 2.0
- * @version $Id$
- */
-@SuppressWarnings("unchecked")
-public class PortletProcessingInterceptor implements HandlerInterceptor, InitializingBean {
-
- //~ Static fields/initializers =====================================================================================
-
- private static final Log logger = LogFactory.getLog(PortletProcessingInterceptor.class);
-
- //~ Instance fields ================================================================================================
-
- private AuthenticationManager authenticationManager;
-
- private List userNameAttributes;
-
- private AuthenticationDetailsSource authenticationDetailsSource;
-
- private boolean useAuthTypeAsCredentials = false;
-
- public PortletProcessingInterceptor() {
- authenticationDetailsSource = new AuthenticationDetailsSourceImpl();
- ((AuthenticationDetailsSourceImpl)authenticationDetailsSource).setClazz(PortletAuthenticationDetails.class);
- }
-
- //~ Methods ========================================================================================================
-
- public void afterPropertiesSet() throws Exception {
- Assert.notNull(authenticationManager, "An AuthenticationManager must be set");
- }
-
- public boolean preHandleAction(ActionRequest request, ActionResponse response,
- Object handler) throws Exception {
- return preHandle(request, response, handler);
- }
-
- public boolean preHandleRender(RenderRequest request,
- RenderResponse response, Object handler) throws Exception {
- return preHandle(request, response, handler);
- }
-
- public void postHandleRender(RenderRequest request, RenderResponse response,
- Object handler, ModelAndView modelAndView) throws Exception {
- }
-
- public void afterActionCompletion(ActionRequest request, ActionResponse response,
- Object handler, Exception ex) throws Exception {
- }
-
- public void afterRenderCompletion(RenderRequest request, RenderResponse response,
- Object handler, Exception ex) throws Exception {
- }
-
- /**
- * {@inheritDoc}
- */
- public boolean preHandleResource(ResourceRequest request, ResourceResponse response, Object handler) throws Exception {
- return preHandle(request, response, handler);
- }
-
- /**
- * {@inheritDoc}
- */
- public void postHandleResource(ResourceRequest request, ResourceResponse response, Object handler, ModelAndView modelAndView) throws Exception {
- }
-
- public void afterResourceCompletion(ResourceRequest request, ResourceResponse response, Object handler, Exception ex) throws Exception {
- }
-
- /**
- * {@inheritDoc}
- */
- public boolean preHandleEvent(EventRequest request, EventResponse response, Object handler) throws Exception {
- return preHandle(request, response, handler);
- }
-
- /**
- * {@inheritDoc}
- */
- public void afterEventCompletion(EventRequest request, EventResponse response, Object handler, Exception ex) throws Exception {
- }
-
- /**
- * Common preHandle method for both the action and render phases of the interceptor.
- */
- private boolean preHandle(PortletRequest request, PortletResponse response,
- Object handler) throws Exception {
-
- // get the SecurityContext
- SecurityContext ctx = SecurityContextHolder.getContext();
-
- if (logger.isDebugEnabled())
- logger.debug("Checking secure context token: " + ctx.getAuthentication());
-
- // if there is no existing Authentication object, then lets create one
- if (ctx.getAuthentication() == null) {
-
- try {
-
- // build the authentication request from the PortletRequest
- PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken(
- getPrincipalFromRequest(request),
- getCredentialsFromRequest(request));
-
- // put the PortletRequest into the authentication request as the "details"
- authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
-
- if (logger.isDebugEnabled())
- logger.debug("Beginning authentication request for user '" + authRequest.getName() + "'");
-
- onPreAuthentication(request, response);
-
- // ask the authentication manager to authenticate the request
- // it will throw an AuthenticationException if it fails, otherwise it succeeded
- Authentication authResult = authenticationManager.authenticate(authRequest);
-
- // process a successful authentication
- if (logger.isDebugEnabled()) {
- logger.debug("Authentication success: " + authResult);
- }
-
- ctx.setAuthentication(authResult);
- onSuccessfulAuthentication(request, response, authResult);
-
- } catch (AuthenticationException failed) {
- // process an unsuccessful authentication
- if (logger.isDebugEnabled()) {
- logger.debug("Authentication failed - updating ContextHolder to contain null Authentication", failed);
- }
- ctx.setAuthentication(null);
- request.getPortletSession().setAttribute(
- AbstractAuthenticationProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY,
- failed, PortletSession.APPLICATION_SCOPE);
- onUnsuccessfulAuthentication(request, response, failed);
- }
- }
-
- return true;
- }
-
- /**
- * This method attempts to extract a principal from the portlet request.
- * According to the JSR 168 spec, the PortletRequest.
- * This allows it to be shared between the portlets in the webapp and
- * potentially with servlets in the webapp as well. If this is set to
- * should return the name
- * of the user in the truegetRemoteUser() method. It should also provide a
- * java.security.Principal object from the getUserPrincipal()
- * method. We will first try these to come up with a valid username.
- * userNameAttributes
- * property has been populated, then we will search through the USER_INFO
- * map from the request to see if we can find a valid username.
- * PortletSession. It is applied to both ActionRequests and
- * RenderRequestsPortletSession will be queried to retrieve the SecurityContext that should
- * be stored against the SecurityContextHolder for the duration of the portlet request. At the
- * end of the request, any updates made to the SecurityContextHolder will be persisted back to the
- * PortletSession by this interceptor.SecurityContext cannot be obtained from the PortletSession for
- * whatever reason, a fresh SecurityContext will be created and used instead. The created object
- * will be of the instance defined by the {@link #setContext(Class)} method. If this hasn't been set, a call to
- * {@link SecurityContextHolder#createEmptyContext()} will be used to create the instance.
- *
- * PortletSession may be created by this interceptor if one does not already exist. If at the
- * end of the portlet request the PortletSession does not exist, one will only be created if
- * the current contents of the SecurityContextHolder are not the {@link java.lang.Object#equals}
- * to a new instance of {@link #contextClass}. This avoids needless PortletSession creation,
- * and automates the storage of changes made to the SecurityContextHolder. There is one exception to
- * this rule, that is if the {@link #forceEagerSessionCreation} property is true, in which case
- * sessions will always be created irrespective of normal session-minimization logic (the default is
- * false, as this is resource intensive and not recommended).PortletSession should ever be created, the
- * {@link #allowSessionCreation} property should be set to false. Only do this if you really need
- * to conserve server memory and ensure all classes using the SecurityContextHolder are designed to
- * have no persistence of the SecurityContext between web requests. Please note that if
- * {@link #forceEagerSessionCreation} is true, the allowSessionCreation must also be
- * true (setting it to false will cause a startup-time error).SecurityContextHolder to contain a valid SecurityContext by the time they execute.SecurityContext is stored
- * into the APPLICATION_SCOPE of the PortletSession. This doesn't just mean you will be
- * sharing it with all the other portlets in your webapp (which is generally a good idea). It also means that (if
- * you have done all the other appropriate magic), you will share this SecurityContext with servlets in
- * your webapp. This is very useful if you have servlets serving images or processing AJAX calls from your portlets
- * since they can now use the {@link SecurityContextPersistenceFilter} to access the same SecurityContext
- * object from the session. This allows these calls to be secured as well as the portlet calls.HttpSessionContextIntegrationFilter, this interceptor does not check to see if it is
- * getting applied multiple times. This shouldn't be a problem since the application of interceptors is under the
- * control of the Spring Portlet MVC framework and tends to be more explicit and more predictable than the application
- * of filters. However, you should still be careful to only apply this inteceptor to your request once.PortletSession if
- * needed (sessions are always created sparingly, but setting this value to
- * false will prohibit sessions from ever being created).
- * Defaults to true. Do not set to false if
- * you are have set {@link #forceEagerSessionCreation} to true,
- * as the properties would be in conflict.
- */
- private boolean allowSessionCreation = true;
-
- /**
- * Indicates if this interceptor is required to create a PortletSession
- * for every request before proceeding through the request process, even if the
- * PortletSession would not ordinarily have been created. By
- * default this is false, which is entirely appropriate for
- * most circumstances as you do not want a PortletSession
- * created unless the interceptor actually needs one. It is envisaged the main
- * situation in which this property would be set to true is
- * if using other interceptors that depend on a PortletSession
- * already existing. This is only required in specialized cases, so leave it set to
- * false unless you have an actual requirement and aware of the
- * session creation overhead.
- */
- private boolean forceEagerSessionCreation = false;
-
- /**
- * Indicates whether the SecurityContext will be cloned from
- * the PortletSession. The default is to simply reference
- * (the default is false). The default may cause issues if
- * concurrent threads need to have a different security identity from other
- * threads being concurrently processed that share the same
- * PortletSession. In most normal environments this does not
- * represent an issue, as changes to the security identity in one thread is
- * allowed to affect the security identity in other threads associated with
- * the same PortletSession. For unusual cases where this is not
- * permitted, change this value to true and ensure the
- * {@link #contextClass} is set to a SecurityContext that
- * implements {@link Cloneable} and overrides the clone()
- * method.
- */
- private boolean cloneFromPortletSession = false;
-
- /**
- * Indicates wether the APPLICATION_SCOPE mode of the
- * PortletSession should be used for storing the
- * SecurityContext. The default is false, then the PORTLET_SCOPE will be used
- * instead.
- */
- private boolean useApplicationScopePortletSession = true;
-
-
- //~ Constructors ===================================================================================================
-
- public PortletSessionContextIntegrationInterceptor() throws PortletException {
- this.contextObject = generateNewContext();
- }
-
- //~ Methods ========================================================================================================
-
- public void afterPropertiesSet() throws Exception {
- // check that session creation options make sense
- if ((forceEagerSessionCreation == true) && (allowSessionCreation == false)) {
- throw new IllegalArgumentException(
- "If using forceEagerSessionCreation, you must set allowSessionCreation to also be true");
- }
- }
-
- public boolean preHandleAction(ActionRequest request, ActionResponse response,
- Object handler) throws Exception {
- // call to common preHandle method
- return preHandle(request, response, handler);
- }
-
- public boolean preHandleRender(RenderRequest request, RenderResponse response,
- Object handler) throws Exception {
- // call to common preHandle method
- return preHandle(request, response, handler);
- }
-
- public void postHandleRender(RenderRequest request, RenderResponse response,
- Object handler, ModelAndView modelAndView) throws Exception {
- // no-op
- }
-
- public void afterActionCompletion(ActionRequest request, ActionResponse response,
- Object handler, Exception ex) throws Exception {
- // call to common afterCompletion method
- afterCompletion(request, response, handler, ex);
- }
-
- public void afterRenderCompletion(RenderRequest request, RenderResponse response,
- Object handler, Exception ex) throws Exception {
- // call to common afterCompletion method
- afterCompletion(request, response, handler, ex);
- }
-
- /**
- * {@inheritDoc}
- */
- public boolean preHandleResource(ResourceRequest request, ResourceResponse response, Object handler) throws Exception {
- return preHandle(request, response, handler);
- }
-
- /**
- * {@inheritDoc}
- */
- public void postHandleResource(ResourceRequest request, ResourceResponse response, Object handler, ModelAndView modelAndView) throws Exception {
- // no-op
- }
-
- /**
- * {@inheritDoc}
- */
- public void afterResourceCompletion(ResourceRequest request, ResourceResponse response, Object handler, Exception ex) throws Exception {
- // call to common afterCompletion method
- afterCompletion(request, response, handler, ex);
- }
-
- /**
- * {@inheritDoc}
- */
- public boolean preHandleEvent(EventRequest request, EventResponse response, Object handler) throws Exception {
- return preHandle(request, response, handler);
- }
-
- /**
- * {@inheritDoc}
- */
- public void afterEventCompletion(EventRequest request, EventResponse response, Object handler, Exception ex) throws Exception {
- // call to common afterCompletion method
- afterCompletion(request, response, handler, ex);
- }
-
- private boolean preHandle(PortletRequest request, PortletResponse response,
- Object handler) throws Exception {
-
- PortletSession portletSession = null;
- boolean portletSessionExistedAtStartOfRequest = false;
-
- // see if the portlet session already exists (or should be eagerly created)
- try {
- portletSession = request.getPortletSession(forceEagerSessionCreation);
- } catch (IllegalStateException ignored) {}
-
- // if there is a session, then see if there is a contextClass to bring in
- if (portletSession != null) {
-
- // remember that the session already existed
- portletSessionExistedAtStartOfRequest = true;
-
- // attempt to retrieve the contextClass from the session
- Object contextFromSessionObject = portletSession.getAttribute(SPRING_SECURITY_CONTEXT_KEY, portletSessionScope());
-
- // if we got a contextClass then place it into the holder
- if (contextFromSessionObject != null) {
-
- // if we are supposed to clone it, then do so
- if (cloneFromPortletSession) {
- Assert.isInstanceOf(Cloneable.class, contextFromSessionObject,
- "Context must implement Clonable and provide a Object.clone() method");
- try {
- Method m = contextFromSessionObject.getClass().getMethod("clone", new Class[] {});
- if (!m.isAccessible()) {
- m.setAccessible(true);
- }
- contextFromSessionObject = m.invoke(contextFromSessionObject, new Object[] {});
- }
- catch (Exception ex) {
- ReflectionUtils.handleReflectionException(ex);
- }
- }
-
- // if what we got is a valid contextClass then place it into the holder, otherwise create a new one
- if (contextFromSessionObject instanceof SecurityContext) {
- if (logger.isDebugEnabled())
- logger.debug("Obtained from SPRING_SECURITY_CONTEXT a valid SecurityContext and "
- + "set to SecurityContextHolder: '" + contextFromSessionObject + "'");
- SecurityContextHolder.setContext((SecurityContext) contextFromSessionObject);
- } else {
- if (logger.isWarnEnabled())
- logger.warn("SPRING_SECURITY_CONTEXT did not contain a SecurityContext but contained: '"
- + contextFromSessionObject
- + "'; are you improperly modifying the PortletSession directly "
- + "(you should always use SecurityContextHolder) or using the PortletSession attribute "
- + "reserved for this class? - new SecurityContext instance associated with "
- + "SecurityContextHolder");
- SecurityContextHolder.setContext(generateNewContext());
- }
-
- } else {
-
- // there was no contextClass in the session, so create a new contextClass and put it in the holder
- if (logger.isDebugEnabled())
- logger.debug("PortletSession returned null object for SPRING_SECURITY_CONTEXT - new "
- + "SecurityContext instance associated with SecurityContextHolder");
- SecurityContextHolder.setContext(generateNewContext());
- }
-
- } else {
-
- // there was no session, so create a new contextClass and place it in the holder
- if (logger.isDebugEnabled())
- logger.debug("No PortletSession currently exists - new SecurityContext instance "
- + "associated with SecurityContextHolder");
- SecurityContextHolder.setContext(generateNewContext());
-
- }
-
- // place attributes onto the request to remember if the session existed and the hashcode of the contextClass
- request.setAttribute(SESSION_EXISTED, new Boolean(portletSessionExistedAtStartOfRequest));
- request.setAttribute(CONTEXT_HASHCODE, new Integer(SecurityContextHolder.getContext().hashCode()));
-
- return true;
- }
-
- private void afterCompletion(PortletRequest request, PortletResponse response,
- Object handler, Exception ex) throws Exception {
-
- PortletSession portletSession = null;
-
- // retrieve the attributes that remember if the session existed and the hashcode of the contextClass
- boolean portletSessionExistedAtStartOfRequest = ((Boolean)request.getAttribute(SESSION_EXISTED)).booleanValue();
- int oldContextHashCode = ((Integer)request.getAttribute(CONTEXT_HASHCODE)).intValue();
-
- // try to retrieve an existing portlet session
- try {
- portletSession = request.getPortletSession(false);
- } catch (IllegalStateException ignored) {}
-
- // if there is now no session but there was one at the beginning then it must have been invalidated
- if ((portletSession == null) && portletSessionExistedAtStartOfRequest) {
- if (logger.isDebugEnabled())
- logger.debug("PortletSession is now null, but was not null at start of request; "
- + "session was invalidated, so do not create a new session");
- }
-
- // create a new portlet session if we need to
- if ((portletSession == null) && !portletSessionExistedAtStartOfRequest) {
-
- // if we're not allowed to create a new session, then report that
- if (!allowSessionCreation) {
- if (logger.isDebugEnabled())
- logger.debug("The PortletSession is currently null, and the "
- + "PortletSessionContextIntegrationInterceptor is prohibited from creating a PortletSession "
- + "(because the allowSessionCreation property is false) - SecurityContext thus not "
- + "stored for next request");
- }
- // if the contextClass was changed during the request, then go ahead and create a session
- else if (!contextObject.equals(SecurityContextHolder.getContext())) {
- if (logger.isDebugEnabled())
- logger.debug("PortletSession being created as SecurityContextHolder contents are non-default");
- try {
- portletSession = request.getPortletSession(true);
- } catch (IllegalStateException ignored) {}
- }
- // if nothing in the contextClass changed, then don't bother to create a session
- else {
- if (logger.isDebugEnabled())
- logger.debug("PortletSession is null, but SecurityContextHolder has not changed from default: ' "
- + SecurityContextHolder.getContext()
- + "'; not creating PortletSession or storing SecurityContextHolder contents");
- }
- }
-
- // if the session exists and the contextClass has changes, then store the contextClass back into the session
- if ((portletSession != null)
- && (SecurityContextHolder.getContext().hashCode() != oldContextHashCode)) {
- portletSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext(), portletSessionScope());
- if (logger.isDebugEnabled())
- logger.debug("SecurityContext stored to PortletSession: '"
- + SecurityContextHolder.getContext() + "'");
- }
-
- // remove the contents of the holder
- SecurityContextHolder.clearContext();
- if (logger.isDebugEnabled())
- logger.debug("SecurityContextHolder set to new contextClass, as request processing completed");
-
- }
-
- /**
- * Creates a new SecurityContext object. The specific class is
- * determined by the setting of the {@link #contextClass} property.
- * @return the new SecurityContext
- * @throws PortletException if the creation throws an InstantiationException or
- * an IllegalAccessException, then this method will wrap them in a
- * PortletException
- */
- SecurityContext generateNewContext() throws PortletException {
- if (contextClass == null) {
- return SecurityContextHolder.createEmptyContext();
- }
-
- try {
- return this.contextClass.newInstance();
- } catch (InstantiationException ie) {
- throw new PortletException(ie);
- } catch (IllegalAccessException iae) {
- throw new PortletException(iae);
- }
- }
-
-
- private int portletSessionScope() {
- // return the appropriate scope setting based on our property value
- return (this.useApplicationScopePortletSession ?
- PortletSession.APPLICATION_SCOPE : PortletSession.PORTLET_SCOPE);
- }
-
-
- public Class extends SecurityContext> getContext() {
- return contextClass;
- }
-
- public void setContext(Class extends SecurityContext> secureContext) {
- this.contextClass = secureContext;
- }
-
- public boolean isAllowSessionCreation() {
- return allowSessionCreation;
- }
-
- public void setAllowSessionCreation(boolean allowSessionCreation) {
- this.allowSessionCreation = allowSessionCreation;
- }
-
- public boolean isForceEagerSessionCreation() {
- return forceEagerSessionCreation;
- }
-
- public void setForceEagerSessionCreation(boolean forceEagerSessionCreation) {
- this.forceEagerSessionCreation = forceEagerSessionCreation;
- }
-
- public boolean isCloneFromPortletSession() {
- return cloneFromPortletSession;
- }
-
- public void setCloneFromPortletSession(boolean cloneFromPortletSession) {
- this.cloneFromPortletSession = cloneFromPortletSession;
- }
-
- public boolean isUseApplicationScopePortletSession() {
- return useApplicationScopePortletSession;
- }
-
- public void setUseApplicationScopePortletSession(
- boolean useApplicationScopePortletSession) {
- this.useApplicationScopePortletSession = useApplicationScopePortletSession;
- }
-
-}
diff --git a/portlet/src/main/java/org/springframework/security/portlet/package.html b/portlet/src/main/java/org/springframework/security/portlet/package.html
deleted file mode 100644
index 3f8c54970a..0000000000
--- a/portlet/src/main/java/org/springframework/security/portlet/package.html
+++ /dev/null
@@ -1,5 +0,0 @@
-
-
-Authentication interceptor (and related classes) for use with the Portlet 1.0 (JSR 168) Specification.
-
-
diff --git a/portlet/src/test/java/org/springframework/security/portlet/PortletProcessingInterceptorTests.java b/portlet/src/test/java/org/springframework/security/portlet/PortletProcessingInterceptorTests.java
deleted file mode 100644
index 486eadaf22..0000000000
--- a/portlet/src/test/java/org/springframework/security/portlet/PortletProcessingInterceptorTests.java
+++ /dev/null
@@ -1,279 +0,0 @@
-/*
- * Copyright 2005-2007 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.portlet;
-
-import static org.junit.Assert.*;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-
-import javax.portlet.PortletRequest;
-import javax.portlet.PortletSession;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.springframework.mock.web.portlet.MockActionRequest;
-import org.springframework.mock.web.portlet.MockActionResponse;
-import org.springframework.mock.web.portlet.MockRenderRequest;
-import org.springframework.mock.web.portlet.MockRenderResponse;
-import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
-import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.BadCredentialsException;
-import org.springframework.security.authentication.TestingAuthenticationToken;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.portlet.PortletProcessingInterceptor;
-
-/**
- * Tests {@link PortletProcessingInterceptor}.
- *
- * @author John A. Lewis
- * @since 2.0
- * @version $Id$
- */
-@SuppressWarnings("unchecked")
-public class PortletProcessingInterceptorTests {
- public static final String SPRING_SECURITY_LAST_EXCEPTION_KEY = "SPRING_SECURITY_LAST_EXCEPTION";
- //~ Methods ========================================================================================================
-
- @Before
- public void setUp() throws Exception {
- SecurityContextHolder.clearContext();
- }
-
- @After
- public void tearDown() throws Exception {
- SecurityContextHolder.clearContext();
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testRequiresAuthenticationManager() throws Exception {
- PortletProcessingInterceptor interceptor = new PortletProcessingInterceptor();
- interceptor.afterPropertiesSet();
- }
-
- @Test
- public void testNormalRenderRequestProcessing() throws Exception {
-
- // Build mock request and response
- MockRenderRequest request = PortletTestUtils.createRenderRequest();
- MockRenderResponse response = PortletTestUtils.createRenderResponse();
-
- // Prepare interceptor
- PortletProcessingInterceptor interceptor = new PortletProcessingInterceptor();
- interceptor.setAuthenticationManager(new MockPortletAuthenticationManager());
- interceptor.afterPropertiesSet();
-
- // Execute preHandlerRender phase and verify results
- interceptor.preHandleRender(request, response, null);
- assertEquals(PortletTestUtils.createAuthenticatedToken(),
- SecurityContextHolder.getContext().getAuthentication());
-
- // Execute postHandlerRender phase and verify nothing changed
- interceptor.postHandleRender(request, response, null, null);
- assertEquals(PortletTestUtils.createAuthenticatedToken(),
- SecurityContextHolder.getContext().getAuthentication());
-
- // Execute afterRenderCompletion phase and verify nothing changed
- interceptor.afterRenderCompletion(request, response, null, null);
- assertEquals(PortletTestUtils.createAuthenticatedToken(),
- SecurityContextHolder.getContext().getAuthentication());
- }
-
- @Test
- public void testNormalActionRequestProcessing() throws Exception {
-
- // Build mock request and response
- MockActionRequest request = PortletTestUtils.createActionRequest();
- MockActionResponse response = PortletTestUtils.createActionResponse();
-
- // Prepare interceptor
- PortletProcessingInterceptor interceptor = new PortletProcessingInterceptor();
- interceptor.setAuthenticationManager(new MockPortletAuthenticationManager());
- interceptor.afterPropertiesSet();
-
- // Execute preHandlerAction phase and verify results
- interceptor.preHandleAction(request, response, null);
- assertEquals(PortletTestUtils.createAuthenticatedToken(),
- SecurityContextHolder.getContext().getAuthentication());
-
- // Execute afterActionCompletion phase and verify nothing changed
- interceptor.afterActionCompletion(request, response, null, null);
- assertEquals(PortletTestUtils.createAuthenticatedToken(),
- SecurityContextHolder.getContext().getAuthentication());
- }
-
- @Test
- public void testAuthenticationFailsWithNoCredentials() throws Exception {
-
- // Build mock request and response
- MockActionRequest request = new MockActionRequest();
- MockActionResponse response = new MockActionResponse();
-
- // Prepare and execute interceptor
- PortletProcessingInterceptor interceptor = new PortletProcessingInterceptor();
- interceptor.setAuthenticationManager(new MockPortletAuthenticationManager());
- interceptor.afterPropertiesSet();
- interceptor.preHandleAction(request, response, null);
-
- // Verify that authentication is empty
- assertNull(SecurityContextHolder.getContext().getAuthentication());
-
- // Verify that proper exception was thrown
- assertTrue(request.getPortletSession().getAttribute(
- AbstractAuthenticationProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY,
- PortletSession.APPLICATION_SCOPE)
- instanceof BadCredentialsException);
- }
-
- @Test
- public void testExistingAuthenticationIsLeftAlone() throws Exception {
-
- // Build mock request and response
- MockActionRequest request = PortletTestUtils.createActionRequest();
- MockActionResponse response = PortletTestUtils.createActionResponse();
-
- // Prepare interceptor
- PortletProcessingInterceptor interceptor = new PortletProcessingInterceptor();
- interceptor.setAuthenticationManager(new MockPortletAuthenticationManager());
- interceptor.afterPropertiesSet();
-
- UsernamePasswordAuthenticationToken testingToken = new UsernamePasswordAuthenticationToken("dummy", "dummy");
- UsernamePasswordAuthenticationToken baselineToken = new UsernamePasswordAuthenticationToken("dummy", "dummy");
- SecurityContextHolder.getContext().setAuthentication(testingToken);
-
- // Execute preHandlerAction phase and verify results
- interceptor.preHandleAction(request, response, null);
- assertTrue(SecurityContextHolder.getContext().getAuthentication() == testingToken);
- assertEquals(baselineToken, SecurityContextHolder.getContext().getAuthentication());
-
- // Execute afterActionCompletion phase and verify nothing changed
- interceptor.afterActionCompletion(request, response, null, null);
- assertTrue(SecurityContextHolder.getContext().getAuthentication() == testingToken);
- assertEquals(baselineToken, SecurityContextHolder.getContext().getAuthentication());
- }
-
- @Test
- public void testUsernameFromRemoteUser() throws Exception {
-
- // Build mock request and response
- MockActionRequest request = new MockActionRequest();
- MockActionResponse response = new MockActionResponse();
- request.setRemoteUser(PortletTestUtils.TESTUSER);
- request.setAuthType(PortletRequest.FORM_AUTH);
-
- // Prepare and execute interceptor
- PortletProcessingInterceptor interceptor = new PortletProcessingInterceptor();
- interceptor.setAuthenticationManager(new MockPortletAuthenticationManager());
- interceptor.afterPropertiesSet();
- interceptor.preHandleAction(request, response, null);
-
- // Verify username
- assertEquals(PortletTestUtils.TESTUSER,
- SecurityContextHolder.getContext().getAuthentication().getName());
- }
-
- @Test
- public void testUsernameFromPrincipal() throws Exception {
-
- // Build mock request and response
- MockActionRequest request = new MockActionRequest();
- MockActionResponse response = new MockActionResponse();
- request.setUserPrincipal(new TestingAuthenticationToken(PortletTestUtils.TESTUSER, PortletTestUtils.TESTCRED));
- request.setAuthType(PortletRequest.FORM_AUTH);
-
- // Prepare and execute interceptor
- PortletProcessingInterceptor interceptor = new PortletProcessingInterceptor();
- interceptor.setAuthenticationManager(new MockPortletAuthenticationManager());
- interceptor.afterPropertiesSet();
- interceptor.preHandleAction(request, response, null);
-
- // Verify username
- assertEquals(PortletTestUtils.TESTUSER,
- SecurityContextHolder.getContext().getAuthentication().getName());
- }
-
- @Test
- public void testUsernameFromUserInfo() throws Exception {
-
- // Build mock request and response
- MockActionRequest request = new MockActionRequest();
- MockActionResponse response = new MockActionResponse();
- HashMap userInfo = new HashMap();
- userInfo.put("user.name.given", "Test");
- userInfo.put("user.name.family", "User");
- userInfo.put("user.id", "mytestuser");
- request.setAttribute(PortletRequest.USER_INFO, userInfo);
- request.setAuthType(PortletRequest.FORM_AUTH);
-
- // Prepare and execute interceptor
- PortletProcessingInterceptor interceptor = new PortletProcessingInterceptor();
- interceptor.setAuthenticationManager(new MockPortletAuthenticationManager());
- ArrayList userNameAttributes = new ArrayList();
- userNameAttributes.add("user.name");
- userNameAttributes.add("user.id");
- interceptor.setUserNameAttributes(userNameAttributes);
- interceptor.afterPropertiesSet();
- interceptor.preHandleAction(request, response, null);
-
- // Verify username
- assertEquals("mytestuser", SecurityContextHolder.getContext().getAuthentication().getName());
- }
-
- //~ Inner Classes ==================================================================================================
-
- private static class MockPortletAuthenticationManager implements AuthenticationManager {
-
- public Authentication authenticate(Authentication token) {
-
- // Make sure we got a valid token
- if (!(token instanceof PreAuthenticatedAuthenticationToken)) {
- fail("Expected PreAuthenticatedAuthenticationToken object-- got: " + token);
- }
-
- // Make sure the token details are the PortletRequest
-// if (!(token.getDetails() instanceof PortletRequest)) {
-// TestCase.fail("Expected Authentication.getDetails to be a PortletRequest object -- got: " + token.getDetails());
-// }
-
- // Make sure it's got a principal
- if (token.getPrincipal() == null) {
- throw new BadCredentialsException("Mock authentication manager rejecting null principal");
- }
-
- // Make sure it's got credentials
- if (token.getCredentials() == null) {
- throw new BadCredentialsException("Mock authentication manager rejecting null credentials");
- }
-
- // create resulting Authentication object
- User user = new User(token.getName(), token.getCredentials().toString(), true, true, true, true,
- AuthorityUtils.createAuthorityList(PortletTestUtils.TESTROLE1, PortletTestUtils.TESTROLE2));
- PreAuthenticatedAuthenticationToken result = new PreAuthenticatedAuthenticationToken(
- user, user.getPassword(), user.getAuthorities());
- result.setAuthenticated(true);
- return result;
- }
-
- }
-
-}
diff --git a/portlet/src/test/java/org/springframework/security/portlet/PortletSessionContextIntegrationInterceptorTests.java b/portlet/src/test/java/org/springframework/security/portlet/PortletSessionContextIntegrationInterceptorTests.java
deleted file mode 100644
index 8a7180f845..0000000000
--- a/portlet/src/test/java/org/springframework/security/portlet/PortletSessionContextIntegrationInterceptorTests.java
+++ /dev/null
@@ -1,344 +0,0 @@
-/*
- * Copyright 2005-2007 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.portlet;
-
-import javax.portlet.PortletSession;
-
-import junit.framework.TestCase;
-
-import org.springframework.mock.web.portlet.MockActionRequest;
-import org.springframework.mock.web.portlet.MockActionResponse;
-import org.springframework.mock.web.portlet.MockRenderRequest;
-import org.springframework.mock.web.portlet.MockRenderResponse;
-import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.context.SecurityContext;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.context.SecurityContextImpl;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
-
-/**
- * Tests {@link PortletSessionContextIntegrationInterceptor}.
- *
- * @author John A. Lewis
- * @since 2.0
- * @version $Id$
- */
-public class PortletSessionContextIntegrationInterceptorTests extends TestCase {
-
- //~ Methods ========================================================================================================
-
- public void setUp() throws Exception {
- super.setUp();
- SecurityContextHolder.clearContext();
- }
-
- public void tearDown() throws Exception {
- super.tearDown();
- SecurityContextHolder.clearContext();
- }
-
- public void testDetectsIncompatibleSessionProperties() throws Exception {
- PortletSessionContextIntegrationInterceptor interceptor = new PortletSessionContextIntegrationInterceptor();
- try {
- interceptor.setAllowSessionCreation(false);
- interceptor.setForceEagerSessionCreation(true);
- interceptor.afterPropertiesSet();
- fail("Shown have thrown IllegalArgumentException");
- } catch (IllegalArgumentException expected) {
- // ignore
- }
- interceptor.setAllowSessionCreation(true);
- interceptor.afterPropertiesSet();
- }
-
- public void testNormalRenderRequestProcessing() throws Exception {
-
- // Build an Authentication object we simulate came from PortletSession
- PreAuthenticatedAuthenticationToken sessionPrincipal = PortletTestUtils.createAuthenticatedToken();
- PreAuthenticatedAuthenticationToken baselinePrincipal = PortletTestUtils.createAuthenticatedToken();
-
- // Build a Context to store in PortletSession (simulating prior request)
- SecurityContext sc = new SecurityContextImpl();
- sc.setAuthentication(sessionPrincipal);
-
- // Build mock request and response
- MockRenderRequest request = PortletTestUtils.createRenderRequest();
- MockRenderResponse response = PortletTestUtils.createRenderResponse();
- request.getPortletSession().setAttribute(
- PortletSessionContextIntegrationInterceptor.SPRING_SECURITY_CONTEXT_KEY,
- sc, PortletSession.APPLICATION_SCOPE);
-
- // Prepare interceptor
- PortletSessionContextIntegrationInterceptor interceptor = new PortletSessionContextIntegrationInterceptor();
- interceptor.afterPropertiesSet();
-
- // Verify the SecurityContextHolder starts empty
- assertNull(SecurityContextHolder.getContext().getAuthentication());
-
- // Run preHandleRender phase and verify SecurityContextHolder contains our Authentication
- interceptor.preHandleRender(request, response, null);
- assertEquals(baselinePrincipal, SecurityContextHolder.getContext().getAuthentication());
-
- // Run postHandleRender phase and verify the SecurityContextHolder still contains our Authentication
- interceptor.postHandleRender(request, response, null, null);
- assertEquals(baselinePrincipal, SecurityContextHolder.getContext().getAuthentication());
-
- // Run afterRenderCompletion phase and verify the SecurityContextHolder is empty
- interceptor.afterRenderCompletion(request, response, null, null);
- assertNull(SecurityContextHolder.getContext().getAuthentication());
- }
-
- public void testNormalActionRequestProcessing() throws Exception {
-
- // Build an Authentication object we simulate came from PortletSession
- PreAuthenticatedAuthenticationToken sessionPrincipal = PortletTestUtils.createAuthenticatedToken();
- PreAuthenticatedAuthenticationToken baselinePrincipal = PortletTestUtils.createAuthenticatedToken();
-
- // Build a Context to store in PortletSession (simulating prior request)
- SecurityContext sc = new SecurityContextImpl();
- sc.setAuthentication(sessionPrincipal);
-
- // Build mock request and response
- MockActionRequest request = PortletTestUtils.createActionRequest();
- MockActionResponse response = PortletTestUtils.createActionResponse();
- request.getPortletSession().setAttribute(
- PortletSessionContextIntegrationInterceptor.SPRING_SECURITY_CONTEXT_KEY,
- sc, PortletSession.APPLICATION_SCOPE);
-
- // Prepare interceptor
- PortletSessionContextIntegrationInterceptor interceptor = new PortletSessionContextIntegrationInterceptor();
- interceptor.afterPropertiesSet();
-
- // Verify the SecurityContextHolder starts empty
- assertNull(SecurityContextHolder.getContext().getAuthentication());
-
- // Run preHandleAction phase and verify SecurityContextHolder contains our Authentication
- interceptor.preHandleAction(request, response, null);
- assertEquals(baselinePrincipal, SecurityContextHolder.getContext().getAuthentication());
-
- // Run afterActionCompletion phase and verify the SecurityContextHolder is empty
- interceptor.afterActionCompletion(request, response, null, null);
- assertNull(SecurityContextHolder.getContext().getAuthentication());
- }
-
- public void testUpdatesCopiedBackIntoSession() throws Exception {
-
- // Build an Authentication object we simulate came from PortletSession
- PreAuthenticatedAuthenticationToken sessionPrincipal = PortletTestUtils.createAuthenticatedToken();
- PreAuthenticatedAuthenticationToken baselinePrincipal = PortletTestUtils.createAuthenticatedToken();
-
- // Build a Context to store in PortletSession (simulating prior request)
- SecurityContext sc = new SecurityContextImpl();
- sc.setAuthentication(sessionPrincipal);
-
- // Build mock request and response
- MockActionRequest request = PortletTestUtils.createActionRequest();
- MockActionResponse response = PortletTestUtils.createActionResponse();
- request.getPortletSession().setAttribute(
- PortletSessionContextIntegrationInterceptor.SPRING_SECURITY_CONTEXT_KEY,
- sc, PortletSession.APPLICATION_SCOPE);
-
- // Prepare interceptor
- PortletSessionContextIntegrationInterceptor interceptor = new PortletSessionContextIntegrationInterceptor();
- interceptor.afterPropertiesSet();
-
- // Verify the SecurityContextHolder starts empty
- assertNull(SecurityContextHolder.getContext().getAuthentication());
-
- // Run preHandleAction phase and verify SecurityContextHolder contains our Authentication
- interceptor.preHandleAction(request, response, null);
- assertEquals(baselinePrincipal, SecurityContextHolder.getContext().getAuthentication());
-
- // Perform updates to principal
- sessionPrincipal = PortletTestUtils.createAuthenticatedToken(
- new User(PortletTestUtils.TESTUSER, PortletTestUtils.TESTCRED, true, true, true, true,
- AuthorityUtils.createAuthorityList("UPDATEDROLE1")));
- baselinePrincipal = PortletTestUtils.createAuthenticatedToken(
- new User(PortletTestUtils.TESTUSER, PortletTestUtils.TESTCRED, true, true, true, true,
- AuthorityUtils.createAuthorityList("UPDATEDROLE1")));
-
- // Store updated principal into SecurityContextHolder
- SecurityContextHolder.getContext().setAuthentication(sessionPrincipal);
-
- // Run afterActionCompletion phase and verify the SecurityContextHolder is empty
- interceptor.afterActionCompletion(request, response, null, null);
- assertNull(SecurityContextHolder.getContext().getAuthentication());
-
- // Verify the new principal is stored in the session
- sc = (SecurityContext)request.getPortletSession().getAttribute(
- PortletSessionContextIntegrationInterceptor.SPRING_SECURITY_CONTEXT_KEY,
- PortletSession.APPLICATION_SCOPE);
- assertEquals(baselinePrincipal, sc.getAuthentication());
- }
-
- public void testPortletSessionCreatedWhenContextHolderChanges() throws Exception {
-
- // Build mock request and response
- MockActionRequest request = PortletTestUtils.createActionRequest();
- MockActionResponse response = PortletTestUtils.createActionResponse();
-
- // Prepare the interceptor
- PortletSessionContextIntegrationInterceptor interceptor = new PortletSessionContextIntegrationInterceptor();
- interceptor.afterPropertiesSet();
-
- // Execute the interceptor
- interceptor.preHandleAction(request, response, null);
- PreAuthenticatedAuthenticationToken principal = PortletTestUtils.createAuthenticatedToken();
- SecurityContextHolder.getContext().setAuthentication(principal);
- interceptor.afterActionCompletion(request, response, null, null);
-
- // Verify Authentication is in the PortletSession
- SecurityContext sc = (SecurityContext)request.getPortletSession(false).
- getAttribute(PortletSessionContextIntegrationInterceptor.SPRING_SECURITY_CONTEXT_KEY, PortletSession.APPLICATION_SCOPE);
- assertEquals(principal, ((SecurityContext)sc).getAuthentication());
- }
-
- public void testPortletSessionEagerlyCreatedWhenDirected() throws Exception {
-
- // Build mock request and response
- MockActionRequest request = PortletTestUtils.createActionRequest();
- MockActionResponse response = PortletTestUtils.createActionResponse();
-
- // Prepare the interceptor
- PortletSessionContextIntegrationInterceptor interceptor = new PortletSessionContextIntegrationInterceptor();
- interceptor.setForceEagerSessionCreation(true); // non-default
- interceptor.afterPropertiesSet();
-
- // Execute the interceptor
- interceptor.preHandleAction(request, response, null);
- interceptor.afterActionCompletion(request, response, null, null);
-
- // Check the session is not null
- assertNotNull(request.getPortletSession(false));
- }
-
- public void testPortletSessionNotCreatedUnlessContextHolderChanges() throws Exception {
-
- // Build mock request and response
- MockActionRequest request = PortletTestUtils.createActionRequest();
- MockActionResponse response = PortletTestUtils.createActionResponse();
-
- // Prepare the interceptor
- PortletSessionContextIntegrationInterceptor interceptor = new PortletSessionContextIntegrationInterceptor();
- interceptor.afterPropertiesSet();
-
- // Execute the interceptor
- interceptor.preHandleAction(request, response, null);
- interceptor.afterActionCompletion(request, response, null, null);
-
- // Check the session is null
- assertNull(request.getPortletSession(false));
- }
-
- public void testPortletSessionWithNonContextInWellKnownLocationIsOverwritten()
- throws Exception {
-
- // Build mock request and response
- MockActionRequest request = PortletTestUtils.createActionRequest();
- MockActionResponse response = PortletTestUtils.createActionResponse();
- request.getPortletSession().setAttribute(
- PortletSessionContextIntegrationInterceptor.SPRING_SECURITY_CONTEXT_KEY,
- "NOT_A_CONTEXT_OBJECT", PortletSession.APPLICATION_SCOPE);
-
- // Prepare the interceptor
- PortletSessionContextIntegrationInterceptor interceptor = new PortletSessionContextIntegrationInterceptor();
- interceptor.afterPropertiesSet();
-
- // Execute the interceptor
- interceptor.preHandleAction(request, response, null);
- PreAuthenticatedAuthenticationToken principal = PortletTestUtils.createAuthenticatedToken();
- SecurityContextHolder.getContext().setAuthentication(principal);
- interceptor.afterActionCompletion(request, response, null, null);
-
- // Verify Authentication is in the PortletSession
- SecurityContext sc = (SecurityContext)request.getPortletSession(false).
- getAttribute(PortletSessionContextIntegrationInterceptor.SPRING_SECURITY_CONTEXT_KEY, PortletSession.APPLICATION_SCOPE);
- assertEquals(principal, ((SecurityContext)sc).getAuthentication());
- }
-
- public void testPortletSessionCreationNotAllowed() throws Exception {
-
- // Build mock request and response
- MockActionRequest request = PortletTestUtils.createActionRequest();
- MockActionResponse response = PortletTestUtils.createActionResponse();
-
- // Prepare the interceptor
- PortletSessionContextIntegrationInterceptor interceptor = new PortletSessionContextIntegrationInterceptor();
- interceptor.setAllowSessionCreation(false); // non-default
- interceptor.afterPropertiesSet();
-
- // Execute the interceptor
- interceptor.preHandleAction(request, response, null);
- PreAuthenticatedAuthenticationToken principal = PortletTestUtils.createAuthenticatedToken();
- SecurityContextHolder.getContext().setAuthentication(principal);
- interceptor.afterActionCompletion(request, response, null, null);
-
- // Check the session is null
- assertNull(request.getPortletSession(false));
- }
-
- public void testUsePortletScopeSession() throws Exception {
-
- // Build an Authentication object we simulate came from PortletSession
- PreAuthenticatedAuthenticationToken sessionPrincipal = PortletTestUtils.createAuthenticatedToken();
- PreAuthenticatedAuthenticationToken baselinePrincipal = PortletTestUtils.createAuthenticatedToken();
-
- // Build a Context to store in PortletSession (simulating prior request)
- SecurityContext sc = new SecurityContextImpl();
- sc.setAuthentication(sessionPrincipal);
-
- // Build mock request and response
- MockActionRequest request = PortletTestUtils.createActionRequest();
- MockActionResponse response = PortletTestUtils.createActionResponse();
- request.getPortletSession().setAttribute(
- PortletSessionContextIntegrationInterceptor.SPRING_SECURITY_CONTEXT_KEY,
- sc, PortletSession.PORTLET_SCOPE);
-
- // Prepare interceptor
- PortletSessionContextIntegrationInterceptor interceptor = new PortletSessionContextIntegrationInterceptor();
- interceptor.setUseApplicationScopePortletSession(false); // non-default
- interceptor.afterPropertiesSet();
-
- // Run preHandleAction phase and verify SecurityContextHolder contains our Authentication
- interceptor.preHandleAction(request, response, null);
- assertEquals(baselinePrincipal, SecurityContextHolder.getContext().getAuthentication());
-
- // Perform updates to principal
- sessionPrincipal = PortletTestUtils.createAuthenticatedToken(
- new User(PortletTestUtils.TESTUSER, PortletTestUtils.TESTCRED, true, true, true, true,
- AuthorityUtils.createAuthorityList("UPDATEDROLE1")));
- baselinePrincipal = PortletTestUtils.createAuthenticatedToken(
- new User(PortletTestUtils.TESTUSER, PortletTestUtils.TESTCRED, true, true, true, true,
- AuthorityUtils.createAuthorityList("UPDATEDROLE1")));
-
- // Store updated principal into SecurityContextHolder
- SecurityContextHolder.getContext().setAuthentication(sessionPrincipal);
-
- // Run afterActionCompletion phase and verify the SecurityContextHolder is empty
- interceptor.afterActionCompletion(request, response, null, null);
- assertNull(SecurityContextHolder.getContext().getAuthentication());
-
- // Verify the new principal is stored in the session
- sc = (SecurityContext)request.getPortletSession().getAttribute(
- PortletSessionContextIntegrationInterceptor.SPRING_SECURITY_CONTEXT_KEY,
- PortletSession.PORTLET_SCOPE);
- assertEquals(baselinePrincipal, sc.getAuthentication());
- }
-
-
-}
diff --git a/portlet/src/test/java/org/springframework/security/portlet/PortletTestUtils.java b/portlet/src/test/java/org/springframework/security/portlet/PortletTestUtils.java
deleted file mode 100644
index 13ec038065..0000000000
--- a/portlet/src/test/java/org/springframework/security/portlet/PortletTestUtils.java
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * Copyright 2005-2007 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.portlet;
-
-import javax.portlet.PortletRequest;
-
-import org.springframework.mock.web.portlet.MockActionRequest;
-import org.springframework.mock.web.portlet.MockActionResponse;
-import org.springframework.mock.web.portlet.MockPortletRequest;
-import org.springframework.mock.web.portlet.MockRenderRequest;
-import org.springframework.mock.web.portlet.MockRenderResponse;
-import org.springframework.security.authentication.TestingAuthenticationToken;
-import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
-
-/**
- * Utilities for testing Portlet (JSR 168) based security.
- *
- * @author John A. Lewis
- * @since 2.0
- * @version $Id$
- */
-public class PortletTestUtils {
-
- //~ Static fields/initializers =====================================================================================
-
- public static final String PORTALROLE1 = "ONE";
- public static final String PORTALROLE2 = "TWO";
-
- public static final String TESTUSER = "testuser";
- public static final String TESTCRED = PortletRequest.FORM_AUTH;
- public static final String TESTROLE1 = "ROLE_" + PORTALROLE1;
- public static final String TESTROLE2 = "ROLE_" + PORTALROLE2;
-
- //~ Methods ========================================================================================================
-
- public static UserDetails createUser() {
- return new User(PortletTestUtils.TESTUSER, "dummy", true, true, true, true,
- AuthorityUtils.createAuthorityList(TESTROLE1, TESTROLE2));
- }
-
- public static void applyPortletRequestSecurity(MockPortletRequest request) {
- request.setRemoteUser(TESTUSER);
- request.setUserPrincipal(new TestingAuthenticationToken(TESTUSER, TESTCRED));
- request.addUserRole(PORTALROLE1);
- request.addUserRole(PORTALROLE2);
-// request.setAuthType(PortletRequest.FORM_AUTH);
- }
-
- public static MockRenderRequest createRenderRequest() {
- MockRenderRequest request = new MockRenderRequest();
- applyPortletRequestSecurity(request);
- return request;
- }
-
- public static MockRenderResponse createRenderResponse() {
- MockRenderResponse response = new MockRenderResponse();
- return response;
- }
-
- public static MockActionRequest createActionRequest() {
- MockActionRequest request = new MockActionRequest();
- applyPortletRequestSecurity(request);
- return request;
- }
-
- public static MockActionResponse createActionResponse() {
- MockActionResponse response = new MockActionResponse();
- return response;
- }
-
- public static PreAuthenticatedAuthenticationToken createToken(PortletRequest request) {
- PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(TESTUSER, TESTCRED);
- token.setDetails(new PortletAuthenticationDetails(request));
- return token;
- }
-
- public static PreAuthenticatedAuthenticationToken createToken() {
- MockRenderRequest request = createRenderRequest();
- return createToken(request);
- }
-
- public static PreAuthenticatedAuthenticationToken createAuthenticatedToken(UserDetails user) {
- PreAuthenticatedAuthenticationToken result = new PreAuthenticatedAuthenticationToken(
- user, user.getPassword(), user.getAuthorities());
- result.setAuthenticated(true);
- return result;
- }
-
- public static PreAuthenticatedAuthenticationToken createAuthenticatedToken() {
- return createAuthenticatedToken(createUser());
- }
-
-}