SEC-1950: Defensively invoke SecurityContextHolder.clearContext() in FilterChainProxy
This commit is contained in:
@@ -3,18 +3,22 @@ package org.springframework.security.web;
|
||||
import static org.junit.Assert.*;
|
||||
import static org.mockito.Mockito.*;
|
||||
|
||||
import org.junit.After;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.mockito.invocation.InvocationOnMock;
|
||||
import org.mockito.stubbing.Answer;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.web.firewall.FirewalledRequest;
|
||||
import org.springframework.security.web.firewall.HttpFirewall;
|
||||
import org.springframework.security.web.util.RequestMatcher;
|
||||
|
||||
import javax.servlet.Filter;
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletRequestWrapper;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
@@ -55,6 +59,11 @@ public class FilterChainProxyTests {
|
||||
chain = mock(FilterChain.class);
|
||||
}
|
||||
|
||||
@After
|
||||
public void teardown() {
|
||||
SecurityContextHolder.clearContext();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void toStringCallSucceeds() throws Exception {
|
||||
fcp.afterPropertiesSet();
|
||||
@@ -155,4 +164,37 @@ public class FilterChainProxyTests {
|
||||
verify(firstFwr).reset();
|
||||
verify(fwr).reset();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterClearsSecurityContextHolder() throws Exception {
|
||||
when(matcher.matches(any(HttpServletRequest.class))).thenReturn(true);
|
||||
doAnswer(new Answer<Object>() {
|
||||
public Object answer(InvocationOnMock inv) throws Throwable {
|
||||
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("username", "password"));
|
||||
return null;
|
||||
}
|
||||
}).when(filter).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class), any(FilterChain.class));
|
||||
|
||||
fcp.doFilter(request, response, chain);
|
||||
|
||||
assertNull(SecurityContextHolder.getContext().getAuthentication());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterClearsSecurityContextHolderWithException() throws Exception {
|
||||
when(matcher.matches(any(HttpServletRequest.class))).thenReturn(true);
|
||||
doAnswer(new Answer<Object>() {
|
||||
public Object answer(InvocationOnMock inv) throws Throwable {
|
||||
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("username", "password"));
|
||||
throw new ServletException("oops");
|
||||
}
|
||||
}).when(filter).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class), any(FilterChain.class));
|
||||
|
||||
try {
|
||||
fcp.doFilter(request, response, chain);
|
||||
fail("Expected Exception");
|
||||
}catch(ServletException success) {}
|
||||
|
||||
assertNull(SecurityContextHolder.getContext().getAuthentication());
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user