SEC-1152: Changes to add anonymous filter to default namespace configuration and added enabled flag to allow overriding of the behaviour.

This commit is contained in:
Luke Taylor
2009-05-05 07:23:31 +00:00
parent 331a04c07c
commit cef089376c
4 changed files with 1627 additions and 1584 deletions

View File

@@ -1,6 +1,7 @@
package org.springframework.security.config;
import static org.junit.Assert.*;
import static org.hamcrest.Matchers.*;
import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML;
import static org.springframework.security.config.HttpSecurityBeanDefinitionParser.*;
@@ -122,15 +123,9 @@ public class HttpSecurityBeanDefinitionParserTests {
assertTrue(filters.next() instanceof LogoutFilter);
Object authProcFilter = filters.next();
assertTrue(authProcFilter instanceof AuthenticationProcessingFilter);
// Check RememberMeServices has been set on AuthenticationProcessingFilter
//Object rms = FieldUtils.getFieldValue(authProcFilter, "rememberMeServices");
//assertNotNull(rms);
//assertTrue(rms instanceof RememberMeServices);
//assertFalse(rms instanceof NullRememberMeServices);
assertTrue(filters.next() instanceof DefaultLoginPageGeneratingFilter);
assertTrue(filters.next() instanceof BasicProcessingFilter);
assertTrue(filters.next() instanceof SecurityContextHolderAwareRequestFilter);
//assertTrue(filters.next() instanceof RememberMeProcessingFilter);
assertTrue(filters.next() instanceof AnonymousProcessingFilter);
assertTrue(filters.next() instanceof ExceptionTranslationFilter);
assertTrue(filters.next() instanceof SessionFixationProtectionFilter);
@@ -200,6 +195,27 @@ public class HttpSecurityBeanDefinitionParserTests {
assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(filter, "successHandler.alwaysUseDefaultTargetUrl"));
}
// SEC-1152
@Test
public void anonymousFilterIsAddedByDefault() throws Exception {
setContext(
"<http>" +
" <form-login />" +
"</http>" + AUTH_PROVIDER_XML);
assertThat(getFilters("/anything").get(4), instanceOf(AnonymousProcessingFilter.class));
}
@Test
public void anonymousFilterIsRemovedIfDisabledFlagSet() throws Exception {
setContext(
"<http>" +
" <form-login />" +
" <anonymous enabled='false'/>" +
"</http>" + AUTH_PROVIDER_XML);
assertThat(getFilters("/anything").get(4), not(instanceOf(AnonymousProcessingFilter.class)));
}
@Test(expected=BeanCreationException.class)
public void invalidLoginPageIsDetected() throws Exception {
setContext(