diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.groovy deleted file mode 100644 index e3d1fee955..0000000000 --- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.groovy +++ /dev/null @@ -1,159 +0,0 @@ -/* - * Copyright 2002-2013 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.springframework.security.config.annotation.web.configurers - -import org.springframework.context.annotation.Configuration -import org.springframework.security.config.annotation.AnyObjectPostProcessor -import org.springframework.security.config.annotation.BaseSpringSpec -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder -import org.springframework.security.config.annotation.web.builders.HttpSecurity -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter -import org.springframework.security.web.AuthenticationEntryPoint -import org.springframework.security.web.access.ExceptionTranslationFilter -import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter; -import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint -import org.springframework.security.web.authentication.www.BasicAuthenticationFilter - -/** - * - * @author Rob Winch - */ -class HttpBasicConfigurerTests extends BaseSpringSpec { - - def "httBasic ObjectPostProcessor"() { - setup: - AnyObjectPostProcessor opp = Mock() - HttpSecurity http = new HttpSecurity(opp, authenticationBldr, [:]) - when: - http - .httpBasic() - .and() - .build() - - then: "ExceptionTranslationFilter is registered with LifecycleManager" - 1 * opp.postProcess(_ as BasicAuthenticationFilter) >> {BasicAuthenticationFilter o -> o} - } - - def "SEC-2198: http.httpBasic() defaults AuthenticationEntryPoint"() { - setup: - loadConfig(DefaultsEntryPointConfig) - when: - springSecurityFilterChain.doFilter(request, response, chain) - then: - response.status == 401 - response.getHeader("WWW-Authenticate") == 'Basic realm="Realm"' - } - - @EnableWebSecurity - static class DefaultsEntryPointConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .httpBasic() - } - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth - .inMemoryAuthentication() - } - } - - def "http.httpBasic().authenticationEntryPoint used for AuthenticationEntryPoint"() { - setup: - CustomAuthenticationEntryPointConfig.ENTRY_POINT = Mock(AuthenticationEntryPoint) - when: - loadConfig(CustomAuthenticationEntryPointConfig) - then: - findFilter(ExceptionTranslationFilter).authenticationEntryPoint == CustomAuthenticationEntryPointConfig.ENTRY_POINT - } - - @EnableWebSecurity - static class CustomAuthenticationEntryPointConfig extends WebSecurityConfigurerAdapter { - static AuthenticationEntryPoint ENTRY_POINT - - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .httpBasic() - .authenticationEntryPoint(ENTRY_POINT) - } - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth - .inMemoryAuthentication() - } - } - - def "duplicate httpBasic invocations does not override"() { - setup: - DuplicateDoesNotOverrideConfig.ENTRY_POINT = Mock(AuthenticationEntryPoint) - when: - loadConfig(DuplicateDoesNotOverrideConfig) - then: - findFilter(ExceptionTranslationFilter).authenticationEntryPoint == DuplicateDoesNotOverrideConfig.ENTRY_POINT - } - - @EnableWebSecurity - static class DuplicateDoesNotOverrideConfig extends WebSecurityConfigurerAdapter { - static AuthenticationEntryPoint ENTRY_POINT - - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .httpBasic() - .authenticationEntryPoint(ENTRY_POINT) - .and() - .httpBasic() - } - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth - .inMemoryAuthentication() - } - } - - def "SEC-3019: Basic Authentication uses RememberMe Config"() { - when: - loadConfig(BasicUsesRememberMeConfig) - then: - findFilter(BasicAuthenticationFilter).rememberMeServices == findFilter(RememberMeAuthenticationFilter).rememberMeServices - } - - @EnableWebSecurity - @Configuration - static class BasicUsesRememberMeConfig extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .httpBasic().and() - .rememberMe() - } - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth - .inMemoryAuthentication() - } - } -} \ No newline at end of file diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java new file mode 100644 index 0000000000..a42fac317a --- /dev/null +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java @@ -0,0 +1,238 @@ +/* + * Copyright 2002-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.config.annotation.web.configurers; + +import org.junit.Rule; +import org.junit.Test; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.ObjectPostProcessor; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.test.SpringTestRule; +import org.springframework.security.core.AuthenticationException; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.AuthenticationEntryPoint; +import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; +import org.springframework.test.web.servlet.MockMvc; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.*; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*; + +/** + * Tests for {@link HttpBasicConfigurer} + * + * @author Rob Winch + * @author Eleftheria Stein + */ +public class HttpBasicConfigurerTests { + + @Rule + public final SpringTestRule spring = new SpringTestRule(); + + @Autowired + MockMvc mvc; + + @Test + public void configureWhenRegisteringObjectPostProcessorThenInvokedOnBasicAuthenticationFilter() { + this.spring.register(ObjectPostProcessorConfig.class).autowire(); + + verify(ObjectPostProcessorConfig.objectPostProcessor) + .postProcess(any(BasicAuthenticationFilter.class)); + } + + @EnableWebSecurity + static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { + static ObjectPostProcessor objectPostProcessor = spy(ReflectingObjectPostProcessor.class); + + @Override + protected void configure(HttpSecurity http) throws Exception { + // @formatter:off + http + .httpBasic(); + // @formatter:on + } + + @Bean + static ObjectPostProcessor objectPostProcessor() { + return objectPostProcessor; + } + } + + static class ReflectingObjectPostProcessor implements ObjectPostProcessor { + @Override + public O postProcess(O object) { + return object; + } + } + + //SEC-2198 + @Test + public void httpBasicWhenUsingDefaultsThenResponseIncludesBasicChallenge() throws Exception { + this.spring.register(DefaultsEntryPointConfig.class).autowire(); + + this.mvc.perform(get("/")) + .andExpect(status().isUnauthorized()) + .andExpect(header().string("WWW-Authenticate", "Basic realm=\"Realm\"")); + } + + @EnableWebSecurity + static class DefaultsEntryPointConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + // @formatter:off + http + .authorizeRequests() + .anyRequest().authenticated() + .and() + .httpBasic(); + // @formatter:on + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + // @formatter:off + auth + .inMemoryAuthentication(); + // @formatter:on + } + } + + @Test + public void httpBasicWhenUsingCustomAuthenticationEntryPointThenResponseIncludesBasicChallenge() throws Exception { + this.spring.register(CustomAuthenticationEntryPointConfig.class).autowire(); + + this.mvc.perform(get("/")); + + verify(CustomAuthenticationEntryPointConfig.ENTRY_POINT) + .commence(any(HttpServletRequest.class), + any(HttpServletResponse.class), + any(AuthenticationException.class)); + } + + @EnableWebSecurity + static class CustomAuthenticationEntryPointConfig extends WebSecurityConfigurerAdapter { + static AuthenticationEntryPoint ENTRY_POINT = mock(AuthenticationEntryPoint.class); + + @Override + protected void configure(HttpSecurity http) throws Exception { + // @formatter:off + http + .authorizeRequests() + .anyRequest().authenticated() + .and() + .httpBasic() + .authenticationEntryPoint(ENTRY_POINT); + // @formatter:on + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + // @formatter:off + auth + .inMemoryAuthentication(); + // @formatter:on + } + } + + @Test + public void httpBasicWhenInvokedTwiceThenUsesOriginalEntryPoint() throws Exception { + this.spring.register(DuplicateDoesNotOverrideConfig.class).autowire(); + + this.mvc.perform(get("/")); + + verify(DuplicateDoesNotOverrideConfig.ENTRY_POINT) + .commence(any(HttpServletRequest.class), + any(HttpServletResponse.class), + any(AuthenticationException.class)); + } + + @EnableWebSecurity + static class DuplicateDoesNotOverrideConfig extends WebSecurityConfigurerAdapter { + static AuthenticationEntryPoint ENTRY_POINT = mock(AuthenticationEntryPoint.class); + + @Override + protected void configure(HttpSecurity http) throws Exception { + // @formatter:off + http + .authorizeRequests() + .anyRequest().authenticated() + .and() + .httpBasic() + .authenticationEntryPoint(ENTRY_POINT) + .and() + .httpBasic(); + // @formatter:on + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + // @formatter:off + auth + .inMemoryAuthentication(); + // @formatter:on + } + } + + //SEC-3019 + @Test + public void httpBasicWhenRememberMeConfiguredThenSetsRememberMeCookie() throws Exception { + this.spring.register(BasicUsesRememberMeConfig.class).autowire(); + + this.mvc.perform(get("/") + .with(httpBasic("user", "password")) + .param("remember-me", "true")) + .andExpect(cookie().exists("remember-me")); + } + + @EnableWebSecurity + @Configuration + static class BasicUsesRememberMeConfig extends WebSecurityConfigurerAdapter { + + @Override + protected void configure(HttpSecurity http) throws Exception { + // @formatter:off + http + .httpBasic() + .and() + .rememberMe(); + // @formatter:on + } + + @Bean + public UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager( + User.withDefaultPasswordEncoder() + .username("user") + .password("password") + .roles("USER") + .build() + ); + } + } +}