SEC-1763: Prevent nested switches in SwitchUserFilter by calling attemptExitUser() before doing the switch.

This commit is contained in:
Luke Taylor
2011-07-13 21:56:06 +01:00
parent a504cfae1a
commit de97bac85b
2 changed files with 34 additions and 3 deletions

View File

@@ -374,6 +374,26 @@ public class SwitchUserFilterTests {
assertTrue(AuthorityUtils.authorityListToSet(result.getAuthorities()).contains("ROLE_NEW"));
}
// SEC-1763
@Test
public void nestedSwitchesAreNotAllowed() throws Exception {
// original user
UsernamePasswordAuthenticationToken source = new UsernamePasswordAuthenticationToken("orig", "hawaii50", ROLES_12);
SecurityContextHolder.getContext().setAuthentication(source);
SecurityContextHolder.getContext().setAuthentication(switchToUser("jacklord"));
Authentication switched = switchToUser("dano");
SwitchUserGrantedAuthority switchedFrom = null;
for (GrantedAuthority ga: switched.getAuthorities()) {
if (ga instanceof SwitchUserGrantedAuthority) {
switchedFrom = (SwitchUserGrantedAuthority)ga;
break;
}
}
assertSame(source, switchedFrom.getSource());
}
//~ Inner Classes ==================================================================================================