SEC-1349: Allow configuration of OpenID with parameters which should be transferred to the return_to URL.

The OpenIDAuthenticationFilter now has a returnToUrlParameters property (a Set). If this is set, the named parameters will be copied from the incoming submitted request to the return_to URL. If not set, it defaults to the "parameter" property of the AbstractRememberMeServices of the parent class. If remember-me is not in use, it defaults to the empty set.

Enabled remember-me in the OpenID sample.
This commit is contained in:
Luke Taylor
2010-01-09 00:58:26 +00:00
parent bc02fc2de1
commit e211f9b35f
7 changed files with 128 additions and 8 deletions

View File

@@ -8,12 +8,15 @@ import static org.springframework.security.config.http.AuthenticationConfigBuild
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.http.HttpServletRequest;
import org.junit.After;
import org.junit.Test;
@@ -39,6 +42,9 @@ import org.springframework.security.openid.OpenID4JavaConsumer;
import org.springframework.security.openid.OpenIDAttribute;
import org.springframework.security.openid.OpenIDAuthenticationFilter;
import org.springframework.security.openid.OpenIDAuthenticationProvider;
import org.springframework.security.openid.OpenIDAuthenticationToken;
import org.springframework.security.openid.OpenIDConsumer;
import org.springframework.security.openid.OpenIDConsumerException;
import org.springframework.security.util.FieldUtils;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.FilterInvocation;
@@ -63,6 +69,7 @@ import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
@@ -1070,6 +1077,55 @@ public class HttpSecurityBeanDefinitionParserTests {
getFilter(DefaultLoginPageGeneratingFilter.class);
}
@Test
public void openIDAndRememberMeWorkTogether() throws Exception {
setContext(
"<http>" +
" <intercept-url pattern='/**' access='ROLE_NOBODY'/>" +
" <openid-login />" +
" <remember-me />" +
"</http>" +
AUTH_PROVIDER_XML);
// Default login filter should be present since we haven't specified any login URLs
DefaultLoginPageGeneratingFilter loginFilter = getFilter(DefaultLoginPageGeneratingFilter.class);
OpenIDAuthenticationFilter openIDFilter = getFilter(OpenIDAuthenticationFilter.class);
openIDFilter.setConsumer(new OpenIDConsumer() {
public String beginConsumption(HttpServletRequest req, String claimedIdentity, String returnToUrl, String realm)
throws OpenIDConsumerException {
return "http://testopenid.com?openid.return_to=" + returnToUrl;
}
public OpenIDAuthenticationToken endConsumption(HttpServletRequest req) throws OpenIDConsumerException {
throw new UnsupportedOperationException();
}
});
Set<String> returnToUrlParameters = new HashSet<String>();
returnToUrlParameters.add(AbstractRememberMeServices.DEFAULT_PARAMETER);
openIDFilter.setReturnToUrlParameters(returnToUrlParameters);
assertNotNull(FieldUtils.getFieldValue(loginFilter, "openIDrememberMeParameter"));
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChainProxy fcp = (FilterChainProxy) appContext.getBean(BeanIds.FILTER_CHAIN_PROXY);
request.setServletPath("/something.html");
fcp.doFilter(request, response, new MockFilterChain());
assertTrue(response.getRedirectedUrl().endsWith("/spring_security_login"));
request.setServletPath("/spring_security_login");
request.setRequestURI("/spring_security_login");
response = new MockHttpServletResponse();
fcp.doFilter(request, response, new MockFilterChain());
assertTrue(response.getContentAsString().contains(AbstractRememberMeServices.DEFAULT_PARAMETER));
request.setRequestURI("/j_spring_openid_security_check");
request.setParameter(OpenIDAuthenticationFilter.DEFAULT_CLAIMED_IDENTITY_FIELD, "http://hey.openid.com/");
request.setParameter(AbstractRememberMeServices.DEFAULT_PARAMETER, "on");
response = new MockHttpServletResponse();
fcp.doFilter(request, response, new MockFilterChain());
String expectedReturnTo = request.getRequestURL().append("?")
.append(AbstractRememberMeServices.DEFAULT_PARAMETER)
.append("=").append("on").toString();
assertEquals("http://testopenid.com?openid.return_to=" + expectedReturnTo, response.getRedirectedUrl());
}
@Test
public void formLoginEntryPointTakesPrecedenceIfLoginUrlIsSet() throws Exception {
setContext(