diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.groovy deleted file mode 100644 index c10ce19665..0000000000 --- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.groovy +++ /dev/null @@ -1,156 +0,0 @@ -/* - * Copyright 2002-2013 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.springframework.security.config.annotation.web.configurers; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.mock.web.MockFilterChain; -import org.springframework.mock.web.MockHttpServletRequest; -import org.springframework.mock.web.MockHttpServletResponse; -import org.springframework.security.config.annotation.BaseSpringSpec; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.BaseWebConfig; -import org.springframework.security.core.AuthenticationException; -import org.springframework.security.web.AuthenticationEntryPoint; -import org.springframework.security.web.FilterChainProxy; -import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; -import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; - -/** - * Tests to verify that all the functionality of attributes is present - * - * @author Rob Winch - * - */ -public class NamespaceHttpBasicTests extends BaseSpringSpec { - - def "http/http-basic"() { - setup: - loadConfig(HttpBasicConfig) - when: - springSecurityFilterChain.doFilter(request,response,chain) - then: - response.status == HttpServletResponse.SC_UNAUTHORIZED - when: "fail to log in" - super.setup() - basicLogin("user","invalid") - springSecurityFilterChain.doFilter(request,response,chain) - then: "unauthorized" - response.status == HttpServletResponse.SC_UNAUTHORIZED - response.getHeader("WWW-Authenticate") == 'Basic realm="Realm"' - when: "login success" - super.setup() - basicLogin() - then: "sent to default succes page" - !response.committed - } - - @Configuration - static class HttpBasicConfig extends BaseWebConfig { - protected void configure(HttpSecurity http) { - http - .authorizeRequests() - .anyRequest().hasRole("USER") - .and() - .httpBasic(); - } - } - - def "http@realm"() { - setup: - loadConfig(CustomHttpBasicConfig) - when: - basicLogin("user","invalid") - springSecurityFilterChain.doFilter(request,response,chain) - then: "unauthorized" - response.status == HttpServletResponse.SC_UNAUTHORIZED - response.getHeader("WWW-Authenticate") == 'Basic realm="Custom Realm"' - } - - @Configuration - static class CustomHttpBasicConfig extends BaseWebConfig { - protected void configure(HttpSecurity http) { - http - .authorizeRequests() - .anyRequest().hasRole("USER") - .and() - .httpBasic().realmName("Custom Realm"); - } - } - - def "http-basic@authentication-details-source-ref"() { - when: - loadConfig(AuthenticationDetailsSourceHttpBasicConfig) - then: - findFilter(BasicAuthenticationFilter).authenticationDetailsSource.class == CustomAuthenticationDetailsSource - } - - @Configuration - static class AuthenticationDetailsSourceHttpBasicConfig extends BaseWebConfig { - protected void configure(HttpSecurity http) { - http - .httpBasic() - .authenticationDetailsSource(new CustomAuthenticationDetailsSource()) - } - } - - static class CustomAuthenticationDetailsSource extends WebAuthenticationDetailsSource {} - - def "http-basic@entry-point-ref"() { - setup: - loadConfig(EntryPointRefHttpBasicConfig) - when: - springSecurityFilterChain.doFilter(request,response,chain) - then: - response.status == HttpServletResponse.SC_INTERNAL_SERVER_ERROR - when: "fail to log in" - super.setup() - basicLogin("user","invalid") - springSecurityFilterChain.doFilter(request,response,chain) - then: "custom" - response.status == HttpServletResponse.SC_INTERNAL_SERVER_ERROR - when: "login success" - super.setup() - basicLogin() - springSecurityFilterChain.doFilter(request,response,chain) - then: "sent to default succes page" - !response.committed - } - - @Configuration - static class EntryPointRefHttpBasicConfig extends BaseWebConfig { - protected void configure(HttpSecurity http) { - http - .authorizeRequests() - .anyRequest().hasRole("USER") - .and() - .httpBasic() - .authenticationEntryPoint(new AuthenticationEntryPoint() { - public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) { - response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR) - } - }) - } - } - - def basicLogin(String username="user",String password="password") { - def credentials = username + ":" + password - request.addHeader("Authorization", "Basic " + credentials.bytes.encodeBase64()) - } -} diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java new file mode 100644 index 0000000000..8b2882df9f --- /dev/null +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java @@ -0,0 +1,198 @@ +/* + * Copyright 2002-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.security.config.annotation.web.configurers; + +import javax.servlet.http.HttpServletRequest; + +import org.apache.http.HttpHeaders; +import org.junit.Rule; +import org.junit.Test; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.authentication.AuthenticationDetailsSource; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.test.SpringTestRule; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.AuthenticationEntryPoint; +import org.springframework.test.web.servlet.MockMvc; + +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verify; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +/** + * Tests to verify that all the functionality of attributes is present + * + * @author Rob Winch + * @author Josh Cummings + */ +public class NamespaceHttpBasicTests { + + @Rule + public final SpringTestRule spring = new SpringTestRule(); + + @Autowired + MockMvc mvc; + + /** + * http/http-basic equivalent + */ + @Test + public void basicAuthenticationWhenUsingDefaultsThenMatchesNamespace() throws Exception { + this.spring.register(HttpBasicConfig.class, UserConfig.class).autowire(); + + this.mvc.perform(get("/")) + .andExpect(status().isUnauthorized()); + + this.mvc.perform(get("/") + .with(httpBasic("user", "invalid"))) + .andExpect(status().isUnauthorized()) + .andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"Realm\"")); + + this.mvc.perform(get("/") + .with(httpBasic("user", "password"))) + .andExpect(status().isNotFound()); + } + + @Configuration + static class UserConfig { + @Bean + public UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager( + User.withDefaultPasswordEncoder() + .username("user") + .password("password") + .roles("USER") + .build() + ); + } + } + + @EnableWebSecurity + static class HttpBasicConfig extends WebSecurityConfigurerAdapter { + protected void configure(HttpSecurity http) throws Exception { + http + .authorizeRequests() + .anyRequest().hasRole("USER") + .and() + .httpBasic(); + } + } + + /** + * http@realm equivalent + */ + @Test + public void basicAuthenticationWhenUsingCustomRealmThenMatchesNamespace() throws Exception { + this.spring.register(CustomHttpBasicConfig.class, UserConfig.class).autowire(); + + this.mvc.perform(get("/") + .with(httpBasic("user", "invalid"))) + .andExpect(status().isUnauthorized()) + .andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"Custom Realm\"")); + } + + @EnableWebSecurity + static class CustomHttpBasicConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .authorizeRequests() + .anyRequest().hasRole("USER") + .and() + .httpBasic().realmName("Custom Realm"); + } + } + + /** + * http/http-basic@authentication-details-source-ref equivalent + */ + @Test + public void basicAuthenticationWhenUsingAuthenticationDetailsSourceRefThenMatchesNamespace() throws Exception { + this.spring.register(AuthenticationDetailsSourceHttpBasicConfig.class, UserConfig.class).autowire(); + + AuthenticationDetailsSource source = + this.spring.getContext().getBean(AuthenticationDetailsSource.class); + + this.mvc.perform(get("/") + .with(httpBasic("user", "password"))); + + verify(source).buildDetails(any(HttpServletRequest.class)); + } + + @EnableWebSecurity + static class AuthenticationDetailsSourceHttpBasicConfig extends WebSecurityConfigurerAdapter { + AuthenticationDetailsSource authenticationDetailsSource = + mock(AuthenticationDetailsSource.class); + + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .httpBasic() + .authenticationDetailsSource(this.authenticationDetailsSource); + } + + @Bean + AuthenticationDetailsSource authenticationDetailsSource() { + return this.authenticationDetailsSource; + } + } + + /** + * http/http-basic@entry-point-ref + */ + @Test + public void basicAuthenticationWhenUsingEntryPointRefThenMatchesNamespace() throws Exception { + this.spring.register(EntryPointRefHttpBasicConfig.class, UserConfig.class).autowire(); + + this.mvc.perform(get("/")) + .andExpect(status().is(999)); + + this.mvc.perform(get("/") + .with(httpBasic("user", "invalid"))) + .andExpect(status().is(999)); + + this.mvc.perform(get("/") + .with(httpBasic("user", "password"))) + .andExpect(status().isNotFound()); + } + + @EnableWebSecurity + static class EntryPointRefHttpBasicConfig extends WebSecurityConfigurerAdapter { + AuthenticationEntryPoint authenticationEntryPoint = + (request, response, ex) -> response.setStatus(999); + + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .authorizeRequests() + .anyRequest().hasRole("USER") + .and() + .httpBasic() + .authenticationEntryPoint(this.authenticationEntryPoint); + } + } +}