RequestRejectedException is 400 by Default

Closes gh-7568
This commit is contained in:
Rob Winch
2022-05-12 10:32:13 -05:00
parent 0137f94f3b
commit f34ea188e2
3 changed files with 17 additions and 20 deletions

View File

@@ -33,8 +33,8 @@ import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.test.web.servlet.MockMvc;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* Tests to verify that all the functionality of <http-firewall> attributes is
@@ -52,24 +52,21 @@ public class NamespaceHttpFirewallTests {
MockMvc mvc;
@Test
public void requestWhenPathContainsDoubleDotsThenBehaviorMatchesNamespace() {
public void requestWhenPathContainsDoubleDotsThenBehaviorMatchesNamespace() throws Exception {
this.rule.register(HttpFirewallConfig.class).autowire();
assertThatExceptionOfType(RequestRejectedException.class)
.isThrownBy(() -> this.mvc.perform(get("/public/../private/")));
this.mvc.perform(get("/public/../private/")).andExpect(status().isBadRequest());
}
@Test
public void requestWithCustomFirewallThenBehaviorMatchesNamespace() {
public void requestWithCustomFirewallThenBehaviorMatchesNamespace() throws Exception {
this.rule.register(CustomHttpFirewallConfig.class).autowire();
assertThatExceptionOfType(RequestRejectedException.class)
.isThrownBy(() -> this.mvc.perform(get("/").param("deny", "true")));
this.mvc.perform(get("/").param("deny", "true")).andExpect(status().isBadRequest());
}
@Test
public void requestWithCustomFirewallBeanThenBehaviorMatchesNamespace() {
public void requestWithCustomFirewallBeanThenBehaviorMatchesNamespace() throws Exception {
this.rule.register(CustomHttpFirewallBeanConfig.class).autowire();
assertThatExceptionOfType(RequestRejectedException.class)
.isThrownBy(() -> this.mvc.perform(get("/").param("deny", "true")));
this.mvc.perform(get("/").param("deny", "true")).andExpect(status().isBadRequest());
}
@EnableWebSecurity