From ff95a34b1f605df925b87b60fde6613b309c024a Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Wed, 19 Nov 2014 11:25:07 -0600 Subject: [PATCH] SEC-2705: DefaultMessageSecurityExpressionHandler populates AuthenticationTrustResolver --- ...faultMessageSecurityExpressionHandler.java | 14 +++- ...MessageSecurityExpressionHandlerTests.java | 78 +++++++++++++++++++ 2 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java diff --git a/messaging/src/main/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandler.java b/messaging/src/main/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandler.java index b6c2818592..ee44c967b4 100644 --- a/messaging/src/main/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandler.java +++ b/messaging/src/main/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandler.java @@ -19,7 +19,10 @@ import org.springframework.messaging.Message; import org.springframework.security.access.expression.AbstractSecurityExpressionHandler; import org.springframework.security.access.expression.SecurityExpressionHandler; import org.springframework.security.access.expression.SecurityExpressionOperations; +import org.springframework.security.authentication.AuthenticationTrustResolver; +import org.springframework.security.authentication.AuthenticationTrustResolverImpl; import org.springframework.security.core.Authentication; +import org.springframework.util.Assert; /** * The default implementation of {@link SecurityExpressionHandler} which uses a {@link MessageSecurityExpressionRoot}. @@ -31,8 +34,17 @@ import org.springframework.security.core.Authentication; */ public class DefaultMessageSecurityExpressionHandler extends AbstractSecurityExpressionHandler> { + private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); + @Override protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, Message invocation) { - return new MessageSecurityExpressionRoot(authentication,invocation); + MessageSecurityExpressionRoot root = new MessageSecurityExpressionRoot(authentication,invocation); + root.setTrustResolver(trustResolver); + return root; + } + + public void setTrustResolver(AuthenticationTrustResolver trustResolver) { + Assert.notNull(trustResolver,"trustResolver cannot be null"); + this.trustResolver = trustResolver; } } diff --git a/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java b/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java new file mode 100644 index 0000000000..8cb3c19080 --- /dev/null +++ b/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java @@ -0,0 +1,78 @@ +/* + * Copyright 2002-2013 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.security.messaging.access.expression; + +import static org.fest.assertions.Assertions.*; +import static org.mockito.Mockito.*; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mock; +import org.mockito.runners.MockitoJUnitRunner; +import org.springframework.expression.EvaluationContext; +import org.springframework.expression.Expression; +import org.springframework.messaging.Message; +import org.springframework.messaging.support.GenericMessage; +import org.springframework.security.access.expression.ExpressionUtils; +import org.springframework.security.authentication.AnonymousAuthenticationToken; +import org.springframework.security.authentication.AuthenticationTrustResolver; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.authority.AuthorityUtils; + +@RunWith(MockitoJUnitRunner.class) +public class DefaultMessageSecurityExpressionHandlerTests { + @Mock + AuthenticationTrustResolver trustResolver; + + DefaultMessageSecurityExpressionHandler handler; + + Message message; + + Authentication authentication; + + @Before + public void setup() { + handler = new DefaultMessageSecurityExpressionHandler(); + + message = new GenericMessage(""); + authentication = new AnonymousAuthenticationToken("key", "anonymous", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")); + } + + // SEC-2705 + @Test + public void trustResolverPopulated() { + EvaluationContext context = handler.createEvaluationContext(authentication, message); + Expression expression = handler.getExpressionParser().parseExpression("authenticated"); + + assertThat(ExpressionUtils.evaluateAsBoolean(expression, context)).isFalse(); + } + + @Test(expected = IllegalArgumentException.class) + public void trustResolverNull() { + handler.setTrustResolver(null); + } + + @Test + public void trustResolverCustom() { + handler.setTrustResolver(trustResolver); + EvaluationContext context = handler.createEvaluationContext(authentication, message); + Expression expression = handler.getExpressionParser().parseExpression("authenticated"); + when(trustResolver.isAnonymous(authentication)).thenReturn(false); + + assertThat(ExpressionUtils.evaluateAsBoolean(expression, context)).isTrue(); + } +}