GH-1034 Add security tests

Oleg Zhurakousky
2023-05-10 08:31:12 +02:00
parent 05685c647c
commit 49a8b45979
3 changed files with 40 additions and 37 deletions


@@ -53,6 +53,15 @@ public class RequestResponseTests {
this.mvc.stop();
}
@Test
public void validateAccessDeniedWithCustomHandler() throws Exception {
HttpServletRequest request = new ProxyHttpServletRequest(null, "GET", "/foo");
ProxyHttpServletResponse response = new ProxyHttpServletResponse();
mvc.service(request, response);
assertThat(response.getErrorMessage()).isEqualTo("Can't touch this");
assertThat(response.getStatus()).isEqualTo(403);
}
@Test
public void validateGetListOfPojos() throws Exception {
HttpServletRequest request = new ProxyHttpServletRequest(null, "GET", "/pets");
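Review bot: validateAccessDeniedWithCustomHandler asserts the 403 and the handler's message but never states why `/foo` is denied, so a reader cannot tell whether it covers the authorization rule or merely a missing login; the app config on this page grants only USER through its test filter while `/foo` requires FOO, so a comment such as `// /foo requires the FOO authority; the test filter only grants USER, so the custom AccessDeniedHandler must produce this 403` would pin the intent. A passing 403 here depends on that filter actually populating a SecurityContext — without one, an unauthenticated request would presumably be routed to the authentication entry point rather than the AccessDeniedHandler, which is worth saying in the test. RequestResponseTests continues outside the hunk.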


@@ -17,32 +17,29 @@
package org.springframework.cloud.function.test.app;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.context.SecurityContextHolderFilter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.web.filter.GenericFilterBean;
import org.springframework.web.servlet.HandlerAdapter;
import org.springframework.web.servlet.HandlerMapping;
@@ -73,33 +70,10 @@ public class PetStoreSpringAppConfig {
return new RequestMappingHandlerAdapter();
}
@Bean
public BeanPostProcessor post() {
return new BeanPostProcessor() {
@Override
public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
if (beanName.equals("securityFilterChain")) {
DefaultSecurityFilterChain chain = (DefaultSecurityFilterChain) bean;
ArrayList<Filter> filters = new ArrayList<>();
chain.getFilters().forEach(f -> {
if (!(f instanceof CsrfFilter)) {
filters.add(f);
}
});
bean = new DefaultSecurityFilterChain(chain.getRequestMatcher(), filters);
}
//System.out.println(beanName);
return bean;
}
};
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
http.csrf().disable() // need for POST
.addFilterBefore(new GenericFilterBean() {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
@@ -112,22 +86,24 @@ public class PetStoreSpringAppConfig {
}
}, SecurityContextHolderFilter.class)
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/", "/pets", "/pets/").permitAll()
.requestMatchers("/", "/pets", "/pets/").hasAnyAuthority("USER")
.requestMatchers("/foo").hasAnyAuthority("FOO")
.anyRequest().authenticated()
)
.exceptionHandling().accessDeniedHandler(accessDeniedHandler()).and()
.logout((logout) -> logout.permitAll());
return http.build();
}
@Bean
public Filter filter() {
return new Filter() {
public AccessDeniedHandler accessDeniedHandler() {
return new AccessDeniedHandler() {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
System.out.println("FILTER ===> Hello from: " + request.getLocalAddr());
chain.doFilter(request, response);
public void handle(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException accessDeniedException) throws IOException, ServletException {
response.sendError(403, "Can't touch this");
}
};
}
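Review bot: `response.sendError(403, "Can't touch this")` in the new accessDeniedHandler hard-codes the status although the handler's own signature already uses the jakarta type that carries the constant: `response.sendError(HttpServletResponse.SC_FORBIDDEN, "Can't touch this");`. The chain also mixes the lambda DSL (`authorizeHttpRequests`, `logout`) with the chained `csrf().disable()` / `exceptionHandling()...and()` style; the `Customizer` overloads `http.csrf(csrf -> csrf.disable())` and `.exceptionHandling(ex -> ex.accessDeniedHandler(accessDeniedHandler()))` keep one style and drop the `.and()`. `hasAnyAuthority("USER")` with a single value reads more clearly as `hasAuthority("USER")`. With the BeanPostProcessor that stripped CsrfFilter gone, the import hunk removes only three lines, so `BeanPostProcessor`, `BeansException`, `DefaultSecurityFilterChain`, `CsrfFilter` and `ArrayList` may now be unused — worth checking. The GenericFilterBean that seeds the security context starts in this section but its body lies outside the hunk; a comment on it such as `// test-only stand-in for authentication: grants USER so the authorization rules below can be exercised` would help, assuming that is what the hidden body does.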


@@ -16,11 +16,15 @@
package org.springframework.cloud.function.test.app;
import java.io.IOException;
import java.security.Principal;
import java.util.Optional;
import java.util.UUID;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -30,6 +34,10 @@ import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
@RestController
@EnableWebMvc
public class PetsController {
@@ -78,6 +86,16 @@ public class PetsController {
return newPet;
}
@RequestMapping(path = "/foo", method = RequestMethod.GET)
public Pet foo() {
Pet newPet = new Pet();
newPet.setId(UUID.randomUUID().toString());
newPet.setBreed(PetData.getRandomBreed());
newPet.setDateOfBirth(PetData.getRandomDoB());
newPet.setName(PetData.getRandomName());
return newPet;
}
@ResponseStatus(value = HttpStatus.NOT_FOUND, reason = "No such Dog") // 404
public class DogNotFoundException extends RuntimeException {
// ...
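Review bot: The imports added to PetsController (`IOException`, `AccessDeniedException`, `AccessDeniedHandler`, `ServletException`, `HttpServletRequest`, `HttpServletResponse`) are not used by the only new code in the class hunk, `foo()`; they look like leftovers from the handler that ended up in PetStoreSpringAppConfig, and unless the unshown part of the class uses them they should be dropped. `foo()` also deserves a comment stating its role, e.g. `// Guarded by hasAnyAuthority("FOO") in PetStoreSpringAppConfig; exists to exercise the AccessDeniedHandler`. If the preceding method builds its Pet the same way (only its `return newPet;` is visible), the five setter lines could move into a private `randomPet()` helper shared by both. PetsController continues outside the hunk.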