/**
 * When {@code ProxyTargetClassConfig} is active the secured service must be proxied by
 * class rather than through {@link MethodSecurityService}, and the class proxy must still
 * enforce the {@code preAuthorize()} rule for the mock user.
 */
@Test
@WithMockUser
public void methodSecurityWhenProxyTargetClassThenDoesNotWireToInterface() {
	this.spring.register(ProxyTargetClassConfig.class, MethodSecurityServiceConfig.class).autowire();
	// An interface proxy would implement MethodSecurityService directly; a class proxy does not,
	// which is how we confirm the service bean was proxied the intended way.
	Class<?>[] implementedInterfaces = this.service.getClass().getInterfaces();
	assertThat(implementedInterfaces).doesNotContain(MethodSecurityService.class);
	// The proxying strategy must not weaken enforcement: the call is still denied.
	assertThatThrownBy(this.service::preAuthorize).isInstanceOf(AccessDeniedException.class);
}
/**
 * A {@link PermissionEvaluator} bean present in the context must be the one consulted by
 * {@code hasPermission(...)} expressions: the mock's answers decide grant versus denial.
 */
@Test
@WithMockUser
public void globalMethodSecurityConfigurationAutowiresPermissionEvaluator() {
	this.spring.register(AutowirePermissionEvaluatorConfig.class).autowire();
	PermissionEvaluator evaluator = this.spring.getContext().getBean(PermissionEvaluator.class);
	// First invocation is granted, second is denied, so a pass proves the decision
	// really comes from this evaluator and not from some default.
	when(evaluator.hasPermission(any(), eq("something"), eq("read"))).thenReturn(true, false);
	// granted: completes without throwing
	this.service.hasPermission("something");
	// denied on the second call
	assertThatThrownBy(() -> this.service.hasPermission("something"))
			.isInstanceOf(AccessDeniedException.class);
}
/**
 * With a custom {@code MethodSecurityMetadataSource} every annotation style the service
 * exposes ({@code @PreAuthorize}, {@code @Secured}, JSR-250) must still be denied for the
 * default mock user.
 */
@Test
@WithMockUser
public void methodSecurityWhenCustomMethodSecurityMetadataSourceThenAuthorizes() {
	this.spring.register(CustomMethodSecurityMetadataSourceConfig.class, MethodSecurityServiceConfig.class)
			.autowire();
	assertThatThrownBy(this.service::preAuthorize).isInstanceOf(AccessDeniedException.class);
	assertThatThrownBy(this.service::secured).isInstanceOf(AccessDeniedException.class);
	assertThatThrownBy(this.service::jsr250).isInstanceOf(AccessDeniedException.class);
}
/**
 * Supplying a custom {@code AccessDecisionManager} must keep {@code preAuthorize()} and
 * {@code secured()} denied for the default mock user.
 */
@Test
@WithMockUser
public void methodSecurityWhenCustomAccessDecisionManagerThenAuthorizes() {
	this.spring.register(CustomAccessDecisionManagerConfig.class, MethodSecurityServiceConfig.class)
			.autowire();
	// both annotation styles must go through the custom manager and be rejected
	assertThatThrownBy(this.service::preAuthorize).isInstanceOf(AccessDeniedException.class);
	assertThatThrownBy(this.service::secured).isInstanceOf(AccessDeniedException.class);
}
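/**
 * A custom {@code RunAsManager} must replace the caller's authentication for the duration of
 * {@code runAs()}: the authorities returned from inside the call must include the
 * elevated {@code ROLE_RUN_AS_SUPER} authority.
 */
@Test
@WithMockUser
public void methodSecurityWhenCustomRunAsManagerThenRunAsWrapsAuthentication() {
	this.spring.register(CustomRunAsManagerConfig.class, MethodSecurityServiceConfig.class).autowire();
	// Consistent with the other tests in this class, access the field through 'this'.
	assertThat(this.service.runAs().getAuthorities())
			.anyMatch((granted) -> "ROLE_RUN_AS_SUPER".equals(granted.getAuthority()));
}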
/**
 * When no order is given, the {@code metaDataSourceAdvisor} bean must be registered at
 * {@link Ordered#LOWEST_PRECEDENCE}.
 */
@Test
@WithMockUser
public void methodSecurityWhenOrderUnspecifiedThenConfiguredToLowestPrecedence() {
	this.spring.register(DefaultOrderConfig.class, MethodSecurityServiceConfig.class).autowire();
	MethodSecurityMetadataSourceAdvisor advisor = this.spring.getContext()
			.getBean("metaDataSourceAdvisor", MethodSecurityMetadataSourceAdvisor.class);
	assertThat(advisor.getOrder()).isEqualTo(Ordered.LOWEST_PRECEDENCE);
	// With the advisor last, jsr250() surfaces an UnsupportedOperationException rather than
	// an access denial — presumably another advice runs first under DefaultOrderConfig; confirm there.
	assertThatThrownBy(this.service::jsr250).isInstanceOf(UnsupportedOperationException.class);
}
/**
 * An explicit order on the configuration must be applied to the {@code metaDataSourceAdvisor}
 * bean, and with that order the security advice runs first so {@code jsr250()} is denied.
 */
@Test
@WithMockUser
public void methodSecurityWhenOrderSpecifiedThenConfigured() {
	this.spring.register(CustomOrderConfig.class, MethodSecurityServiceConfig.class).autowire();
	MethodSecurityMetadataSourceAdvisor advisor = this.spring.getContext()
			.getBean("metaDataSourceAdvisor", MethodSecurityMetadataSourceAdvisor.class);
	// -135 is the value CustomOrderConfig declares (see that config)
	assertThat(advisor.getOrder()).isEqualTo(-135);
	assertThatThrownBy(this.service::jsr250).isInstanceOf(AccessDeniedException.class);
}
/**
 * {@code @EnableGlobalMethodSecurity} declared on a parent configuration class must still
 * take effect when only the child ({@code ChildConfig}) is registered.
 */
@Test
@WithMockUser
public void enableGlobalMethodSecurityWorksOnSuperclass() {
	this.spring.register(ChildConfig.class).autowire();
	// if the annotation were ignored on the superclass the call would succeed silently
	assertThatThrownBy(this.service::preAuthorize).isInstanceOf(AccessDeniedException.class);
}
/**
 * A custom {@code AfterInvocationManager} must be consulted after the method body runs:
 * {@code preAuthorizePermitAll()} passes the pre-check but the after-invocation decision
 * turns it into an access denial.
 */
@Test
@WithMockUser
public void methodSecurityWhenCustomAfterInvocationManagerThenAuthorizes() {
	this.spring.register(CustomAfterInvocationManagerConfig.class, MethodSecurityServiceConfig.class)
			.autowire();
	assertThatThrownBy(this.service::preAuthorizePermitAll).isInstanceOf(AccessDeniedException.class);
}
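/**
 * The default expression handler must have a bean resolver, so an {@code @PreAuthorize}
 * expression that references the {@code Authz} bean is evaluated against it: the call is
 * denied when the bean answers {@code false} and allowed when it answers {@code true}.
 */
@Test
@WithMockUser
public void defaultWebSecurityExpressionHandlerHasBeanResolverSet() {
	this.spring.register(ExpressionHandlerHasBeanResolverSetConfig.class).autowire();
	// The Authz bean is what the SpEL expression resolves; make its presence an explicit
	// assertion instead of an unused local whose only effect was the implicit lookup.
	assertThat(this.spring.getContext().getBean(Authz.class)).isNotNull();
	assertThatThrownBy(() -> this.service.preAuthorizeBean(false))
			.isInstanceOf(AccessDeniedException.class);
	// granted: completes without throwing
	this.service.preAuthorizeBean(true);
}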
/**
 * A {@code @PreAuthorize} expression delegating to a bean ({@code PreAuthorizeBeanSpelConfig})
 * must deny when the bean returns {@code false} and allow when it returns {@code true}.
 */
@Test
@WithMockUser
public void preAuthorizeBeanSpel() {
	this.spring.register(PreAuthorizeBeanSpelConfig.class).autowire();
	assertThatThrownBy(() -> this.service.preAuthorizeBean(false))
			.isInstanceOf(AccessDeniedException.class);
	// granted path: no exception expected
	this.service.preAuthorizeBean(true);
}
/**
 * With {@code RoleHierarchyConfig} the mock user is denied {@code preAuthorize()} but allowed
 * {@code preAuthorizeAdmin()}, showing the hierarchy is consulted when evaluating roles.
 */
@Test
@WithMockUser
public void roleHierarchy() {
	this.spring.register(RoleHierarchyConfig.class).autowire();
	assertThatThrownBy(this.service::preAuthorize).isInstanceOf(AccessDeniedException.class);
	// granted through the configured hierarchy: no exception expected
	this.service.preAuthorizeAdmin();
}
/**
 * With an empty role prefix configured ({@code EmptyRolePrefixGrantedAuthorityConfig}) the
 * user's bare {@code USER} authority is not enough for the default service's
 * {@code securedUser()}, but it does satisfy the config's own
 * {@code CustomAuthorityService.emptyPrefixRoleUser()}.
 */
@Test
@WithMockUser(authorities = "USER")
public void grantedAuthorityDefaultsWithEmptyRolePrefix() {
	this.spring.register(EmptyRolePrefixGrantedAuthorityConfig.class).autowire();
	EmptyRolePrefixGrantedAuthorityConfig.CustomAuthorityService prefixlessService = this.spring
			.getContext()
			.getBean(EmptyRolePrefixGrantedAuthorityConfig.CustomAuthorityService.class);
	assertThatThrownBy(this.service::securedUser).isInstanceOf(AccessDeniedException.class);
	// granted: completes without throwing
	prefixlessService.emptyPrefixRoleUser();
}
/**
 * A custom expression handler declared in the {@code CustomExpressionHandlerConfig} XML must be
 * applied to message authorization: sending to {@code /denyNile} as user {@code nile} fails
 * with an {@link AccessDeniedException} as the cause.
 */
@Test
@WithMockUser(username = "nile")
public void sendWhenCustomExpressionHandlerThenAuthorizesAccordingly() {
	this.spring.configLocations(xml("CustomExpressionHandlerConfig")).autowire();
	Message<?> denied = message("/denyNile");
	// the messaging layer wraps the security exception, hence hasCauseInstanceOf
	assertThatThrownBy(send(denied)).hasCauseInstanceOf(AccessDeniedException.class);
}
/**
 * With only pre/post annotations enabled ({@code PreAuthorizeConfig}), {@code @Secured} and
 * JSR-250 methods are not intercepted at all, while {@code @PreAuthorize} is enforced.
 */
@Test
@WithMockUser
public void methodSecurityWhenPrePostEnabledThenPreAuthorizes() {
	this.spring.register(PreAuthorizeConfig.class, MethodSecurityServiceConfig.class).autowire();
	// not enforced under this configuration
	assertThatCode(this.service::secured).doesNotThrowAnyException();
	assertThatCode(this.service::jsr250).doesNotThrowAnyException();
	// enforced
	assertThatThrownBy(this.service::preAuthorize).isInstanceOf(AccessDeniedException.class);
}
/**
 * Importing a {@code GlobalMethodSecurityConfiguration} subclass ({@code ImportSubclassGMSCConfig})
 * must behave like the pre/post-only configuration: {@code secured()} and {@code jsr250()} are
 * not intercepted, {@code preAuthorize()} is denied.
 */
@Test
@WithMockUser
public void methodSecurityWhenImportingGlobalMethodSecurityConfigurationSubclassThenAuthorizes() {
	this.spring.register(ImportSubclassGMSCConfig.class, MethodSecurityServiceConfig.class).autowire();
	// not enforced under this configuration
	assertThatCode(this.service::secured).doesNotThrowAnyException();
	assertThatCode(this.service::jsr250).doesNotThrowAnyException();
	// enforced
	assertThatThrownBy(this.service::preAuthorize).isInstanceOf(AccessDeniedException.class);
}
/**
 * An authenticated mock user without the required authority must get {@code 403 Forbidden}
 * from {@code GET /message} (as opposed to {@code 401}, which would indicate no authentication).
 *
 * @throws Exception propagated from the test client
 */
@Test
@WithMockUser
public void messageWhenWithMockUserThenForbidden() throws Exception {
	this.rest.get()
			.uri("/message")
			.exchange()
			.expectStatus()
			.isEqualTo(HttpStatus.FORBIDDEN);
}
/**
 * When the role prefix is nulled out ({@code SecurityConfig}) a plain {@code CUSTOM} authority
 * must satisfy both the JSR-250 and the {@code @PreAuthorize} protected methods without any
 * {@code ROLE_} prefix being required.
 */
@Test
@WithMockUser(authorities = "CUSTOM")
public void methodSecurityWhenNullifyingRolePrefixThenPassivityRestored() {
	this.spring.register(SecurityConfig.class).autowire();
	assertThatCode(this.service::doJsr250).doesNotThrowAnyException();
	assertThatCode(this.service::doPreAuthorize).doesNotThrowAnyException();
}
/**
 * SEC-2926: Role Prefix is set.
 *
 * Under the default ({@code Simple}) XML configuration, {@code HttpServletRequest.isUserInRole}
 * must report {@code true} for the mock user, i.e. the default role prefix is applied when
 * the servlet role check is translated to an authority.
 *
 * @throws Exception propagated from MockMvc
 */
@Test
@WithMockUser
public void servletIsUserInRoleWhenUsingDefaultConfigThenRoleIsSet() throws Exception {
	this.spring.configLocations(this.xml("Simple")).autowire();
	// the /role endpoint is expected to render the isUserInRole result as a plain string
	this.mvc.perform(get("/role"))
			.andExpect(content().string("true"));
}
/**
 * {@code @AuthenticationPrincipal} with a SpEL expression must resolve against the mock user:
 * {@code GET /spel} responds {@code 200} with the body {@code "user"}.
 */
@Test
@WithMockUser
public void authenticationPrincipalArgumentResolverWhenSpelThenWorks() {
	this.spring.register(AuthenticationPrincipalConfig.class).autowire();
	WebTestClient webClient = WebTestClient.bindToApplicationContext(this.spring.getContext()).build();
	webClient.get()
			.uri("/spel")
			.exchange()
			.expectStatus()
			.isOk()
			.expectBody(String.class)
			.isEqualTo("user");
}