/**
 * Verifies that a custom expression handler's {@code PermissionEvaluator} is the component
 * that decides authorization, and that its denial is honored.
 * <p>
 * The evaluator bean is stubbed to deny every permission check, so an otherwise valid
 * Basic-authenticated request must be rejected with 403 (fail closed). The trailing
 * {@code verify} guards against a false positive: a 403 produced by some other rule would
 * not prove the custom evaluator is wired in.
 */
@Test
public void getWhenUsingCustomExpressionHandlerThenAuthorizesAccordingly() throws Exception {
	this.spring.configLocations(xml("ExpressionHandler")).autowire();
	PermissionEvaluator evaluator = this.spring.getContext().getBean(PermissionEvaluator.class);
	// Deny unconditionally: a 200 here would mean the custom evaluator was bypassed.
	when(evaluator.hasPermission(any(Authentication.class), any(Object.class), any(Object.class)))
			.thenReturn(false);
	this.mvc.perform(get("/").with(httpBasic("user", "password")))
			.andExpect(status().isForbidden());
	// The denial must have come from the stubbed evaluator.
	verify(evaluator).hasPermission(any(Authentication.class), any(Object.class), any(Object.class));
}
/**
 * Verifies that, with JAAS API provisioning enabled, the authenticated username is
 * available to the {@code /username} endpoint after a Basic login.
 * <p>
 * The {@code AuthorityGranter} bean is a stub that grants a single "USER" role to whatever
 * principal it is handed; the only assertion is that the username survives the JAAS round trip.
 */
@Test
public void loginWhenUsingJaasApiProvisionThenJaasSubjectContainsUsername() throws Exception {
	this.spring.configLocations(xml("Jaas")).autowire();
	AuthorityGranter authorityGranter = this.spring.getContext().getBean(AuthorityGranter.class);
	// Single fixed role, independent of which principal JAAS presents.
	HashSet<String> grantedRoles = new HashSet<>();
	grantedRoles.add("USER");
	when(authorityGranter.grant(any(Principal.class))).thenReturn(grantedRoles);
	this.mvc.perform(get("/username").with(httpBasic("user", "password")))
			.andExpect(content().string("user"));
}
/**
 * Java-config counterpart of {@code http/http-basic@authentication-details-source-ref}.
 * <p>
 * Asserts that a Basic-authenticated request is routed through the configured
 * {@code AuthenticationDetailsSource}. The response status is not asserted; the contract under
 * test is only that {@code buildDetails} was invoked with the incoming request.
 */
@Test
public void basicAuthenticationWhenUsingAuthenticationDetailsSourceRefThenMatchesNamespace() throws Exception {
	this.spring.register(AuthenticationDetailsSourceHttpBasicConfig.class, UserConfig.class).autowire();
	AuthenticationDetailsSource<HttpServletRequest, ?> detailsSource = this.spring.getContext()
			.getBean(AuthenticationDetailsSource.class);
	this.mvc.perform(get("/").with(httpBasic("user", "password")));
	// The custom details source must have been consulted for the authenticated request.
	verify(detailsSource).buildDetails(any(HttpServletRequest.class));
}
/**
 * Verifies {@code hasAnyRole} authorization on {@code /path}: "user" is accepted (200) while
 * "admin" is rejected (403) for the very same request. Which roles are listed for the path
 * is defined by the HasAnyRole config, not visible here.
 */
@Test
public void requestWhenUsingHasAnyRoleThenAuthorizesRequestsAccordingly() throws Exception {
	this.spring.configLocations(this.xml("HasAnyRole")).autowire();
	String protectedPath = "/path";
	this.mvc.perform(get(protectedPath).with(httpBasic("user", "password")))
			.andExpect(status().isOk());
	// Same path, different principal: must be denied, not silently allowed.
	this.mvc.perform(get(protectedPath).with(httpBasic("admin", "password")))
			.andExpect(status().isForbidden());
}
/**
 * SEC-934: two {@code intercept-url} entries with an identical pattern.
 * <p>
 * Expected outcome: the later entry governs {@code /protected} -- "user" is allowed and
 * "admin" is denied. The precise rules attached to each duplicate live in the Sec934 config,
 * which is not visible here.
 */
@Test
public void getWhenUsingTwoIdenticalInterceptUrlsThenTheSecondTakesPrecedence() throws Exception {
	this.spring.configLocations(xml("Sec934")).autowire();
	String duplicatedPattern = "/protected";
	this.mvc.perform(get(duplicatedPattern).with(httpBasic("user", "password")))
			.andExpect(status().isOk());
	// If the first entry had won instead, this expectation would fail.
	this.mvc.perform(get(duplicatedPattern).with(httpBasic("admin", "password")))
			.andExpect(status().isForbidden());
}
/**
 * SEC-2020: when {@code authentication-manager-ref} points at a manager configured to keep
 * credentials, the password is still present after login.
 * <p>
 * The test-only {@code /password} endpoint returns the credentials held after authentication
 * (presumably read from the security context), so the assertion is literally that the raw
 * password remains readable. This is the opposite of the default behaviour checked by the
 * erase-credentials tests; retaining credentials keeps the plaintext password reachable for as
 * long as the authentication object lives, so it should be an explicit opt-in.
 */
@Test
public void loginWhenAuthenticationManagerRefConfiguredToKeepCredentialsThenKeepsCredentialsAfterAuthentication()
		throws Exception {
	this.spring.configLocations(xml("AuthenticationManagerRefKeepCredentials")).autowire();
	String expectedPassword = "password";
	this.mvc.perform(get("/password").with(httpBasic("user", expectedPassword)))
			.andExpect(content().string(expectedPassword));
}
/**
 * Verifies that, when the context defines a {@code PasswordEncoder} bean, the namespace
 * configuration picks it up by default: a Basic login with the configured user succeeds.
 * The bean definition itself lives in {@code PasswordEncoderParserTests-bean.xml}.
 */
@Test
public void passwordEncoderDefaultsToPasswordEncoderBean() throws Exception {
	String config = "classpath:org/springframework/security/config/authentication/PasswordEncoderParserTests-bean.xml";
	this.spring.configLocations(config)
			.mockMvcAfterSpringSecurityOk()
			.autowire();
	this.mockMvc.perform(get("/").with(httpBasic("user", "password")))
			.andExpect(status().isOk());
}
/**
 * Verifies that a {@code PasswordEncoder} bean declared inline in the namespace context is used
 * for the {@code <user-service>} credentials.
 * <p>
 * The bean here is {@code NoOpPasswordEncoder}, chosen only so the test can declare the user
 * with a plaintext {@code password='password'}. It compares and stores passwords in the clear
 * and is unsuitable outside tests; the point of the test is the wiring, not the encoder.
 */
@Test
public void passwordEncoderBeanUsed() throws Exception {
	String encoderBean = "<b:bean id='passwordEncoder' class='org.springframework.security.crypto.password.NoOpPasswordEncoder' factory-method='getInstance'/>";
	String userService = "<user-service>"
			+ " <user name='user' password='password' authorities='ROLE_A,ROLE_B' />"
			+ "</user-service>";
	String http = "<http/>";
	this.spring.context(encoderBean + userService + http)
			.mockMvcAfterSpringSecurityOk()
			.autowire();
	this.mockMvc.perform(get("/").with(httpBasic("user", "password")))
			.andExpect(status().isOk());
}
/**
 * Verifies the default credential handling: after a Basic login the test-only
 * {@code /password} endpoint returns an empty body, i.e. the password is no longer held once
 * authentication has completed. This is the safe default that the keep-credentials tests
 * explicitly opt out of.
 */
@Test
public void loginWhenUsingDefaultsThenErasesCredentialsAfterAuthentication() throws Exception {
	this.spring.configLocations(xml("HttpBasic")).autowire();
	String erased = "";
	this.mvc.perform(get("/password").with(httpBasic("user", "password")))
			.andExpect(content().string(erased));
}
/**
 * Verifies credential handling when {@code authentication-manager-ref} points at a manager
 * that is not a {@code ProviderManager}: the test-only {@code /password} endpoint still returns
 * the raw password after login, i.e. credentials are not erased in this configuration.
 * The same caveat as for the keep-credentials test applies: the plaintext password stays
 * reachable after authentication.
 */
@Test
public void loginWhenAuthenticationManagerRefIsNotAProviderManagerThenKeepsCredentialsAccordingly() throws Exception {
	this.spring.configLocations(xml("AuthenticationManagerRefNotProviderManager")).autowire();
	String submittedPassword = "password";
	this.mvc.perform(get("/password").with(httpBasic("user", submittedPassword)))
			.andExpect(content().string(submittedPassword));
}
/**
 * Verifies that with no explicit encoder configured (see
 * {@code PasswordEncoderParserTests-default.xml}) a Basic login with the configured user still
 * succeeds, i.e. the default encoder handles the stored credential.
 */
@Test
public void passwordEncoderDefaultsToDelegatingPasswordEncoder() throws Exception {
	String config = "classpath:org/springframework/security/config/authentication/PasswordEncoderParserTests-default.xml";
	this.spring.configLocations(config)
			.mockMvcAfterSpringSecurityOk()
			.autowire();
	this.mockMvc.perform(get("/").with(httpBasic("user", "password")))
			.andExpect(status().isOk());
}
/**
 * Verifies that an authentication manager explicitly configured to erase credentials does
 * so: after a Basic login the test-only {@code /password} endpoint returns an empty body.
 */
@Test
public void loginWhenAuthenticationManagerConfiguredToEraseCredentialsThenErasesCredentialsAfterAuthentication()
		throws Exception {
	this.spring.configLocations(xml("AuthenticationManagerEraseCredentials")).autowire();
	String erased = "";
	this.mvc.perform(get("/password").with(httpBasic("user", "password")))
			.andExpect(content().string(erased));
}
/**
 * Verifies that a custom {@code AccessDecisionManager} is the one making authorization
 * decisions: the request to {@code /unprotected} is rejected with 403 despite the path name,
 * because the custom manager (defined in the CustomAccessDecisionManager config) denies it.
 */
@Test
public void getWhenUsingCustomAccessDecisionManagerThenAuthorizesAccordingly() throws Exception {
	this.spring.configLocations(xml("CustomAccessDecisionManager")).autowire();
	// Deliberately a path that sounds open: the custom manager's denial must still win.
	String path = "/unprotected";
	this.mvc.perform(get(path).with(httpBasic("user", "password")))
			.andExpect(status().isForbidden());
}
/**
 * Verifies that a custom {@code SessionAuthenticationStrategy} referenced from the
 * configuration is invoked on authentication. The strategy used by the
 * SessionAuthenticationStrategyRef config presumably produces the 418 status that the test
 * looks for; a default strategy would not.
 */
@Test
public void requestWhenCustomSessionAuthenticationStrategyThenInvokesOnAuthentication() throws Exception {
	this.spring.configLocations(this.xml("SessionAuthenticationStrategyRef")).autowire();
	this.mvc.perform(get("/auth").with(httpBasic("user", "password")))
			// 418 is used as a sentinel proving the custom strategy ran.
			.andExpect(status().isIAmATeapot());
}
/**
 * Java-config counterpart of {@code http@realm}.
 * <p>
 * A Basic request with a wrong password must be rejected with 401 and challenged with a
 * {@code WWW-Authenticate} header that carries the configured realm name, not the default.
 */
@Test
public void basicAuthenticationWhenUsingCustomRealmThenMatchesNamespace() throws Exception {
	this.spring.register(CustomHttpBasicConfig.class, UserConfig.class).autowire();
	String expectedChallenge = "Basic realm=\"Custom Realm\"";
	// Wrong credentials on purpose: the challenge is only issued when authentication fails.
	this.mvc.perform(get("/").with(httpBasic("user", "invalid")))
			.andExpect(status().isUnauthorized())
			.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, expectedChallenge));
}
/**
 * Verifies the default expired-session response under concurrency control: when the request
 * arrives with a session that has been marked expired, the response body is the standard
 * explanatory message rather than a redirect.
 */
@Test
public void requestWhenConcurrencyControlIsSetThenDefaultsToResponseBodyExpirationResponse() throws Exception {
	this.spring.configLocations(this.xml("ConcurrencyControlSessionRegistryAlias")).autowire();
	String expectedBody = "This session has been expired (possibly due to multiple concurrent logins being attempted as the same user).";
	this.mvc.perform(get("/auth")
			.session(this.expiredSession())
			.with(httpBasic("user", "password")))
			.andExpect(content().string(expectedBody));
}
/**
 * Verifies that with {@code session-fixation-protection="none"} the pre-authentication session
 * is kept as-is: the session id observed after a Basic login equals the id the request came
 * in with. This is the observable effect of opting out of fixation protection -- the session
 * identifier issued before login remains valid afterwards -- and is exercised here only to
 * confirm the setting is honoured.
 */
@Test
public void requestWhenSessionFixationProtectionIsNoneThenSessionNotInvalidated() throws Exception {
	this.spring.configLocations(this.xml("SessionFixationProtectionNone")).autowire();
	MockHttpSession preAuthSession = new MockHttpSession();
	String idBeforeLogin = preAuthSession.getId();
	this.mvc.perform(get("/auth")
			.session(preAuthSession)
			.with(httpBasic("user", "password")))
			// Unchanged id: no new session was created on authentication.
			.andExpect(session().id(idBeforeLogin));
}
/**
 * Verifies the {@code expired-url} branch of concurrency control: a request carrying an
 * expired session is redirected to {@code /expired} and the expired session is invalidated
 * rather than left in place.
 */
@Test
public void requestWhenExpiredUrlIsSetThenInvalidatesSessionAndRedirects() throws Exception {
	this.spring.configLocations(this.xml("ConcurrencyControlExpiredUrl")).autowire();
	String expiredUrl = "/expired";
	this.mvc.perform(get("/auth")
			.session(this.expiredSession())
			.with(httpBasic("user", "password")))
			.andExpect(redirectedUrl(expiredUrl))
			// The stale session must not survive the redirect.
			.andExpect(session().exists(false));
}
/**
 * Verifies that when both concurrency control and remember-me are configured, the remember-me
 * handler runs on session expiry: the response is 200, a {@code rememberMeCookie} is present
 * on the response, and the expired session is gone.
 */
@Test
public void requestWhenConcurrencyControlAndRememberMeAreSetThenInvokedWhenSessionExpires() throws Exception {
	this.spring.configLocations(this.xml("ConcurrencyControlRememberMeHandler")).autowire();
	String rememberMeCookieName = "rememberMeCookie";
	this.mvc.perform(get("/auth")
			.session(this.expiredSession())
			.with(httpBasic("user", "password")))
			.andExpect(status().isOk())
			.andExpect(cookie().exists(rememberMeCookieName))
			.andExpect(session().exists(false));
}
/**
 * Verifies that every configured logout handler runs when concurrency control expires a
 * session: the custom handler clears {@code testCookie} (max-age 0), the remember-me handler
 * sets {@code rememberMeCookie}, the response is 200 and the session reported by the request
 * is valid afterwards.
 */
@Test
public void requestWhenConcurrencyControlAndCustomLogoutHandlersAreSetThenAllAreInvokedWhenSessionExpires()
		throws Exception {
	this.spring.configLocations(this.xml("ConcurrencyControlLogoutAndRememberMeHandlers")).autowire();
	String clearedCookie = "testCookie";
	String rememberMeCookie = "rememberMeCookie";
	this.mvc.perform(get("/auth")
			.session(this.expiredSession())
			.with(httpBasic("user", "password")))
			.andExpect(status().isOk())
			// max-age 0 is how the custom handler tells the browser to drop the cookie.
			.andExpect(cookie().maxAge(clearedCookie, 0))
			.andExpect(cookie().exists(rememberMeCookie))
			.andExpect(session().valid(true));
}