@Test
public void getWhenUsingCustomExpressionHandlerThenAuthorizesAccordingly() throws Exception {
	// The "ExpressionHandler" configuration exposes a PermissionEvaluator bean; it is a mock
	// here, forced to deny every permission check so the outcome is unambiguous.
	this.spring.configLocations(this.xml("ExpressionHandler")).autowire();
	PermissionEvaluator evaluator = this.spring.getContext().getBean(PermissionEvaluator.class);
	when(evaluator.hasPermission(any(Authentication.class), any(Object.class), any(Object.class)))
			.thenReturn(false);
	// A correctly authenticated request must still be rejected with 403 ...
	this.mvc.perform(get("/").with(httpBasic("user", "password")))
			.andExpect(status().isForbidden());
	// ... and the decision must actually have been routed through the custom evaluator.
	verify(evaluator).hasPermission(any(Authentication.class), any(Object.class), any(Object.class));
}
@Test
public void requestWhenRealmNameConfiguredThenUsesOnAccessDenied() throws Exception {
	this.spring.register(RealmNameConfiguredOnAccessDeniedHandler.class, JwtDecoderConfig.class).autowire();
	// The decoder is a mock: any bearer string decodes to the shared JWT fixture, so the
	// token below is syntactically irrelevant and only its (missing) scope matters.
	JwtDecoder jwtDecoder = this.spring.getContext().getBean(JwtDecoder.class);
	when(jwtDecoder.decode(anyString())).thenReturn(JWT);
	// Access denied must produce a Bearer challenge that carries the configured realm name,
	// proving the realm-aware access-denied handler was the one invoked.
	this.mvc.perform(get("/authenticated").with(bearerToken("insufficiently_scoped")))
			.andExpect(status().isForbidden())
			.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, startsWith("Bearer realm=\"myRealm\"")));
}
@Test
public void invalidWhenCsrfElementEnabledThenForbidden() throws Exception {
	this.spring.configLocations(this.xml("CsrfEnabled")).autowire();
	// A non-standard HTTP method is not in the safe-method set, so CSRF protection must
	// reject it (403) while still issuing a token for a subsequent legitimate request.
	this.mvc.perform(request("INVALID", new URI("/csrf")))
			.andExpect(status().isForbidden())
			.andExpect(csrfCreated());
}
@Test
public void getWhenUsingCustomAccessDecisionManagerThenAuthorizesAccordingly() throws Exception {
	this.spring.configLocations(this.xml("CustomAccessDecisionManager")).autowire();
	// Even a path named "/unprotected" is denied here: the custom AccessDecisionManager
	// from the configuration, not the URL pattern, decides the outcome.
	this.mvc.perform(get("/unprotected").with(httpBasic("user", "password")))
			.andExpect(status().isForbidden());
}
@Test
public void putWhenCsrfElementEnabledThenForbidden() throws Exception {
	this.spring.configLocations(this.xml("CsrfEnabled")).autowire();
	// PUT is state-changing; without a CSRF token it must be rejected, and a token
	// must still be created for the client to use next time.
	this.mvc.perform(put("/csrf"))
			.andExpect(status().isForbidden())
			.andExpect(csrfCreated());
}
@Test
public void patchWhenDefaultConfigurationThenForbiddenSinceCsrfIsEnabled() throws Exception {
	// "AutoConfig" does not mention CSRF at all; the point is that protection is on by default.
	this.spring.configLocations(this.xml("AutoConfig")).autowire();
	this.mvc.perform(patch("/csrf"))
			.andExpect(status().isForbidden())
			.andExpect(csrfCreated());
}
@Test
public void postWhenCsrfElementEnabledThenForbidden() throws Exception {
	this.spring.configLocations(this.xml("CsrfEnabled")).autowire();
	// A POST without a CSRF token is rejected with 403, yet a token is still issued.
	this.mvc.perform(post("/csrf"))
			.andExpect(status().isForbidden())
			.andExpect(csrfCreated());
}
@Test
public void postWhenDefaultConfigurationThenForbiddenSinceCsrfIsEnabled() throws Exception {
	// No explicit <csrf> element in "AutoConfig": CSRF protection must still apply to POST.
	this.spring.configLocations(this.xml("AutoConfig")).autowire();
	this.mvc.perform(post("/csrf"))
			.andExpect(status().isForbidden())
			.andExpect(csrfCreated());
}
@Test
public void putWhenDefaultConfigurationThenForbiddenSinceCsrfIsEnabled() throws Exception {
	// No explicit <csrf> element in "AutoConfig": CSRF protection must still apply to PUT.
	this.spring.configLocations(this.xml("AutoConfig")).autowire();
	this.mvc.perform(put("/csrf"))
			.andExpect(status().isForbidden())
			.andExpect(csrfCreated());
}
@Test
public void deleteWhenDefaultConfigurationThenForbiddenSinceCsrfIsEnabled() throws Exception {
	// No explicit <csrf> element in "AutoConfig": CSRF protection must still apply to DELETE.
	this.spring.configLocations(this.xml("AutoConfig")).autowire();
	this.mvc.perform(delete("/csrf"))
			.andExpect(status().isForbidden())
			.andExpect(csrfCreated());
}
@Test
public void postWhenUsingDefaultsWithNoBearerTokenThenCsrfDenies() throws Exception {
	this.spring.register(JwkSetUriConfig.class).autowire();
	// With no bearer token the POST is stopped by CSRF, not by the resource server:
	// hence 403 and, crucially, no WWW-Authenticate challenge in the response.
	this.mvc.perform(post("/authenticated"))
			.andExpect(status().isForbidden())
			.andExpect(header().doesNotExist(HttpHeaders.WWW_AUTHENTICATE));
}
@Test
public void requestWhenIgnoringRequestMatchersThenAugmentedByConfiguredRequestMatcher() throws Exception {
	this.spring.register(IgnoringRequestMatchers.class, BasicController.class).autowire();
	// The configured request matcher still protects GET /path ...
	this.mvc.perform(get("/path"))
			.andExpect(status().isForbidden());
	// ... while the ignoring matcher lets POST /path through without a token.
	this.mvc.perform(post("/path"))
			.andExpect(status().isOk());
}
@Test
public void loadConfigWhenDefaultSecurityExpressionHandlerThenBeanResolverSet() throws Exception {
	this.spring.register(DefaultExpressionHandlerSetsBeanResolverConfig.class).autowire();
	// GET is allowed and POST is denied; the split shows the expression handler could
	// resolve the bean its access expression refers to.
	this.mockMvc.perform(get("/")).andExpect(status().isOk());
	this.mockMvc.perform(post("/")).andExpect(status().isForbidden());
}
@Test
@WithMockUser(roles = "ANYTHING")
public void getWhenAccessDeniedOverriddenThenCustomizesResponseByRequest() throws Exception {
	this.spring.register(RequestMatcherBasedAccessDeniedHandlerConfig.class).autowire();
	// The mock user holds a role that grants nothing, so both requests are denied; the
	// per-request access-denied handler answers /hello with 418 and everything else with 403.
	this.mvc.perform(get("/hello"))
			.andExpect(status().isIAmATeapot());
	this.mvc.perform(get("/goodbye"))
			.andExpect(status().isForbidden());
}
@Test
public void getWhenUsingMethodSecurityWithInsufficientScpThenInsufficientScopeError() throws Exception {
	this.spring.register(RestOperationsConfig.class, MethodSecurityConfig.class, BasicController.class).autowire();
	mockRestOperations(jwks("Default"));
	// The token carries only message:write via the "scp" claim; the endpoint requires
	// message:read, so method security must answer 403 and echo the scopes it did find.
	String writeOnlyToken = this.token("ValidMessageWriteScp");
	this.mvc.perform(get("/ms-requires-read-scope").with(bearerToken(writeOnlyToken)))
			.andExpect(status().isForbidden())
			.andExpect(insufficientScopeHeader("message:write"));
}
@Test
public void getWhenUsingMethodSecurityWithInsufficientScopeThenInsufficientScopeError() throws Exception {
	this.spring.register(RestOperationsConfig.class, MethodSecurityConfig.class, BasicController.class).autowire();
	mockRestOperations(jwks("Default"));
	// A token with no scopes at all: still 403, and the insufficient-scope header lists
	// an empty scope set rather than being omitted.
	String scopelessToken = this.token("ValidNoScopes");
	this.mvc.perform(get("/ms-requires-read-scope").with(bearerToken(scopelessToken)))
			.andExpect(status().isForbidden())
			.andExpect(insufficientScopeHeader(""));
}
@Test
public void getWhenUsingMethodSecurityWithDenyAllThenInsufficientScopeError() throws Exception {
	this.spring.register(RestOperationsConfig.class, MethodSecurityConfig.class, BasicController.class).autowire();
	mockRestOperations(jwks("Default"));
	// /ms-deny rejects everyone regardless of scope; the response must still report the
	// scope the token actually carried (message:read) in the insufficient-scope header.
	String readScopedToken = this.token("ValidMessageReadScope");
	this.mvc.perform(get("/ms-deny").with(bearerToken(readScopedToken)))
			.andExpect(status().isForbidden())
			.andExpect(insufficientScopeHeader("message:read"));
}
@Test
public void getWhenUsingTwoIdenticalInterceptUrlsThenTheSecondTakesPrecedence() throws Exception {
	// "Sec934" declares the same <intercept-url> pattern twice with different access rules.
	this.spring.configLocations(this.xml("Sec934")).autowire();
	// The later declaration wins: "user" gets in while "admin" is rejected.
	this.mvc.perform(get("/protected").with(httpBasic("user", "password")))
			.andExpect(status().isOk());
	this.mvc.perform(get("/protected").with(httpBasic("admin", "password")))
			.andExpect(status().isForbidden());
}
@Test
public void requestWhenUsingHasAnyRoleThenAuthorizesRequestsAccordingly() throws Exception {
	this.spring.configLocations(this.xml("HasAnyRole")).autowire();
	// The hasAnyRole expression admits "user" but not "admin" for /path.
	this.mvc.perform(get("/path").with(httpBasic("user", "password")))
			.andExpect(status().isOk());
	this.mvc.perform(get("/path").with(httpBasic("admin", "password")))
			.andExpect(status().isForbidden());
}
@Test
public void requestWhenIgnoringRequestMatcherThenUnionsWithConfiguredIgnoringAntMatchers() throws Exception {
	this.spring.register(IgnoringPathsAndMatchers.class, BasicController.class).autowire();
	// PUT /csrf is covered by neither ignore rule, so CSRF still rejects it.
	this.mvc.perform(put("/csrf"))
			.andExpect(status().isForbidden());
	// POST /csrf and PUT /no-csrf each match one of the two ignore rules; the rules are
	// unioned, so both pass without a token.
	this.mvc.perform(post("/csrf"))
			.andExpect(status().isOk());
	this.mvc.perform(put("/no-csrf"))
			.andExpect(status().isOk());
}