/**
 * Checks the deny path when a custom method-security metadata source is registered.
 *
 * <p>Runs as the default {@code @WithMockUser} principal and expects
 * {@code preAuthorize()}, {@code secured()} and {@code jsr250()} to each be rejected
 * with {@code AccessDeniedException}.
 *
 * <p>NOTE(review): despite the "ThenAuthorizes" suffix, every assertion here is a
 * denial. Presumably the custom source attaches an attribute the mock user cannot
 * satisfy - confirm in {@code CustomMethodSecurityMetadataSourceConfig}.
 */
@Test
@WithMockUser
public void methodSecurityWhenCustomMethodSecurityMetadataSourceThenAuthorizes() {
    this.spring
            .register(CustomMethodSecurityMetadataSourceConfig.class, MethodSecurityServiceConfig.class)
            .autowire();

    // One assertion per service method, so a failure pinpoints which call was let through.
    assertThatThrownBy(() -> this.service.preAuthorize())
            .isInstanceOf(AccessDeniedException.class);
    assertThatThrownBy(() -> this.service.secured())
            .isInstanceOf(AccessDeniedException.class);
    assertThatThrownBy(() -> this.service.jsr250())
            .isInstanceOf(AccessDeniedException.class);
}
/**
 * Checks that a custom access decision manager still rejects the default mock user.
 *
 * <p>Both {@code preAuthorize()} and {@code secured()} must fail with
 * {@code AccessDeniedException}. {@code jsr250()} is not exercised by this test.
 */
@Test
@WithMockUser
public void methodSecurityWhenCustomAccessDecisionManagerThenAuthorizes() {
    this.spring
            .register(CustomAccessDecisionManagerConfig.class, MethodSecurityServiceConfig.class)
            .autowire();

    assertThatThrownBy(() -> this.service.preAuthorize())
            .isInstanceOf(AccessDeniedException.class);
    assertThatThrownBy(() -> this.service.secured())
            .isInstanceOf(AccessDeniedException.class);
}
/**
 * Checks that the custom authentication configuration is the one consulted by method security.
 *
 * <p>The call to {@code preAuthorize()} is expected to surface
 * {@code UnsupportedOperationException}, not {@code AccessDeniedException}.
 *
 * <p>NOTE(review): presumably the exception is thrown by the authentication manager
 * defined in {@code CustomAuthenticationConfig}, which would prove it was reached -
 * confirm against that config.
 */
@Test
@WithMockUser
public void methodSecurityWhenCustomAuthenticationManagerThenAuthorizes() {
    this.spring
            .register(CustomAuthenticationConfig.class, MethodSecurityServiceConfig.class)
            .autowire();

    assertThatThrownBy(() -> this.service.preAuthorize())
            .isInstanceOf(UnsupportedOperationException.class);
}
/**
 * Checks that method security is active when only {@code ChildConfig} is registered.
 *
 * <p>{@code preAuthorize()} must be rejected with {@code AccessDeniedException} for the
 * default mock user.
 *
 * <p>NOTE(review): going by the test name, the enabling annotation presumably sits on
 * a superclass of {@code ChildConfig} - confirm against that class.
 */
@Test
@WithMockUser
public void enableGlobalMethodSecurityWorksOnSuperclass() {
    this.spring.register(ChildConfig.class).autowire();

    assertThatThrownBy(() -> this.service.preAuthorize())
            .isInstanceOf(AccessDeniedException.class);
}
/**
 * Checks that a custom after-invocation manager can reject a call.
 *
 * <p>{@code preAuthorizePermitAll()} is expected to fail with
 * {@code AccessDeniedException}.
 *
 * <p>NOTE(review): the method name suggests the pre-invocation check permits everyone,
 * so the denial presumably comes from the after-invocation manager in
 * {@code CustomAfterInvocationManagerConfig} - confirm.
 */
@Test
@WithMockUser
public void methodSecurityWhenCustomAfterInvocationManagerThenAuthorizes() {
    this.spring
            .register(CustomAfterInvocationManagerConfig.class, MethodSecurityServiceConfig.class)
            .autowire();

    assertThatThrownBy(() -> this.service.preAuthorizePermitAll())
            .isInstanceOf(AccessDeniedException.class);
}
/**
 * Checks that context start-up fails loudly when the enable annotation is missing.
 *
 * <p>Registering and autowiring {@code ExtendsNoEnableAnntotationConfig} must throw,
 * and the stack trace must contain the fully qualified name of
 * {@code EnableGlobalMethodSecurity} followed by {@code " is required"}.
 *
 * <p>Failing at start-up is the safe outcome here: the application does not come up
 * with the configuration in a state where method security was never switched on.
 */
@Test
@WithMockUser
public void methodSecurityWhenMissingEnableAnnotationThenShowsHelpfulError() {
    // Built up front; reading the class name has no side effects.
    String expectedHint = EnableGlobalMethodSecurity.class.getName() + " is required";

    assertThatThrownBy(() -> this.spring.register(ExtendsNoEnableAnntotationConfig.class).autowire())
            .hasStackTraceContaining(expectedHint);
}
/**
 * Exercises both outcomes of {@code preAuthorizeBean(boolean)} under {@code PreAuthorizeBeanSpelConfig}.
 *
 * <p>Passing {@code false} must raise {@code AccessDeniedException}; passing
 * {@code true} must return normally.
 *
 * <p>NOTE(review): the name implies the authorization expression calls a bean through
 * SpEL and hands it the argument - confirm against the service declaration.
 */
@Test
@WithMockUser
public void preAuthorizeBeanSpel() {
    this.spring.register(PreAuthorizeBeanSpelConfig.class).autowire();

    // Deny path.
    assertThatThrownBy(() -> this.service.preAuthorizeBean(false))
            .isInstanceOf(AccessDeniedException.class);

    // Allow path: any exception thrown here fails the test.
    this.service.preAuthorizeBean(true);
}
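/**
 * Exercises both outcomes of {@code postAnnotation(String)} under {@code MethodSecurityServiceConfig}.
 *
 * <p>The argument {@code "deny"} must raise {@code AccessDeniedException}; the argument
 * {@code "grant"} must return normally.
 *
 * <p>NOTE(review): the name implies the security expression refers to a parameter name
 * declared on the service interface - confirm against the service declaration.
 */
@Test
@WithMockUser
public void methodSecuritySupportsAnnotaitonsOnInterfaceParamerNames() {
    this.spring.register(MethodSecurityServiceConfig.class).autowire();

    // Deny path.
    assertThatThrownBy(() -> this.service.postAnnotation("deny"))
            .isInstanceOf(AccessDeniedException.class);

    // Allow path: no exception expected.
    this.service.postAnnotation("grant");
}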
/**
 * Checks method security under {@code RoleHierarchyConfig} for the default mock user.
 *
 * <p>{@code preAuthorize()} must still be rejected with {@code AccessDeniedException},
 * while {@code preAuthorizeAdmin()} must return normally.
 *
 * <p>NOTE(review): {@code @WithMockUser} without attributes yields a user holding
 * ROLE_USER, so the admin call presumably succeeds only through the configured
 * hierarchy - confirm the hierarchy definition in {@code RoleHierarchyConfig}.
 */
@Test
@WithMockUser
public void roleHierarchy() {
    this.spring.register(RoleHierarchyConfig.class).autowire();

    // The hierarchy must not turn an explicit deny into an allow.
    assertThatThrownBy(() -> this.service.preAuthorize())
            .isInstanceOf(AccessDeniedException.class);

    // Allow path: any exception thrown here fails the test.
    this.service.preAuthorizeAdmin();
}
/**
 * Checks that the default mock user is refused by the reactive {@code findMessage()} call.
 *
 * <p>The denial is expected as an {@code AccessDeniedException} error signal on the
 * returned publisher, which is why it is verified with {@code StepVerifier} and not
 * with a thrown-exception assertion.
 */
@Test
@WithMockUser
public void messagesWhenUserThenDenied() {
    StepVerifier
            .create(this.messages.findMessage())
            .expectError(AccessDeniedException.class)
            .verify();
}
/**
 * Exercises the allow and deny outcomes of {@code hasPermission(String)}.
 *
 * <p>The argument {@code "granted"} must return normally; the argument
 * {@code "denied"} must raise {@code AccessDeniedException}.
 *
 * <p>NOTE(review): the test name refers to a custom permission evaluator, but the
 * registered class is {@code CustomAccessDecisionManagerConfig}; presumably that
 * config also installs the evaluator - confirm.
 */
@Test
@WithMockUser
public void methodSecurityWhenUsingCustomPermissionEvaluatorThenPreAuthorizesAccordingly() {
    this.spring
            .register(CustomAccessDecisionManagerConfig.class, MethodSecurityServiceConfig.class)
            .autowire();

    // Allow path.
    assertThatCode(() -> this.service.hasPermission("granted"))
            .doesNotThrowAnyException();

    // Deny path.
    assertThatThrownBy(() -> this.service.hasPermission("denied"))
            .isInstanceOf(AccessDeniedException.class);
}
/**
 * Exercises the allow and deny outcomes of {@code postHasPermission(String)}.
 *
 * <p>The argument {@code "granted"} must return normally; the argument
 * {@code "denied"} must raise {@code AccessDeniedException}.
 *
 * <p>NOTE(review): going by the name this is a post-invocation check, so the service
 * method body presumably runs before the denial is raised - keep side effects out of
 * methods guarded this way. Confirm against the service declaration.
 */
@Test
@WithMockUser
public void methodSecurityWhenUsingCustomPermissionEvaluatorThenPostAuthorizesAccordingly() {
    this.spring
            .register(CustomAccessDecisionManagerConfig.class, MethodSecurityServiceConfig.class)
            .autowire();

    // Allow path.
    assertThatCode(() -> this.service.postHasPermission("granted"))
            .doesNotThrowAnyException();

    // Deny path.
    assertThatThrownBy(() -> this.service.postHasPermission("denied"))
            .isInstanceOf(AccessDeniedException.class);
}
/**
 * Checks the allow path of the reactive {@code findMessage()} call for an admin.
 *
 * <p>Runs as a mock user created with {@code roles = "ADMIN"} and expects the
 * publisher to emit exactly {@code "Hello World!"} and then complete.
 */
@Test
@WithMockUser(roles = "ADMIN")
public void messagesWhenAdminThenOk() {
    StepVerifier
            .create(this.messages.findMessage())
            .expectNext("Hello World!")
            .verifyComplete();
}
} // presumably closes the enclosing test class, whose declaration lies outside this excerpt
/**
 * Checks that a message to {@code /denyNile} is refused for the mock user named {@code nile}.
 *
 * <p>Loads the {@code CustomExpressionHandlerConfig} XML configuration and expects
 * sending to fail with an exception whose cause is {@code AccessDeniedException}. The
 * denial is wrapped by another exception, hence the cause assertion.
 *
 * <p>NOTE(review): presumably the custom expression handler denies based on the
 * user name - confirm in the XML config.
 */
@Test
@WithMockUser(username = "nile")
public void sendWhenCustomExpressionHandlerThenAuthorizesAccordingly() {
    this.spring.configLocations(xml("CustomExpressionHandlerConfig")).autowire();

    assertThatThrownBy(send(message("/denyNile")))
            .hasCauseInstanceOf(AccessDeniedException.class);
}
/**
 * Checks that a message to {@code /denyAll} is refused under the {@code IdIntegratedConfig} XML configuration.
 *
 * <p>Sending must fail with an exception whose cause is {@code AccessDeniedException}.
 *
 * <p>NOTE(review): going by the name, the security interceptor is wired in explicitly
 * by id in this config; this test would catch a wiring that leaves the inbound
 * channel unprotected - confirm in the XML config.
 */
@Test
@WithMockUser
public void sendWhenIdSpecifiedAndExplicitlyIntegratedWhenBrokerUsesClientInboundChannel() {
    this.spring.configLocations(xml("IdIntegratedConfig")).autowire();

    Message<?> toDenyAll = message("/denyAll");
    assertThatThrownBy(send(toDenyAll))
            .hasCauseInstanceOf(AccessDeniedException.class);
}
/**
 * Checks which service methods are enforced under {@code PreAuthorizeConfig}.
 *
 * <p>{@code secured()} and {@code jsr250()} must return normally, while
 * {@code preAuthorize()} must be rejected with {@code AccessDeniedException}.
 *
 * <p>NOTE(review): if {@code secured()} and {@code jsr250()} carry restrictive
 * {@code @Secured} / JSR-250 annotations (not visible here), this test documents that
 * those annotations are not enforced when only pre/post annotations are enabled.
 * Confirm against the service and config.
 */
@Test
@WithMockUser
public void methodSecurityWhenPrePostEnabledThenPreAuthorizes() {
    this.spring
            .register(PreAuthorizeConfig.class, MethodSecurityServiceConfig.class)
            .autowire();

    // Not enforced under this configuration.
    assertThatCode(() -> this.service.secured())
            .doesNotThrowAnyException();
    assertThatCode(() -> this.service.jsr250())
            .doesNotThrowAnyException();

    // Enforced under this configuration.
    assertThatThrownBy(() -> this.service.preAuthorize())
            .isInstanceOf(AccessDeniedException.class);
}
/**
 * Checks which service methods are enforced under {@code ImportSubclassGMSCConfig}.
 *
 * <p>{@code secured()} and {@code jsr250()} must return normally, while
 * {@code preAuthorize()} must be rejected with {@code AccessDeniedException}.
 *
 * <p>NOTE(review): going by the name, the config imports a subclass of the global
 * method security configuration; the deny assertion shows method security is still
 * applied in that setup - confirm against the config class.
 */
@Test
@WithMockUser
public void methodSecurityWhenImportingGlobalMethodSecurityConfigurationSubclassThenAuthorizes() {
    this.spring
            .register(ImportSubclassGMSCConfig.class, MethodSecurityServiceConfig.class)
            .autowire();

    // Not enforced under this configuration.
    assertThatCode(() -> this.service.secured())
            .doesNotThrowAnyException();
    assertThatCode(() -> this.service.jsr250())
            .doesNotThrowAnyException();

    // Enforced under this configuration.
    assertThatThrownBy(() -> this.service.preAuthorize())
            .isInstanceOf(AccessDeniedException.class);
}
/**
 * Checks which service methods are enforced under {@code PreAuthorizeExtendsGMSCConfig}.
 *
 * <p>{@code secured()} and {@code jsr250()} must return normally, while
 * {@code preAuthorize()} must be rejected with {@code AccessDeniedException}.
 *
 * <p>NOTE(review): going by the name, the config extends the global method security
 * configuration with pre/post annotations enabled; the deny assertion guards against
 * the subclass silently disabling enforcement - confirm against the config class.
 */
@Test
@WithMockUser
public void methodSecurityWhenPrePostEnabledAndCustomGlobalMethodSecurityConfigurationThenPreAuthorizes() {
    this.spring
            .register(PreAuthorizeExtendsGMSCConfig.class, MethodSecurityServiceConfig.class)
            .autowire();

    // Not enforced under this configuration.
    assertThatCode(() -> this.service.secured())
            .doesNotThrowAnyException();
    assertThatCode(() -> this.service.jsr250())
            .doesNotThrowAnyException();

    // Enforced under this configuration.
    assertThatThrownBy(() -> this.service.preAuthorize())
            .isInstanceOf(AccessDeniedException.class);
}
/**
 * Checks that an authenticated but unauthorized request to {@code /message} is answered with 403.
 *
 * <p>Issues a GET as the default mock user and expects {@code HttpStatus.FORBIDDEN}.
 * The status matters: 403 means the caller was identified and refused, as opposed to
 * an unauthenticated request.
 *
 * @throws Exception declared by the original signature; nothing in this body is shown to throw a checked exception
 */
@Test
@WithMockUser
public void messageWhenWithMockUserThenForbidden() throws Exception {
    this.rest.get()
            .uri("/message")
            .exchange()
            .expectStatus()
            .isEqualTo(HttpStatus.FORBIDDEN);
}
/**
 * Checks that a user holding the bare authority {@code CUSTOM} passes both service checks under {@code SecurityConfig}.
 *
 * <p>{@code doJsr250()} and {@code doPreAuthorize()} must both return normally.
 *
 * <p>NOTE(review): {@code authorities = "CUSTOM"} is used verbatim, with no role
 * prefix added. Going by the test name, {@code SecurityConfig} presumably removes the
 * default role prefix so that role checks match the raw authority name. With the
 * prefix removed, roles and other authorities share one namespace - confirm that no
 * unrelated authority can collide with a role name.
 */
@Test
@WithMockUser(authorities = "CUSTOM")
public void methodSecurityWhenNullifyingRolePrefixThenPassivityRestored() {
    this.spring.register(SecurityConfig.class).autowire();

    assertThatCode(() -> this.service.doJsr250())
            .doesNotThrowAnyException();
    assertThatCode(() -> this.service.doPreAuthorize())
            .doesNotThrowAnyException();
}