/*
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.taglibs.authz;
import static org.assertj.core.api.Assertions.*;
import static org.mockito.Matchers.any;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import java.io.IOException;
import java.util.Collections;
import javax.servlet.ServletContext;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockServletContext;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.web.context.WebApplicationContext;
/**
*
* @author Rob Winch
*
*/
public class AbstractAuthorizeTagTests {
private AbstractAuthorizeTag tag;
private MockHttpServletRequest request;
private MockHttpServletResponse response;
private MockServletContext servletContext;
@Before
public void setup() {
tag = new AuthzTag();
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
servletContext = new MockServletContext();
}
@After
public void teardown() {
SecurityContextHolder.clearContext();
}
@Test
public void privilegeEvaluatorFromRequest() throws IOException {
String uri = "/something";
WebInvocationPrivilegeEvaluator expected = mock(WebInvocationPrivilegeEvaluator.class);
tag.setUrl(uri);
request.setAttribute(WebAttributes.WEB_INVOCATION_PRIVILEGE_EVALUATOR_ATTRIBUTE,
expected);
tag.authorizeUsingUrlCheck();
verify(expected).isAllowed(eq(""), eq(uri), eq("GET"), any(Authentication.class));
}
@Test
public void privilegeEvaluatorFromChildContext() throws IOException {
String uri = "/something";
WebInvocationPrivilegeEvaluator expected = mock(WebInvocationPrivilegeEvaluator.class);
tag.setUrl(uri);
WebApplicationContext wac = mock(WebApplicationContext.class);
when(wac.getBeansOfType(WebInvocationPrivilegeEvaluator.class)).thenReturn(Collections.singletonMap("wipe", expected));
servletContext.setAttribute("org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher", wac);
tag.authorizeUsingUrlCheck();
verify(expected).isAllowed(eq(""), eq(uri), eq("GET"), any(Authentication.class));
}
@Test
@SuppressWarnings("rawtypes")
public void expressionFromChildContext() throws IOException {
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("user", "pass","USER"));
DefaultWebSecurityExpressionHandler expected = new DefaultWebSecurityExpressionHandler();
tag.setAccess("permitAll");
WebApplicationContext wac = mock(WebApplicationContext.class);
when(wac.getBeansOfType(SecurityExpressionHandler.class)).thenReturn(Collections.<String,SecurityExpressionHandler>singletonMap("wipe", expected));
servletContext.setAttribute("org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher", wac);
assertThat(tag.authorize()).isTrue();
}
private class AuthzTag extends AbstractAuthorizeTag {
@Override
protected ServletRequest getRequest() {
return request;
}
@Override
protected ServletResponse getResponse() {
return response;
}
@Override
protected ServletContext getServletContext() {
return servletContext;
}
}
}