DefaultWebSecurityExpressionHandlerTests.java

/*
 * Copyright 2002-2016 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.security.web.access.expression;

import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;

import org.springframework.beans.factory.support.RootBeanDefinition;
import org.springframework.context.support.StaticApplicationContext;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.FilterInvocation;

import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;

@RunWith(MockitoJUnitRunner.class)
public class DefaultWebSecurityExpressionHandlerTests {

	@Mock
	private AuthenticationTrustResolver trustResolver;

	@Mock
	private Authentication authentication;

	@Mock
	private FilterInvocation invocation;

	private DefaultWebSecurityExpressionHandler handler;

	@Before
	public void setup() {
		handler = new DefaultWebSecurityExpressionHandler();
	}

	@After
	public void cleanup() {
		SecurityContextHolder.clearContext();
	}

	@Test
	public void expressionPropertiesAreResolvedAgainstAppContextBeans() throws Exception {
		StaticApplicationContext appContext = new StaticApplicationContext();
		RootBeanDefinition bean = new RootBeanDefinition(SecurityConfig.class);
		bean.getConstructorArgumentValues().addGenericArgumentValue("ROLE_A");
		appContext.registerBeanDefinition("role", bean);
		handler.setApplicationContext(appContext);

		EvaluationContext ctx = handler.createEvaluationContext(
				mock(Authentication.class), mock(FilterInvocation.class));
		ExpressionParser parser = handler.getExpressionParser();
		assertThat(parser.parseExpression("@role.getAttribute() == 'ROLE_A'").getValue(
				ctx, Boolean.class)).isTrue();
		assertThat(parser.parseExpression("@role.attribute == 'ROLE_A'").getValue(ctx,
				Boolean.class)).isTrue();
	}

	@Test(expected = IllegalArgumentException.class)
	public void setTrustResolverNull() {
		handler.setTrustResolver(null);
	}

	@Test
	public void createEvaluationContextCustomTrustResolver() {
		handler.setTrustResolver(trustResolver);

		Expression expression = handler.getExpressionParser().parseExpression(
				"anonymous");
		EvaluationContext context = handler.createEvaluationContext(authentication,
				invocation);
		assertThat(expression.getValue(context, Boolean.class)).isFalse();

		verify(trustResolver).isAnonymous(authentication);
	}

}