diff --git a/aspects/src/test/java/org/springframework/security/access/intercept/aspectj/aspect/AnnotationSecurityAspectTests.java b/aspects/src/test/java/org/springframework/security/access/intercept/aspectj/aspect/AnnotationSecurityAspectTests.java index 8e4a8828c5..cfe1dc12bb 100644 --- a/aspects/src/test/java/org/springframework/security/access/intercept/aspectj/aspect/AnnotationSecurityAspectTests.java +++ b/aspects/src/test/java/org/springframework/security/access/intercept/aspectj/aspect/AnnotationSecurityAspectTests.java @@ -1,6 +1,10 @@ package org.springframework.security.access.intercept.aspectj.aspect; +import static org.junit.Assert.*; + +import java.util.ArrayList; import java.util.Arrays; +import java.util.List; import org.junit.After; import org.junit.Before; @@ -14,8 +18,12 @@ import org.springframework.security.access.annotation.Secured; import org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource; import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; import org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory; +import org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice; import org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice; +import org.springframework.security.access.intercept.AfterInvocationProviderManager; import org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor; +import org.springframework.security.access.prepost.PostFilter; +import org.springframework.security.access.prepost.PostInvocationAdviceProvider; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter; import org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource; @@ -74,15 +82,33 @@ public class AnnotationSecurityAspectTests { // SEC-1262 @Test(expected=AccessDeniedException.class) public void denyAllPreAuthorizeDeniesAccess() throws Exception { + configureForElAnnotations(); SecurityContextHolder.getContext().setAuthentication(anne); + prePostSecured.denyAllMethod(); + } + + @Test + public void postFilterIsApplied() throws Exception { + configureForElAnnotations(); + SecurityContextHolder.getContext().setAuthentication(anne); + List objects = prePostSecured.postFilterMethod(); + assertEquals(2, objects.size()); + assertTrue(objects.contains("apple")); + assertTrue(objects.contains("aubergine")); + } + + private void configureForElAnnotations() { + DefaultMethodSecurityExpressionHandler eh = new DefaultMethodSecurityExpressionHandler(); interceptor.setSecurityMetadataSource(new PrePostAnnotationSecurityMetadataSource( - new ExpressionBasedAnnotationAttributeFactory(new DefaultMethodSecurityExpressionHandler()))); + new ExpressionBasedAnnotationAttributeFactory(eh))); AffirmativeBased adm = new AffirmativeBased(); AccessDecisionVoter[] voters = new AccessDecisionVoter[] {new PreInvocationAuthorizationAdviceVoter(new ExpressionBasedPreInvocationAdvice())}; adm.setDecisionVoters(Arrays.asList(voters)); interceptor.setAccessDecisionManager(adm); - prePostSecured.denyAllMethod(); + AfterInvocationProviderManager aim = new AfterInvocationProviderManager(); + aim.setProviders(Arrays.asList(new PostInvocationAdviceProvider(new ExpressionBasedPostInvocationAdvice(eh)))); + interceptor.setAfterInvocationManager(aim); } } @@ -92,7 +118,6 @@ interface SecuredInterface { } class SecuredImpl implements SecuredInterface { - // Not really secured because AspectJ doesn't inherit annotations from interfaces public void securedMethod() { } @@ -103,8 +128,14 @@ class SecuredImpl implements SecuredInterface { } class PrePostSecured { - @PreAuthorize("denyAll") public void denyAllMethod() { } + + @PostFilter("filterObject.startsWith('a')") + public List postFilterMethod() { + ArrayList objects = new ArrayList(); + objects.addAll(Arrays.asList(new String[] {"apple", "banana", "aubergine", "orange"})); + return objects; + } }