1
0
mirror of synced 2026-07-19 09:35:12 +00:00

SEC-3031: DelegatingSecurityContext(Runnable|Callable) only modify SecurityContext on new Thread

Modifying the SecurityContext on the same Thread can cause issues. For example, with a
RejectedExecutionHandler the SecurityContext may be cleared out on the original Thread.

This change modifies both the DelegatingSecurityContextRunnable and DelegatingSecurityContextCallable to,
by default, only modify the SecurityContext if they are invoked on a new Thread. The behavior can be changed
by setting the property enableOnOrigionalThread to true.
This commit is contained in:
Rob Winch
2015-07-22 16:48:04 -05:00
parent 12ed990aa2
commit 23de257508
5 changed files with 269 additions and 77 deletions
@@ -19,8 +19,17 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;
/**
* Wraps a delegate {@link Callable} with logic for setting up a {@link SecurityContext} before invoking the delegate
* {@link Callable} and then removing the {@link SecurityContext} after the delegate has completed.
* <p>
* Wraps a delegate {@link Callable} with logic for setting up a
* {@link SecurityContext} before invoking the delegate {@link Callable} and
* then removing the {@link SecurityContext} after the delegate has completed.
* </p>
* <p>
* By default the {@link SecurityContext} is only setup if {@link #call()} is
* invoked on a separate {@link Thread} than the
* {@link DelegatingSecurityContextCallable} was created on. This can be
* overridden by setting {@link #setEnableOnOriginalThread(boolean)} to true.
* </p>
*
* @author Rob Winch
* @since 3.2
@@ -31,6 +40,10 @@ public final class DelegatingSecurityContextCallable<V> implements Callable<V> {
private final SecurityContext securityContext;
private final Thread originalThread;
private boolean enableOnOriginalThread;
/**
* Creates a new {@link DelegatingSecurityContextCallable} with a specific {@link SecurityContext}.
* @param delegate the delegate {@link DelegatingSecurityContextCallable} to run with the specified
@@ -43,6 +56,7 @@ public final class DelegatingSecurityContextCallable<V> implements Callable<V> {
Assert.notNull(securityContext, "securityContext cannot be null");
this.delegate = delegate;
this.securityContext = securityContext;
this.originalThread = Thread.currentThread();
}
/**
@@ -54,7 +68,27 @@ public final class DelegatingSecurityContextCallable<V> implements Callable<V> {
this(delegate, SecurityContextHolder.getContext());
}
/**
* Determines if the SecurityContext should be transfered if {@link #call()}
* is invoked on the same {@link Thread} the
* {@link DelegatingSecurityContextCallable} was created on.
*
* @param enableOnOriginalThread
* if false (default), will only transfer the
* {@link SecurityContext} if {@link #call()} is invoked on a
* different {@link Thread} than the
* {@link DelegatingSecurityContextCallable} was created on.
*
* @since 4.0.2
*/
public void setEnableOnOriginalThread(boolean enableOnOriginalThread) {
this.enableOnOriginalThread = enableOnOriginalThread;
}
public V call() throws Exception {
if(!enableOnOriginalThread && originalThread == Thread.currentThread()) {
return delegate.call();
}
try {
SecurityContextHolder.setContext(securityContext);
return delegate.call();
@@ -17,8 +17,17 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;
/**
* Wraps a delegate {@link Runnable} with logic for setting up a {@link SecurityContext} before invoking the delegate
* {@link Runnable} and then removing the {@link SecurityContext} after the delegate has completed.
* <p>
* Wraps a delegate {@link Runnable} with logic for setting up a {@link SecurityContext}
* before invoking the delegate {@link Runnable} and then removing the
* {@link SecurityContext} after the delegate has completed.
* </p>
* <p>
* By default the {@link SecurityContext} is only setup if {@link #run()} is
* invoked on a separate {@link Thread} than the
* {@link DelegatingSecurityContextRunnable} was created on. This can be
* overridden by setting {@link #setEnableOnOriginalThread(boolean)} to true.
* </p>
*
* @author Rob Winch
* @since 3.2
@@ -29,6 +38,10 @@ public final class DelegatingSecurityContextRunnable implements Runnable {
private final SecurityContext securityContext;
private final Thread originalThread;
private boolean enableOnOriginalThread;
/**
* Creates a new {@link DelegatingSecurityContextRunnable} with a specific {@link SecurityContext}.
* @param delegate the delegate {@link Runnable} to run with the specified {@link SecurityContext}. Cannot be null.
@@ -40,6 +53,7 @@ public final class DelegatingSecurityContextRunnable implements Runnable {
Assert.notNull(securityContext, "securityContext cannot be null");
this.delegate = delegate;
this.securityContext = securityContext;
this.originalThread = Thread.currentThread();
}
/**
@@ -51,7 +65,27 @@ public final class DelegatingSecurityContextRunnable implements Runnable {
this(delegate, SecurityContextHolder.getContext());
}
/**
* Determines if the SecurityContext should be transfered if {@link #call()}
* is invoked on the same {@link Thread} the
* {@link DelegatingSecurityContextCallable} was created on.
*
* @param enableOnOriginalThread
* if false (default), will only transfer the
* {@link SecurityContext} if {@link #call()} is invoked on a
* different {@link Thread} than the
* {@link DelegatingSecurityContextCallable} was created on.
* @since 4.0.2
*/
public void setEnableOnOriginalThread(boolean enableOnOriginalThread) {
this.enableOnOriginalThread = enableOnOriginalThread;
}
public void run() {
if(!enableOnOriginalThread && originalThread == Thread.currentThread()) {
delegate.run();
return;
}
try {
SecurityContextHolder.setContext(securityContext);
delegate.run();
@@ -17,6 +17,9 @@ import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import org.junit.After;
import org.junit.Before;
@@ -45,6 +48,8 @@ public class DelegatingSecurityContextCallableTests {
private Callable<Object> callable;
private ExecutorService executor;
@Before
@SuppressWarnings("serial")
public void setUp() throws Exception {
@@ -55,6 +60,7 @@ public class DelegatingSecurityContextCallableTests {
return super.answer(invocation);
}
});
executor = Executors.newFixedThreadPool(1);
}
@After
@@ -88,15 +94,34 @@ public class DelegatingSecurityContextCallableTests {
@Test
public void call() throws Exception {
callable = new DelegatingSecurityContextCallable<Object>(delegate, securityContext);
assertWrapped(callable.call());
callable = new DelegatingSecurityContextCallable<Object>(delegate,
securityContext);
assertWrapped(callable);
}
@Test
public void callDefaultSecurityContext() throws Exception {
SecurityContextHolder.setContext(securityContext);
callable = new DelegatingSecurityContextCallable<Object>(delegate);
SecurityContextHolder.clearContext(); // ensure callable is what sets up the SecurityContextHolder
SecurityContextHolder.clearContext(); // ensure callable is what sets up the
// SecurityContextHolder
assertWrapped(callable);
}
// SEC-3031
@Test
public void callOnSameThread() throws Exception {
callable = new DelegatingSecurityContextCallable<Object>(delegate,
securityContext);
securityContext = SecurityContextHolder.createEmptyContext();
assertWrapped(callable.call());
}
@Test
public void callOnSameThreadExplicitlyEnabled() throws Exception {
DelegatingSecurityContextCallable<Object> callable = new DelegatingSecurityContextCallable<Object>(delegate,
securityContext);
callable.setEnableOnOriginalThread(true);
assertWrapped(callable.call());
}
@@ -116,14 +141,15 @@ public class DelegatingSecurityContextCallableTests {
public void createNullSecurityContext() throws Exception {
SecurityContextHolder.setContext(securityContext);
callable = DelegatingSecurityContextCallable.create(delegate, null);
SecurityContextHolder.clearContext(); // ensure callable is what sets up the SecurityContextHolder
assertWrapped(callable.call());
SecurityContextHolder.clearContext(); // ensure callable is what sets up the
// SecurityContextHolder
assertWrapped(callable);
}
@Test
public void create() throws Exception {
callable = DelegatingSecurityContextCallable.create(delegate, securityContext);
assertWrapped(callable.call());
assertWrapped(callable);
}
// --- toString
@@ -131,13 +157,19 @@ public class DelegatingSecurityContextCallableTests {
// SEC-2682
@Test
public void toStringDelegates() {
callable = new DelegatingSecurityContextCallable<Object>(delegate, securityContext);
callable = new DelegatingSecurityContextCallable<Object>(delegate,
securityContext);
assertThat(callable.toString()).isEqualTo(delegate.toString());
}
private void assertWrapped(Object actualResult) throws Exception {
assertThat(actualResult).isEqualTo(callableResult);
private void assertWrapped(Callable<Object> callable) throws Exception {
Future<Object> submit = executor.submit(callable);
assertWrapped(submit.get());
}
private void assertWrapped(Object callableResult) throws Exception {
verify(delegate).call();
assertThat(SecurityContextHolder.getContext()).isEqualTo(SecurityContextHolder.createEmptyContext());
assertThat(SecurityContextHolder.getContext()).isEqualTo(
SecurityContextHolder.createEmptyContext());
}
}
@@ -16,6 +16,10 @@ import static org.fest.assertions.Assertions.assertThat;
import static org.mockito.Mockito.doAnswer;
import static org.mockito.Mockito.verify;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -24,6 +28,8 @@ import org.mockito.Mock;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.runners.MockitoJUnitRunner;
import org.mockito.stubbing.Answer;
import org.springframework.core.task.SyncTaskExecutor;
import org.springframework.core.task.support.ExecutorServiceAdapter;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
@@ -43,6 +49,8 @@ public class DelegatingSecurityContextRunnableTests {
private Runnable runnable;
private ExecutorService executor;
@Before
public void setUp() throws Exception {
doAnswer(new Answer<Object>() {
@@ -50,8 +58,9 @@ public class DelegatingSecurityContextRunnableTests {
assertThat(SecurityContextHolder.getContext()).isEqualTo(securityContext);
return null;
}
})
.when(delegate).run();
}).when(delegate).run();
executor = Executors.newFixedThreadPool(1);
}
@After
@@ -86,17 +95,35 @@ public class DelegatingSecurityContextRunnableTests {
@Test
public void call() throws Exception {
runnable = new DelegatingSecurityContextRunnable(delegate, securityContext);
runnable.run();
assertWrapped();
assertWrapped(runnable);
}
@Test
public void callDefaultSecurityContext() throws Exception {
SecurityContextHolder.setContext(securityContext);
runnable = new DelegatingSecurityContextRunnable(delegate);
SecurityContextHolder.clearContext(); // ensure runnable is what sets up the SecurityContextHolder
runnable.run();
assertWrapped();
SecurityContextHolder.clearContext(); // ensure runnable is what sets up the
// SecurityContextHolder
assertWrapped(runnable);
}
// SEC-3031
@Test
public void callOnSameThread() throws Exception {
executor = synchronousExecutor();
runnable = new DelegatingSecurityContextRunnable(delegate,
securityContext);
securityContext = SecurityContextHolder.createEmptyContext();
assertWrapped(runnable);
}
@Test
public void callOnSameThreadExplicitlyEnabled() throws Exception {
executor = synchronousExecutor();
DelegatingSecurityContextRunnable runnable = new DelegatingSecurityContextRunnable(delegate,
securityContext);
runnable.setEnableOnOriginalThread(true);
assertWrapped(runnable);
}
// --- create ---
@@ -112,19 +139,18 @@ public class DelegatingSecurityContextRunnableTests {
}
@Test
public void createNullSecurityContext() {
public void createNullSecurityContext() throws Exception {
SecurityContextHolder.setContext(securityContext);
runnable = DelegatingSecurityContextRunnable.create(delegate, null);
SecurityContextHolder.clearContext(); // ensure runnable is what sets up the SecurityContextHolder
runnable.run();
assertWrapped();
SecurityContextHolder.clearContext(); // ensure runnable is what sets up the
// SecurityContextHolder
assertWrapped(runnable);
}
@Test
public void create() {
public void create() throws Exception {
runnable = DelegatingSecurityContextRunnable.create(delegate, securityContext);
runnable.run();
assertWrapped();
assertWrapped(runnable);
}
// --- toString
@@ -136,8 +162,15 @@ public class DelegatingSecurityContextRunnableTests {
assertThat(runnable.toString()).isEqualTo(delegate.toString());
}
private void assertWrapped() {
private void assertWrapped(Runnable runnable) throws Exception {
Future<?> submit = executor.submit(runnable);
submit.get();
verify(delegate).run();
assertThat(SecurityContextHolder.getContext()).isEqualTo(SecurityContextHolder.createEmptyContext());
assertThat(SecurityContextHolder.getContext()).isEqualTo(
SecurityContextHolder.createEmptyContext());
}
private static ExecutorService synchronousExecutor() {
return new ExecutorServiceAdapter(new SyncTaskExecutor());
}
}
@@ -63,7 +63,6 @@ import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.util.ClassUtils;
/**
* Tests {@link SecurityContextHolderAwareRequestFilter}.
*
@@ -107,18 +106,23 @@ public class SecurityContextHolderAwareRequestFilterTests {
SecurityContextHolder.clearContext();
}
//~ Methods ========================================================================================================
// ~ Methods
// ========================================================================================================
@Test
public void expectedRequestWrapperClassIsUsed() throws Exception {
filter.setRolePrefix("ROLE_");
filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), filterChain);
filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(),
filterChain);
// Now re-execute the filter, ensuring our replacement wrapper is still used
filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), filterChain);
filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(),
filterChain);
verify(filterChain, times(2)).doFilter(any(SecurityContextHolderAwareRequestWrapper.class), any(HttpServletResponse.class));
verify(filterChain, times(2)).doFilter(
any(SecurityContextHolderAwareRequestWrapper.class),
any(HttpServletResponse.class));
filter.destroy();
}
@@ -126,17 +130,20 @@ public class SecurityContextHolderAwareRequestFilterTests {
@Test
public void authenticateFalse() throws Exception {
assertThat(wrappedRequest().authenticate(response)).isFalse();
verify(authenticationEntryPoint).commence(eq(requestCaptor.getValue()), eq(response), any(AuthenticationException.class));
verify(authenticationEntryPoint).commence(eq(requestCaptor.getValue()),
eq(response), any(AuthenticationException.class));
verifyZeroInteractions(authenticationManager, logoutHandler);
verify(request, times(0)).authenticate(any(HttpServletResponse.class));
}
@Test
public void authenticateTrue() throws Exception {
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("test","password","ROLE_USER"));
SecurityContextHolder.getContext().setAuthentication(
new TestingAuthenticationToken("test", "password", "ROLE_USER"));
assertThat(wrappedRequest().authenticate(response)).isTrue();
verifyZeroInteractions(authenticationEntryPoint, authenticationManager, logoutHandler);
verifyZeroInteractions(authenticationEntryPoint, authenticationManager,
logoutHandler);
verify(request, times(0)).authenticate(any(HttpServletResponse.class));
}
@@ -147,7 +154,8 @@ public class SecurityContextHolderAwareRequestFilterTests {
assertThat(wrappedRequest().authenticate(response)).isFalse();
verify(request).authenticate(response);
verifyZeroInteractions(authenticationEntryPoint, authenticationManager, logoutHandler);
verifyZeroInteractions(authenticationEntryPoint, authenticationManager,
logoutHandler);
}
@Test
@@ -158,53 +166,73 @@ public class SecurityContextHolderAwareRequestFilterTests {
assertThat(wrappedRequest().authenticate(response)).isTrue();
verify(request).authenticate(response);
verifyZeroInteractions(authenticationEntryPoint, authenticationManager, logoutHandler);
verifyZeroInteractions(authenticationEntryPoint, authenticationManager,
logoutHandler);
}
@Test
public void login() throws Exception {
TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user", "password","ROLE_USER");
when(authenticationManager.authenticate(any(UsernamePasswordAuthenticationToken.class))).thenReturn(expectedAuth);
TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user",
"password", "ROLE_USER");
when(
authenticationManager
.authenticate(any(UsernamePasswordAuthenticationToken.class)))
.thenReturn(expectedAuth);
wrappedRequest().login(expectedAuth.getName(),String.valueOf(expectedAuth.getCredentials()));
wrappedRequest().login(expectedAuth.getName(),
String.valueOf(expectedAuth.getCredentials()));
assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(expectedAuth);
assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(
expectedAuth);
verifyZeroInteractions(authenticationEntryPoint, logoutHandler);
verify(request, times(0)).login(anyString(),anyString());
verify(request, times(0)).login(anyString(), anyString());
}
// SEC-2296
@Test
public void loginWithExstingUser() throws Exception {
TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user", "password","ROLE_USER");
when(authenticationManager.authenticate(any(UsernamePasswordAuthenticationToken.class))).thenReturn(new TestingAuthenticationToken("newuser","not be found","ROLE_USER"));
TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user",
"password", "ROLE_USER");
when(
authenticationManager
.authenticate(any(UsernamePasswordAuthenticationToken.class)))
.thenReturn(
new TestingAuthenticationToken("newuser", "not be found",
"ROLE_USER"));
SecurityContextHolder.getContext().setAuthentication(expectedAuth);
try {
wrappedRequest().login(expectedAuth.getName(),String.valueOf(expectedAuth.getCredentials()));
wrappedRequest().login(expectedAuth.getName(),
String.valueOf(expectedAuth.getCredentials()));
fail("Expected Exception");
} catch(ServletException success) {
assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(expectedAuth);
}
catch (ServletException success) {
assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(
expectedAuth);
verifyZeroInteractions(authenticationEntryPoint, logoutHandler);
verify(request, times(0)).login(anyString(),anyString());
verify(request, times(0)).login(anyString(), anyString());
}
}
@Test
public void loginFail() throws Exception {
AuthenticationException authException = new BadCredentialsException("Invalid");
when(authenticationManager.authenticate(any(UsernamePasswordAuthenticationToken.class))).thenThrow(authException);
when(
authenticationManager
.authenticate(any(UsernamePasswordAuthenticationToken.class)))
.thenThrow(authException);
try {
wrappedRequest().login("invalid","credentials");
wrappedRequest().login("invalid", "credentials");
Assert.fail("Expected Exception");
} catch(ServletException success) {
}
catch (ServletException success) {
assertThat(success.getCause()).isEqualTo(authException);
}
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
verifyZeroInteractions(authenticationEntryPoint, logoutHandler);
verify(request, times(0)).login(anyString(),anyString());
verify(request, times(0)).login(anyString(), anyString());
}
@Test
@@ -218,7 +246,8 @@ public class SecurityContextHolderAwareRequestFilterTests {
wrappedRequest().login(username, password);
verify(request).login(username, password);
verifyZeroInteractions(authenticationEntryPoint, authenticationManager, logoutHandler);
verifyZeroInteractions(authenticationEntryPoint, authenticationManager,
logoutHandler);
}
@Test
@@ -234,16 +263,19 @@ public class SecurityContextHolderAwareRequestFilterTests {
try {
wrappedRequest().login(username, password);
Assert.fail("Expected Exception");
} catch(ServletException success) {
}
catch (ServletException success) {
assertThat(success).isEqualTo(authException);
}
verifyZeroInteractions(authenticationEntryPoint, authenticationManager, logoutHandler);
verifyZeroInteractions(authenticationEntryPoint, authenticationManager,
logoutHandler);
}
@Test
public void logout() throws Exception {
TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user", "password","ROLE_USER");
TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user",
"password", "ROLE_USER");
SecurityContextHolder.getContext().setAuthentication(expectedAuth);
HttpServletRequest wrappedRequest = wrappedRequest();
@@ -262,78 +294,105 @@ public class SecurityContextHolderAwareRequestFilterTests {
wrappedRequest().logout();
verify(request).logout();
verifyZeroInteractions(authenticationEntryPoint, authenticationManager, logoutHandler);
verifyZeroInteractions(authenticationEntryPoint, authenticationManager,
logoutHandler);
}
@Test
public void getAsyncContextStart() throws Exception {
ArgumentCaptor<Runnable> runnableCaptor = ArgumentCaptor.forClass(Runnable.class);
SecurityContext context = SecurityContextHolder.createEmptyContext();
TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user", "password","ROLE_USER");
TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user",
"password", "ROLE_USER");
context.setAuthentication(expectedAuth);
SecurityContextHolder.setContext(context);
AsyncContext asyncContext = mock(AsyncContext.class);
when(request.getAsyncContext()).thenReturn(asyncContext);
Runnable runnable = new Runnable() {
public void run() {}
public void run() {
}
};
wrappedRequest().getAsyncContext().start(runnable);
verifyZeroInteractions(authenticationManager, logoutHandler);
verify(asyncContext).start(runnableCaptor.capture());
DelegatingSecurityContextRunnable wrappedRunnable = (DelegatingSecurityContextRunnable) runnableCaptor.getValue();
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, SecurityContext.class)).isEqualTo(context);
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, Runnable.class)).isEqualTo(runnable);
DelegatingSecurityContextRunnable wrappedRunnable = (DelegatingSecurityContextRunnable) runnableCaptor
.getValue();
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, SecurityContext.class))
.isEqualTo(context);
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, "delegate"))
.isEqualTo(runnable);
}
@Test
public void startAsyncStart() throws Exception {
ArgumentCaptor<Runnable> runnableCaptor = ArgumentCaptor.forClass(Runnable.class);
SecurityContext context = SecurityContextHolder.createEmptyContext();
TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user", "password","ROLE_USER");
TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user",
"password", "ROLE_USER");
context.setAuthentication(expectedAuth);
SecurityContextHolder.setContext(context);
AsyncContext asyncContext = mock(AsyncContext.class);
when(request.startAsync()).thenReturn(asyncContext);
Runnable runnable = new Runnable() {
public void run() {}
public void run() {
}
};
wrappedRequest().startAsync().start(runnable);
verifyZeroInteractions(authenticationManager, logoutHandler);
verify(asyncContext).start(runnableCaptor.capture());
DelegatingSecurityContextRunnable wrappedRunnable = (DelegatingSecurityContextRunnable) runnableCaptor.getValue();
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, SecurityContext.class)).isEqualTo(context);
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, Runnable.class)).isEqualTo(runnable);
DelegatingSecurityContextRunnable wrappedRunnable = (DelegatingSecurityContextRunnable) runnableCaptor
.getValue();
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, SecurityContext.class))
.isEqualTo(context);
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, "delegate"))
.isEqualTo(runnable);
}
@Test
public void startAsyncWithRequestResponseStart() throws Exception {
ArgumentCaptor<Runnable> runnableCaptor = ArgumentCaptor.forClass(Runnable.class);
SecurityContext context = SecurityContextHolder.createEmptyContext();
TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user", "password","ROLE_USER");
TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user",
"password", "ROLE_USER");
context.setAuthentication(expectedAuth);
SecurityContextHolder.setContext(context);
AsyncContext asyncContext = mock(AsyncContext.class);
when(request.startAsync(request,response)).thenReturn(asyncContext);
when(request.startAsync(request, response)).thenReturn(asyncContext);
Runnable runnable = new Runnable() {
public void run() {}
public void run() {
}
};
wrappedRequest().startAsync(request, response).start(runnable);
verifyZeroInteractions(authenticationManager, logoutHandler);
verify(asyncContext).start(runnableCaptor.capture());
DelegatingSecurityContextRunnable wrappedRunnable = (DelegatingSecurityContextRunnable) runnableCaptor.getValue();
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, SecurityContext.class)).isEqualTo(context);
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, Runnable.class)).isEqualTo(runnable);
DelegatingSecurityContextRunnable wrappedRunnable = (DelegatingSecurityContextRunnable) runnableCaptor
.getValue();
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, SecurityContext.class))
.isEqualTo(context);
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, "delegate"))
.isEqualTo(runnable);
}
// SEC-3047
@Test
public void updateRequestFactory() throws Exception {
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("user",
"password", "PREFIX_USER"));
filter.setRolePrefix("PREFIX_");
assertThat(wrappedRequest().isUserInRole("PREFIX_USER")).isTrue();;
}
private HttpServletRequest wrappedRequest() throws Exception {
filter.doFilter(request, response, filterChain);
verify(filterChain).doFilter(requestCaptor.capture(), any(HttpServletResponse.class));
verify(filterChain).doFilter(requestCaptor.capture(),
any(HttpServletResponse.class));
return requestCaptor.getValue();
}