SEC-2714: Add AuthenticationPrincipal resolver for messaging support

messaging/src/main/java/org/springframework/security/messaging/context/AuthenticationPrincipalArgumentResolver.java

@@ -0,0 +1,134 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.messaging.context;
+
+import java.lang.annotation.Annotation;
+
+import org.springframework.core.MethodParameter;
+import org.springframework.core.annotation.AnnotationUtils;
+import org.springframework.messaging.Message;
+import org.springframework.messaging.handler.invocation.HandlerMethodArgumentResolver;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Controller;
+
+
+/**
+ * Allows resolving the {@link Authentication#getPrincipal()} using the
+ * {@link AuthenticationPrincipal} annotation. For example, the following
+ * {@link Controller}:
+ *
+ * <pre>
+ * @Controller
+ * public class MyController {
+ *     @MessageMapping("/im")
+ *     public void im(@AuthenticationPrincipal CustomUser customUser) {
+ *         // do something with CustomUser
+ *     }
+ * </pre>
+ *
+ * <p>
+ * Will resolve the CustomUser argument using
+ * {@link Authentication#getPrincipal()} from the {@link SecurityContextHolder}.
+ * If the {@link Authentication} or {@link Authentication#getPrincipal()} is
+ * null, it will return null. If the types do not match, null will be returned
+ * unless {@link AuthenticationPrincipal#errorOnInvalidType()} is true in which
+ * case a {@link ClassCastException} will be thrown.
+ * </p>
+ *
+ * <p>
+ * Alternatively, users can create a custom meta annotation as shown below:
+ * </p>
+ *
+ * <pre>
+ * &#064;Target({ ElementType.PARAMETER })
+ * &#064;Retention(RetentionPolicy.RUNTIME)
+ * &#064;AuthenticationPrincipal
+ * public @interface CurrentUser {
+ * }
+ * </pre>
+ *
+ * <p>
+ * The custom annotation can then be used instead. For example:
+ * </p>
+ *
+ * <pre>
+ * @Controller
+ * public class MyController {
+ *     @MessageMapping("/im")
+ *     public void im(@CurrentUser CustomUser customUser) {
+ *         // do something with CustomUser
+ *     }
+ * </pre>
+ *
+ * @author Rob Winch
+ * @since 4.0
+ */
+public final class AuthenticationPrincipalArgumentResolver implements
+    HandlerMethodArgumentResolver {
+
+    /*
+     * (non-Javadoc)
+     * @see org.springframework.messaging.handler.invocation.HandlerMethodArgumentResolver#supportsParameter(org.springframework.core.MethodParameter)
+     */
+    public boolean supportsParameter(MethodParameter parameter) {
+        return findMethodAnnotation(AuthenticationPrincipal.class, parameter) != null;
+    }
+
+    /*
+     * (non-Javadoc)
+     * @see org.springframework.messaging.handler.invocation.HandlerMethodArgumentResolver#resolveArgument(org.springframework.core.MethodParameter, org.springframework.messaging.Message)
+     */
+    public Object resolveArgument(MethodParameter parameter, Message<?> message) throws Exception {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if(authentication == null) {
+            return null;
+        }
+        Object principal = authentication.getPrincipal();
+        if(principal != null && !parameter.getParameterType().isAssignableFrom(principal.getClass())) {
+            AuthenticationPrincipal authPrincipal = findMethodAnnotation(AuthenticationPrincipal.class, parameter);
+            if(authPrincipal.errorOnInvalidType()) {
+                throw new ClassCastException(principal + " is not assignable to " + parameter.getParameterType());
+            } else {
+                return null;
+            }
+        }
+        return principal;
+    }
+
+    /**
+     * Obtains the specified {@link Annotation} on the specified {@link MethodParameter}.
+     *
+     * @param annotationClass the class of the {@link Annotation} to find on the {@link MethodParameter}
+     * @param parameter the {@link MethodParameter} to search for an {@link Annotation}
+     * @return the {@link Annotation} that was found or null.
+     */
+    private <T extends Annotation> T findMethodAnnotation(Class<T> annotationClass, MethodParameter parameter) {
+        T annotation = parameter.getParameterAnnotation(annotationClass);
+        if(annotation != null) {
+            return annotation;
+        }
+        Annotation[] annotationsToSearch = parameter.getParameterAnnotations();
+        for(Annotation toSearch : annotationsToSearch) {
+            annotation = AnnotationUtils.findAnnotation(toSearch.annotationType(), annotationClass);
+            if(annotation != null) {
+                return annotation;
+            }
+        }
+        return null;
+    }
+}

messaging/src/test/java/org/springframework/security/messaging/context/AuthenticationPrincipalArgumentResolverTests.java

@@ -0,0 +1,202 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.messaging.context;
+
+
+import static org.fest.assertions.Assertions.assertThat;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import java.lang.reflect.Method;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.core.MethodParameter;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.util.ReflectionUtils;
+
+/**
+ * @author Rob Winch
+ *
+ */
+public class AuthenticationPrincipalArgumentResolverTests {
+    private Object expectedPrincipal;
+    private AuthenticationPrincipalArgumentResolver resolver;
+
+    @Before
+    public void setup() {
+        resolver = new AuthenticationPrincipalArgumentResolver();
+    }
+
+    @After
+    public void cleanup() {
+        SecurityContextHolder.clearContext();
+    }
+
+    @Test
+    public void supportsParameterNoAnnotation() throws Exception {
+        assertThat(resolver.supportsParameter(showUserNoAnnotation())).isFalse();
+    }
+
+    @Test
+    public void supportsParameterAnnotation() throws Exception {
+        assertThat(resolver.supportsParameter(showUserAnnotationObject())).isTrue();
+    }
+
+    @Test
+    public void supportsParameterCustomAnnotation() throws Exception {
+        assertThat(resolver.supportsParameter(showUserCustomAnnotation())).isTrue();
+    }
+
+    @Test
+    public void resolveArgumentNullAuthentication() throws Exception {
+        assertThat(resolver.resolveArgument(showUserAnnotationString(), null)).isNull();
+    }
+
+    @Test
+    public void resolveArgumentNullPrincipal() throws Exception {
+        setAuthenticationPrincipal(null);
+        assertThat(resolver.resolveArgument(showUserAnnotationString(), null)).isNull();
+    }
+
+    @Test
+    public void resolveArgumentString() throws Exception {
+        setAuthenticationPrincipal("john");
+        assertThat(resolver.resolveArgument(showUserAnnotationString(), null)).isEqualTo(expectedPrincipal);
+    }
+
+    @Test
+    public void resolveArgumentPrincipalStringOnObject() throws Exception {
+        setAuthenticationPrincipal("john");
+        assertThat(resolver.resolveArgument(showUserAnnotationObject(), null)).isEqualTo(expectedPrincipal);
+    }
+
+    @Test
+    public void resolveArgumentUserDetails() throws Exception {
+        setAuthenticationPrincipal(new User("user", "password", AuthorityUtils.createAuthorityList("ROLE_USER")));
+        assertThat(resolver.resolveArgument(showUserAnnotationUserDetails(), null)).isEqualTo(expectedPrincipal);
+    }
+
+    @Test
+    public void resolveArgumentCustomUserPrincipal() throws Exception {
+        setAuthenticationPrincipal(new CustomUserPrincipal());
+        assertThat(resolver.resolveArgument(showUserAnnotationCustomUserPrincipal(), null)).isEqualTo(expectedPrincipal);
+    }
+
+    @Test
+    public void resolveArgumentCustomAnnotation() throws Exception {
+        setAuthenticationPrincipal(new CustomUserPrincipal());
+        assertThat(resolver.resolveArgument(showUserCustomAnnotation(), null)).isEqualTo(expectedPrincipal);
+    }
+
+    @Test
+    public void resolveArgumentNullOnInvalidType() throws Exception {
+        setAuthenticationPrincipal(new CustomUserPrincipal());
+        assertThat(resolver.resolveArgument(showUserAnnotationString(), null)).isNull();
+    }
+
+    @Test(expected = ClassCastException.class)
+    public void resolveArgumentErrorOnInvalidType() throws Exception {
+        setAuthenticationPrincipal(new CustomUserPrincipal());
+        resolver.resolveArgument(showUserAnnotationErrorOnInvalidType(), null);
+    }
+
+
+    @Test(expected = ClassCastException.class)
+    public void resolveArgumentCustomserErrorOnInvalidType() throws Exception {
+        setAuthenticationPrincipal(new CustomUserPrincipal());
+        resolver.resolveArgument(showUserAnnotationCurrentUserErrorOnInvalidType(), null);
+    }
+
+    @Test
+    public void resolveArgumentObject() throws Exception {
+        setAuthenticationPrincipal(new Object());
+        assertThat(resolver.resolveArgument(showUserAnnotationObject(), null)).isEqualTo(expectedPrincipal);
+    }
+
+    private MethodParameter showUserNoAnnotation() {
+        return getMethodParameter("showUserNoAnnotation", String.class);
+    }
+
+    private MethodParameter showUserAnnotationString() {
+        return getMethodParameter("showUserAnnotation", String.class);
+    }
+
+    private MethodParameter showUserAnnotationErrorOnInvalidType() {
+        return getMethodParameter("showUserAnnotationErrorOnInvalidType", String.class);
+    }
+
+    private MethodParameter showUserAnnotationCurrentUserErrorOnInvalidType() {
+        return getMethodParameter("showUserAnnotationCurrentUserErrorOnInvalidType", String.class);
+    }
+
+    private MethodParameter showUserAnnotationUserDetails() {
+        return getMethodParameter("showUserAnnotation", UserDetails.class);
+    }
+
+    private MethodParameter showUserAnnotationCustomUserPrincipal() {
+        return getMethodParameter("showUserAnnotation", CustomUserPrincipal.class);
+    }
+
+    private MethodParameter showUserCustomAnnotation() {
+        return getMethodParameter("showUserCustomAnnotation", CustomUserPrincipal.class);
+    }
+
+    private MethodParameter showUserAnnotationObject() {
+        return getMethodParameter("showUserAnnotation", Object.class);
+    }
+
+    private MethodParameter getMethodParameter(String methodName, Class<?>... paramTypes) {
+        Method method = ReflectionUtils.findMethod(TestController.class, methodName,paramTypes);
+        return new MethodParameter(method,0);
+    }
+
+    @Target({ ElementType.PARAMETER})
+    @Retention(RetentionPolicy.RUNTIME)
+    @AuthenticationPrincipal
+    static @interface CurrentUser { }
+
+    @Target({ ElementType.PARAMETER})
+    @Retention(RetentionPolicy.RUNTIME)
+    @AuthenticationPrincipal(errorOnInvalidType = true)
+    static @interface CurrentUserErrorOnInvalidType { }
+
+    public static class TestController {
+        public void showUserNoAnnotation(String user) {}
+        public void showUserAnnotation(@AuthenticationPrincipal String user) {}
+        public void showUserAnnotationErrorOnInvalidType(@AuthenticationPrincipal(errorOnInvalidType=true) String user) {}
+        public void showUserAnnotationCurrentUserErrorOnInvalidType(@CurrentUserErrorOnInvalidType String user) {}
+        public void showUserAnnotation(@AuthenticationPrincipal UserDetails user) {}
+        public void showUserAnnotation(@AuthenticationPrincipal CustomUserPrincipal user) {}
+        public void showUserCustomAnnotation(@CurrentUser CustomUserPrincipal user) {}
+        public void showUserAnnotation(@AuthenticationPrincipal Object user) {}
+    }
+
+    private static class CustomUserPrincipal {}
+
+    private void setAuthenticationPrincipal(Object principal) {
+        this.expectedPrincipal = principal;
+        SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken(expectedPrincipal, "password", "ROLE_USER"));
+    }
+}