Cwikius-Spring/spring-security
1
0
Fork 0
mirror of synced 2026-05-22 21:33:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add remaining methods from ExpressionUrlAuthorizationConfigurer to MessageMatcherDelegatingAuthorizationManager

Browse Source 
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous

Closes gh-11509
This commit is contained in:
Evgeniy Cheban
2022-08-06 20:11:19 +02:00
committed by Josh Cummings
parent 7359bd5949
commit ba50c50b4b
2 changed files with 85 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config/src/test/java/org/springframework/security/config/annotation/web/socket/WebSocketMessageBrokerSecurityConfigurationTests.java
+57 -1
View File
@@ -52,6 +52,8 @@ import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockServletConfig;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
@@ -59,6 +61,7 @@ import org.springframework.security.config.annotation.SecurityContextChangedList
import org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.messaging.access.intercept.AuthorizationChannelInterceptor;
import org.springframework.security.messaging.access.intercept.MessageAuthorizationContext;
@@ -94,7 +97,7 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
AnnotationConfigWebApplicationContext context;
TestingAuthenticationToken messageUser;
Authentication messageUser;
CsrfToken token;
@@ -312,6 +315,56 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
assertThat(interceptors).contains(AuthorizationChannelInterceptor.class);
}
@Test
public void sendMessageWhenFullyAuthenticatedConfiguredAndRememberMeTokenThenAccessDeniedException() {
loadConfig(WebSocketSecurityConfig.class);
this.messageUser = new RememberMeAuthenticationToken("key", "user",
AuthorityUtils.createAuthorityList("ROLE_USER"));
assertThatExceptionOfType(MessageDeliveryException.class)
.isThrownBy(() -> clientInboundChannel().send(message("/fullyAuthenticated")))
.withCauseInstanceOf(AccessDeniedException.class);
}
@Test
public void sendMessageWhenFullyAuthenticatedConfiguredAndUserThenPasses() {
loadConfig(WebSocketSecurityConfig.class);
clientInboundChannel().send(message("/fullyAuthenticated"));
}
@Test
public void sendMessageWhenRememberMeConfiguredAndNoUserThenAccessDeniedException() {
loadConfig(WebSocketSecurityConfig.class);
this.messageUser = null;
assertThatExceptionOfType(MessageDeliveryException.class)
.isThrownBy(() -> clientInboundChannel().send(message("/rememberMe")))
.withCauseInstanceOf(AccessDeniedException.class);
}
@Test
public void sendMessageWhenRememberMeConfiguredAndRememberMeTokenThenPasses() {
loadConfig(WebSocketSecurityConfig.class);
this.messageUser = new RememberMeAuthenticationToken("key", "user",
AuthorityUtils.createAuthorityList("ROLE_USER"));
clientInboundChannel().send(message("/rememberMe"));
}
@Test
public void sendMessageWhenAnonymousConfiguredAndAnonymousUserThenPasses() {
loadConfig(WebSocketSecurityConfig.class);
this.messageUser = new AnonymousAuthenticationToken("key", "user",
AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
clientInboundChannel().send(message("/anonymous"));
}
@Test
public void sendMessageWhenAnonymousConfiguredAndLoggedInUserThenAccessDeniedException() {
loadConfig(WebSocketSecurityConfig.class);
assertThatExceptionOfType(MessageDeliveryException.class)
.isThrownBy(() -> clientInboundChannel().send(message("/anonymous")))
.withCauseInstanceOf(AccessDeniedException.class);
}
private void assertHandshake(HttpServletRequest request) {
TestHandshakeHandler handshakeHandler = this.context.getBean(TestHandshakeHandler.class);
assertThat(handshakeHandler.attributes.get(CsrfToken.class.getName())).isSameAs(this.token);
@@ -709,6 +762,9 @@ public class WebSocketMessageBrokerSecurityConfigurationTests {
messages
.simpDestMatchers("/permitAll/**").permitAll()
.simpDestMatchers("/authenticated/**").authenticated()
.simpDestMatchers("/fullyAuthenticated/**").fullyAuthenticated()
.simpDestMatchers("/rememberMe/**").rememberMe()
.simpDestMatchers("/anonymous/**").anonymous()
.anyMessage().denyAll();
// @formatter:on
return messages.build();