|
15 | 15 | */ |
16 | 16 | package org.springframework.security.config.annotation.web.configuration; |
17 | 17 |
|
| 18 | +import static org.assertj.core.api.Assertions.assertThat; |
| 19 | +import static org.assertj.core.api.Assertions.catchThrowable; |
| 20 | +import static org.mockito.Mockito.mock; |
| 21 | +import static org.mockito.Mockito.when; |
| 22 | +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; |
| 23 | +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; |
| 24 | +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; |
| 25 | + |
| 26 | +import java.io.Serializable; |
| 27 | +import java.lang.reflect.Method; |
| 28 | +import java.lang.reflect.Modifier; |
| 29 | +import java.util.List; |
| 30 | + |
18 | 31 | import org.junit.Rule; |
19 | 32 | import org.junit.Test; |
20 | 33 | import org.springframework.beans.factory.BeanCreationException; |
|
23 | 36 | import org.springframework.context.annotation.Configuration; |
24 | 37 | import org.springframework.context.annotation.Import; |
25 | 38 | import org.springframework.core.annotation.Order; |
| 39 | +import org.springframework.expression.EvaluationContext; |
| 40 | +import org.springframework.expression.Expression; |
26 | 41 | import org.springframework.expression.ExpressionParser; |
| 42 | +import org.springframework.mock.web.MockFilterChain; |
27 | 43 | import org.springframework.mock.web.MockHttpServletRequest; |
| 44 | +import org.springframework.mock.web.MockHttpServletResponse; |
| 45 | +import org.springframework.security.access.PermissionEvaluator; |
| 46 | +import org.springframework.security.access.expression.AbstractSecurityExpressionHandler; |
28 | 47 | import org.springframework.security.access.expression.SecurityExpressionHandler; |
| 48 | +import org.springframework.security.authentication.TestingAuthenticationToken; |
29 | 49 | import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; |
30 | 50 | import org.springframework.security.config.annotation.web.builders.HttpSecurity; |
31 | 51 | import org.springframework.security.config.annotation.web.builders.WebSecurity; |
32 | 52 | import org.springframework.security.config.test.SpringTestRule; |
33 | 53 | import org.springframework.security.config.users.AuthenticationTestConfiguration; |
| 54 | +import org.springframework.security.core.Authentication; |
34 | 55 | import org.springframework.security.web.FilterChainProxy; |
| 56 | +import org.springframework.security.web.FilterInvocation; |
35 | 57 | import org.springframework.security.web.SecurityFilterChain; |
36 | 58 | import org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator; |
37 | 59 | import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator; |
|
41 | 63 | import org.springframework.web.bind.annotation.GetMapping; |
42 | 64 | import org.springframework.web.bind.annotation.RestController; |
43 | 65 |
|
44 | | -import java.lang.reflect.Method; |
45 | | -import java.lang.reflect.Modifier; |
46 | | -import java.util.List; |
47 | | - |
48 | | -import static org.assertj.core.api.Assertions.assertThat; |
49 | | -import static org.assertj.core.api.Assertions.catchThrowable; |
50 | | -import static org.mockito.Mockito.mock; |
51 | | -import static org.mockito.Mockito.when; |
52 | | -import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; |
53 | | -import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; |
54 | | -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; |
55 | | - |
56 | 66 | /** |
57 | 67 | * Tests for {@link WebSecurityConfiguration}. |
58 | 68 | * |
@@ -260,6 +270,42 @@ protected void configure(HttpSecurity http) throws Exception { |
260 | 270 | } |
261 | 271 | } |
262 | 272 |
|
| 273 | + @Test |
| 274 | + public void securityExpressionHandlerWhenPermissionEvaluatorBeanThenPermissionEvaluatorUsed() throws Exception { |
| 275 | + this.spring.register(WebSecurityExpressionHandlerPermissionEvaluatorBeanConfig.class).autowire(); |
| 276 | + TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "notused"); |
| 277 | + FilterInvocation invocation = new FilterInvocation(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain()); |
| 278 | + |
| 279 | + AbstractSecurityExpressionHandler handler = this.spring.getContext().getBean(AbstractSecurityExpressionHandler.class); |
| 280 | + EvaluationContext evaluationContext = handler.createEvaluationContext(authentication, invocation); |
| 281 | + Expression expression = handler.getExpressionParser() |
| 282 | + .parseExpression("hasPermission(#study,'DELETE')"); |
| 283 | + boolean granted = expression.getValue(evaluationContext, Boolean.class); |
| 284 | + assertThat(granted).isTrue(); |
| 285 | + } |
| 286 | + |
| 287 | + @EnableWebSecurity |
| 288 | + static class WebSecurityExpressionHandlerPermissionEvaluatorBeanConfig extends WebSecurityConfigurerAdapter { |
| 289 | + static final PermissionEvaluator PERMIT_ALL_PERMISSION_EVALUATOR = new PermissionEvaluator() { |
| 290 | + @Override |
| 291 | + public boolean hasPermission(Authentication authentication, |
| 292 | + Object targetDomainObject, Object permission) { |
| 293 | + return true; |
| 294 | + } |
| 295 | + |
| 296 | + @Override |
| 297 | + public boolean hasPermission(Authentication authentication, |
| 298 | + Serializable targetId, String targetType, Object permission) { |
| 299 | + return true; |
| 300 | + } |
| 301 | + }; |
| 302 | + |
| 303 | + @Bean |
| 304 | + public PermissionEvaluator permissionEvaluator() { |
| 305 | + return PERMIT_ALL_PERMISSION_EVALUATOR; |
| 306 | + } |
| 307 | + } |
| 308 | + |
263 | 309 | @Test |
264 | 310 | public void loadConfigWhenDefaultWebInvocationPrivilegeEvaluatorThenDefaultIsRegistered() throws Exception { |
265 | 311 | this.spring.register(WebInvocationPrivilegeEvaluatorDefaultsConfig.class).autowire(); |
|
0 commit comments