|
|
@ -36,11 +36,15 @@ import org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration;
|
|
|
|
import org.springframework.boot.autoconfigure.web.HttpMessageConvertersAutoConfiguration;
|
|
|
|
import org.springframework.boot.autoconfigure.web.HttpMessageConvertersAutoConfiguration;
|
|
|
|
import org.springframework.boot.autoconfigure.web.ServerPropertiesAutoConfiguration;
|
|
|
|
import org.springframework.boot.autoconfigure.web.ServerPropertiesAutoConfiguration;
|
|
|
|
import org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration;
|
|
|
|
import org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration;
|
|
|
|
|
|
|
|
import org.springframework.boot.test.TestRestTemplate;
|
|
|
|
import org.springframework.context.ConfigurableApplicationContext;
|
|
|
|
import org.springframework.context.ConfigurableApplicationContext;
|
|
|
|
import org.springframework.context.annotation.Configuration;
|
|
|
|
import org.springframework.context.annotation.Configuration;
|
|
|
|
import org.springframework.context.annotation.Import;
|
|
|
|
import org.springframework.context.annotation.Import;
|
|
|
|
import org.springframework.core.Ordered;
|
|
|
|
import org.springframework.core.Ordered;
|
|
|
|
import org.springframework.core.annotation.Order;
|
|
|
|
import org.springframework.core.annotation.Order;
|
|
|
|
|
|
|
|
import org.springframework.http.HttpMethod;
|
|
|
|
|
|
|
|
import org.springframework.http.HttpStatus;
|
|
|
|
|
|
|
|
import org.springframework.http.ResponseEntity;
|
|
|
|
import org.springframework.security.authentication.AuthenticationManager;
|
|
|
|
import org.springframework.security.authentication.AuthenticationManager;
|
|
|
|
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
|
|
|
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
|
|
|
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
|
|
|
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
|
|
@ -51,8 +55,11 @@ import org.springframework.test.web.servlet.MockMvc;
|
|
|
|
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
|
|
|
|
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
|
|
|
|
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
|
|
|
|
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
|
|
|
|
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
|
|
|
|
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
|
|
|
|
|
|
|
|
import org.springframework.util.LinkedMultiValueMap;
|
|
|
|
|
|
|
|
import org.springframework.util.MultiValueMap;
|
|
|
|
import org.springframework.web.context.WebApplicationContext;
|
|
|
|
import org.springframework.web.context.WebApplicationContext;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
import static org.junit.Assert.assertEquals;
|
|
|
|
import static org.junit.Assert.assertNotNull;
|
|
|
|
import static org.junit.Assert.assertNotNull;
|
|
|
|
import static org.junit.Assert.assertTrue;
|
|
|
|
import static org.junit.Assert.assertTrue;
|
|
|
|
|
|
|
|
|
|
|
@ -60,6 +67,7 @@ import static org.junit.Assert.assertTrue;
|
|
|
|
* Tests for {@link SpringBootWebSecurityConfiguration}.
|
|
|
|
* Tests for {@link SpringBootWebSecurityConfiguration}.
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* @author Dave Syer
|
|
|
|
* @author Dave Syer
|
|
|
|
|
|
|
|
* @author Rob Winch
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
public class SpringBootWebSecurityConfigurationTests {
|
|
|
|
public class SpringBootWebSecurityConfigurationTests {
|
|
|
|
|
|
|
|
|
|
|
@ -160,6 +168,30 @@ public class SpringBootWebSecurityConfigurationTests {
|
|
|
|
new UsernamePasswordAuthenticationToken("dave", "secret")));
|
|
|
|
new UsernamePasswordAuthenticationToken("dave", "secret")));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// gh-3447
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
|
|
|
public void testHiddenHttpMethodFilterOrderedFirst()
|
|
|
|
|
|
|
|
throws Exception {
|
|
|
|
|
|
|
|
this.context = SpringApplication.run(DenyPostRequestConfig.class,
|
|
|
|
|
|
|
|
"--server.port=0");
|
|
|
|
|
|
|
|
int port = Integer.parseInt(this.context.getEnvironment().getProperty("local.server.port"));
|
|
|
|
|
|
|
|
TestRestTemplate rest = new TestRestTemplate();
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// not overriding causes forbidden
|
|
|
|
|
|
|
|
MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ResponseEntity<Object> result = rest.postForEntity("http://localhost:" + port + "/", form, Object.class);
|
|
|
|
|
|
|
|
assertEquals(HttpStatus.FORBIDDEN, result.getStatusCode());
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// override method with GET
|
|
|
|
|
|
|
|
form = new LinkedMultiValueMap<String, String>();
|
|
|
|
|
|
|
|
form.add("_method", "GET");
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
result = rest.postForEntity("http://localhost:" + port + "/", form, Object.class);
|
|
|
|
|
|
|
|
assertEquals(HttpStatus.NOT_FOUND, result.getStatusCode());
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@Configuration
|
|
|
|
@Configuration
|
|
|
|
@Import(TestWebConfiguration.class)
|
|
|
|
@Import(TestWebConfiguration.class)
|
|
|
|
@Order(Ordered.LOWEST_PRECEDENCE)
|
|
|
|
@Order(Ordered.LOWEST_PRECEDENCE)
|
|
|
@ -219,4 +251,15 @@ public class SpringBootWebSecurityConfigurationTests {
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@MinimalWebConfiguration
|
|
|
|
|
|
|
|
@Import(SecurityAutoConfiguration.class)
|
|
|
|
|
|
|
|
protected static class DenyPostRequestConfig extends WebSecurityConfigurerAdapter {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
|
|
|
protected void configure(HttpSecurity http) throws Exception {
|
|
|
|
|
|
|
|
http
|
|
|
|
|
|
|
|
.authorizeRequests()
|
|
|
|
|
|
|
|
.antMatchers(HttpMethod.POST, "/**").denyAll();
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|