Example 31 with FilterChain

use of jakarta.servlet.FilterChain in project spring-security by spring-projects.

the class BasicAuthenticationFilterTests method doFilterWhenTokenAndFilterCharsetMatchDefaultThenAuthenticated.

@Test
public void doFilterWhenTokenAndFilterCharsetMatchDefaultThenAuthenticated() throws Exception {
    SecurityContextHolder.clearContext();
    UsernamePasswordAuthenticationToken rodRequest = new UsernamePasswordAuthenticationToken("rod", "äöü");
    rodRequest.setDetails(new WebAuthenticationDetails(new MockHttpServletRequest()));
    Authentication rod = new UsernamePasswordAuthenticationToken("rod", "äöü", AuthorityUtils.createAuthorityList("ROLE_1"));
    this.manager = mock(AuthenticationManager.class);
    given(this.manager.authenticate(rodRequest)).willReturn(rod);
    given(this.manager.authenticate(not(eq(rodRequest)))).willThrow(new BadCredentialsException(""));
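    // No credentials charset is set on the filter, so it decodes with its default (UTF-8),
    // which matches the UTF-8 encoding used to build the token below.
    this.filter = new BasicAuthenticationFilter(this.manager, new BasicAuthenticationEntryPoint());
    String token = "rod:äöü";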
    MockHttpServletRequest request = new MockHttpServletRequest();
    request.addHeader("Authorization", "Basic " + new String(Base64.encodeBase64(token.getBytes(StandardCharsets.UTF_8))));
    request.setServletPath("/some_file.html");
    MockHttpServletResponse response = new MockHttpServletResponse();
    // Test
    assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
    FilterChain chain = mock(FilterChain.class);
    this.filter.doFilter(request, response, chain);
    assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
    verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
    assertThat(SecurityContextHolder.getContext().getAuthentication().getName()).isEqualTo("rod");
    assertThat(SecurityContextHolder.getContext().getAuthentication().getCredentials()).isEqualTo("äöü");
}
Also used: ServletRequest (jakarta.servlet.ServletRequest), MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse), ServletResponse (jakarta.servlet.ServletResponse), HttpServletResponse (jakarta.servlet.http.HttpServletResponse), FilterChain (jakarta.servlet.FilterChain), UsernamePasswordAuthenticationToken (org.springframework.security.authentication.UsernamePasswordAuthenticationToken), BadCredentialsException (org.springframework.security.authentication.BadCredentialsException), AuthenticationManager (org.springframework.security.authentication.AuthenticationManager), WebAuthenticationDetails (org.springframework.security.web.authentication.WebAuthenticationDetails), Authentication (org.springframework.security.core.Authentication), Test (org.junit.jupiter.api.Test)

Example 32 with FilterChain

use of jakarta.servlet.FilterChain in project spring-security by spring-projects.

the class BasicAuthenticationFilterTests method doFilterWhenTokenAndFilterCharsetDoNotMatchThenUnauthorized.

@Test
public void doFilterWhenTokenAndFilterCharsetDoNotMatchThenUnauthorized() throws Exception {
    SecurityContextHolder.clearContext();
    UsernamePasswordAuthenticationToken rodRequest = new UsernamePasswordAuthenticationToken("rod", "äöü");
    rodRequest.setDetails(new WebAuthenticationDetails(new MockHttpServletRequest()));
    Authentication rod = new UsernamePasswordAuthenticationToken("rod", "äöü", AuthorityUtils.createAuthorityList("ROLE_1"));
    this.manager = mock(AuthenticationManager.class);
    given(this.manager.authenticate(rodRequest)).willReturn(rod);
    given(this.manager.authenticate(not(eq(rodRequest)))).willThrow(new BadCredentialsException(""));
    this.filter = new BasicAuthenticationFilter(this.manager, new BasicAuthenticationEntryPoint());
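    // The filter decodes credentials as ISO-8859-1 while the token below is encoded as UTF-8,
    // so the decoded password differs from "äöü" and authentication is rejected.
    this.filter.setCredentialsCharset("ISO-8859-1");
    String token = "rod:äöü";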
    MockHttpServletRequest request = new MockHttpServletRequest();
    request.addHeader("Authorization", "Basic " + new String(Base64.encodeBase64(token.getBytes(StandardCharsets.UTF_8))));
    request.setServletPath("/some_file.html");
    MockHttpServletResponse response = new MockHttpServletResponse();
    // Test
    assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
    FilterChain chain = mock(FilterChain.class);
    this.filter.doFilter(request, response, chain);
    assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
    verify(chain, never()).doFilter(any(ServletRequest.class), any(ServletResponse.class));
    assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
}
Also used: ServletRequest (jakarta.servlet.ServletRequest), MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse), ServletResponse (jakarta.servlet.ServletResponse), HttpServletResponse (jakarta.servlet.http.HttpServletResponse), FilterChain (jakarta.servlet.FilterChain), UsernamePasswordAuthenticationToken (org.springframework.security.authentication.UsernamePasswordAuthenticationToken), BadCredentialsException (org.springframework.security.authentication.BadCredentialsException), AuthenticationManager (org.springframework.security.authentication.AuthenticationManager), WebAuthenticationDetails (org.springframework.security.web.authentication.WebAuthenticationDetails), Authentication (org.springframework.security.core.Authentication), Test (org.junit.jupiter.api.Test)

Example 33 with FilterChain

use of jakarta.servlet.FilterChain in project spring-security by spring-projects.

the class BasicAuthenticationFilterTests method testSuccessLoginThenFailureLoginResultsInSessionLosingToken.

@Test
public void testSuccessLoginThenFailureLoginResultsInSessionLosingToken() throws Exception {
    String token = "rod:koala";
    MockHttpServletRequest request = new MockHttpServletRequest();
    request.addHeader("Authorization", "Basic " + new String(Base64.encodeBase64(token.getBytes())));
    request.setServletPath("/some_file.html");
    final MockHttpServletResponse response1 = new MockHttpServletResponse();
    FilterChain chain = mock(FilterChain.class);
    this.filter.doFilter(request, response1, chain);
    verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
    // Test
    assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
    assertThat(SecurityContextHolder.getContext().getAuthentication().getName()).isEqualTo("rod");
    // NOW PERFORM FAILED AUTHENTICATION
    token = "otherUser:WRONG_PASSWORD";
    request = new MockHttpServletRequest();
    request.addHeader("Authorization", "Basic " + new String(Base64.encodeBase64(token.getBytes())));
    final MockHttpServletResponse response2 = new MockHttpServletResponse();
    chain = mock(FilterChain.class);
    this.filter.doFilter(request, response2, chain);
    verify(chain, never()).doFilter(any(ServletRequest.class), any(ServletResponse.class));
    request.setServletPath("/some_file.html");
    // Test - the filter chain will not be invoked, as we get a 401 Unauthorized response
    MockHttpServletResponse response = response2;
    assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
    assertThat(response.getStatus()).isEqualTo(401);
}
Also used: ServletRequest (jakarta.servlet.ServletRequest), MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse), ServletResponse (jakarta.servlet.ServletResponse), HttpServletResponse (jakarta.servlet.http.HttpServletResponse), FilterChain (jakarta.servlet.FilterChain), Test (org.junit.jupiter.api.Test)

Example 34 with FilterChain

use of jakarta.servlet.FilterChain in project spring-security by spring-projects.

the class BasicAuthenticationFilterTests method testWrongPasswordContinuesFilterChainIfIgnoreFailureIsTrue.

@Test
public void testWrongPasswordContinuesFilterChainIfIgnoreFailureIsTrue() throws Exception {
    String token = "rod:WRONG_PASSWORD";
    MockHttpServletRequest request = new MockHttpServletRequest();
    request.addHeader("Authorization", "Basic " + new String(Base64.encodeBase64(token.getBytes())));
    request.setServletPath("/some_file.html");
    request.setSession(new MockHttpSession());
    this.filter = new BasicAuthenticationFilter(this.manager);
    assertThat(this.filter.isIgnoreFailure()).isTrue();
    FilterChain chain = mock(FilterChain.class);
    this.filter.doFilter(request, new MockHttpServletResponse(), chain);
    verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
    // Test - the filter chain will be invoked, as we've set ignoreFailure = true
    assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
}
Also used: ServletRequest (jakarta.servlet.ServletRequest), MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse), ServletResponse (jakarta.servlet.ServletResponse), HttpServletResponse (jakarta.servlet.http.HttpServletResponse), FilterChain (jakarta.servlet.FilterChain), MockHttpSession (org.springframework.mock.web.MockHttpSession), Test (org.junit.jupiter.api.Test)

Example 35 with FilterChain

use of jakarta.servlet.FilterChain in project spring-security by spring-projects.

the class BasicAuthenticationFilterTests method doFilterWhenSchemeLowercaseThenCaseInsensitveMatchWorks.

// gh-5586
@Test
public void doFilterWhenSchemeLowercaseThenCaseInsensitveMatchWorks() throws Exception {
    String token = "rod:koala";
    MockHttpServletRequest request = new MockHttpServletRequest();
    // Lowercase "basic" scheme: the filter must match the authentication scheme case-insensitively.
    request.addHeader("Authorization", "basic " + new String(Base64.encodeBase64(token.getBytes())));
    request.setServletPath("/some_file.html");
    // Test
    assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
    FilterChain chain = mock(FilterChain.class);
    this.filter.doFilter(request, new MockHttpServletResponse(), chain);
    verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
    assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
    assertThat(SecurityContextHolder.getContext().getAuthentication().getName()).isEqualTo("rod");
}
Also used: ServletRequest (jakarta.servlet.ServletRequest), MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse), ServletResponse (jakarta.servlet.ServletResponse), HttpServletResponse (jakarta.servlet.http.HttpServletResponse), FilterChain (jakarta.servlet.FilterChain), Test (org.junit.jupiter.api.Test)