Search in sources :

Example 31 with HttpServletRequest

use of jakarta.servlet.http.HttpServletRequest in project spring-security by spring-projects.

the class StrictHttpFirewallTests method getFirewalledRequestGetParameterValuesWhenNotAllowedInParameterValueThenException.

@Test
public void getFirewalledRequestGetParameterValuesWhenNotAllowedInParameterValueThenException() {
    this.firewall.setAllowedParameterValues((value) -> !value.equals("bad value"));
    this.request.addParameter("Something", "bad value");
    HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
    assertThatExceptionOfType(RequestRejectedException.class).isThrownBy(() -> request.getParameterValues("Something"));
}
Also used : HttpServletRequest(jakarta.servlet.http.HttpServletRequest) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) Test(org.junit.jupiter.api.Test)

Example 32 with HttpServletRequest

use of jakarta.servlet.http.HttpServletRequest in project spring-security by spring-projects.

the class DefaultOAuth2AuthorizationRequestResolverTests method resolveWhenNotAuthorizationRequestThenRequestBodyNotConsumed.

// gh-8650
@Test
public void resolveWhenNotAuthorizationRequestThenRequestBodyNotConsumed() throws IOException {
    String requestUri = "/path";
    MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
    request.setContent("foo".getBytes(StandardCharsets.UTF_8));
    request.setCharacterEncoding(StandardCharsets.UTF_8.name());
    HttpServletRequest spyRequest = Mockito.spy(request);
    this.resolver.resolve(spyRequest);
    Mockito.verify(spyRequest, Mockito.never()).getReader();
    Mockito.verify(spyRequest, Mockito.never()).getInputStream();
    Mockito.verify(spyRequest, Mockito.never()).getParameter(ArgumentMatchers.anyString());
    Mockito.verify(spyRequest, Mockito.never()).getParameterMap();
    Mockito.verify(spyRequest, Mockito.never()).getParameterNames();
    Mockito.verify(spyRequest, Mockito.never()).getParameterValues(ArgumentMatchers.anyString());
}
Also used : HttpServletRequest(jakarta.servlet.http.HttpServletRequest) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) Test(org.junit.jupiter.api.Test)

Example 33 with HttpServletRequest

use of jakarta.servlet.http.HttpServletRequest in project spring-security by spring-projects.

the class Saml2LogoutResponseFilter method doFilterInternal.

/**
 * {@inheritDoc}
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
    if (!this.logoutRequestMatcher.matches(request)) {
        chain.doFilter(request, response);
        return;
    }
    if (request.getParameter(Saml2ParameterNames.SAML_RESPONSE) == null) {
        chain.doFilter(request, response);
        return;
    }
    Saml2LogoutRequest logoutRequest = this.logoutRequestRepository.removeLogoutRequest(request, response);
    if (logoutRequest == null) {
        this.logger.trace("Did not process logout response since could not find associated LogoutRequest");
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Failed to find associated LogoutRequest");
        return;
    }
    RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, logoutRequest.getRelyingPartyRegistrationId());
    if (registration == null) {
        this.logger.trace("Did not process logout request since failed to find associated RelyingPartyRegistration");
        Saml2Error error = new Saml2Error(Saml2ErrorCodes.RELYING_PARTY_REGISTRATION_NOT_FOUND, "Failed to find associated RelyingPartyRegistration");
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, error.toString());
        return;
    }
    if (registration.getSingleLogoutServiceResponseLocation() == null) {
        this.logger.trace("Did not process logout response since RelyingPartyRegistration has not been configured with a logout response endpoint");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    if (!isCorrectBinding(request, registration)) {
        this.logger.trace("Did not process logout request since used incorrect binding");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    String serialized = request.getParameter(Saml2ParameterNames.SAML_RESPONSE);
    Saml2LogoutResponse logoutResponse = Saml2LogoutResponse.withRelyingPartyRegistration(registration).samlResponse(serialized).relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE)).binding(registration.getSingleLogoutServiceBinding()).location(registration.getSingleLogoutServiceResponseLocation()).parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG, request.getParameter(Saml2ParameterNames.SIG_ALG))).parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE, request.getParameter(Saml2ParameterNames.SIGNATURE))).build();
    Saml2LogoutResponseValidatorParameters parameters = new Saml2LogoutResponseValidatorParameters(logoutResponse, logoutRequest, registration);
    Saml2LogoutValidatorResult result = this.logoutResponseValidator.validate(parameters);
    if (result.hasErrors()) {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, result.getErrors().iterator().next().toString());
        this.logger.debug(LogMessage.format("Failed to validate LogoutResponse: %s", result.getErrors()));
        return;
    }
    this.logoutSuccessHandler.onLogoutSuccess(request, response, null);
}
Also used : RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) Saml2Error(org.springframework.security.saml2.core.Saml2Error) Saml2ErrorCodes(org.springframework.security.saml2.core.Saml2ErrorCodes) HttpServletRequest(jakarta.servlet.http.HttpServletRequest) RelyingPartyRegistrationResolver(org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver) FilterChain(jakarta.servlet.FilterChain) Saml2Error(org.springframework.security.saml2.core.Saml2Error) OncePerRequestFilter(org.springframework.web.filter.OncePerRequestFilter) IOException(java.io.IOException) ServletException(jakarta.servlet.ServletException) Saml2LogoutResponse(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse) RequestMatcher(org.springframework.security.web.util.matcher.RequestMatcher) Saml2LogoutResponseValidatorParameters(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponseValidatorParameters) RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding) LogMessage(org.springframework.core.log.LogMessage) Saml2LogoutValidatorResult(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutValidatorResult) Saml2ParameterNames(org.springframework.security.saml2.core.Saml2ParameterNames) Saml2LogoutResponseValidator(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponseValidator) LogoutSuccessHandler(org.springframework.security.web.authentication.logout.LogoutSuccessHandler) Log(org.apache.commons.logging.Log) HttpServletResponse(jakarta.servlet.http.HttpServletResponse) LogFactory(org.apache.commons.logging.LogFactory) Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest) AntPathRequestMatcher(org.springframework.security.web.util.matcher.AntPathRequestMatcher) Assert(org.springframework.util.Assert) Saml2LogoutValidatorResult(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutValidatorResult) Saml2LogoutResponseValidatorParameters(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponseValidatorParameters) Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest) Saml2LogoutResponse(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse)

Example 34 with HttpServletRequest

use of jakarta.servlet.http.HttpServletRequest in project spring-security by spring-projects.

the class HttpSessionSecurityContextRepository method loadContext.

/**
 * Gets the security context for the current request (if available) and returns it.
 * <p>
 * If the session is null, the context object is null or the context object stored in
 * the session is not an instance of {@code SecurityContext}, a new context object
 * will be generated and returned.
 */
@Override
public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) {
    HttpServletRequest request = requestResponseHolder.getRequest();
    HttpServletResponse response = requestResponseHolder.getResponse();
    HttpSession httpSession = request.getSession(false);
    SecurityContext context = readSecurityContextFromSession(httpSession);
    if (context == null) {
        context = generateNewContext();
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(LogMessage.format("Created %s", context));
        }
    }
    SaveToSessionResponseWrapper wrappedResponse = new SaveToSessionResponseWrapper(response, request, httpSession != null, context);
    requestResponseHolder.setResponse(wrappedResponse);
    requestResponseHolder.setRequest(new SaveToSessionRequestWrapper(request, wrappedResponse));
    return context;
}
Also used : HttpServletRequest(jakarta.servlet.http.HttpServletRequest) HttpSession(jakarta.servlet.http.HttpSession) SecurityContext(org.springframework.security.core.context.SecurityContext) HttpServletResponse(jakarta.servlet.http.HttpServletResponse)

Example 35 with HttpServletRequest

use of jakarta.servlet.http.HttpServletRequest in project spring-security by spring-projects.

the class CookieRequestCacheTests method matchingRequestWhenRequestDoesNotContainSavedRequestCookieThenReturnsNull.

@Test
public void matchingRequestWhenRequestDoesNotContainSavedRequestCookieThenReturnsNull() {
    CookieRequestCache cookieRequestCache = new CookieRequestCache();
    MockHttpServletResponse response = new MockHttpServletResponse();
    HttpServletRequest matchingRequest = cookieRequestCache.getMatchingRequest(new MockHttpServletRequest(), response);
    assertThat(matchingRequest).isNull();
    assertThat(response.getCookie(DEFAULT_COOKIE_NAME)).isNull();
}
Also used : HttpServletRequest(jakarta.servlet.http.HttpServletRequest) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) Test(org.junit.jupiter.api.Test)

Aggregations

HttpServletRequest (jakarta.servlet.http.HttpServletRequest)334 Test (org.junit.jupiter.api.Test)200 MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)93 HttpServletResponse (jakarta.servlet.http.HttpServletResponse)91 MockHttpServletRequest (org.springframework.web.testfixture.servlet.MockHttpServletRequest)67 MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse)44 Authentication (org.springframework.security.core.Authentication)31 MockHttpServletResponse (org.springframework.web.testfixture.servlet.MockHttpServletResponse)31 Test (org.junit.Test)28 TomcatBaseTest (org.apache.catalina.startup.TomcatBaseTest)26 IOException (java.io.IOException)22 ServletException (jakarta.servlet.ServletException)21 HashMap (java.util.HashMap)20 HttpServlet (jakarta.servlet.http.HttpServlet)19 FilterChain (jakarta.servlet.FilterChain)17 FilterDef (org.apache.tomcat.util.descriptor.web.FilterDef)16 HttpSession (jakarta.servlet.http.HttpSession)14 MockFilterChain (org.springframework.mock.web.MockFilterChain)14 TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken)14 ServletRequest (jakarta.servlet.ServletRequest)13