Example 36 with AuthorizationDecision

use of org.springframework.security.authorization.AuthorizationDecision in project spring-security by spring-projects.

From the class SecuredAuthorizationManagerTests, method checkSecuredUserOrAdminWhenRoleAnonymousThenDeniedDecision:

@Test
public void checkSecuredUserOrAdminWhenRoleAnonymousThenDeniedDecision() throws Exception {
    // Caller that holds only ROLE_ANONYMOUS
    Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_ANONYMOUS");
    // Invocation of TestClass.securedUserOrAdmin(), which is secured for user or admin roles
    MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, "securedUserOrAdmin");
    SecuredAuthorizationManager manager = new SecuredAuthorizationManager();
    AuthorizationDecision decision = manager.check(authentication, methodInvocation);
    // The manager must return an explicit deny, not abstain (null)
    assertThat(decision).isNotNull();
    assertThat(decision.isGranted()).isFalse();
}
Also used: AuthorizationDecision (org.springframework.security.authorization.AuthorizationDecision), TestAuthentication (org.springframework.security.authentication.TestAuthentication), Authentication (org.springframework.security.core.Authentication), MockMethodInvocation (org.springframework.security.access.intercept.method.MockMethodInvocation), TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken), Test (org.junit.jupiter.api.Test)

Example 37 with AuthorizationDecision

use of org.springframework.security.authorization.AuthorizationDecision in project spring-security by spring-projects.

From the class AuthorizationWebFilterTests, method filterWhenGrantedAndDoeAccessAuthenticationThenChainSubscribedAndSecurityContextSubscribed:

@Test
public void filterWhenGrantedAndDoeAccessAuthenticationThenChainSubscribedAndSecurityContextSubscribed() {
    // Probe that records whether the SecurityContext publisher was subscribed to
    PublisherProbe<SecurityContext> context = PublisherProbe.empty();
    given(this.chain.filter(this.exchange)).willReturn(this.chainResult.mono());
    // Manager that reads the Authentication and grants either way; the
    // defaultIfEmpty branch covers the case of no Authentication at all
    AuthorizationWebFilter filter = new AuthorizationWebFilter((a, e) -> a
            .map((auth) -> new AuthorizationDecision(true))
            .defaultIfEmpty(new AuthorizationDecision(true)));
    Mono<Void> result = filter.filter(this.exchange, this.chain)
            .subscriberContext(ReactiveSecurityContextHolder.withSecurityContext(context.mono()));
    StepVerifier.create(result).verifyComplete();
    // Granted, so the rest of the chain ran, and the manager actually consulted the SecurityContext
    this.chainResult.assertWasSubscribed();
    context.assertWasSubscribed();
}
Also used: AuthorizationDecision (org.springframework.security.authorization.AuthorizationDecision), SecurityContext (org.springframework.security.core.context.SecurityContext), Test (org.junit.jupiter.api.Test)

Example 38 with AuthorizationDecision

use of org.springframework.security.authorization.AuthorizationDecision in project spring-security by spring-projects.

From the class RequestMatcherDelegatingAuthorizationManagerTests, method checkWhenMultipleMappingsConfiguredThenDelegatesMatchingManager:

@Test
public void checkWhenMultipleMappingsConfiguredThenDelegatesMatchingManager() {
    // Three path-to-manager mappings: one grants, one denies, one abstains (returns null)
    RequestMatcherDelegatingAuthorizationManager manager = RequestMatcherDelegatingAuthorizationManager.builder()
            .add(new MvcRequestMatcher(null, "/grant"), (a, o) -> new AuthorizationDecision(true))
            .add(new MvcRequestMatcher(null, "/deny"), (a, o) -> new AuthorizationDecision(false))
            .add(new MvcRequestMatcher(null, "/neutral"), (a, o) -> null)
            .build();
    Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
    AuthorizationDecision grant = manager.check(authentication, new MockHttpServletRequest(null, "/grant"));
    assertThat(grant).isNotNull();
    assertThat(grant.isGranted()).isTrue();
    AuthorizationDecision deny = manager.check(authentication, new MockHttpServletRequest(null, "/deny"));
    assertThat(deny).isNotNull();
    assertThat(deny.isGranted()).isFalse();
    // A matched manager that returns null is passed through as an abstention
    AuthorizationDecision neutral = manager.check(authentication, new MockHttpServletRequest(null, "/neutral"));
    assertThat(neutral).isNull();
    // A request matching no mapping also yields null rather than a decision
    AuthorizationDecision abstain = manager.check(authentication, new MockHttpServletRequest(null, "/abstain"));
    assertThat(abstain).isNull();
}
Also used: Test (org.junit.jupiter.api.Test), TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken), AuthorityAuthorizationManager (org.springframework.security.authorization.AuthorityAuthorizationManager), Assertions.assertThat (org.assertj.core.api.Assertions.assertThat), Assertions.assertThatIllegalArgumentException (org.assertj.core.api.Assertions.assertThatIllegalArgumentException), AnyRequestMatcher (org.springframework.security.web.util.matcher.AnyRequestMatcher), MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), Authentication (org.springframework.security.core.Authentication), Supplier (java.util.function.Supplier), AuthorizationDecision (org.springframework.security.authorization.AuthorizationDecision), MvcRequestMatcher (org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher)

Example 39 with AuthorizationDecision

use of org.springframework.security.authorization.AuthorizationDecision in project spring-security by spring-projects.

From the class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests, method isAllowedWhenAuthorizationManagerDeniesAllowedFalse:

@Test
void isAllowedWhenAuthorizationManagerDeniesAllowedFalse() {
    // Mocked manager that denies every check
    given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
    // The privilege evaluator must translate that deny into isAllowed() == false
    boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
    assertThat(allowed).isFalse();
}
Also used: AuthorizationDecision (org.springframework.security.authorization.AuthorizationDecision), Test (org.junit.jupiter.api.Test)

Aggregations

AuthorizationDecision (org.springframework.security.authorization.AuthorizationDecision): 39
Test (org.junit.jupiter.api.Test): 36
MockMethodInvocation (org.springframework.security.access.intercept.method.MockMethodInvocation): 27
TestAuthentication (org.springframework.security.authentication.TestAuthentication): 27
TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken): 13
Authentication (org.springframework.security.core.Authentication): 13
PayloadExchangeMatcherEntry (org.springframework.security.rsocket.util.matcher.PayloadExchangeMatcherEntry): 4
Assertions.assertThat (org.assertj.core.api.Assertions.assertThat): 3
Supplier (java.util.function.Supplier): 2
Assertions.assertThatIllegalArgumentException (org.assertj.core.api.Assertions.assertThatIllegalArgumentException): 2
MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest): 2
AccessDeniedException (org.springframework.security.access.AccessDeniedException): 2
AuthorityAuthorizationManager (org.springframework.security.authorization.AuthorityAuthorizationManager): 2
MvcRequestMatcher (org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher): 2
AnyRequestMatcher (org.springframework.security.web.util.matcher.AnyRequestMatcher): 2
ExtendWith (org.junit.jupiter.api.extension.ExtendWith): 1
ArgumentMatchers.any (org.mockito.ArgumentMatchers.any): 1
BDDMockito.given (org.mockito.BDDMockito.given): 1
Mock (org.mockito.Mock): 1
MockitoExtension (org.mockito.junit.jupiter.MockitoExtension): 1