
Example 6 with WebFilterChainProxy

use of org.springframework.security.web.server.WebFilterChainProxy in project spring-security by spring-projects.

From class ServerHttpSecurityTests, method postWhenCsrfDisabledThenPermitted.

@Test
public void postWhenCsrfDisabledThenPermitted() {
    // With CSRF protection switched off, a POST carrying no token must pass the
    // security filters untouched and reach the 200 handler.
    SecurityWebFilterChain chain = this.http.csrf((csrf) -> csrf.disable()).build();
    WebTestClient client = WebTestClientBuilder.bindToWebFilters(new WebFilterChainProxy(chain)).build();
    client.post()
        .uri("/")
        .exchange()
        .expectStatus()
        .isOk();
}

Example 7 with WebFilterChainProxy

use of org.springframework.security.web.server.WebFilterChainProxy in project spring-boot by spring-projects.

From class ReactiveManagementWebSecurityAutoConfigurationTests, method performFilter.

/**
 * Sends a GET for {@code path} through the context's {@link WebFilterChainProxy} and returns
 * the exchange so the caller can inspect the response the security filters produced.
 *
 * @param context the started reactive application context holding the security filter chain
 * @param path    request path to filter
 * @return the exchange after the filter chain has completed (blocks for at most 30 seconds)
 */
private ServerWebExchange performFilter(AssertableReactiveWebApplicationContext context, String path) {
    MockServerHttpRequest request = MockServerHttpRequest.get(path).build();
    ServerWebExchange exchange = webHandler(context).createExchange(request, new MockServerHttpResponse());
    WebFilterChainProxy securityChain = context.getBean(WebFilterChainProxy.class);
    // The terminal handler does nothing, so whatever ends up on the response came from the
    // security filters alone (e.g. a 401/403 or a pass-through).
    securityChain.filter(exchange, (unused) -> Mono.empty()).block(Duration.ofSeconds(30));
    return exchange;
}

Example 8 with WebFilterChainProxy

use of org.springframework.security.web.server.WebFilterChainProxy in project spring-boot by spring-projects.

From class ReactiveCloudFoundryActuatorAutoConfigurationTests, method cloudFoundryPathsIgnoredBySpringSecurity.

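@Test
void cloudFoundryPathsIgnoredBySpringSecurity() {
    // The VCAP_* properties make the context look like a Cloud Foundry deployment.
    this.contextRunner.withPropertyValues("VCAP_APPLICATION:---", "vcap.application.application_id:my-app-id", "vcap.application.cf_api:https://my-cloud-controller.com").run((context) -> {
        WebFilterChainProxy chainProxy = context.getBean(WebFilterChainProxy.class);
        // The proxy does not expose its chains, so read the private field. The cast is only as
        // safe as the assumption that the field holds SecurityWebFilterChain instances, which the
        // assertions below depend on anyway; suppress on the declaration, not the whole method.
        @SuppressWarnings("unchecked")
        List<SecurityWebFilterChain> filters = (List<SecurityWebFilterChain>) ReflectionTestUtils.getField(chainProxy, "filters");
        // Chain 0 must cover only Cloud Foundry paths ...
        assertThat(chainMatches(filters.get(0), "/cloudfoundryapplication/my-path")).isTrue();
        assertThat(chainMatches(filters.get(0), "/some-other-path")).isFalse();
        // ... and chain 1 everything else. Ordering is what this pins down: presumably the proxy
        // dispatches to the first matching chain, so the Cloud Foundry chain has to come first — confirm.
        assertThat(chainMatches(filters.get(1), "/some-other-path")).isTrue();
    });
}

/**
 * Returns whether {@code chain} matches a GET request for {@code path}.
 * Blocks for at most 30 seconds; a timeout surfaces as an exception from {@code block}.
 *
 * @param chain the filter chain under test
 * @param path  request path to match against the chain
 * @return the chain's match result, as emitted by {@code matches}
 */
private static Boolean chainMatches(SecurityWebFilterChain chain, String path) {
    return chain.matches(MockServerWebExchange.from(MockServerHttpRequest.get(path).build())).block(Duration.ofSeconds(30));
}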

Example 9 with WebFilterChainProxy

use of org.springframework.security.web.server.WebFilterChainProxy in project spring-security by spring-projects.

From class RequestCacheTests, method defaultFormLoginRequestCache.

@Test
public void defaultFormLoginRequestCache() {
    // Every exchange requires authentication and form login runs with its defaults,
    // which is the configuration the default request cache is exercised under.
    // @formatter:off
    SecurityWebFilterChain chain = this.http
            .authorizeExchange()
                .anyExchange().authenticated()
                .and()
            .formLogin()
                .and()
            .build();
    WebTestClient client = WebTestClient
            .bindToController(new SecuredPageController(), new WebTestClientBuilder.Http200RestController())
            .webFilter(new WebFilterChainProxy(chain))
            .build();
    // @formatter:on
    WebDriver driver = WebTestClientHtmlUnitDriverBuilder.webTestClientSetup(client).build();
    // Requesting the secured page anonymously must land on the default login page.
    DefaultLoginPage loginPage = SecuredPage.to(driver, DefaultLoginPage.class).assertAt();
    // Submitting valid credentials should bring the browser back to the page originally requested.
    SecuredPage securedPage = loginPage.loginForm()
            .username("user")
            .password("password")
            .submit(SecuredPage.class);
    securedPage.assertAt();
}

Example 10 with WebFilterChainProxy

use of org.springframework.security.web.server.WebFilterChainProxy in project spring-security by spring-projects.

From class ServerHttpSecurityTests, method postWhenCustomCsrfTokenRepositoryThenUsed.

@Test
public void postWhenCustomCsrfTokenRepositoryThenUsed() {
    ServerCsrfTokenRepository tokenRepository = mock(ServerCsrfTokenRepository.class);
    // The repository has no token for any exchange, so a POST without one must be refused.
    given(tokenRepository.loadToken(any(ServerWebExchange.class))).willReturn(Mono.empty());
    SecurityWebFilterChain chain = this.http
            .csrf((csrf) -> csrf.csrfTokenRepository(tokenRepository))
            .build();
    WebTestClient client = WebTestClientBuilder.bindToWebFilters(new WebFilterChainProxy(chain)).build();
    client.post()
        .uri("/")
        .exchange()
        .expectStatus()
        .isForbidden();
    // It must be the custom repository, not the default one, that was consulted for the token.
    verify(tokenRepository).loadToken(any());
}
