Skip to content

Commit 9179db9

Browse files
jzheauxjzheaux
committed
Add Authorization Event Tests
- These ensure that the parameterized version of authorization events can be listened to Issue gh-16700
1 parent de034f7 commit 9179db9

File tree

2 files changed

+72
-0
lines changed

2 files changed

+72
-0
lines changed

config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -51,11 +51,13 @@
5151
import org.springframework.beans.factory.config.BeanDefinition;
5252
import org.springframework.beans.factory.config.BeanPostProcessor;
5353
import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor;
54+
import org.springframework.context.ApplicationEventPublisher;
5455
import org.springframework.context.annotation.AdviceMode;
5556
import org.springframework.context.annotation.Bean;
5657
import org.springframework.context.annotation.Configuration;
5758
import org.springframework.context.annotation.Import;
5859
import org.springframework.context.annotation.Role;
60+
import org.springframework.context.event.EventListener;
5961
import org.springframework.core.annotation.AnnotationConfigurationException;
6062
import org.springframework.security.access.AccessDeniedException;
6163
import org.springframework.security.access.PermissionEvaluator;
@@ -76,6 +78,8 @@
7678
import org.springframework.security.authorization.AuthorizationEventPublisher;
7779
import org.springframework.security.authorization.AuthorizationManager;
7880
import org.springframework.security.authorization.AuthorizationResult;
81+
import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
82+
import org.springframework.security.authorization.event.AuthorizationDeniedEvent;
7983
import org.springframework.security.authorization.method.AuthorizationAdvisor;
8084
import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
8185
import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor;
@@ -1103,6 +1107,17 @@ public void jsr250MethodWhenExcludeAuthorizationObservationsThenUnobserved() {
11031107
verifyNoInteractions(handler);
11041108
}
11051109

1110+
@Test
1111+
@WithMockUser
1112+
public void preAuthorizeWhenDenyAllThenPublishesParameterizedAuthorizationDeniedEvent() {
1113+
this.spring
1114+
.register(MethodSecurityServiceConfig.class, EventPublisherConfig.class, AuthorizationDeniedListener.class)
1115+
.autowire();
1116+
assertThatExceptionOfType(AccessDeniedException.class)
1117+
.isThrownBy(() -> this.methodSecurityService.preAuthorize());
1118+
assertThat(this.spring.getContext().getBean(AuthorizationDeniedListener.class).invocations).isEqualTo(1);
1119+
}
1120+
11061121
private static Consumer<ConfigurableWebApplicationContext> disallowBeanOverriding() {
11071122
return (context) -> ((AnnotationConfigWebApplicationContext) context).setAllowBeanDefinitionOverriding(false);
11081123
}
@@ -1795,4 +1810,26 @@ SecurityObservationSettings observabilityDefaults() {
17951810

17961811
}
17971812

1813+
@Configuration
1814+
static class EventPublisherConfig {
1815+
1816+
@Bean
1817+
static AuthorizationEventPublisher eventPublisher(ApplicationEventPublisher publisher) {
1818+
return new SpringAuthorizationEventPublisher(publisher);
1819+
}
1820+
1821+
}
1822+
1823+
@Component
1824+
static class AuthorizationDeniedListener {
1825+
1826+
int invocations;
1827+
1828+
@EventListener
1829+
void onRequestDenied(AuthorizationDeniedEvent<? extends MethodInvocation> denied) {
1830+
this.invocations++;
1831+
}
1832+
1833+
}
1834+
17981835
}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,8 +32,10 @@
3232
import org.springframework.beans.factory.ObjectProvider;
3333
import org.springframework.beans.factory.annotation.Autowired;
3434
import org.springframework.beans.factory.config.BeanPostProcessor;
35+
import org.springframework.context.ApplicationEventPublisher;
3536
import org.springframework.context.annotation.Bean;
3637
import org.springframework.context.annotation.Configuration;
38+
import org.springframework.context.event.EventListener;
3739
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
3840
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
3941
import org.springframework.security.authentication.RememberMeAuthenticationToken;
@@ -43,6 +45,8 @@
4345
import org.springframework.security.authorization.AuthorizationManager;
4446
import org.springframework.security.authorization.AuthorizationObservationContext;
4547
import org.springframework.security.authorization.AuthorizationResult;
48+
import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
49+
import org.springframework.security.authorization.event.AuthorizationDeniedEvent;
4650
import org.springframework.security.config.ObjectPostProcessor;
4751
import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
4852
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -66,6 +70,7 @@
6670
import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
6771
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
6872
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
73+
import org.springframework.stereotype.Component;
6974
import org.springframework.test.web.servlet.MockMvc;
7075
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
7176
import org.springframework.test.web.servlet.request.RequestPostProcessor;
@@ -670,6 +675,14 @@ public void getWhenExcludeAuthorizationObservationsThenUnobserved() throws Excep
670675
verifyNoInteractions(handler);
671676
}
672677

678+
@Test
679+
public void getWhenDeniedThenParameterizedAuthorizationDeniedEventIsPublished() throws Exception {
680+
this.spring.register(DenyAllConfig.class, EventPublisherConfig.class, AuthorizationDeniedListener.class)
681+
.autowire();
682+
this.mvc.perform(get("/").with(user("user")));
683+
assertThat(this.spring.getContext().getBean(AuthorizationDeniedListener.class).invocations).isEqualTo(1);
684+
}
685+
673686
@Test
674687
public void requestMatchersWhenMultipleDispatcherServletsAndPathBeanThenAllows() throws Exception {
675688
this.spring.register(MvcRequestMatcherBuilderConfig.class, BasicController.class)
@@ -1390,4 +1403,26 @@ PathPatternRequestMatcherBuilderFactoryBean pathPatternFactoryBean() {
13901403

13911404
}
13921405

1406+
@Configuration
1407+
static class EventPublisherConfig {
1408+
1409+
@Bean
1410+
static AuthorizationEventPublisher eventPublisher(ApplicationEventPublisher publisher) {
1411+
return new SpringAuthorizationEventPublisher(publisher);
1412+
}
1413+
1414+
}
1415+
1416+
@Component
1417+
static class AuthorizationDeniedListener {
1418+
1419+
int invocations;
1420+
1421+
@EventListener
1422+
void onRequestDenied(AuthorizationDeniedEvent<? extends HttpServletRequest> denied) {
1423+
this.invocations++;
1424+
}
1425+
1426+
}
1427+
13931428
}

0 commit comments

Comments
 (0)