svn commit: r912654 - in /incubator/shiro/trunk: core/pom.xml pom.xml
web/pom.xml
web/src/main/java/org/apache/shiro/web/filter/authz/AuthorizationFilter.java
web/src/test/java/org/apache/shiro/web/filter/authz/AuthorizationFilterTest.java
Author: lhazlewood
Date: Mon Feb 22 16:58:26 2010
New Revision: 912654
URL: http://svn.apache.org/viewvc?rev=912654&view=rev
Log:
SHIRO-142: ensured only the error code or the redirect occurred. Added accompanying test cases for verification.
Added:
incubator/shiro/trunk/web/src/test/java/org/apache/shiro/web/filter/authz/AuthorizationFilterTest.java
Modified:
incubator/shiro/trunk/core/pom.xml
incubator/shiro/trunk/pom.xml
incubator/shiro/trunk/web/pom.xml
incubator/shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/AuthorizationFilter.java
Modified: incubator/shiro/trunk/core/pom.xml
URL: http://svn.apache.org/viewvc/incubator/shiro/trunk/core/pom.xml?rev=912654&r1=912653&r2=912654&view=diff
==============================================================================
--- incubator/shiro/trunk/core/pom.xml (original)
+++ incubator/shiro/trunk/core/pom.xml Mon Feb 22 16:58:26 2010
@@ -32,6 +32,23 @@
<name>Apache Shiro :: Core</name>
<packaging>jar</packaging>
+ <build>
+ <plugins>
+ <!-- bundle up the test classes to be referenced by other modules -->
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jar-plugin</artifactId>
+ <executions>
+ <execution>
+ <goals>
+ <goal>test-jar</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+
<dependencies>
<dependency>
<groupId>org.slf4j</groupId>
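Review bot: The maven-jar-plugin declared on L31–L41 carries no `<version>`; unless the parent pom manages it under `pluginManagement`, Maven resolves whichever plugin version the build-time repository offers, which makes the new test-jar packaging non-reproducible and is the kind of unpinned build input a supply-chain review flags. If the version is not managed in the parent, add an explicit `<version>` line under the `<artifactId>`; if it is, a one-line comment saying so would spare the next reader the lookup.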
Modified: incubator/shiro/trunk/pom.xml
URL: http://svn.apache.org/viewvc/incubator/shiro/trunk/pom.xml?rev=912654&r1=912653&r2=912654&view=diff
==============================================================================
--- incubator/shiro/trunk/pom.xml (original)
+++ incubator/shiro/trunk/pom.xml Mon Feb 22 16:58:26 2010
@@ -150,6 +150,15 @@
<version>${project.version}</version>
</dependency>
+ <!-- Intra project test dependencies: -->
+ <dependency>
+ <groupId>org.apache.shiro</groupId>
+ <artifactId>shiro-core</artifactId>
+ <version>${project.version}</version>
+ <type>test-jar</type>
+ <scope>test</scope>
+ </dependency>
+
<!-- 3rd party dependencies -->
<dependency>
<groupId>org.slf4j</groupId>
@@ -379,7 +388,7 @@
</dependency>
</dependencies>
</dependencyManagement>
-
+
<!-- Note that reporting may fail with lower settings than something like: MAVEN_OPTS="-X512m -XX:MaxPermSize=128m" -->
<reporting>
<plugins>
Modified: incubator/shiro/trunk/web/pom.xml
URL: http://svn.apache.org/viewvc/incubator/shiro/trunk/web/pom.xml?rev=912654&r1=912653&r2=912654&view=diff
==============================================================================
--- incubator/shiro/trunk/web/pom.xml (original)
+++ incubator/shiro/trunk/web/pom.xml Mon Feb 22 16:58:26 2010
@@ -51,6 +51,12 @@
</dependency>
<!-- Test dependencies - scope set appropriately already in the parent pom-->
<dependency>
+ <groupId>org.apache.shiro</groupId>
+ <artifactId>shiro-core</artifactId>
+ <type>test-jar</type>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
</dependency>
Modified: incubator/shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/AuthorizationFilter.java
URL: http://svn.apache.org/viewvc/incubator/shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/AuthorizationFilter.java?rev=912654&r1=912653&r2=912654&view=diff
==============================================================================
--- incubator/shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/AuthorizationFilter.java (original)
+++ incubator/shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/AuthorizationFilter.java Mon Feb 22 16:58:26 2010
@@ -115,11 +115,13 @@
} else {
// If subject is known but not authorized, redirect to the unauthorized URL if there is one
// If no unauthorized URL is specified, just return an unauthorized HTTP status code
- WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
- if (StringUtils.hasText(getUnauthorizedUrl())) {
- WebUtils.issueRedirect(request, response, getUnauthorizedUrl());
+ String unauthorizedUrl = getUnauthorizedUrl();
+ //SHIRO-142 - ensure that redirect _or_ error code occurs - both cannot happen due to response commit:
+ if ( StringUtils.hasText(unauthorizedUrl) ) {
+ WebUtils.issueRedirect(request, response, unauthorizedUrl);
+ } else {
+ WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
-
}
return false;
}
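Review bot: The fallback on L112 still answers with 401 Unauthorized, although the comment on L102–L103 describes a subject whose identity is already known and who merely lacks permission; 401 is an authentication challenge that is expected to carry a WWW-Authenticate header, whereas 403 Forbidden is the status for a denied, already-identified caller. Consider `WebUtils.toHttp(response).sendError(HttpServletResponse.SC_FORBIDDEN);` here. Making the redirect and the error mutually exclusive is the right fix, since issuing the redirect commits the response and a subsequent sendError would fail. The enclosing onAccessDenied method begins before this hunk, so the unknown-subject branch it pairs with is not visible here.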
Added: incubator/shiro/trunk/web/src/test/java/org/apache/shiro/web/filter/authz/AuthorizationFilterTest.java
URL: http://svn.apache.org/viewvc/incubator/shiro/trunk/web/src/test/java/org/apache/shiro/web/filter/authz/AuthorizationFilterTest.java?rev=912654&view=auto
==============================================================================
--- incubator/shiro/trunk/web/src/test/java/org/apache/shiro/web/filter/authz/AuthorizationFilterTest.java (added)
+++ incubator/shiro/trunk/web/src/test/java/org/apache/shiro/web/filter/authz/AuthorizationFilterTest.java Mon Feb 22 16:58:26 2010
@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shiro.web.filter.authz;
+
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.test.SecurityManagerTestSupport;
+import org.junit.Test;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import static org.easymock.EasyMock.*;
+
+/**
+ * Test cases for the {@link AuthorizationFilter} class.
+ */
+public class AuthorizationFilterTest extends SecurityManagerTestSupport {
+
+ @Test
+ public void testUserOnAccessDeniedWithResponseError() throws IOException {
+ // Tests when a user (known identity) is denied access and no unauthorizedUrl has been configured.
+ // This should trigger an HTTP response error code.
+
+ //log in the user using the account provided by the superclass for tests:
+ SecurityUtils.getSubject().login(new UsernamePasswordToken("test", "test"));
+
+ AuthorizationFilter filter = new AuthorizationFilter() {
+ @Override
+ protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
+ throws Exception {
+ return false; //for this test case
+ }
+ };
+
+ HttpServletRequest request = createNiceMock(HttpServletRequest.class);
+ HttpServletResponse response = createNiceMock(HttpServletResponse.class);
+
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ replay(response);
+ filter.onAccessDenied(request, response);
+ verify(response);
+ }
+
+ @Test
+ public void testUserOnAccessDeniedWithRedirect() throws IOException {
+ // Tests when a user (known identity) is denied access and an unauthorizedUrl *has* been configured.
+ // This should trigger an HTTP redirect
+
+ //log in the user using the account provided by the superclass for tests:
+ SecurityUtils.getSubject().login(new UsernamePasswordToken("test", "test"));
+
+ String unauthorizedUrl = "unauthorized.jsp";
+
+ AuthorizationFilter filter = new AuthorizationFilter() {
+ @Override
+ protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
+ throws Exception {
+ return false; //for this test case
+ }
+ };
+ filter.setUnauthorizedUrl(unauthorizedUrl);
+
+ HttpServletRequest request = createNiceMock(HttpServletRequest.class);
+ HttpServletResponse response = createNiceMock(HttpServletResponse.class);
+
+ expect(request.getContextPath()).andReturn("/").anyTimes();
+
+ String encoded = "/" + unauthorizedUrl;
+ expect(response.encodeRedirectURL(unauthorizedUrl)).andReturn(encoded);
+ response.sendRedirect(encoded);
+ replay(request);
+ replay(response);
+
+ filter.onAccessDenied(request, response);
+
+ verify(request);
+ verify(response);
+ }
+}
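Review bot: The response mocks on L179 and L207 are nice mocks, so `verify(response)` on L184 and L220 only proves the expected call happened, not that the other one did not; EasyMock nice mocks silently accept unexpected calls such as `sendRedirect` in the first test or `sendError` in the second, which is exactly the double-response behaviour SHIRO-142 guards against. Switching both to `HttpServletResponse response = createMock(HttpServletResponse.class);` makes any unexpected call on the response fail the test. The request mock can stay nice, since the tests only stub `getContextPath` on it. The login on L168 and L193 also leaves the subject authenticated across test methods unless SecurityManagerTestSupport tears it down, which is worth confirming or handling with a logout in an @After method.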