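/**
 * Verifies the documented {@code hasPermission(...) or hasPermission(...)} access expression.
 *
 * <p>The request attribute {@code domain} is referenced from the expression as {@code #domain}.
 * Only the {@code 'write'} permission is granted, so the body is included solely because the
 * second operand of the {@code or} succeeds.
 *
 * @throws Exception if evaluating the tag fails
 */
@Test
public void taglibsDocumentationHasPermissionOr() throws Exception {
    Object domain = new Object();
    request.setAttribute("domain", domain);
    authorizeTag.setAccess("hasPermission(#domain,'read') or hasPermission(#domain,'write')");

    // Stub each permission separately instead of granting every string: with a blanket
    // "true" this test would also pass if the expression were evaluated as an "and" or if
    // only the first operand were consulted.
    when(permissionEvaluator.hasPermission(eq(currentUser), eq(domain), eq("read")))
            .thenReturn(false);
    when(permissionEvaluator.hasPermission(eq(currentUser), eq(domain), eq("write")))
            .thenReturn(true);

    assertThat(authorizeTag.doStartTag()).isEqualTo(Tag.EVAL_BODY_INCLUDE);
}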
/**
 * Builds the fixture shared by every test: an authenticated security context and a
 * {@link JspAuthorizeTag} bound to a mock page context.
 *
 * <p>The root web application context published on the servlet context holds two beans: a
 * {@link DefaultWebSecurityExpressionHandler} definition named {@code expressionHandler} whose
 * {@code permissionEvaluator} property is the test's evaluator, and a
 * {@link MockWebInvocationPrivilegeEvaluator} singleton named {@code wipe}.
 *
 * @throws Exception if the fixture cannot be created
 */
@Before
public void setUp() throws Exception {
    // NOTE(review): this writes to the static SecurityContextHolder; confirm that a teardown
    // method outside this excerpt clears it so the authentication does not leak into other tests.
    SecurityContextHolder.getContext().setAuthentication(currentUser);

    StaticWebApplicationContext appContext = new StaticWebApplicationContext();

    BeanDefinitionBuilder handlerDefinition =
            BeanDefinitionBuilder.rootBeanDefinition(DefaultWebSecurityExpressionHandler.class);
    handlerDefinition.addPropertyValue("permissionEvaluator", permissionEvaluator);
    appContext.registerBeanDefinition("expressionHandler", handlerDefinition.getBeanDefinition());
    appContext.registerSingleton("wipe", MockWebInvocationPrivilegeEvaluator.class);

    // Publish the context under the root-context attribute on the servlet context.
    MockServletContext servletContext = new MockServletContext();
    servletContext.setAttribute(
            WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE, appContext);

    authorizeTag = new JspAuthorizeTag();
    MockPageContext pageContext =
            new MockPageContext(servletContext, request, new MockHttpServletResponse());
    authorizeTag.setPageContext(pageContext);
}
/**
 * Checks that the tag skips its body when the security context holds no authentication,
 * even though the access expression is {@code permitAll}.
 *
 * @throws Exception if evaluating the tag fails
 */
@Test
public void skipsBodyIfNoAuthenticationPresent() throws Exception {
    // Drop the authentication installed by setUp().
    SecurityContextHolder.clearContext();
    authorizeTag.setAccess("permitAll");

    int outcome = authorizeTag.doStartTag();

    assertThat(outcome).isEqualTo(Tag.SKIP_BODY);
}
/**
 * Checks that the body is skipped for a {@code POST} to {@code /allowed}.
 *
 * <p>The decision comes from the privilege evaluator registered in the fixture; its rules are
 * not visible in this excerpt (presumably it rejects {@code POST} for this URL; confirm
 * against {@code MockWebInvocationPrivilegeEvaluator}).
 *
 * @throws Exception if evaluating the tag fails
 */
@Test
public void skipsBodyIfMethodIsNotAllowed() throws Exception {
    authorizeTag.setUrl("/allowed");
    authorizeTag.setMethod("POST");

    int outcome = authorizeTag.doStartTag();

    assertThat(outcome).isEqualTo(Tag.SKIP_BODY);
}
/**
 * Checks that the body is included for a {@code GET} to {@code /allowed}.
 *
 * <p>The decision comes from the privilege evaluator registered in the fixture; its rules are
 * not visible in this excerpt (presumably it permits {@code GET} for this URL; confirm
 * against {@code MockWebInvocationPrivilegeEvaluator}).
 *
 * @throws Exception if evaluating the tag fails
 */
@Test
public void evaluatesBodyIfUrlIsAllowed() throws Exception {
    authorizeTag.setUrl("/allowed");
    authorizeTag.setMethod("GET");

    int outcome = authorizeTag.doStartTag();

    assertThat(outcome).isEqualTo(Tag.EVAL_BODY_INCLUDE);
}
// url attribute tests @Test public void skipsBodyWithUrlSetIfNoAuthenticationPresent() throws Exception { SecurityContextHolder.clearContext(); authorizeTag.setUrl("/something"); assertThat(authorizeTag.doStartTag()).isEqualTo(Tag.SKIP_BODY); }
/**
 * Checks that a request attribute can be read from the access expression as a variable: the
 * attribute {@code blah} is compared through {@code #blah}.
 *
 * @throws JspException if evaluating the tag fails
 */
@Test
public void requestAttributeIsResolvedAsElVariable() throws JspException {
    request.setAttribute("blah", "blah");
    authorizeTag.setAccess("#blah == 'blah'");

    // The body is included only if #blah resolved to the request attribute's value.
    int outcome = authorizeTag.doStartTag();

    assertThat(outcome).isEqualTo(Tag.EVAL_BODY_INCLUDE);
}
/**
 * Checks that the body is included when the access expression is {@code permitAll} and the
 * authentication from the fixture is present.
 *
 * @throws Exception if evaluating the tag fails
 */
@Test
public void showsBodyIfAccessExpressionAllowsAccess() throws Exception {
    authorizeTag.setAccess("permitAll");

    int outcome = authorizeTag.doStartTag();

    assertThat(outcome).isEqualTo(Tag.EVAL_BODY_INCLUDE);
}
/**
 * Checks that the body is skipped when the access expression is {@code denyAll}, even with
 * the authentication from the fixture present.
 *
 * @throws Exception if evaluating the tag fails
 */
@Test
public void skipsBodyIfAccessExpressionDeniesAccess() throws Exception {
    authorizeTag.setAccess("denyAll");

    int outcome = authorizeTag.doStartTag();

    assertThat(outcome).isEqualTo(Tag.SKIP_BODY);
}