// Exercises an access expression of the form "hasPermission(...) or hasPermission(...)".
// The request attribute "domain" is referenced from the expression as #domain.
// NOTE(review): the stub grants every permission string, so this test cannot tell which side
// of the "or" was satisfied, nor that 'read' and 'write' are the names actually passed.
@Test
  public void taglibsDocumentationHasPermissionOr() throws Exception {
    Object domainObject = new Object();
    // Grant any permission name, but only for currentUser on this exact object.
    when(permissionEvaluator.hasPermission(eq(currentUser), eq(domainObject), anyString()))
        .thenReturn(true);
    request.setAttribute("domain", domainObject);
    authorizeTag.setAccess("hasPermission(#domain,'read') or hasPermission(#domain,'write')");

    int outcome = authorizeTag.doStartTag();

    assertThat(outcome).isEqualTo(Tag.EVAL_BODY_INCLUDE);
  }
  // Per-test fixture: installs currentUser as the Authentication, builds an application context
  // holding an expression handler (wired to the mock permissionEvaluator) and a "wipe" bean of
  // type MockWebInvocationPrivilegeEvaluator, publishes it as the root web application context,
  // and hands a fresh JspAuthorizeTag a mock page context.
  // NOTE(review): SecurityContextHolder is process-wide state and no teardown is visible in this
  // part of the file; confirm an @After clears it so authentication cannot leak between tests.
  @Before
  public void setUp() throws Exception {
    SecurityContextHolder.getContext().setAuthentication(currentUser);

    StaticWebApplicationContext appContext = new StaticWebApplicationContext();
    BeanDefinitionBuilder handlerDefinition =
        BeanDefinitionBuilder.rootBeanDefinition(DefaultWebSecurityExpressionHandler.class)
            .addPropertyValue("permissionEvaluator", permissionEvaluator);
    appContext.registerBeanDefinition("expressionHandler", handlerDefinition.getBeanDefinition());
    // Backs the url/method attribute checks made by the tag.
    appContext.registerSingleton("wipe", MockWebInvocationPrivilegeEvaluator.class);

    MockServletContext servletContext = new MockServletContext();
    servletContext.setAttribute(
        WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE, appContext);

    authorizeTag = new JspAuthorizeTag();
    MockPageContext pageContext =
        new MockPageContext(servletContext, request, new MockHttpServletResponse());
    authorizeTag.setPageContext(pageContext);
  }
 // With the security context cleared, even a "permitAll" access expression must not render
 // the body: the tag is expected to deny when there is no Authentication at all.
 @Test
 public void skipsBodyIfNoAuthenticationPresent() throws Exception {
   SecurityContextHolder.clearContext();
   authorizeTag.setAccess("permitAll");

   int outcome = authorizeTag.doStartTag();

   assertThat(outcome).isEqualTo(Tag.SKIP_BODY);
 }
 // Same URL as the allowed case but with POST: the body must be skipped.
 // NOTE(review): presumably MockWebInvocationPrivilegeEvaluator permits only GET on "/allowed";
 // that class is not visible here, so verify the denial really comes from the method check.
 @Test
 public void skipsBodyIfMethodIsNotAllowed() throws Exception {
   authorizeTag.setUrl("/allowed");
   authorizeTag.setMethod("POST");

   int outcome = authorizeTag.doStartTag();

   assertThat(outcome).isEqualTo(Tag.SKIP_BODY);
 }
 // Positive counterpart of the url/method check: GET on "/allowed" renders the body.
 @Test
 public void evaluatesBodyIfUrlIsAllowed() throws Exception {
   authorizeTag.setUrl("/allowed");
   authorizeTag.setMethod("GET");

   int outcome = authorizeTag.doStartTag();

   assertThat(outcome).isEqualTo(Tag.EVAL_BODY_INCLUDE);
 }
 // url attribute tests
 // The url attribute path must also deny when the security context holds no Authentication.
 @Test
 public void skipsBodyWithUrlSetIfNoAuthenticationPresent() throws Exception {
   SecurityContextHolder.clearContext();
   authorizeTag.setUrl("/something");

   int outcome = authorizeTag.doStartTag();

   assertThat(outcome).isEqualTo(Tag.SKIP_BODY);
 }
 // A request attribute named "blah" is reachable from the access expression as #blah.
 // Worth remembering when reviewing expressions: request attributes feed the decision directly.
 @Test
 public void requestAttributeIsResolvedAsElVariable() throws JspException {
   request.setAttribute("blah", "blah");
   authorizeTag.setAccess("#blah == 'blah'");

   int outcome = authorizeTag.doStartTag();

   assertThat(outcome).isEqualTo(Tag.EVAL_BODY_INCLUDE);
 }
 // With the Authentication installed by setUp, "permitAll" renders the body.
 @Test
 public void showsBodyIfAccessExpressionAllowsAccess() throws Exception {
   authorizeTag.setAccess("permitAll");

   int outcome = authorizeTag.doStartTag();

   assertThat(outcome).isEqualTo(Tag.EVAL_BODY_INCLUDE);
 }
 // "denyAll" must suppress the body even though an Authentication is present.
 @Test
 public void skipsBodyIfAccessExpressionDeniesAccess() throws Exception {
   authorizeTag.setAccess("denyAll");

   int outcome = authorizeTag.doStartTag();

   assertThat(outcome).isEqualTo(Tag.SKIP_BODY);
 }