/**
 * Registers the {@link LdapRoleAuthenticationFilter}, which requires a certain LDAP role before a
 * request may reach a secured path.
 *
 * <p>The bean is only created when {@code edison.ldap.required-role} is set; without that property
 * no role check is registered at all. Every entry of {@code edison.ldap.prefixes} is mapped as a
 * servlet URL pattern made of the prefix followed by a slash and a wildcard. If the prefixes
 * property is not set, this defaults to all routes starting with '/internal'.
 *
 * @param ldapProperties the properties used to configure LDAP
 * @return the registration that binds the role filter to each configured prefix
 */
@Bean
@ConditionalOnProperty(prefix = "edison.ldap", name = "required-role")
public FilterRegistrationBean<LdapRoleAuthenticationFilter> ldapRoleAuthenticationFilter(final LdapProperties ldapProperties) {
    final FilterRegistrationBean<LdapRoleAuthenticationFilter> registration = new FilterRegistrationBean<>();

    // Lowest precedence places this filter at the end of the ordered filter chain.
    // NOTE(review): presumably so the role check runs after the filter that authenticates the
    // caller - confirm against that filter's registration order.
    registration.setOrder(Ordered.LOWEST_PRECEDENCE);
    registration.setFilter(new LdapRoleAuthenticationFilter(ldapProperties));

    // Prefixes are used verbatim when the pattern is built.
    // NOTE(review): a configured prefix that already ends in '/' would produce a double slash in
    // the pattern - verify that LdapProperties validates or normalises the prefixes, otherwise
    // the intended routes may not be covered by this filter.
    ldapProperties.getPrefixes().forEach(prefix -> {
        final String urlPattern = String.format("%s/*", prefix);
        registration.addUrlPatterns(urlPattern);
    });

    return registration;
}
} // closes the enclosing class, whose header is outside this excerpt
/**
 * A request whose roles do not contain the required role must be stopped by the filter: the
 * filter chain is never touched and the response status is set to 401.
 */
@Test
public void shouldRejectUserThatHasNotRequiredRole() throws ServletException, IOException {
    // given: "roleX" is required, the request only offers "roleA" and "roleB"
    final LdapRoleAuthenticationFilter roleFilter =
            new LdapRoleAuthenticationFilter(mockLdapPropertiesWithRequiredRole("roleX"));
    final HttpServletRequest requestWithoutRole = mockRequestWithAvailableRoles("roleA", "roleB");
    final HttpServletResponse rejectedResponse = mockResponse();
    final FilterChain chain = mockFilterChain();

    // when
    roleFilter.doFilterInternal(requestWithoutRole, rejectedResponse, chain);

    // then: the request must not travel any further down the chain
    // NOTE(review): the filter is expected to answer 401 here; for a caller that is already
    // authenticated and merely lacks the role, 403 is the conventional status - confirm the
    // choice is deliberate.
    verify(rejectedResponse).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    verifyZeroInteractions(chain);
}
/**
 * A request that carries the required role among its roles is handed on to the filter chain
 * and the response is left untouched.
 */
@Test
public void shouldContinueFilterChainWhenUserHasRequiredRole() throws ServletException, IOException {
    // given: "roleB" is required and is one of the three roles on the request
    final LdapRoleAuthenticationFilter roleFilter =
            new LdapRoleAuthenticationFilter(mockLdapPropertiesWithRequiredRole("roleB"));
    final HttpServletRequest requestWithRole = mockRequestWithAvailableRoles("roleA", "roleB", "roleC");
    final HttpServletResponse untouchedResponse = mockResponse();
    final FilterChain chain = mockFilterChain();

    // when
    roleFilter.doFilterInternal(requestWithRole, untouchedResponse, chain);

    // then: the filter neither writes a status nor anything else to the response
    verifyZeroInteractions(untouchedResponse);
    verify(chain).doFilter(requestWithRole, untouchedResponse);
}
/**
 * A request for a whitelisted path below a protected prefix is exempt from the role check:
 * {@code shouldNotFilter} reports that the filter logic is to be skipped.
 */
@Test
public void shouldNotInvokeFilterLogicWhenRequestIsForWhitelistedPath() throws ServletException {
    // given: "/internal" is protected, "/internal/public" is whitelisted
    final LdapRoleAuthenticationFilter roleFilter = new LdapRoleAuthenticationFilter(
            mockLdapPropertiesWithProtecedAndWhiteListedPath("/internal", "/internal/public"));
    final HttpServletRequest whitelistedRequest = mockRequestWithPath("/internal/public");

    // when
    final boolean filterLogicApplies = !roleFilter.shouldNotFilter(whitelistedRequest);

    // then
    // NOTE(review): only the exact whitelisted path is exercised. How shouldNotFilter compares
    // paths is not visible here; sub-paths of the whitelisted entry and paths that merely begin
    // with the same characters deserve their own tests, because a match that is too loose would
    // exempt them from the role check.
    assertFalse(filterLogicApplies);
}
/**
 * A request for a protected path that is not whitelisted stays subject to the role check:
 * {@code shouldNotFilter} must not exempt it.
 */
@Test
public void shouldInvokeFilterLogicWhenRequestIsForSecuredPath() throws ServletException {
    // given: "/internal" is protected, only "/internal/public" is whitelisted
    final LdapRoleAuthenticationFilter roleFilter = new LdapRoleAuthenticationFilter(
            mockLdapPropertiesWithProtecedAndWhiteListedPath("/internal", "/internal/public"));
    final HttpServletRequest securedRequest = mockRequestWithPath("/internal");

    // when
    final boolean filterLogicApplies = !roleFilter.shouldNotFilter(securedRequest);

    // then: the request path equals the protected prefix, so the role check has to run
    assertTrue(filterLogicApplies);
}