
1   package com.atlassian.asap.core.server.springsecurity;
2   
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.ArgumentCaptor;
import org.mockito.Captor;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.runners.MockitoJUnitRunner;
import org.mockito.stubbing.Answer;
import org.springframework.http.HttpHeaders;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

import javax.servlet.FilterChain;

import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.is;
import static org.junit.Assert.assertNull;
import static org.mockito.Matchers.any;
import static org.mockito.Mockito.doAnswer;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
30  
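/**
 * Unit tests for {@code BearerTokenAuthenticationProcessingFilter}.
 * <p>
 * The {@link AuthenticationManager} is a mock, so these tests only cover how the filter
 * extracts the bearer token from the {@code Authorization} header and reacts to the
 * manager's verdict (success, failure, no token). Token verification itself is out of scope.
 * <p>
 * TODO(review): there is no case yet for a non-Bearer {@code Authorization} header
 * (e.g. {@code Basic ...}) or a differently-cased scheme; confirm the filter's intended
 * behaviour for those and cover it here.
 */
@RunWith(MockitoJUnitRunner.class)
public class BearerTokenAuthenticationProcessingFilterTest {
    @Mock
    private AuthenticationManager authenticationManager;

    /** Filter under test; the mocked authentication manager is injected into it. */
    @InjectMocks
    private BearerTokenAuthenticationProcessingFilter filter;

    private MockHttpServletRequest request = new MockHttpServletRequest();
    private MockHttpServletResponse response = new MockHttpServletResponse();

    @Mock
    private FilterChain chain;

    @Mock
    private Authentication validAuthentication;

    @Captor
    private ArgumentCaptor<Authentication> authenticationCaptor;

    /**
     * The security context is thread-local; clearing it before and after each test keeps a
     * principal established by one test from leaking into the next.
     */
    @Before
    @After
    public void clearContext() {
        SecurityContextHolder.clearContext();
    }

    @Test
    public void shouldSetAuthenticationInTheContextAndPropagateRequestIfTokenIsValid() throws Exception {
        request.addHeader(HttpHeaders.AUTHORIZATION, "Bearer some-token");
        when(authenticationManager.authenticate(any(Authentication.class))).thenReturn(validAuthentication);

        // Record what the downstream chain observes in the security context at the moment it
        // is invoked. Asserting on the context only after doFilter() returns would not catch a
        // filter that populates the context after (rather than before) handing off the request,
        // which would leave downstream authorization decisions without a principal.
        final Authentication[] seenByChain = new Authentication[1];
        doAnswer(new Answer<Void>() {
            @Override
            public Void answer(InvocationOnMock invocation) {
                seenByChain[0] = SecurityContextHolder.getContext().getAuthentication();
                return null;
            }
        }).when(chain).doFilter(request, response);

        filter.doFilter(request, response, chain);

        // The filter must hand the manager an unverified token carrying exactly the header value
        // minus the "Bearer " prefix.
        verify(authenticationManager).authenticate(authenticationCaptor.capture());
        assertThat(authenticationCaptor.getValue(), Matchers.instanceOf(UnverifiedBearerToken.class));
        assertThat(authenticationCaptor.getValue().getCredentials(), is("some-token"));
        verify(chain).doFilter(request, response);
        assertThat(seenByChain[0], is(validAuthentication));
        assertThat(SecurityContextHolder.getContext().getAuthentication(), is(validAuthentication));
    }

    @Test
    public void shouldRespondWith401AndNotPropagateRequestIfTokenIsInvalid() throws Exception {
        request.addHeader(HttpHeaders.AUTHORIZATION, "Bearer some-token");
        when(authenticationManager.authenticate(any(Authentication.class)))
                .thenThrow(new AuthenticationException("") {
                });

        filter.doFilter(request, response, chain);

        verify(authenticationManager).authenticate(any(Authentication.class));
        // A rejected token must short-circuit the chain and leave no principal behind.
        verify(chain, never()).doFilter(request, response);
        assertNull(SecurityContextHolder.getContext().getAuthentication());
        assertThat(response.getStatus(), is(401));
        // The presented credential must never be reflected back in the error response.
        assertThat(response.getContentAsString(), Matchers.not(Matchers.containsString("some-token")));
    }

    @Test
    public void shouldNotAttemptAuthenticationAndPropagateRequestIfTokenIsAbsent() throws Exception {
        // No Authorization header at all: the filter is expected to stay out of the way and let
        // later filters / the endpoint decide whether anonymous access is acceptable.
        filter.doFilter(request, response, chain);

        verify(authenticationManager, never()).authenticate(any(Authentication.class));
        verify(chain).doFilter(request, response);
        assertNull(SecurityContextHolder.getContext().getAuthentication());
    }
}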