
Commit 8c34af7

Use ServletContext in AuthorizationManagerWebInvocationPrivilegeEvaluator
Closes gh-10908
1 parent e176d76 commit 8c34af7


2 files changed

+27
-4
lines changed


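--- a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
+++ b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
@@ -1,5 +1,5 @@
 /*
-* Copyright 2002-2021 the original author or authors.
+* Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,13 +16,15 @@
 
 package org.springframework.security.web.access;
 
+import jakarta.servlet.ServletContext;
 import jakarta.servlet.http.HttpServletRequest;
 
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.util.Assert;
+import org.springframework.web.context.ServletContextAware;
 
 /**
 * An implementation of {@link WebInvocationPrivilegeEvaluator} which delegates the checks
@@ -31,10 +33,13 @@
 * @author Marcus Da Coregio
 * @since 5.5.5
 */
-public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implements WebInvocationPrivilegeEvaluator {
+public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
+implements WebInvocationPrivilegeEvaluator, ServletContextAware {
 
 private final AuthorizationManager<HttpServletRequest> authorizationManager;
 
+private ServletContext servletContext;
+
 public AuthorizationManagerWebInvocationPrivilegeEvaluator(
 AuthorizationManager<HttpServletRequest> authorizationManager) {
 Assert.notNull(authorizationManager, "authorizationManager cannot be null");
@@ -48,10 +53,15 @@ public boolean isAllowed(String uri, Authentication authentication) {
 
 @Override
 public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
-FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);
+FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
 AuthorizationDecision decision = this.authorizationManager.check(() -> authentication,
 filterInvocation.getHttpRequest());
 return decision == null || decision.isGranted();
 }
 
+@Override
+public void setServletContext(ServletContext servletContext) {
+this.servletContext = servletContext;
+}
+
 }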
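Review bot: The new `servletContext` field and `setServletContext` have no Javadoc, and nothing states what `isAllowed` does when the setter was never called. An evaluator created with `new` rather than as a container-managed bean would still pass `null` as the fourth argument of `new FilterInvocation(contextPath, uri, method, this.servletContext)`. An authorization manager that reads the request's servlet context would then presumably see the same null this commit sets out to remove, and the privilege check could differ from what the real filter chain decides. I would add a comment on the setter such as `/** Sets the {@link ServletContext} attached to the simulated request; if never set, that request has no servlet context. */` and state in the class Javadoc that manual construction requires calling it.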

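--- a/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
@@ -1,5 +1,5 @@
 /*
-* Copyright 2002-2021 the original author or authors.
+* Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,13 +16,16 @@
 
 package org.springframework.security.web.access;
 
+import jakarta.servlet.ServletContext;
 import jakarta.servlet.http.HttpServletRequest;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.ArgumentCaptor;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 
+import org.springframework.mock.web.MockServletContext;
 import org.springframework.security.authentication.TestAuthentication;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
@@ -71,4 +74,14 @@ void isAllowedWhenAuthorizationManagerAbstainsThenAllowedTrue() {
 assertThat(allowed).isTrue();
 }
 
+@Test
+void isAllowedWhenServletContextExistsThenFilterInvocationHasServletContext() {
+ServletContext servletContext = new MockServletContext();
+this.privilegeEvaluator.setServletContext(servletContext);
+this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
+ArgumentCaptor<HttpServletRequest> captor = ArgumentCaptor.forClass(HttpServletRequest.class);
+verify(this.authorizationManager).check(any(), captor.capture());
+assertThat(captor.getValue().getServletContext()).isSameAs(servletContext);
+}
+
 }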
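Review bot: The added test reaches the changed line only through the two-argument `isAllowed(uri, authentication)`, whose body is outside the hunks shown, so the four-argument overload that now passes `this.servletContext` is covered only if the short overload delegates to it. A second case calling it directly, e.g. `this.privilegeEvaluator.isAllowed("/ctx", "/test", "GET", TestAuthentication.authenticatedUser());` followed by the same captor assertion, would pin the line that was changed. A case without `setServletContext` would also record the unset behaviour, for instance `assertThat(captor.getValue().getServletContext()).isNull();` if null is the intended result. The test class starts outside this hunk, so existing coverage of the four-argument overload cannot be ruled out from here.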
