1158 - Added ITs for SpringSecurity Loging and Logout Handlers + Added PUT to de list of allowed CORS methods

Author: Mario

extensions/servlet/src/main/resources/com/stormpath/sdk/servlet/config/web.stormpath.properties

@@ -355,4 +355,4 @@ stormpath.web.cors.enabled = true
 #Comma separated list of allowed origins
 stormpath.web.cors.allowed.originUris =
 stormpath.web.cors.allowed.headers = Content-Type,Accept,X-Requested-With,remember-me
-stormpath.web.cors.allowed.methods = POST,GET,OPTIONS,DELETE
+stormpath.web.cors.allowed.methods = POST,GET,OPTIONS,DELETE,PUT

extensions/spring/boot/stormpath-webmvc-spring-boot-starter/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -1024,7 +1024,7 @@
       "name": "stormpath.web.cors.allowed.methods",
       "type": "java.lang.String",
       "description": "Comma separated list of allowed methods for a CORS request.",
-      "defaultValue": "POST,GET,OPTIONS,DELETE"
+      "defaultValue": "POST,GET,OPTIONS,DELETE,PUT"
     }
   ]
 }

extensions/spring/stormpath-spring-security-webmvc/src/main/java/com/stormpath/spring/config/AbstractStormpathWebSecurityConfiguration.java

@@ -131,7 +131,7 @@ public abstract class AbstractStormpathWebSecurityConfiguration {
     @Value("#{ @environment['stormpath.web.cors.allowed.headers'] ?: 'Content-Type,Accept,X-Requested-With,remember-me' }")
     protected String corsAllowedHeaders;
 
-    @Value("#{ @environment['stormpath.web.cors.allowed.methods'] ?: 'POST,GET,OPTIONS,DELETE' }")
+    @Value("#{ @environment['stormpath.web.cors.allowed.methods'] ?: 'POST,GET,OPTIONS,DELETE,PUT' }")
     protected String corsAllowedMethods;
 
     @Value("#{ @environment['stormpath.web.stormpathFilter.enabled'] ?: true }")

extensions/spring/stormpath-spring-security-webmvc/src/main/java/com/stormpath/spring/config/StormpathWebSecurityConfigurer.java

@@ -26,8 +26,6 @@
 import com.stormpath.sdk.servlet.mvc.WebHandler;
 import com.stormpath.spring.filter.ContentNegotiationSpringSecurityAuthenticationFilter;
 import com.stormpath.spring.filter.StormpathSecurityContextPersistenceFilter;
-//import com.stormpath.spring.oauth.OAuthAuthenticationSpringSecurityProcessingFilter;
-//import com.stormpath.spring.filter.StormpathWrapperFilter;
 import com.stormpath.spring.filter.StormpathWrapperFilter;
 import com.stormpath.spring.security.provider.SocialCallbackSpringSecurityProcessingFilter;
 import org.slf4j.Logger;

extensions/spring/stormpath-spring-security-webmvc/src/test/groovy/com/stormpath/spring/config/CorsFilterIT.groovy

@@ -106,7 +106,7 @@ class CorsFilterIT extends AbstractTestNGSpringContextTests {
     void testAccessControlRequestMethodRequestFailsForPUT() {
         mvc.perform(options(new URI("/me"))
                     .header("Origin", "http://localhost:3000")
-                    .header("Access-Control-Request-Method", "PUT") //PUT is not allowed
+                    .header("Access-Control-Request-Method", "HEAD") //HEAD is not allowed
                     .accept(MediaType.APPLICATION_JSON))
                 .andExpect(status().is(HttpServletResponse.SC_FORBIDDEN)); //403
 

extensions/spring/stormpath-spring-security-webmvc/src/test/groovy/com/stormpath/spring/config/LoginAndLogoutHandlersConfig.groovy

@@ -0,0 +1,96 @@
+/*
+ * Copyright 2016 Stormpath, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.stormpath.spring.config
+
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import org.springframework.context.annotation.PropertySource
+import org.springframework.security.config.annotation.web.builders.HttpSecurity
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
+import org.springframework.security.core.Authentication
+import org.springframework.security.core.AuthenticationException
+import org.springframework.security.web.authentication.AuthenticationFailureHandler
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler
+import org.springframework.security.web.authentication.logout.LogoutHandler
+
+import javax.servlet.ServletException
+import javax.servlet.http.HttpServletRequest
+import javax.servlet.http.HttpServletResponse
+
+import static com.stormpath.spring.config.StormpathWebSecurityConfigurer.stormpath
+
+
+/**
+ * @since 1.3.0
+ */
+@Configuration
+@EnableStormpathWebSecurity
+@PropertySource("classpath:com/stormpath/spring/config/loginAndLogoutHandlers.properties")
+class LoginAndLogoutHandlersConfig extends WebSecurityConfigurerAdapter {
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.apply(stormpath());
+    }
+
+    @Bean
+    public AuthenticationSuccessHandler stormpathAuthenticationSuccessHandler() {
+        return new CustomLoginSuccessHandler();
+    }
+
+    @Bean
+    public AuthenticationFailureHandler stormpathAuthenticationFailureHandler() {
+        return new CustomLoginFailureHandler();
+    }
+
+    @Bean
+    public LogoutHandler stormpathLogoutHandler() {
+        return new CustomLogoutHandler();
+    }
+
+    class CustomLoginSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
+
+        public boolean invoked = false
+
+        @Override
+        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, final Authentication authentication) throws IOException, ServletException {
+            invoked = true
+        }
+    }
+
+    class CustomLoginFailureHandler implements AuthenticationFailureHandler {
+
+        public boolean invoked = false
+
+        @Override
+        void onAuthenticationFailure(HttpServletRequest request,
+                                     HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
+            invoked = true
+        }
+    }
+
+    class CustomLogoutHandler implements LogoutHandler {
+
+        public boolean invoked = false
+
+        @Override
+        void logout(HttpServletRequest request, HttpServletResponse response,
+                    Authentication authentication) {
+            invoked = true
+        }
+    }
+}

extensions/spring/stormpath-spring-security-webmvc/src/test/groovy/com/stormpath/spring/config/LoginAndLogoutHandlersIT.groovy

@@ -0,0 +1,107 @@
+/*
+ * Copyright 2016 Stormpath, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.stormpath.spring.config
+
+import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.beans.factory.annotation.Qualifier
+import org.springframework.security.web.FilterChainProxy
+import org.springframework.security.web.authentication.AuthenticationFailureHandler
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler
+import org.springframework.security.web.authentication.logout.LogoutHandler
+import org.springframework.test.context.ContextConfiguration
+import org.springframework.test.context.web.WebAppConfiguration
+import org.springframework.test.web.servlet.MockMvc
+import org.springframework.test.web.servlet.setup.MockMvcBuilders
+import org.springframework.web.context.WebApplicationContext
+import org.testng.annotations.BeforeMethod
+import org.testng.annotations.Test
+
+import javax.servlet.Filter
+
+import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated
+import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated
+
+import static org.testng.Assert.assertFalse
+import static org.testng.Assert.assertTrue
+
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.*;
+
+/**
+ * Validates that https://github.com/stormpath/stormpath-sdk-java/issues/1158 is fixed
+ *
+ * @since 1.3.0
+ */
+@WebAppConfiguration
+@ContextConfiguration(classes = [LoginAndLogoutHandlersConfig.class, TwoAppTenantStormpathTestConfiguration.class])
+class LoginAndLogoutHandlersIT extends AbstractClientIT {
+
+    @Autowired
+    WebApplicationContext context;
+
+    @Autowired
+    @Qualifier("stormpathAuthenticationSuccessHandler")
+    public AuthenticationSuccessHandler customLoginSuccessHandler;
+
+    @Autowired
+    @Qualifier("stormpathAuthenticationFailureHandler")
+    public AuthenticationFailureHandler customLoginFailureHandler;
+
+    @Autowired
+    @Qualifier("stormpathLogoutHandler")
+    public LogoutHandler customLogoutHandler;
+
+    @Autowired
+    protected FilterChainProxy springSecurityFilterChain;
+
+    @Autowired
+    protected Filter stormpathFilter;
+
+    private MockMvc mvc;
+
+    @BeforeMethod
+    public void setup() {
+          mvc = MockMvcBuilders.webAppContextSetup(context)
+                .apply(StormpathMockMvcConfigurers.stormpath())
+                .build()
+    }
+
+    @Test
+    void testHandlersAreInvoked() {
+
+        assertFalse customLoginSuccessHandler.invoked
+        assertFalse customLoginFailureHandler.invoked
+        assertFalse customLogoutHandler.invoked
+
+        def password = "P@\$sw0rd*"
+        def account = createTempAccount(password)
+
+        mvc.perform(SecurityMockMvcLoginRequestBuilder.formLogin().login(account.getEmail()).password("this_password_will_fail")).andExpect(unauthenticated())
+
+        assertFalse customLoginSuccessHandler.invoked
+        assertTrue customLoginFailureHandler.invoked //was the login failure handler actually invoked?
+        assertFalse customLogoutHandler.invoked
+
+        mvc.perform(SecurityMockMvcLoginRequestBuilder.formLogin().login(account.getEmail()).password(password)).andExpect(authenticated())
+
+        assertTrue customLoginSuccessHandler.invoked //was the login success handler actually invoked?
+
+        mvc.perform(logout())
+
+        assertTrue customLogoutHandler.invoked //was the logout handler actually invoked?
+    }
+
+
+}

extensions/spring/stormpath-spring-security-webmvc/src/test/groovy/com/stormpath/spring/config/StormpathAuthenticationFailureHandlerTest.groovy

@@ -1,3 +1,18 @@
+/*
+ * Copyright 2016 Stormpath, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package com.stormpath.spring.config
 
 import com.stormpath.sdk.servlet.authc.FailedAuthenticationRequestEvent

extensions/spring/stormpath-spring-security-webmvc/src/test/java/com/stormpath/spring/config/SecurityMockMvcLoginRequestBuilder.java

@@ -1,8 +1,24 @@
+/*
+ * Copyright 2016 Stormpath, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package com.stormpath.spring.config;
 
 import org.springframework.http.MediaType;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.test.web.servlet.RequestBuilder;
+import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
 import org.springframework.test.web.servlet.request.RequestPostProcessor;
 
 import javax.servlet.ServletContext;
@@ -17,14 +33,21 @@ public static FormLoginRequestBuilder formLogin() {
     }
 
     static final class FormLoginRequestBuilder implements RequestBuilder {
+        private String username = "user";
+        private String login = "null";
         private String password = "password";
         private RequestPostProcessor postProcessor = csrf();
 
         public MockHttpServletRequest buildRequest(ServletContext servletContext) {
-            MockHttpServletRequest request = post("/login")
-                .param("username", "user").param("password", password)
-                .accept(MediaType.APPLICATION_FORM_URLENCODED)
-                .buildRequest(servletContext);
+            MockHttpServletRequestBuilder builder = post("/login")
+                .param("password", password)
+                .accept(MediaType.APPLICATION_FORM_URLENCODED);
+            if (username == null) {
+                builder.param("login", login);
+            } else {
+                builder.param("username", username);
+            }
+            MockHttpServletRequest request = builder.buildRequest(servletContext);
             return postProcessor.postProcessRequest(request);
         }
 
@@ -33,6 +56,20 @@ public FormLoginRequestBuilder password(String password) {
             return this;
         }
 
+        //username and login are mutually exclusive. When Stormpath is in place the param name is 'login', but in SpringSec it is called 'username' by default
+        public FormLoginRequestBuilder username(String username) {
+            this.login = null;
+            this.username = username;
+            return this;
+        }
+
+        //username and login are mutually exclusive. When Stormpath is in place the param name is 'login', but in SpringSec it is called 'username' by default
+        public FormLoginRequestBuilder login(String login) {
+            this.username = null;
+            this.login = login;
+            return this;
+        }
+
         private FormLoginRequestBuilder() {
         }
     }

extensions/spring/stormpath-spring-security-webmvc/src/test/resources/com/stormpath/spring/config/loginAndLogoutHandlers.properties

@@ -0,0 +1,17 @@
+#
+# Copyright 2016 Stormpath, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+stormpath.web.csrf.token.enabled = false