From 14c473960522cef5d2b6d34fdc24199cef4c9d33 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Mon, 11 May 2009 05:18:20 +0000 Subject: [PATCH] SEC-1158: Decoupling of Pre/Post annotations implementation from Spring EL. --- .../security/config/ConfigUtils.java | 3 +- .../ContextSourceSettingPostProcessor.java | 4 +- .../security/config/Elements.java | 4 + ...balMethodSecurityBeanDefinitionParser.java | 109 +- .../SaltSourceBeanDefinitionParser.java | 4 +- .../security/config/spring-security-3.0.rnc | 21 +- .../security/config/spring-security-3.0.xsd | 3176 +++++++++-------- .../security/config/spring-security.xsl | 2 +- ...tionProviderBeanDefinitionParserTests.java | 3 +- ...thodSecurityBeanDefinitionParserTests.java | 31 +- config/src/test/resources/namespace-usage.xml | 6 +- .../{expression => }/PermissionEvaluator.java | 4 +- .../security/access/annotation/Secured.java | 6 +- ...uredAnnotationSecurityMetadataSource.java} | 2 +- .../access/expression/ExpressionUtils.java | 2 +- .../{support => }/SecurityExpressionRoot.java | 4 +- ...tExpressionBasedMethodConfigAttribute.java | 2 +- ...efaultMethodSecurityExpressionHandler.java | 8 +- .../DenyAllPermissionEvaluator.java | 6 +- ...essionBasedAnnotationAttributeFactory.java | 58 + .../ExpressionBasedPostInvocationAdvice.java | 61 + ...> ExpressionBasedPreInvocationAdvice.java} | 63 +- ...thodExpressionAfterInvocationProvider.java | 96 - .../MethodSecurityEvaluationContext.java | 4 +- .../MethodSecurityExpressionHandler.java | 4 +- .../MethodSecurityExpressionRoot.java | 7 +- .../PostInvocationExpressionAttribute.java | 10 +- .../PreInvocationExpressionAttribute.java | 11 +- .../security/access/expression/package.html | 2 + .../AbstractSecurityExpressionHandler.java | 5 - .../annotation => prepost}/PostAuthorize.java | 4 +- .../annotation => prepost}/PostFilter.java | 4 +- .../prepost/PostInvocationAdviceProvider.java | 59 + .../prepost/PostInvocationAttribute.java | 16 + .../PostInvocationAuthorizationAdvice.java | 18 + .../annotation => prepost}/PreAuthorize.java | 4 +- .../annotation => prepost}/PreFilter.java | 4 +- .../prepost/PreInvocationAttribute.java | 16 + .../PreInvocationAuthorizationAdvice.java | 16 + ...PreInvocationAuthorizationAdviceVoter.java | 69 + ...PostAnnotationSecurityMetadataSource.java} | 94 +- .../PrePostInvocationAttributeFactory.java | 14 + .../security/access/prepost/package.html | 6 + .../dao/{salt => }/ReflectionSaltSource.java | 3 +- .../dao/{salt => }/SystemWideSaltSource.java | 3 +- .../authentication/dao/salt/package.html | 5 - .../core/session/SessionCreationEvent.java | 2 +- .../core/session/SessionDestroyedEvent.java | 2 +- .../access/annotation/BusinessService.java | 2 +- ...xpressionProtectedBusinessServiceImpl.java | 5 +- .../annotation/Jsr250BusinessServiceImpl.java | 1 + ...ecurityMetadataDefinitionSourceTests.java} | 10 +- .../method/MethodExpressionVoterTests.java | 5 +- .../MethodSecurityExpressionRootTests.java | 6 +- ...nnotationSecurityMetadataSourceTests.java} | 24 +- .../dao/DaoAuthenticationProviderTests.java | 1 - .../dao/salt/ReflectionSaltSourceTests.java | 2 +- .../dao/salt/SystemWideSaltSourceTests.java | 2 +- core/src/test/resources/someMethod.py | 9 + itest/context/pom.xml | 5 + ...PythonInterpreterPostInvocationAdvice.java | 15 + .../PythonInterpreterPreInvocationAdvice.java | 62 + ...thonInterpreterPreInvocationAttribute.java | 19 + ...eterPrePostInvocationAttributeFactory.java | 26 + .../integration/python/TestService.java | 10 + .../integration/python/TestServiceImpl.java | 9 + .../PythonInterpreterBasedSecurityTests.java | 26 + .../python-method-access-app-context.xml | 32 + .../test/resources/sec-933-app-context.xml | 50 +- .../test/resources/sec-936-app-context.xml | 2 +- .../WEB-INF/applicationContext-security.xml | 2 +- .../contact/AdminPermissionController.java | 12 +- .../java/sample/contact/ContactManager.java | 8 +- .../sample/contact/ContactManagerBackend.java | 18 +- .../sample/contact/DataSourcePopulator.java | 12 +- .../java/sample/contact/IndexController.java | 6 +- .../WEB-INF/applicationContext-security.xml | 17 +- .../sample/contact/ContactManagerTests.java | 2 +- .../applicationContext-contacts-test.xml | 18 +- .../secured/SecureDataSourcePopulator.java | 18 +- .../dms/secured/SecureDocumentDaoImpl.java | 10 +- .../applicationContext-dms-secure.xml | 8 +- .../src/main/java/bigbank/BankService.java | 2 +- .../WEB-INF/applicationContext-security.xml | 4 +- 84 files changed, 2489 insertions(+), 2028 deletions(-) rename core/src/main/java/org/springframework/security/access/{expression => }/PermissionEvaluator.java (96%) rename core/src/main/java/org/springframework/security/access/annotation/{SecuredMethodSecurityMetadataSource.java => SecuredAnnotationSecurityMetadataSource.java} (95%) rename core/src/main/java/org/springframework/security/access/expression/{support => }/SecurityExpressionRoot.java (96%) rename core/src/main/java/org/springframework/security/access/expression/{support => method}/DefaultMethodSecurityExpressionHandler.java (95%) rename core/src/main/java/org/springframework/security/access/expression/{support => method}/DenyAllPermissionEvaluator.java (88%) create mode 100644 core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java create mode 100644 core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPostInvocationAdvice.java rename core/src/main/java/org/springframework/security/access/expression/method/{MethodExpressionVoter.java => ExpressionBasedPreInvocationAdvice.java} (52%) delete mode 100644 core/src/main/java/org/springframework/security/access/expression/method/MethodExpressionAfterInvocationProvider.java rename core/src/main/java/org/springframework/security/access/expression/{support => method}/MethodSecurityEvaluationContext.java (96%) rename core/src/main/java/org/springframework/security/access/expression/{ => method}/MethodSecurityExpressionHandler.java (96%) rename core/src/main/java/org/springframework/security/access/expression/{support => method}/MethodSecurityExpressionRoot.java (87%) create mode 100644 core/src/main/java/org/springframework/security/access/expression/package.html delete mode 100644 core/src/main/java/org/springframework/security/access/expression/support/AbstractSecurityExpressionHandler.java rename core/src/main/java/org/springframework/security/access/{expression/annotation => prepost}/PostAuthorize.java (89%) rename core/src/main/java/org/springframework/security/access/{expression/annotation => prepost}/PostFilter.java (89%) create mode 100644 core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java create mode 100644 core/src/main/java/org/springframework/security/access/prepost/PostInvocationAttribute.java create mode 100644 core/src/main/java/org/springframework/security/access/prepost/PostInvocationAuthorizationAdvice.java rename core/src/main/java/org/springframework/security/access/{expression/annotation => prepost}/PreAuthorize.java (89%) rename core/src/main/java/org/springframework/security/access/{expression/annotation => prepost}/PreFilter.java (95%) create mode 100644 core/src/main/java/org/springframework/security/access/prepost/PreInvocationAttribute.java create mode 100644 core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdvice.java create mode 100644 core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java rename core/src/main/java/org/springframework/security/access/{expression/method/ExpressionAnnotationMethodSecurityMetadataSource.java => prepost/PrePostAnnotationSecurityMetadataSource.java} (58%) create mode 100644 core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java create mode 100644 core/src/main/java/org/springframework/security/access/prepost/package.html rename core/src/main/java/org/springframework/security/authentication/dao/{salt => }/ReflectionSaltSource.java (97%) rename core/src/main/java/org/springframework/security/authentication/dao/{salt => }/SystemWideSaltSource.java (94%) delete mode 100644 core/src/main/java/org/springframework/security/authentication/dao/salt/package.html rename core/src/test/java/org/springframework/security/access/annotation/{SecuredMethodDefinitionSourceTests.java => SecuredAnnotationSecurityMetadataDefinitionSourceTests.java} (91%) rename core/src/test/java/org/springframework/security/access/expression/{support => method}/MethodSecurityExpressionRootTests.java (95%) rename core/src/test/java/org/springframework/security/access/expression/method/{ExpressionAnnotationMethodDefinitionSourceTests.java => PrePostAnnotationSecurityMetadataSourceTests.java} (90%) create mode 100644 core/src/test/resources/someMethod.py create mode 100644 itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPostInvocationAdvice.java create mode 100644 itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPreInvocationAdvice.java create mode 100644 itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPreInvocationAttribute.java create mode 100644 itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPrePostInvocationAttributeFactory.java create mode 100644 itest/context/src/main/java/org/springframework/security/integration/python/TestService.java create mode 100644 itest/context/src/main/java/org/springframework/security/integration/python/TestServiceImpl.java create mode 100644 itest/context/src/test/java/org/springframework/security/integration/python/PythonInterpreterBasedSecurityTests.java create mode 100755 itest/context/src/test/resources/python-method-access-app-context.xml diff --git a/config/src/main/java/org/springframework/security/config/ConfigUtils.java b/config/src/main/java/org/springframework/security/config/ConfigUtils.java index c92f646b6b..10cb22edc2 100644 --- a/config/src/main/java/org/springframework/security/config/ConfigUtils.java +++ b/config/src/main/java/org/springframework/security/config/ConfigUtils.java @@ -12,7 +12,6 @@ import org.springframework.beans.factory.support.BeanDefinitionBuilder; import org.springframework.beans.factory.support.ManagedList; import org.springframework.beans.factory.support.RootBeanDefinition; import org.springframework.beans.factory.xml.ParserContext; -import org.springframework.security.access.expression.method.MethodExpressionVoter; import org.springframework.security.access.intercept.AfterInvocationProviderManager; import org.springframework.security.access.vote.AccessDecisionVoter; import org.springframework.security.access.vote.AffirmativeBased; @@ -35,7 +34,7 @@ abstract class ConfigUtils { static void registerDefaultMethodAccessManagerIfNecessary(ParserContext parserContext) { if (!parserContext.getRegistry().containsBeanDefinition(BeanIds.METHOD_ACCESS_MANAGER)) { parserContext.getRegistry().registerBeanDefinition(BeanIds.METHOD_ACCESS_MANAGER, - createAccessManagerBean(MethodExpressionVoter.class, RoleVoter.class, AuthenticatedVoter.class)); + createAccessManagerBean(RoleVoter.class, AuthenticatedVoter.class)); } } diff --git a/config/src/main/java/org/springframework/security/config/ContextSourceSettingPostProcessor.java b/config/src/main/java/org/springframework/security/config/ContextSourceSettingPostProcessor.java index b9284bc00f..8454c23c06 100644 --- a/config/src/main/java/org/springframework/security/config/ContextSourceSettingPostProcessor.java +++ b/config/src/main/java/org/springframework/security/config/ContextSourceSettingPostProcessor.java @@ -14,7 +14,7 @@ import org.springframework.util.ClassUtils; * * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since 3.0 */ class ContextSourceSettingPostProcessor implements BeanFactoryPostProcessor, Ordered { private static final String REQUIRED_CONTEXT_SOURCE_CLASS_NAME = "org.springframework.ldap.core.support.BaseLdapPathContextSource"; @@ -27,7 +27,7 @@ class ContextSourceSettingPostProcessor implements BeanFactoryPostProcessor, Ord Class contextSourceClass; try { - contextSourceClass = ClassUtils.forName(REQUIRED_CONTEXT_SOURCE_CLASS_NAME); + contextSourceClass = ClassUtils.forName(REQUIRED_CONTEXT_SOURCE_CLASS_NAME, ClassUtils.getDefaultClassLoader()); } catch (ClassNotFoundException e) { throw new SecurityConfigurationException("Couldn't locate: " + REQUIRED_CONTEXT_SOURCE_CLASS_NAME + ". " + " If you are using LDAP with Spring Security, please ensure that you include the spring-ldap " + diff --git a/config/src/main/java/org/springframework/security/config/Elements.java b/config/src/main/java/org/springframework/security/config/Elements.java index 4dfc3aefb3..c0d558dcbb 100644 --- a/config/src/main/java/org/springframework/security/config/Elements.java +++ b/config/src/main/java/org/springframework/security/config/Elements.java @@ -22,6 +22,10 @@ public abstract class Elements { public static final String LDAP_USER_SERVICE = "ldap-user-service"; public static final String PROTECT_POINTCUT = "protect-pointcut"; public static final String EXPRESSION_HANDLER = "expression-handler"; + public static final String INVOCATION_HANDLING = "pre-post-annotation-handling"; + public static final String INVOCATION_ATTRIBUTE_FACTORY = "invocation-attribute-factory"; + public static final String PRE_INVOCATION_ADVICE = "pre-invocation-advice"; + public static final String POST_INVOCATION_ADVICE = "post-invocation-advice"; public static final String PROTECT = "protect"; public static final String CONCURRENT_SESSIONS = "concurrent-session-control"; public static final String LOGOUT = "logout"; diff --git a/config/src/main/java/org/springframework/security/config/GlobalMethodSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/GlobalMethodSecurityBeanDefinitionParser.java index 3b98ccb796..9b33e58030 100644 --- a/config/src/main/java/org/springframework/security/config/GlobalMethodSecurityBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/GlobalMethodSecurityBeanDefinitionParser.java @@ -1,5 +1,7 @@ package org.springframework.security.config; +import static org.springframework.security.config.Elements.*; + import java.util.ArrayList; import java.util.LinkedHashMap; import java.util.List; @@ -18,14 +20,21 @@ import org.springframework.beans.factory.xml.BeanDefinitionParser; import org.springframework.beans.factory.xml.ParserContext; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.SecurityConfig; -import org.springframework.security.access.expression.method.MethodExpressionAfterInvocationProvider; -import org.springframework.security.access.expression.method.MethodExpressionVoter; -import org.springframework.security.access.expression.support.DefaultMethodSecurityExpressionHandler; +import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource; +import org.springframework.security.access.annotation.Jsr250Voter; +import org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource; +import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; +import org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory; +import org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice; +import org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice; import org.springframework.security.access.intercept.method.DelegatingMethodSecurityMetadataSource; import org.springframework.security.access.intercept.method.MapBasedMethodSecurityMetadataSource; import org.springframework.security.access.intercept.method.ProtectPointcutPostProcessor; import org.springframework.security.access.intercept.method.aopalliance.MethodSecurityInterceptor; import org.springframework.security.access.intercept.method.aopalliance.MethodSecurityMetadataSourceAdvisor; +import org.springframework.security.access.prepost.PostInvocationAdviceProvider; +import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter; +import org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource; import org.springframework.security.access.vote.AffirmativeBased; import org.springframework.security.access.vote.AuthenticatedVoter; import org.springframework.security.access.vote.RoleVoter; @@ -45,11 +54,6 @@ class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionParser { private final Log logger = LogFactory.getLog(getClass()); - static final String SECURED_METHOD_DEFINITION_SOURCE_CLASS = "org.springframework.security.access.annotation.SecuredMethodSecurityMetadataSource"; - static final String EXPRESSION_METHOD_DEFINITION_SOURCE_CLASS = "org.springframework.security.access.expression.method.ExpressionAnnotationMethodSecurityMetadataSource"; - static final String JSR_250_SECURITY_METHOD_DEFINITION_SOURCE_CLASS = "org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource"; - static final String JSR_250_VOTER_CLASS = "org.springframework.security.access.annotation.Jsr250Voter"; - /* * Internal Bean IDs which are only used within this class */ @@ -65,7 +69,7 @@ class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionParser { private static final String ATT_RUN_AS_MGR = "run-as-manager-ref"; private static final String ATT_USE_JSR250 = "jsr250-annotations"; private static final String ATT_USE_SECURED = "secured-annotations"; - private static final String ATT_USE_EXPRESSIONS = "expression-annotations"; + private static final String ATT_USE_PREPOST = "pre-post-annotations"; @SuppressWarnings("unchecked") public BeanDefinition parse(Element element, ParserContext parserContext) { @@ -75,12 +79,12 @@ class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionParser { boolean jsr250Enabled = "enabled".equals(element.getAttribute(ATT_USE_JSR250)); boolean useSecured = "enabled".equals(element.getAttribute(ATT_USE_SECURED)); - boolean expressionsEnabled = "enabled".equals(element.getAttribute(ATT_USE_EXPRESSIONS)); - BeanDefinition expressionVoter = null; + boolean prePostAnnotationsEnabled = "enabled".equals(element.getAttribute(ATT_USE_PREPOST)); + BeanDefinition preInvocationVoter = null; // Now create a Map for each sub-element Map> pointcutMap = parseProtectPointcuts(parserContext, - DomUtils.getChildElementsByTagName(element, Elements.PROTECT_POINTCUT)); + DomUtils.getChildElementsByTagName(element, PROTECT_POINTCUT)); if (pointcutMap.size() > 0) { // SEC-1016: Put the pointcut MDS first, but only add it if there are actually any pointcuts defined. @@ -89,39 +93,70 @@ class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionParser { registerProtectPointcutPostProcessor(parserContext, pointcutMap, mapBasedMethodSecurityMetadataSource, source); } - if (expressionsEnabled) { - Element expressionHandlerElt = DomUtils.getChildElementByTagName(element, Elements.EXPRESSION_HANDLER); - String expressionHandlerRef = expressionHandlerElt == null ? null : expressionHandlerElt.getAttribute("ref"); + if (prePostAnnotationsEnabled) { + Element prePostElt = DomUtils.getChildElementByTagName(element, INVOCATION_HANDLING); + Element expressionHandlerElt = DomUtils.getChildElementByTagName(element, EXPRESSION_HANDLER); - if (StringUtils.hasText(expressionHandlerRef)) { - logger.info("Using bean '" + expressionHandlerRef + "' as method SecurityExpressionHandler implementation"); - } else { - parserContext.getRegistry().registerBeanDefinition(EXPRESSION_HANDLER_ID, new RootBeanDefinition(DefaultMethodSecurityExpressionHandler.class)); - logger.warn("Expressions were enabled for method security but no SecurityExpressionHandler was configured. " + - "All hasPermision() expressions will evaluate to false."); - expressionHandlerRef = EXPRESSION_HANDLER_ID; + if (prePostElt != null && expressionHandlerElt != null) { + parserContext.getReaderContext().error(INVOCATION_HANDLING + " and " + + EXPRESSION_HANDLER + " cannot be used together ", source); } - BeanDefinitionBuilder expressionVoterBldr = BeanDefinitionBuilder.rootBeanDefinition(MethodExpressionVoter.class); - BeanDefinitionBuilder afterInvocationProvider = BeanDefinitionBuilder.rootBeanDefinition(MethodExpressionAfterInvocationProvider.class); - expressionVoterBldr.addPropertyReference("expressionHandler", expressionHandlerRef); - expressionVoter = expressionVoterBldr.getBeanDefinition(); - // After-invocation provider to handle post-invocation filtering and authorization expression annotations. - afterInvocationProvider.addPropertyReference("expressionHandler", expressionHandlerRef); - ConfigUtils.getRegisteredAfterInvocationProviders(parserContext).add(afterInvocationProvider.getBeanDefinition()); - // Add the expression method definition source, which will obtain its parser from the registered expression - // handler - BeanDefinitionBuilder mds = BeanDefinitionBuilder.rootBeanDefinition(EXPRESSION_METHOD_DEFINITION_SOURCE_CLASS); - mds.addConstructorArgReference(expressionHandlerRef); + BeanDefinitionBuilder preInvocationVoterBldr = BeanDefinitionBuilder.rootBeanDefinition(PreInvocationAuthorizationAdviceVoter.class); + // After-invocation provider to handle post-invocation filtering and authorization expression annotations. + BeanDefinitionBuilder afterInvocationBldr = BeanDefinitionBuilder.rootBeanDefinition(PostInvocationAdviceProvider.class); + // The metadata source for the security interceptor + BeanDefinitionBuilder mds = BeanDefinitionBuilder.rootBeanDefinition(PrePostAnnotationSecurityMetadataSource.class); + + if (prePostElt != null) { + // Customized override of expression handling system + String attributeFactoryRef = + DomUtils.getChildElementByTagName(prePostElt, INVOCATION_ATTRIBUTE_FACTORY).getAttribute("ref"); + String preAdviceRef = + DomUtils.getChildElementByTagName(prePostElt, PRE_INVOCATION_ADVICE).getAttribute("ref"); + String postAdviceRef = + DomUtils.getChildElementByTagName(prePostElt, POST_INVOCATION_ADVICE).getAttribute("ref"); + + mds.addConstructorArgReference(attributeFactoryRef); + preInvocationVoterBldr.addConstructorArgReference(preAdviceRef); + afterInvocationBldr.addConstructorArgReference(postAdviceRef); + } else { + // The default expression-based system + String expressionHandlerRef = expressionHandlerElt == null ? null : expressionHandlerElt.getAttribute("ref"); + + if (StringUtils.hasText(expressionHandlerRef)) { + logger.info("Using bean '" + expressionHandlerRef + "' as method ExpressionHandler implementation"); + } else { + parserContext.getRegistry().registerBeanDefinition(EXPRESSION_HANDLER_ID, new RootBeanDefinition(DefaultMethodSecurityExpressionHandler.class)); + logger.warn("Expressions were enabled for method security but no SecurityExpressionHandler was configured. " + + "All hasPermision() expressions will evaluate to false."); + expressionHandlerRef = EXPRESSION_HANDLER_ID; + } + + BeanDefinitionBuilder expressionPreAdviceBldr = BeanDefinitionBuilder.rootBeanDefinition(ExpressionBasedPreInvocationAdvice.class); + expressionPreAdviceBldr.addPropertyReference("expressionHandler", expressionHandlerRef); + preInvocationVoterBldr.addConstructorArgValue(expressionPreAdviceBldr.getBeanDefinition()); + + BeanDefinitionBuilder expressionPostAdviceBldr = BeanDefinitionBuilder.rootBeanDefinition(ExpressionBasedPostInvocationAdvice.class); + expressionPostAdviceBldr.addConstructorArgReference(expressionHandlerRef); + afterInvocationBldr.addConstructorArgValue(expressionPostAdviceBldr.getBeanDefinition()); + + BeanDefinitionBuilder annotationInvocationFactory = BeanDefinitionBuilder.rootBeanDefinition(ExpressionBasedAnnotationAttributeFactory.class); + annotationInvocationFactory.addConstructorArgReference(expressionHandlerRef); + mds.addConstructorArgValue(annotationInvocationFactory.getBeanDefinition()); + } + + preInvocationVoter = preInvocationVoterBldr.getBeanDefinition(); + ConfigUtils.getRegisteredAfterInvocationProviders(parserContext).add(afterInvocationBldr.getBeanDefinition()); delegates.add(mds.getBeanDefinition()); } if (useSecured) { - delegates.add(BeanDefinitionBuilder.rootBeanDefinition(SECURED_METHOD_DEFINITION_SOURCE_CLASS).getBeanDefinition()); + delegates.add(BeanDefinitionBuilder.rootBeanDefinition(SecuredAnnotationSecurityMetadataSource.class).getBeanDefinition()); } if (jsr250Enabled) { - delegates.add(BeanDefinitionBuilder.rootBeanDefinition(JSR_250_SECURITY_METHOD_DEFINITION_SOURCE_CLASS).getBeanDefinition()); + delegates.add(BeanDefinitionBuilder.rootBeanDefinition(Jsr250MethodSecurityMetadataSource.class).getBeanDefinition()); } registerDelegatingMethodSecurityMetadataSource(parserContext, delegates, source); @@ -129,7 +164,7 @@ class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionParser { String accessManagerId = element.getAttribute(ATT_ACCESS_MGR); if (!StringUtils.hasText(accessManagerId)) { - registerAccessManager(parserContext, jsr250Enabled, expressionVoter); + registerAccessManager(parserContext, jsr250Enabled, preInvocationVoter); accessManagerId = ACCESS_MANAGER_ID; } @@ -161,7 +196,7 @@ class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionParser { voters.add(new RootBeanDefinition(AuthenticatedVoter.class)); if (jsr250Enabled) { - voters.add(new RootBeanDefinition(JSR_250_VOTER_CLASS, null, null)); + voters.add(new RootBeanDefinition(Jsr250Voter.class)); } accessMgrBuilder.addPropertyValue("decisionVoters", voters); diff --git a/config/src/main/java/org/springframework/security/config/SaltSourceBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/SaltSourceBeanDefinitionParser.java index 0c0ba6582c..24fa5bb84c 100644 --- a/config/src/main/java/org/springframework/security/config/SaltSourceBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/SaltSourceBeanDefinitionParser.java @@ -5,8 +5,8 @@ import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.beans.factory.config.RuntimeBeanReference; import org.springframework.beans.factory.support.RootBeanDefinition; import org.springframework.beans.factory.xml.ParserContext; -import org.springframework.security.authentication.dao.salt.ReflectionSaltSource; -import org.springframework.security.authentication.dao.salt.SystemWideSaltSource; +import org.springframework.security.authentication.dao.ReflectionSaltSource; +import org.springframework.security.authentication.dao.SystemWideSaltSource; import org.springframework.util.StringUtils; import org.w3c.dom.Element; diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc index 901ae6eb32..4774642643 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc @@ -184,10 +184,10 @@ protect.attlist &= global-method-security = ## Provides method security for all beans registered in the Spring application context. Specifically, beans will be scanned for matches with the ordered list of "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match, the beans will automatically be proxied and security authorization applied to the methods accordingly. If you use and enable all four sources of method security metadata (ie "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security annotations), the metadata sources will be queried in that order. In practical terms, this enables you to use XML to override method security metadata expressed in annotations. If using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and finally JSR-250. - element global-method-security {global-method-security.attlist, expression-handler?, protect-pointcut*} + element global-method-security {global-method-security.attlist, (pre-post-annotation-handling | expression-handler)?, protect-pointcut*} global-method-security.attlist &= - ## Specifies whether the use of Spring Security's expression-based annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for this application context. Defaults to "disabled". - attribute expression-annotations {"disabled" | "enabled" }? + ## Specifies whether the use of Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for this application context. Defaults to "disabled". + attribute pre-post-annotations {"disabled" | "enabled" }? global-method-security.attlist &= ## Specifies whether the use of Spring Security's @Secured annotations should be enabled for this application context. Defaults to "disabled". attribute secured-annotations {"disabled" | "enabled" }? @@ -201,6 +201,21 @@ global-method-security.attlist &= ## Optional RunAsmanager implementation which will be used by the configured MethodSecurityInterceptor attribute run-as-manager-ref {xsd:token}? +pre-post-annotation-handling = + ## Allows the default expression-based mechanism for handling Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) to be replace entirely. Only applies if these annotations are enabled. + element pre-post-annotation-handling {invocation-attribute-factory, pre-invocation-advice, post-invocation-advice} + +invocation-attribute-factory = + ## Defines the PrePostInvocationAttributeFactory instance which is used to generate pre and post invocation metadata from the annotated methods. + element invocation-attribute-factory {ref} + +pre-invocation-advice = + element pre-invocation-advice {ref} + +post-invocation-advice = + element post-invocation-advice {ref} + + expression-handler = ## Defines the SecurityExpressionHandler instance which will be used if expression-based access-control is enabled. A default implementation (with no ACL support) will be used if not supplied. element expression-handler {ref} diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd index 6e0aa6cbf4..a46ab1c53a 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd @@ -1,1618 +1,1636 @@ - - - - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing - algorithm. - - - - - - - - - - - - - - - - - - Whether a string should be base64 encoded - - - - - - - - - - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - - - Specifies an IP port number. Used to configure an embedded LDAP - server, for example. - - - - - - - Specifies a URL. - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - - - Defines a reference to a Spring bean Id. - - - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - - A reference to a DataSource bean - - - - - - - Defines a reference to a Spring bean Id. - - - - - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing - algorithm. - - - - - - - - - - - - - - - - Whether a string should be base64 encoded - - - - - - - - - - - - - A property of the UserDetails object which will be used as salt by a - password encoder. Typically something like "username" might be used. - - - - - - - - A single value that will be used as the salt for a password encoder. - - - - - - - - - - - - - - A non-empty string prefix that will be added to role strings loaded - from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases - where the default is non-empty. - - - - - - - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of - configuration attributes. Defaults to 'false'. If enabled, each attribute should - contain a single boolean expression. If the expression evaluates to 'true', access - will be granted. - - - - + xmlns:security="http://www.springframework.org/schema/security" elementFormDefault="qualified" + targetNamespace="http://www.springframework.org/schema/security"> + + - Defines an LDAP server location or starts an embedded server. The url - indicates the location of a remote server. If no url is given, an embedded server will - be started, listening on the supplied port number. The port is optional and defaults to - 33389. A Spring LDAP ContextSource bean will be registered for the server with the id - supplied. + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing algorithm. - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - Specifies a URL. - - - - - Specifies an IP port number. Used to configure an embedded LDAP - server, for example. - - - - - Username (DN) of the "manager" user identity which will be used to - authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be - used. - - - - - The password for the manager DN. - - - - - Explicitly specifies an ldif file resource to load into an embedded - LDAP server - - - - - Optional root suffix for the embedded LDAP server. Default is - "dc=springframework,dc=org" - - - - - - - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - - - - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - - - Search base for group membership searches. Defaults to "" (searching - from the root). - - - - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - - - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. - - - - - - - The LDAP attribute name which contains the role name which will be - used within Spring Security. Defaults to "cn". - - - - - - - Allows the objectClass of the user entry to be specified. If set, the - framework will attempt to load standard attributes for the defined class into the - returned UserDetails object - - - - - - - - - - - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - - - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - Search base for group membership searches. Defaults to "" (searching - from the root). - - - - - The LDAP attribute name which contains the role name which will be - used within Spring Security. Defaults to "cn". - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - A non-empty string prefix that will be added to role strings loaded - from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases - where the default is non-empty. - - - - - Allows the objectClass of the user entry to be specified. If set, the - framework will attempt to load standard attributes for the defined class into the - returned UserDetails object - - - - - - - - - - + + + + + + + + + + + + + + + - Sets up an ldap authentication provider + Whether a string should be base64 encoded - - - - - Specifies that an LDAP provider should use an LDAP compare - operation of the user's password to authenticate the user - - - - - - element which defines a password encoding strategy. - Used by an authentication provider to convert submitted passwords to - hashed versions, for example. - - - - - - Password salting strategy. A system-wide - constant or a property from the UserDetails object can be - used. - - - - - A property of the UserDetails object - which will be used as salt by a password encoder. - Typically something like "username" might be used. - - - - - - A single value that will be used as the - salt for a password encoder. - - - - - Defines a reference to a Spring bean - Id. - - - - - - - - - - - - - - - - - - - - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - - - - - - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. - - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - Search base for group membership searches. Defaults to "" (searching - from the root). - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - The LDAP attribute name which contains the role name which will be - used within Spring Security. Defaults to "cn". - - - - - A specific pattern used to build the user's DN, for example - "uid={0},ou=people". The key "{0}" must be present and will be substituted with the - username. - - - - - A non-empty string prefix that will be added to role strings loaded - from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases - where the default is non-empty. - - - - - Allows the objectClass of the user entry to be specified. If set, the - framework will attempt to load standard attributes for the defined class into the - returned UserDetails object - - - - - - - - - - - - - The attribute in the directory which contains the user password. - Defaults to "userPassword". - - - - - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing - algorithm. - - - - - - - - - - - - - - - + + + + + + + + + + - Can be used inside a bean definition to add a security interceptor to the - bean and set up access configuration attributes for the bean's - methods + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. - - - - - Defines a protected method and the access control configuration - attributes that apply to it. We strongly advise you NOT to mix "protect" - declarations with any services provided - "global-method-security". - - - - - - - - - - - - - Optional AccessDecisionManager bean ID to be used by the created - method security interceptor. - - - - - - - A method name - - - - - Access configuration attributes list that applies to the method, e.g. - "ROLE_A,ROLE_B". - - - - + + + + + + + + + + - Provides method security for all beans registered in the Spring - application context. Specifically, beans will be scanned for matches with the ordered - list of "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there - is a match, the beans will automatically be proxied and security authorization applied - to the methods accordingly. If you use and enable all four sources of method security - metadata (ie "protect-pointcut" declarations, expression annotations, @Secured and also - JSR250 security annotations), the metadata sources will be queried in that order. In - practical terms, this enables you to use XML to override method security metadata - expressed in annotations. If using annotations, the order of precedence is EL-based - (@PreAuthorize etc.), @Secured and finally JSR-250. + Specifies an IP port number. Used to configure an embedded LDAP server, + for example. - - - - - - Defines a protected pointcut and the access control - configuration attributes that apply to it. Every bean registered in the Spring - application context that provides a method that matches the pointcut will - receive security authorization. - - - - - - - - - - - - - Specifies whether the use of Spring Security's expression-based - annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be - enabled for this application context. Defaults to "disabled". - - - - - - - - - - - Specifies whether the use of Spring Security's @Secured annotations - should be enabled for this application context. Defaults to - "disabled". - - - - - - - - - - - Specifies whether JSR-250 style attributes are to be used (for example - "RolesAllowed"). This will require the javax.annotation.security classes on the - classpath. Defaults to "disabled". - - - - - - - - - - - Optional AccessDecisionManager bean ID to override the default used - for method security. - - - - - Optional RunAsmanager implementation which will be used by the - configured MethodSecurityInterceptor - - - - + + + + - Defines the SecurityExpressionHandler instance which will be used if - expression-based access-control is enabled. A default implementation (with no ACL - support) will be used if not supplied. + Specifies a URL. - - - - - + + + + - Used to decorate an AfterInvocationProvider to specify that it should be - used with method security. + A bean identifier, used for referring to the bean elsewhere in the + context. - - - - - - An AspectJ expression, including the 'execution' keyword. For example, - 'execution(int com.foo.TargetObject.countLength(String))' (without the - quotes). - - - - - Access configuration attributes list that applies to all methods - matching the pointcut, e.g. "ROLE_A,ROLE_B" - - - - + + + + - Container element for HTTP security configuration + Defines a reference to a Spring bean Id. - - - - - Specifies the access attributes and/or filter list for a - particular set of URLs. - - - - - - - - Defines the access-denied strategy that should be used. An - access denied page can be defined or a reference to an AccessDeniedHandler - instance. - - - - - - - - Sets up a form login configuration for authentication with a - username and password - - - - - - - - - Adds support for X.509 client authentication. - - - - - - - - Adds support for basic authentication (this is an element to - permit future expansion, such as supporting an "ignoreFailure" - attribute) - - - - - - Incorporates a logout processing filter. Most web applications - require a logout filter, although you may not require one if you write a - controller to provider similar logic. - - - - - - - - Adds support for concurrent session control, allowing limits to - be placed on the number of sessions a user can have. - - - - - - - - Sets up remember-me authentication. If used with the "key" - attribute (or no attributes) the cookie-only implementation will be used. - Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the - more secure, persisten token approach. - - - - - - - - Adds support for automatically granting all anonymous web - requests a particular principal identity and a corresponding granted - authority. - - - - - - - - Defines the list of mappings between http and https ports for - use in redirects - - - - - - - - - - - - - - - Automatically registers a login form, BASIC authentication, anonymous - authentication, logout services, remember-me and servlet-api-integration. If set to - "true", all of these capabilities are added (although you can still customize the - configuration of each by providing the respective element). If unspecified, defaults - to "false". - - - - - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of - configuration attributes. Defaults to 'false'. If enabled, each attribute should - contain a single boolean expression. If the expression evaluates to 'true', access - will be granted. - - - - - Controls the eagerness with which an HTTP session is created. If not - set, defaults to "ifRequired". Note that if a custom SecurityContextRepository is set - using security-context-repository-ref, then the only value which can be set is - "always". Otherwise the session creation behaviour will be determined by the - repository bean implementation. - - - - - - - - - - - - A reference to a SecurityContextRepository bean. This can be used to - customize how the SecurityContext is stored between requests. - - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - Whether test URLs should be converted to lower case prior to comparing - with defined path patterns. If unspecified, defaults to "true". - - - - - Provides versions of HttpServletRequest security methods such as - isUserInRole() and getPrincipal() which are implemented by accessing the Spring - SecurityContext. Defaults to "true". - - - - - Optional attribute specifying the ID of the AccessDecisionManager - implementation which should be used for authorizing HTTP requests. - - - - - Optional attribute specifying the realm name that will be used for all - authentication features that require a realm name (eg BASIC and Digest - authentication). If unspecified, defaults to "Spring Security - Application". - - - - - Indicates whether an existing session should be invalidated when a - user authenticates and a new session started. If set to "none" no change will be - made. "newSession" will create a new empty session. "migrateSession" will create a - new session and copy the session attributes to the new session. Defaults to - "migrateSession". - - - - - - - - - - - - Allows a customized AuthenticationEntryPoint to be - used. - - - - - Corresponds to the observeOncePerRequest property of - FilterSecurityInterceptor. Defaults to "true" - - - - - Deprecated in favour of the access-denied-handler - element. - - - - - - - - - - - - Defines a reference to a Spring bean Id. - - - - - The access denied page that an authenticated user will be redirected - to if they request a page which they don't have the authority to access. - - - - - - - - The access denied page that an authenticated user will be redirected - to if they request a page which they don't have the authority to access. - - - - - - - - The pattern which defines the URL path. The content will depend on the - type set in the containing http element, so will default to ant path - syntax. - - - - - The access configuration attributes that apply for the configured - path. - - - - - The HTTP Method for which the access configuration attributes should - apply. If not specified, the attributes will apply to any method. - - - - - - - - - - - - - - - - The filter list for the path. Currently can be set to "none" to remove - a path from having any filters applied. The full filter stack (consisting of all - filters created by the namespace configuration, and any added using 'custom-filter'), - will be applied to any other paths. - - - - - - - - - - Used to specify that a URL must be accessed over http or https, or - that there is no preference. - - - - - - - - - - - - - - Specifies the URL that will cause a logout. Spring Security will - initialize a filter that responds to this particular URL. Defaults to - /j_spring_security_logout if unspecified. - - - - - Specifies the URL to display once the user has logged out. If not - specified, defaults to /. - - - - - Specifies whether a logout also causes HttpSession invalidation, which - is generally desirable. If unspecified, defaults to true. - - - - - - - The URL that the login form is posted to. If unspecified, it defaults - to /j_spring_security_check. - - - - - The URL that will be redirected to after successful authentication, if - the user's previous action could not be resumed. This generally happens if the user - visits a login page without having first requested a secured operation that triggers - authentication. If unspecified, defaults to the root of the - application. - - - - - Whether the user should always be redirected to the default-target-url - after login. - - - - - The URL for the login page. If no login URL is specified, Spring - Security will automatically create a login URL at /spring_security_login and a - corresponding filter to render that login URL when requested. - - - - - The URL for the login failure page. If no login failure URL is - specified, Spring Security will automatically create a failure login URL at - /spring_security_login?login_error and a corresponding filter to render that login - failure URL when requested. - - - - - Reference to an AuthenticationSuccessHandler bean which should be used - to handle a successful authentication request. Should not be used in combination with - default-target-url (or always-use-default-target-url) as the implementation should - always deal with navigation to the subsequent destination - - - - - Reference to an AuthenticationFailureHandler bean which should be used - to handle a failed authentication request. Should not be used in combination with - authentication-failure-url as the implementation should always deal with navigation - to the subsequent destination - - - - + + + + - Sets up form login for authentication with an Open ID - identity + Defines a reference to a cache for use with a + UserDetailsService. - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - + + + + - Used to explicitly configure a FilterChainProxy instance with a - FilterChainMap + A reference to a user-service (or UserDetailsService bean) + Id - - - - - Used within filter-chain-map to define a specific URL pattern - and the list of filters which apply to the URLs matching that pattern. When - multiple filter-chain elements are used within a filter-chain-map element, the - most specific patterns must be placed at the top of the list, with most general - ones at the bottom. - - - - - - - - - - - - - - - - - + + + + - Used to explicitly configure a FilterInvocationDefinitionSource bean for - use with a FilterSecurityInterceptor. Usually only needed if you are configuring a - FilterChainProxy explicitly, rather than using the <http> element. The - intercept-url elements used should only contain pattern, method and access attributes. - Any others will result in a configuration error. + A reference to a DataSource bean - - - - - Specifies the access attributes and/or filter list for a - particular set of URLs. - - - - - - - - - - - - - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of - configuration attributes. Defaults to 'false'. If enabled, each attribute should - contain a single boolean expression. If the expression evaluates to 'true', access - will be granted. - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - as for http element - - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - - - The maximum number of sessions a single user can have open at the same - time. Defaults to "1". - - - - - The URL a user will be redirected to if they attempt to use a session - which has been "expired" by the concurrent session controller because they have - logged in again. - - - - - Specifies that an exception should be raised when a user attempts to - login when they already have the maximum configured sessions open. The default - behaviour is to expire the original session. - - - - - Allows you to define an alias for the SessionRegistry bean in order to - access it in your own configuration - - - - - A reference to an external SessionRegistry implementation which will - be used in place of the standard one. - - - - - - - The "key" used to identify cookies from a specific token-based - remember-me application. You should set this to a unique value for your - application. - - - - - Reference to a PersistentTokenRepository bean for use with the - persistent token remember-me implementation. - - - - - A reference to a DataSource bean - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - The period (in seconds) for which the remember-me cookie should be - valid. If set to a negative value - - - - - - - Reference to a PersistentTokenRepository bean for use with the - persistent token remember-me implementation. - - - - - - - Allows a custom implementation of RememberMeServices to be used. Note - that this implementation should return RememberMeAuthenticationToken instances with - the same "key" value as specified in the remember-me element. Alternatively it should - register its own AuthenticationProvider. - - - - - - - - - - The key shared between the provider and filter. This generally does - not need to be set. If unset, it will default to "doesNotMatter". - - - - - The username that should be assigned to the anonymous request. This - allows the principal to be identified, which may be important for logging and - auditing. if unset, defaults to "anonymousUser". - - - - - The granted authority that should be assigned to the anonymous - request. Commonly this is used to assign the anonymous request particular roles, - which can subsequently be used in authorization decisions. If unset, defaults to - "ROLE_ANONYMOUS". - - - - - With the default namespace setup, the anonymous "authentication" - facility is automatically enabled. You can disable it using this property. - - - - - - - - - - - - - - - - - - - - The regular expression used to obtain the username from the - certificate's subject. Defaults to matching on the common name using the pattern - "CN=(.*?),". - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - + + + + - If you are using namespace configuration with Spring Security, an - AuthenticationManager will automatically be registered. This element allows you to - define an alias to allow you to reference the authentication-manager in your own beans. - + Defines a reference to a Spring bean Id. - - - - - - - - The alias you wish to use for the AuthenticationManager - bean - - - - - Allows the session controller to be set on the internal - AuthenticationManager. This should not be used with the - <concurrent-session-control /> element - - - - + + - Indicates that the contained user-service should be used as an - authentication source. + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing algorithm. - - - - - + + + + + + + + + + + + + + + Whether a string should be base64 encoded + + + + + + + + + + + + + A property of the UserDetails object which will be used as salt by a + password encoder. Typically something like "username" might be used. + + + + + + + A single value that will be used as the salt for a password encoder. + + + + + + + + + + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of configuration + attributes. Defaults to 'false'. If enabled, each attribute should contain a single + boolean expression. If the expression evaluates to 'true', access will be granted. + + + + + + + Defines an LDAP server location or starts an embedded server. The url + indicates the location of a remote server. If no url is given, an embedded server will be + started, listening on the supplied port number. The port is optional and defaults to 33389. + A Spring LDAP ContextSource bean will be registered for the server with the id supplied. + + + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + Specifies a URL. + + + + + Specifies an IP port number. Used to configure an embedded LDAP server, + for example. + + + + + Username (DN) of the "manager" user identity which will be used to + authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used. + + + + + + The password for the manager DN. + + + + + Explicitly specifies an ldif file resource to load into an embedded LDAP + server + + + + + Optional root suffix for the embedded LDAP server. Default is + "dc=springframework,dc=org" + + + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + + + Search base for group membership searches. Defaults to "" (searching from + the root). + + + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + + + The LDAP attribute name which contains the role name which will be used + within Spring Security. Defaults to "cn". + + + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the returned + UserDetails object + + + + + + + + + + + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + Search base for group membership searches. Defaults to "" (searching from + the root). + + + + + The LDAP attribute name which contains the role name which will be used + within Spring Security. Defaults to "cn". + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the returned + UserDetails object + + + + + + + + + + + + Sets up an ldap authentication provider + + + + + + Specifies that an LDAP provider should use an LDAP compare operation + of the user's password to authenticate the user + + + + + element which defines a password encoding strategy. Used by an - authentication provider to convert submitted passwords to hashed versions, for - example. - - + authentication provider to convert submitted passwords to hashed versions, for + example. + + - - - Password salting strategy. A system-wide constant or a - property from the UserDetails object can be used. - - - - - A property of the UserDetails object which will - be used as salt by a password encoder. Typically something like - "username" might be used. - - - - - A single value that will be used as the salt for - a password encoder. - - - - - Defines a reference to a Spring bean - Id. - - - - + + + Password salting strategy. A system-wide constant or a + property from the UserDetails object can be used. + + + + + A property of the UserDetails object which will be + used as salt by a password encoder. Typically something like + "username" might be used. + + + + + A single value that will be used as the salt for a + password encoder. + + + + + Defines a reference to a Spring bean + Id. + + + + - - - - - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - Element used to decorate an AuthenticationProvider bean to add it to the - internal AuthenticationManager maintained by the namespace. - - - - - - Creates an in-memory UserDetailsService from a properties file or a list - of "user" child elements. - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - - - - - - - Represents a user in the application. - - - - - - - - - The username assigned to the user. - - - - - The password assigned to the user. This may be hashed if the - corresponding authentication provider supports hashing (remember to set the "hash" - attribute of the "user-service" element). - - - - - One of more authorities granted to the user. Separate authorities with - a comma (but no space). For example, - "ROLE_USER,ROLE_ADMINISTRATOR" - - - - - Can be set to "true" to mark an account as locked and - unusable. - - - - - Can be set to "true" to mark an account as disabled and - unusable. - - - - - - Causes creation of a JDBC-based UserDetailsService. - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - - - - - The bean ID of the DataSource which provides the required - tables. - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - An SQL statement to query a username, password, and enabled status - given a username - - - - - An SQL statement to query for a user's granted authorities given a - username. - - - - - An SQL statement to query user's group authorities given a - username. - - - - - A non-empty string prefix that will be added to role strings loaded - from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases - where the default is non-empty. - - - - - - - + + + + + + - - + + + + + - Used to indicate that a filter bean declaration should be incorporated - into the security filter chain. If neither the 'after' or 'before' options are supplied, - then the filter must implement the Ordered interface directly. + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + - - + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + Search base for group membership searches. Defaults to "" (searching from + the root). + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + The LDAP attribute name which contains the role name which will be used + within Spring Security. Defaults to "cn". + + + + + A specific pattern used to build the user's DN, for example + "uid={0},ou=people". The key "{0}" must be present and will be substituted with the + username. + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the returned + UserDetails object + + + + + + + + + + + + + The attribute in the directory which contains the user password. Defaults + to "userPassword". + + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing algorithm. + + + + + + + + + + + + + + + + + Can be used inside a bean definition to add a security interceptor to the + bean and set up access configuration attributes for the bean's methods + + + + + + Defines a protected method and the access control configuration + attributes that apply to it. We strongly advise you NOT to mix "protect" declarations + with any services provided "global-method-security". + + + + + + + + + + + + + Optional AccessDecisionManager bean ID to be used by the created method + security interceptor. + + + + + + + A method name + + + + + Access configuration attributes list that applies to the method, e.g. + "ROLE_A,ROLE_B". + + + + + + Provides method security for all beans registered in the Spring application + context. Specifically, beans will be scanned for matches with the ordered list of + "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match, + the beans will automatically be proxied and security authorization applied to the methods + accordingly. If you use and enable all four sources of method security metadata (ie + "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security + annotations), the metadata sources will be queried in that order. In practical terms, this + enables you to use XML to override method security metadata expressed in annotations. If + using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and + finally JSR-250. + + + + + - The filter immediately after which the custom-filter should be - placed in the chain. This feature will only be needed by advanced users who wish - to mix their own filters into the security filter chain and have some knowledge of - the standard Spring Security filters. The filter names map to specific Spring - Security implementation filters. + Allows the default expression-based mechanism for handling Spring + Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, + @PostFilter, @PostAuthorize) to be replace entirely. Only applies if these + annotations are enabled. - - - - The filter immediately before which the custom-filter should be - placed in the chain - - - - - The explicit position at which the custom-filter should be placed - in the chain. Use if you are replacing a standard filter. - - - - - - - - The filter immediately after which the custom-filter should be placed - in the chain. This feature will only be needed by advanced users who wish to mix - their own filters into the security filter chain and have some knowledge of the - standard Spring Security filters. The filter names map to specific Spring Security - implementation filters. - + + + + + Defines the PrePostInvocationAttributeFactory instance which + is used to generate pre and post invocation metadata from the annotated + methods. + + + + + + + + + + + + + + + + + + + + + + + Defines a protected pointcut and the access control configuration + attributes that apply to it. Every bean registered in the Spring application context + that provides a method that matches the pointcut will receive security + authorization. + + + + + + + + + + + + + Specifies whether the use of Spring Security's pre and post invocation + annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for + this application context. Defaults to "disabled". + + + + + + + + + + + Specifies whether the use of Spring Security's @Secured annotations should + be enabled for this application context. Defaults to "disabled". + + + + + + + + + + + Specifies whether JSR-250 style attributes are to be used (for example + "RolesAllowed"). This will require the javax.annotation.security classes on the classpath. + Defaults to "disabled". + + + + + + + + + + + Optional AccessDecisionManager bean ID to override the default used for + method security. + + + + + Optional RunAsmanager implementation which will be used by the configured + MethodSecurityInterceptor + + + + + + Defines the SecurityExpressionHandler instance which will be used if + expression-based access-control is enabled. A default implementation (with no ACL support) + will be used if not supplied. + + + + + + + + Used to decorate an AfterInvocationProvider to specify that it should be + used with method security. + + + + + + + An AspectJ expression, including the 'execution' keyword. For example, + 'execution(int com.foo.TargetObject.countLength(String))' (without the + quotes). + + + + + Access configuration attributes list that applies to all methods matching + the pointcut, e.g. "ROLE_A,ROLE_B" + + + + + + Container element for HTTP security configuration + + + + + + Specifies the access attributes and/or filter list for a particular + set of URLs. + + + + + + + + Defines the access-denied strategy that should be used. An access + denied page can be defined or a reference to an AccessDeniedHandler instance. + + + + + + + + + Sets up a form login configuration for authentication with a username + and password + + + + + + + + + Adds support for X.509 client authentication. + + + + + + + + Adds support for basic authentication (this is an element to permit + future expansion, such as supporting an "ignoreFailure" attribute) + + + + + + Incorporates a logout processing filter. Most web applications require + a logout filter, although you may not require one if you write a controller to + provider similar logic. + + + + + + + + Adds support for concurrent session control, allowing limits to be + placed on the number of sessions a user can have. + + + + + + + + Sets up remember-me authentication. If used with the "key" attribute + (or no attributes) the cookie-only implementation will be used. Specifying + "token-repository-ref" or "remember-me-data-source-ref" will use the more secure, + persisten token approach. + + + + + + + + Adds support for automatically granting all anonymous web requests a + particular principal identity and a corresponding granted + authority. + + + + + + + + Defines the list of mappings between http and https ports for use in + redirects + + + + + + + + + + + + + + + Automatically registers a login form, BASIC authentication, anonymous + authentication, logout services, remember-me and servlet-api-integration. If set to + "true", all of these capabilities are added (although you can still customize the + configuration of each by providing the respective element). If unspecified, defaults to + "false". + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of configuration + attributes. Defaults to 'false'. If enabled, each attribute should contain a single + boolean expression. If the expression evaluates to 'true', access will be granted. + + + + + + Controls the eagerness with which an HTTP session is created. If not set, + defaults to "ifRequired". Note that if a custom SecurityContextRepository is set using + security-context-repository-ref, then the only value which can be set is "always". + Otherwise the session creation behaviour will be determined by the repository bean + implementation. + + + + + + + + + + + + A reference to a SecurityContextRepository bean. This can be used to + customize how the SecurityContext is stored between requests. + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + Whether test URLs should be converted to lower case prior to comparing + with defined path patterns. If unspecified, defaults to "true". + + + + + Provides versions of HttpServletRequest security methods such as + isUserInRole() and getPrincipal() which are implemented by accessing the Spring + SecurityContext. Defaults to "true". + + + + + Optional attribute specifying the ID of the AccessDecisionManager + implementation which should be used for authorizing HTTP requests. + + + + + Optional attribute specifying the realm name that will be used for all + authentication features that require a realm name (eg BASIC and Digest authentication). If + unspecified, defaults to "Spring Security Application". + + + + + Indicates whether an existing session should be invalidated when a user + authenticates and a new session started. If set to "none" no change will be made. + "newSession" will create a new empty session. "migrateSession" will create a new session + and copy the session attributes to the new session. Defaults to + "migrateSession". + + + + + + + + + + + + Allows a customized AuthenticationEntryPoint to be + used. + + + + + Corresponds to the observeOncePerRequest property of + FilterSecurityInterceptor. Defaults to "true" + + + + + Deprecated in favour of the access-denied-handler + element. + + + + + + + + + + + + Defines a reference to a Spring bean Id. + + + + + The access denied page that an authenticated user will be redirected to if + they request a page which they don't have the authority to access. + + + + + + + The access denied page that an authenticated user will be redirected to if + they request a page which they don't have the authority to access. + + + + + + + The pattern which defines the URL path. The content will depend on the + type set in the containing http element, so will default to ant path + syntax. + + + + + The access configuration attributes that apply for the configured + path. + + + + + The HTTP Method for which the access configuration attributes should + apply. If not specified, the attributes will apply to any method. + + + + + + + + + + + + + + + + The filter list for the path. Currently can be set to "none" to remove a + path from having any filters applied. The full filter stack (consisting of all filters + created by the namespace configuration, and any added using 'custom-filter'), will be + applied to any other paths. + + + + + + + + + + Used to specify that a URL must be accessed over http or https, or that + there is no preference. + + + + + + + + + + + + + + Specifies the URL that will cause a logout. Spring Security will + initialize a filter that responds to this particular URL. Defaults to + /j_spring_security_logout if unspecified. + + + + + Specifies the URL to display once the user has logged out. If not + specified, defaults to /. + + + + + Specifies whether a logout also causes HttpSession invalidation, which is + generally desirable. If unspecified, defaults to true. + + + + + + + The URL that the login form is posted to. If unspecified, it defaults to + /j_spring_security_check. + + + + + The URL that will be redirected to after successful authentication, if the + user's previous action could not be resumed. This generally happens if the user visits a + login page without having first requested a secured operation that triggers + authentication. If unspecified, defaults to the root of the + application. + + + + + Whether the user should always be redirected to the default-target-url + after login. + + + + + The URL for the login page. If no login URL is specified, Spring Security + will automatically create a login URL at /spring_security_login and a corresponding filter + to render that login URL when requested. + + + + + The URL for the login failure page. If no login failure URL is specified, + Spring Security will automatically create a failure login URL at + /spring_security_login?login_error and a corresponding filter to render that login failure + URL when requested. + + + + + Reference to an AuthenticationSuccessHandler bean which should be used to + handle a successful authentication request. Should not be used in combination with + default-target-url (or always-use-default-target-url) as the implementation should always + deal with navigation to the subsequent destination + + + + + Reference to an AuthenticationFailureHandler bean which should be used to + handle a failed authentication request. Should not be used in combination with + authentication-failure-url as the implementation should always deal with navigation to the + subsequent destination + + + + + + Sets up form login for authentication with an Open ID + identity + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + - - - - - The filter immediately before which the custom-filter should be placed - in the chain - + + + + + Used to explicitly configure a FilterChainProxy instance with a + FilterChainMap + + + + + + Used within filter-chain-map to define a specific URL pattern and the + list of filters which apply to the URLs matching that pattern. When multiple + filter-chain elements are used within a filter-chain-map element, the most specific + patterns must be placed at the top of the list, with most general ones at the + bottom. + + + + + + + + + + + + + + + + + + + Used to explicitly configure a FilterInvocationDefinitionSource bean for use + with a FilterSecurityInterceptor. Usually only needed if you are configuring a + FilterChainProxy explicitly, rather than using the <http> element. The + intercept-url elements used should only contain pattern, method and access attributes. Any + others will result in a configuration error. + + + + + + Specifies the access attributes and/or filter list for a particular + set of URLs. + + + + + + + + + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of configuration + attributes. Defaults to 'false'. If enabled, each attribute should contain a single + boolean expression. If the expression evaluates to 'true', access will be granted. + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + as for http element + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + + + The maximum number of sessions a single user can have open at the same + time. Defaults to "1". + + + + + The URL a user will be redirected to if they attempt to use a session + which has been "expired" by the concurrent session controller because they have logged in + again. + + + + + Specifies that an exception should be raised when a user attempts to login + when they already have the maximum configured sessions open. The default behaviour is to + expire the original session. + + + + + Allows you to define an alias for the SessionRegistry bean in order to + access it in your own configuration + + + + + A reference to an external SessionRegistry implementation which will be + used in place of the standard one. + + + + + + + The "key" used to identify cookies from a specific token-based remember-me + application. You should set this to a unique value for your + application. + + + + + Reference to a PersistentTokenRepository bean for use with the persistent + token remember-me implementation. + + + + + A reference to a DataSource bean + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + The period (in seconds) for which the remember-me cookie should be valid. + If set to a negative value + + + + + + + Reference to a PersistentTokenRepository bean for use with the persistent + token remember-me implementation. + + + + + + + Allows a custom implementation of RememberMeServices to be used. Note that + this implementation should return RememberMeAuthenticationToken instances with the same + "key" value as specified in the remember-me element. Alternatively it should register its + own AuthenticationProvider. + + + + + + + + + + The key shared between the provider and filter. This generally does not + need to be set. If unset, it will default to "doesNotMatter". + + + + + The username that should be assigned to the anonymous request. This allows + the principal to be identified, which may be important for logging and auditing. if unset, + defaults to "anonymousUser". + + + + + The granted authority that should be assigned to the anonymous request. + Commonly this is used to assign the anonymous request particular roles, which can + subsequently be used in authorization decisions. If unset, defaults to + "ROLE_ANONYMOUS". + + + + + With the default namespace setup, the anonymous "authentication" facility + is automatically enabled. You can disable it using this property. + + + + + + + + + + + + + + + + + + + The regular expression used to obtain the username from the certificate's + subject. Defaults to matching on the common name using the pattern + "CN=(.*?),". + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + If you are using namespace configuration with Spring Security, an + AuthenticationManager will automatically be registered. This element allows you to define an + alias to allow you to reference the authentication-manager in your own beans. + + + + + + + + + + The alias you wish to use for the AuthenticationManager + bean + + + + + Allows the session controller to be set on the internal + AuthenticationManager. This should not be used with the <concurrent-session-control + /> element + + + + + + Indicates that the contained user-service should be used as an + authentication source. + + + + + + + element which defines a password encoding strategy. Used by an + authentication provider to convert submitted passwords to hashed versions, for + example. + + + + + + Password salting strategy. A system-wide constant or a property + from the UserDetails object can be used. + + + + + A property of the UserDetails object which will be used as + salt by a password encoder. Typically something like "username" might be + used. + + + + + A single value that will be used as the salt for a password + encoder. + + + + + Defines a reference to a Spring bean Id. + + + + + + + + + + + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + Element used to decorate an AuthenticationProvider bean to add it to the + internal AuthenticationManager maintained by the namespace. + + + + + + Creates an in-memory UserDetailsService from a properties file or a list of + "user" child elements. + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + - - - - - The explicit position at which the custom-filter should be placed in - the chain. Use if you are replacing a standard filter. - + + + + + + + + + Represents a user in the application. + + + + + + + + + The username assigned to the user. + + + + + The password assigned to the user. This may be hashed if the corresponding + authentication provider supports hashing (remember to set the "hash" attribute of the + "user-service" element). + + + + + One of more authorities granted to the user. Separate authorities with a + comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR" + + + + + Can be set to "true" to mark an account as locked and + unusable. + + + + + Can be set to "true" to mark an account as disabled and + unusable. + + + + + + Causes creation of a JDBC-based UserDetailsService. + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + The bean ID of the DataSource which provides the required + tables. + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + An SQL statement to query a username, password, and enabled status given a + username + + + + + An SQL statement to query for a user's granted authorities given a + username. + + + + + An SQL statement to query user's group authorities given a + username. + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + + + + + + + + Used to indicate that a filter bean declaration should be incorporated into + the security filter chain. If neither the 'after' or 'before' options are supplied, then the + filter must implement the Ordered interface directly. + + + + + The filter immediately after which the custom-filter should be placed in + the chain. This feature will only be needed by advanced users who wish to mix their own + filters into the security filter chain and have some knowledge of the standard Spring + Security filters. The filter names map to specific Spring Security implementation + filters. + + + + + The filter immediately before which the custom-filter should be placed + in the chain + + + + + The explicit position at which the custom-filter should be placed in the + chain. Use if you are replacing a standard filter. + + + + + + + + The filter immediately after which the custom-filter should be placed in + the chain. This feature will only be needed by advanced users who wish to mix their own + filters into the security filter chain and have some knowledge of the standard Spring + Security filters. The filter names map to specific Spring Security implementation filters. + + + + + + + + The filter immediately before which the custom-filter should be placed in + the chain + + + + + + + The explicit position at which the custom-filter should be placed in the + chain. Use if you are replacing a standard filter. + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/config/src/main/resources/org/springframework/security/config/spring-security.xsl b/config/src/main/resources/org/springframework/security/config/spring-security.xsl index fa87e2e563..0e94992ff0 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security.xsl +++ b/config/src/main/resources/org/springframework/security/config/spring-security.xsl @@ -10,7 +10,7 @@ - ,access-denied-handler,anonymous,concurrent-session-control,filter-chain,form-login,http-basic,intercept-url,logout,password-encoder,port-mappings,port-mapper,password-compare,protect,protect-pointcut,remember-me,salt-source,x509, + ,access-denied-handler,anonymous,concurrent-session-control,filter-chain,form-login,http-basic,intercept-url,logout,password-encoder,port-mappings,port-mapper,password-compare,protect,protect-pointcut,pre-post-annotation-handling,pre-invocation-advice,post-invocation-advice,invocation-attribute-factory,remember-me,salt-source,x509, diff --git a/config/src/test/java/org/springframework/security/config/AuthenticationProviderBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/AuthenticationProviderBeanDefinitionParserTests.java index e9dbe5f4ac..669849cce1 100644 --- a/config/src/test/java/org/springframework/security/config/AuthenticationProviderBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/AuthenticationProviderBeanDefinitionParserTests.java @@ -5,6 +5,7 @@ import static org.junit.Assert.*; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.ProviderManager; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.authentication.dao.ReflectionSaltSource; import org.springframework.security.authentication.encoding.ShaPasswordEncoder; import org.springframework.security.config.util.InMemoryXmlApplicationContext; import org.springframework.security.util.FieldUtils; @@ -111,7 +112,7 @@ public class AuthenticationProviderBeanDefinitionParserTests { " " + " " + + " class='" + ReflectionSaltSource.class.getName() +"'>" + " " + " " + " " + AUTH_PROVIDER_XML); + setContext("" + AUTH_PROVIDER_XML); AffirmativeBased adm = (AffirmativeBased) appContext.getBean(GlobalMethodSecurityBeanDefinitionParser.ACCESS_MANAGER_ID); List voters = (List) FieldUtils.getFieldValue(adm, "decisionVoters"); - MethodExpressionVoter mev = (MethodExpressionVoter) voters.get(0); + PreInvocationAuthorizationAdviceVoter mev = (PreInvocationAuthorizationAdviceVoter) voters.get(0); AfterInvocationProviderManager pm = (AfterInvocationProviderManager) appContext.getBean(BeanIds.AFTER_INVOCATION_MANAGER); - MethodExpressionAfterInvocationProvider aip = (MethodExpressionAfterInvocationProvider) pm.getProviders().get(0); - assertTrue(FieldUtils.getFieldValue(mev, "expressionHandler") == FieldUtils.getFieldValue(aip, "expressionHandler")); + PostInvocationAdviceProvider aip = (PostInvocationAdviceProvider) pm.getProviders().get(0); + assertTrue(FieldUtils.getFieldValue(mev, "preAdvice.expressionHandler") == FieldUtils.getFieldValue(aip, "postAdvice.expressionHandler")); } @Test(expected=AccessDeniedException.class) public void accessIsDeniedForHasRoleExpression() { setContext( - "" + + "" + "" + AUTH_PROVIDER_XML); SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("bob","bobspassword")); @@ -234,7 +221,7 @@ public class GlobalMethodSecurityBeanDefinitionParserTests { @Test public void preAndPostFilterAnnotationsWorkWithLists() { setContext( - "" + + "" + "" + AUTH_PROVIDER_XML); SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("bob","bobspassword")); @@ -253,7 +240,7 @@ public class GlobalMethodSecurityBeanDefinitionParserTests { @Test public void prePostFilterAnnotationWorksWithArrays() { setContext( - "" + + "" + "" + AUTH_PROVIDER_XML); SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("bob","bobspassword")); diff --git a/config/src/test/resources/namespace-usage.xml b/config/src/test/resources/namespace-usage.xml index db95542952..f909ab3898 100644 --- a/config/src/test/resources/namespace-usage.xml +++ b/config/src/test/resources/namespace-usage.xml @@ -13,9 +13,11 @@ http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.5.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd http://www.springframework.org/schema/security ../../main/resources/org/springframework/security/config/spring-security-3.0.xsd"> - + - + + < + diff --git a/core/src/main/java/org/springframework/security/access/expression/PermissionEvaluator.java b/core/src/main/java/org/springframework/security/access/PermissionEvaluator.java similarity index 96% rename from core/src/main/java/org/springframework/security/access/expression/PermissionEvaluator.java rename to core/src/main/java/org/springframework/security/access/PermissionEvaluator.java index 25acb4dfbe..72f159357b 100644 --- a/core/src/main/java/org/springframework/security/access/expression/PermissionEvaluator.java +++ b/core/src/main/java/org/springframework/security/access/PermissionEvaluator.java @@ -1,4 +1,4 @@ -package org.springframework.security.access.expression; +package org.springframework.security.access; import java.io.Serializable; @@ -11,7 +11,7 @@ import org.springframework.security.core.Authentication; * * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since 3.0 */ public interface PermissionEvaluator { /** diff --git a/core/src/main/java/org/springframework/security/access/annotation/Secured.java b/core/src/main/java/org/springframework/security/access/annotation/Secured.java index 2c5ffe1ec2..aa9df1e4ef 100644 --- a/core/src/main/java/org/springframework/security/access/annotation/Secured.java +++ b/core/src/main/java/org/springframework/security/access/annotation/Secured.java @@ -47,9 +47,9 @@ import java.lang.annotation.Target; @Inherited @Documented public @interface Secured { -/** - * Returns the list of security configuration attributes. - * (i.e. ROLE_USER, ROLE_ADMIN etc.) + /** + * Returns the list of security configuration attributes (e.g. ROLE_USER, ROLE_ADMIN). + * * @return String[] The secure method attributes */ public String[] value(); diff --git a/core/src/main/java/org/springframework/security/access/annotation/SecuredMethodSecurityMetadataSource.java b/core/src/main/java/org/springframework/security/access/annotation/SecuredAnnotationSecurityMetadataSource.java similarity index 95% rename from core/src/main/java/org/springframework/security/access/annotation/SecuredMethodSecurityMetadataSource.java rename to core/src/main/java/org/springframework/security/access/annotation/SecuredAnnotationSecurityMetadataSource.java index 1bb49483cb..c638efa005 100644 --- a/core/src/main/java/org/springframework/security/access/annotation/SecuredMethodSecurityMetadataSource.java +++ b/core/src/main/java/org/springframework/security/access/annotation/SecuredAnnotationSecurityMetadataSource.java @@ -33,7 +33,7 @@ import org.springframework.security.access.intercept.method.AbstractFallbackMeth * @author Ben Alex * @version $Id$ */ -public class SecuredMethodSecurityMetadataSource extends AbstractFallbackMethodSecurityMetadataSource { +public class SecuredAnnotationSecurityMetadataSource extends AbstractFallbackMethodSecurityMetadataSource { protected List findAttributes(Class clazz) { return processAnnotation(clazz.getAnnotation(Secured.class)); diff --git a/core/src/main/java/org/springframework/security/access/expression/ExpressionUtils.java b/core/src/main/java/org/springframework/security/access/expression/ExpressionUtils.java index 79538b2a65..32cc169810 100644 --- a/core/src/main/java/org/springframework/security/access/expression/ExpressionUtils.java +++ b/core/src/main/java/org/springframework/security/access/expression/ExpressionUtils.java @@ -4,7 +4,7 @@ import org.springframework.expression.EvaluationContext; import org.springframework.expression.EvaluationException; import org.springframework.expression.Expression; -public class ExpressionUtils { +public final class ExpressionUtils { public static boolean evaluateAsBoolean(Expression expr, EvaluationContext ctx) { try { diff --git a/core/src/main/java/org/springframework/security/access/expression/support/SecurityExpressionRoot.java b/core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java similarity index 96% rename from core/src/main/java/org/springframework/security/access/expression/support/SecurityExpressionRoot.java rename to core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java index 2eaaf206ee..87ead1ff89 100644 --- a/core/src/main/java/org/springframework/security/access/expression/support/SecurityExpressionRoot.java +++ b/core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java @@ -1,4 +1,4 @@ -package org.springframework.security.access.expression.support; +package org.springframework.security.access.expression; import java.util.Set; @@ -13,7 +13,7 @@ import org.springframework.security.core.authority.AuthorityUtils; * * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since 3.0 */ public abstract class SecurityExpressionRoot { protected final Authentication authentication; diff --git a/core/src/main/java/org/springframework/security/access/expression/method/AbstractExpressionBasedMethodConfigAttribute.java b/core/src/main/java/org/springframework/security/access/expression/method/AbstractExpressionBasedMethodConfigAttribute.java index 8f6b3b6d86..ce98b5849a 100644 --- a/core/src/main/java/org/springframework/security/access/expression/method/AbstractExpressionBasedMethodConfigAttribute.java +++ b/core/src/main/java/org/springframework/security/access/expression/method/AbstractExpressionBasedMethodConfigAttribute.java @@ -15,7 +15,7 @@ import org.springframework.util.Assert; * * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since 3.0 */ abstract class AbstractExpressionBasedMethodConfigAttribute implements ConfigAttribute { private final Expression filterExpression; diff --git a/core/src/main/java/org/springframework/security/access/expression/support/DefaultMethodSecurityExpressionHandler.java b/core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandler.java similarity index 95% rename from core/src/main/java/org/springframework/security/access/expression/support/DefaultMethodSecurityExpressionHandler.java rename to core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandler.java index c8158c2820..d5a273b047 100644 --- a/core/src/main/java/org/springframework/security/access/expression/support/DefaultMethodSecurityExpressionHandler.java +++ b/core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandler.java @@ -1,4 +1,4 @@ -package org.springframework.security.access.expression.support; +package org.springframework.security.access.expression.method; import java.lang.reflect.Array; import java.util.ArrayList; @@ -14,9 +14,9 @@ import org.springframework.expression.EvaluationContext; import org.springframework.expression.Expression; import org.springframework.expression.ExpressionParser; import org.springframework.expression.spel.antlr.SpelAntlrExpressionParser; +import org.springframework.security.access.PermissionEvaluator; import org.springframework.security.access.expression.ExpressionUtils; -import org.springframework.security.access.expression.MethodSecurityExpressionHandler; -import org.springframework.security.access.expression.PermissionEvaluator; +import org.springframework.security.access.expression.SecurityExpressionRoot; import org.springframework.security.authentication.AuthenticationTrustResolver; import org.springframework.security.authentication.AuthenticationTrustResolverImpl; import org.springframework.security.core.Authentication; @@ -28,7 +28,7 @@ import org.springframework.security.core.Authentication; * * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since 3.0 */ public class DefaultMethodSecurityExpressionHandler implements MethodSecurityExpressionHandler { diff --git a/core/src/main/java/org/springframework/security/access/expression/support/DenyAllPermissionEvaluator.java b/core/src/main/java/org/springframework/security/access/expression/method/DenyAllPermissionEvaluator.java similarity index 88% rename from core/src/main/java/org/springframework/security/access/expression/support/DenyAllPermissionEvaluator.java rename to core/src/main/java/org/springframework/security/access/expression/method/DenyAllPermissionEvaluator.java index 836fd86b4f..0b9a0e9667 100644 --- a/core/src/main/java/org/springframework/security/access/expression/support/DenyAllPermissionEvaluator.java +++ b/core/src/main/java/org/springframework/security/access/expression/method/DenyAllPermissionEvaluator.java @@ -1,10 +1,10 @@ -package org.springframework.security.access.expression.support; +package org.springframework.security.access.expression.method; import java.io.Serializable; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.springframework.security.access.expression.PermissionEvaluator; +import org.springframework.security.access.PermissionEvaluator; import org.springframework.security.core.Authentication; /** @@ -13,7 +13,7 @@ import org.springframework.security.core.Authentication; * * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since 3.0 */ class DenyAllPermissionEvaluator implements PermissionEvaluator { diff --git a/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java b/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java new file mode 100644 index 0000000000..9705cbf3e2 --- /dev/null +++ b/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java @@ -0,0 +1,58 @@ +/** + * + */ +package org.springframework.security.access.expression.method; + +import org.springframework.expression.Expression; +import org.springframework.expression.ExpressionParser; +import org.springframework.expression.ParseException; +import org.springframework.security.access.prepost.PostAuthorize; +import org.springframework.security.access.prepost.PostFilter; +import org.springframework.security.access.prepost.PostInvocationAttribute; +import org.springframework.security.access.prepost.PreAuthorize; +import org.springframework.security.access.prepost.PreFilter; +import org.springframework.security.access.prepost.PreInvocationAttribute; +import org.springframework.security.access.prepost.PrePostInvocationAttributeFactory; + +/** + * {@link PrePostInvocationAttributeFactory} which interprets the annotation value as + * an expression to be evaluated at runtime. + * + * @author Luke Taylor + * @version $Id$ + * @since 3.0 + */ +public class ExpressionBasedAnnotationAttributeFactory implements PrePostInvocationAttributeFactory { + private ExpressionParser parser; + + public ExpressionBasedAnnotationAttributeFactory(MethodSecurityExpressionHandler handler) { + parser = handler.getExpressionParser(); + } + + public PreInvocationAttribute createPreInvocationAttribute(PreFilter preFilter, PreAuthorize preAuthorize) { + try { + // TODO: Optimization of permitAll + Expression preAuthorizeExpression = preAuthorize == null ? parser.parseExpression("permitAll") : parser.parseExpression(preAuthorize.value()); + Expression preFilterExpression = preFilter == null ? null : parser.parseExpression(preFilter.value()); + String filterObject = preFilter == null ? null : preFilter.filterTarget(); + return new PreInvocationExpressionAttribute(preFilterExpression, filterObject, preAuthorizeExpression); + } catch (ParseException e) { + throw new IllegalArgumentException("Failed to parse expression '" + e.getExpressionString() + "'", e); + } + } + + public PostInvocationAttribute createPostInvocationAttribute(PostFilter postFilter, PostAuthorize postAuthorize) { + try { + Expression postAuthorizeExpression = postAuthorize == null ? null : parser.parseExpression(postAuthorize.value()); + Expression postFilterExpression = postFilter == null ? null : parser.parseExpression(postFilter.value()); + + if (postFilterExpression != null || postAuthorizeExpression != null) { + return new PostInvocationExpressionAttribute(postFilterExpression, postAuthorizeExpression); + } + } catch (ParseException e) { + throw new IllegalArgumentException("Failed to parse expression '" + e.getExpressionString() + "'", e); + } + + return null; + } +} diff --git a/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPostInvocationAdvice.java b/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPostInvocationAdvice.java new file mode 100644 index 0000000000..3cbf4811c9 --- /dev/null +++ b/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPostInvocationAdvice.java @@ -0,0 +1,61 @@ +package org.springframework.security.access.expression.method; + +import org.aopalliance.intercept.MethodInvocation; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.springframework.expression.EvaluationContext; +import org.springframework.expression.Expression; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.expression.ExpressionUtils; +import org.springframework.security.access.prepost.PostInvocationAttribute; +import org.springframework.security.access.prepost.PostInvocationAuthorizationAdvice; +import org.springframework.security.core.Authentication; + +/** + * + * @author Luke Taylor + * @version $Id$ + * @since 3.0 + */ +public class ExpressionBasedPostInvocationAdvice implements PostInvocationAuthorizationAdvice{ + protected final Log logger = LogFactory.getLog(getClass()); + + private MethodSecurityExpressionHandler expressionHandler; + + public ExpressionBasedPostInvocationAdvice(MethodSecurityExpressionHandler expressionHandler) { + this.expressionHandler = expressionHandler; + } + + public Object after(Authentication authentication, MethodInvocation mi, + PostInvocationAttribute postAttr, Object returnedObject) throws AccessDeniedException{ + PostInvocationExpressionAttribute pia = (PostInvocationExpressionAttribute) postAttr; + EvaluationContext ctx = expressionHandler.createEvaluationContext(authentication, mi); + Expression postFilter = pia.getFilterExpression(); + Expression postAuthorize = pia.getAuthorizeExpression(); + + if (postFilter != null) { + if (logger.isDebugEnabled()) { + logger.debug("Applying PostFilter expression " + postFilter); + } + + if (returnedObject != null) { + returnedObject = expressionHandler.filter(returnedObject, postFilter, ctx); + } else { + if (logger.isDebugEnabled()) { + logger.debug("Return object is null, filtering will be skipped"); + } + } + } + + expressionHandler.setReturnObject(returnedObject, ctx); + + if (postAuthorize != null && !ExpressionUtils.evaluateAsBoolean(postAuthorize, ctx)) { + if (logger.isDebugEnabled()) { + logger.debug("PostAuthorize expression rejected access"); + } + throw new AccessDeniedException("Access is denied"); + } + + return returnedObject; + } +} diff --git a/core/src/main/java/org/springframework/security/access/expression/method/MethodExpressionVoter.java b/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPreInvocationAdvice.java similarity index 52% rename from core/src/main/java/org/springframework/security/access/expression/method/MethodExpressionVoter.java rename to core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPreInvocationAdvice.java index 30162c6502..4278490612 100644 --- a/core/src/main/java/org/springframework/security/access/expression/method/MethodExpressionVoter.java +++ b/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPreInvocationAdvice.java @@ -1,68 +1,47 @@ +/** + * + */ package org.springframework.security.access.expression.method; import java.util.Collection; -import java.util.List; import org.aopalliance.intercept.MethodInvocation; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; import org.springframework.expression.EvaluationContext; import org.springframework.expression.Expression; -import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.expression.ExpressionUtils; -import org.springframework.security.access.expression.MethodSecurityExpressionHandler; -import org.springframework.security.access.expression.support.DefaultMethodSecurityExpressionHandler; -import org.springframework.security.access.vote.AccessDecisionVoter; +import org.springframework.security.access.prepost.PreInvocationAttribute; +import org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice; import org.springframework.security.core.Authentication; /** - * Voter which performs the actions for @PreFilter and @PostAuthorize annotations. - *

* If only a @PreFilter condition is specified, it will vote to grant access, otherwise it will vote - * to grant or deny access depending on whether the @PostAuthorize expression evaluates to 'true' or 'false', + * to grant or deny access depending on whether the @PreAuthorize expression evaluates to 'true' or 'false', * respectively. - * + * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since */ -public class MethodExpressionVoter implements AccessDecisionVoter { - protected final Log logger = LogFactory.getLog(getClass()); - +public class ExpressionBasedPreInvocationAdvice implements PreInvocationAuthorizationAdvice { private MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler(); - public boolean supports(ConfigAttribute attribute) { - return attribute instanceof AbstractExpressionBasedMethodConfigAttribute; - } - - public boolean supports(Class clazz) { - return clazz.isAssignableFrom(MethodInvocation.class); - } - - public int vote(Authentication authentication, Object object, List attributes) { - PreInvocationExpressionAttribute mace = findMethodAccessControlExpression(attributes); - - if (mace == null) { - // No expression based metadata, so abstain - return ACCESS_ABSTAIN; - } - - MethodInvocation mi = (MethodInvocation)object; + public boolean before(Authentication authentication, MethodInvocation mi, PreInvocationAttribute attr) { + PreInvocationExpressionAttribute preAttr = (PreInvocationExpressionAttribute) attr; EvaluationContext ctx = expressionHandler.createEvaluationContext(authentication, mi); - Expression preFilter = mace.getFilterExpression(); - Expression preAuthorize = mace.getAuthorizeExpression(); + Expression preFilter = preAttr.getFilterExpression(); + Expression preAuthorize = preAttr.getAuthorizeExpression(); if (preFilter != null) { - Object filterTarget = findFilterTarget(mace.getFilterTarget(), ctx, mi); + Object filterTarget = findFilterTarget(preAttr.getFilterTarget(), ctx, mi); expressionHandler.filter(filterTarget, preFilter, ctx); } if (preAuthorize == null) { - return ACCESS_GRANTED; + return true; } - return ExpressionUtils.evaluateAsBoolean(preAuthorize, ctx) ? ACCESS_GRANTED : ACCESS_DENIED; + return ExpressionUtils.evaluateAsBoolean(preAuthorize, ctx); } private Object findFilterTarget(String filterTargetName, EvaluationContext ctx, MethodInvocation mi) { @@ -94,16 +73,6 @@ public class MethodExpressionVoter implements AccessDecisionVoter { return filterTarget; } - private PreInvocationExpressionAttribute findMethodAccessControlExpression(List config) { - // Find the MethodAccessControlExpression attribute - for (ConfigAttribute attribute : config) { - if (attribute instanceof PreInvocationExpressionAttribute) { - return (PreInvocationExpressionAttribute)attribute; - } - } - - return null; - } public void setExpressionHandler(MethodSecurityExpressionHandler expressionHandler) { this.expressionHandler = expressionHandler; diff --git a/core/src/main/java/org/springframework/security/access/expression/method/MethodExpressionAfterInvocationProvider.java b/core/src/main/java/org/springframework/security/access/expression/method/MethodExpressionAfterInvocationProvider.java deleted file mode 100644 index a9ebb24298..0000000000 --- a/core/src/main/java/org/springframework/security/access/expression/method/MethodExpressionAfterInvocationProvider.java +++ /dev/null @@ -1,96 +0,0 @@ -package org.springframework.security.access.expression.method; - -import java.util.List; - -import org.aopalliance.intercept.MethodInvocation; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.springframework.expression.EvaluationContext; -import org.springframework.expression.Expression; -import org.springframework.security.access.AccessDeniedException; -import org.springframework.security.access.ConfigAttribute; -import org.springframework.security.access.expression.ExpressionUtils; -import org.springframework.security.access.expression.MethodSecurityExpressionHandler; -import org.springframework.security.access.expression.support.DefaultMethodSecurityExpressionHandler; -import org.springframework.security.access.intercept.AfterInvocationProvider; -import org.springframework.security.core.Authentication; - -/** - * AfterInvocationProvider which handles the @PostAuthorize and @PostFilter annotation expressions. - * - * @author Luke Taylor - * @verson $Id$ - * @since 2.5 - */ -public class MethodExpressionAfterInvocationProvider implements AfterInvocationProvider { - - protected final Log logger = LogFactory.getLog(getClass()); - - private MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler(); - - public Object decide(Authentication authentication, Object object, List config, Object returnedObject) - throws AccessDeniedException { - - PostInvocationExpressionAttribute mca = findMethodAccessControlExpression(config); - - if (mca == null) { - return returnedObject; - } - - EvaluationContext ctx = - expressionHandler.createEvaluationContext(authentication, (MethodInvocation)object); - //SecurityExpressionRoot expressionRoot = new SecurityExpressionRoot(authentication); - //ctx.setRootObject(expressionRoot); - - Expression postFilter = mca.getFilterExpression(); - Expression postAuthorize = mca.getAuthorizeExpression(); - - if (postFilter != null) { - if (logger.isDebugEnabled()) { - logger.debug("Applying PostFilter expression " + postFilter); - } - - if (returnedObject != null) { - returnedObject = expressionHandler.filter(returnedObject, postFilter, ctx); - } else { - if (logger.isDebugEnabled()) { - logger.debug("Return object is null, filtering will be skipped"); - } - } - } - - expressionHandler.setReturnObject(returnedObject, ctx); - - if (postAuthorize != null && !ExpressionUtils.evaluateAsBoolean(postAuthorize, ctx)) { - if (logger.isDebugEnabled()) { - logger.debug("PostAuthorize expression rejected access"); - } - throw new AccessDeniedException("Access is denied"); - } - - return returnedObject; - } - - private PostInvocationExpressionAttribute findMethodAccessControlExpression(List config) { - // Find the MethodAccessControlExpression attribute - for (ConfigAttribute attribute : config) { - if (attribute instanceof PostInvocationExpressionAttribute) { - return (PostInvocationExpressionAttribute)attribute; - } - } - - return null; - } - - public boolean supports(ConfigAttribute attribute) { - return attribute instanceof PostInvocationExpressionAttribute; - } - - public boolean supports(Class clazz) { - return clazz.isAssignableFrom(MethodInvocation.class); - } - - public void setExpressionHandler(MethodSecurityExpressionHandler expressionHandler) { - this.expressionHandler = expressionHandler; - } -} diff --git a/core/src/main/java/org/springframework/security/access/expression/support/MethodSecurityEvaluationContext.java b/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java similarity index 96% rename from core/src/main/java/org/springframework/security/access/expression/support/MethodSecurityEvaluationContext.java rename to core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java index eee898921c..f5fce6b14a 100644 --- a/core/src/main/java/org/springframework/security/access/expression/support/MethodSecurityEvaluationContext.java +++ b/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java @@ -1,4 +1,4 @@ -package org.springframework.security.access.expression.support; +package org.springframework.security.access.expression.method; import java.lang.reflect.Method; @@ -15,7 +15,7 @@ import org.springframework.util.ClassUtils; * and when they are required. * * @author Luke Taylor - * @since 2.5 + * @since 3.0 */ class MethodSecurityEvaluationContext extends StandardEvaluationContext { private ParameterNameDiscoverer parameterNameDiscoverer; diff --git a/core/src/main/java/org/springframework/security/access/expression/MethodSecurityExpressionHandler.java b/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityExpressionHandler.java similarity index 96% rename from core/src/main/java/org/springframework/security/access/expression/MethodSecurityExpressionHandler.java rename to core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityExpressionHandler.java index ef44972671..09a7c57e15 100644 --- a/core/src/main/java/org/springframework/security/access/expression/MethodSecurityExpressionHandler.java +++ b/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityExpressionHandler.java @@ -1,4 +1,4 @@ -package org.springframework.security.access.expression; +package org.springframework.security.access.expression.method; import org.aopalliance.intercept.MethodInvocation; import org.springframework.expression.EvaluationContext; @@ -12,7 +12,7 @@ import org.springframework.security.core.Authentication; * * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since 3.0 */ public interface MethodSecurityExpressionHandler { /** diff --git a/core/src/main/java/org/springframework/security/access/expression/support/MethodSecurityExpressionRoot.java b/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityExpressionRoot.java similarity index 87% rename from core/src/main/java/org/springframework/security/access/expression/support/MethodSecurityExpressionRoot.java rename to core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityExpressionRoot.java index ff08e0dd3c..9781ff1637 100644 --- a/core/src/main/java/org/springframework/security/access/expression/support/MethodSecurityExpressionRoot.java +++ b/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityExpressionRoot.java @@ -1,8 +1,9 @@ -package org.springframework.security.access.expression.support; +package org.springframework.security.access.expression.method; import java.io.Serializable; -import org.springframework.security.access.expression.PermissionEvaluator; +import org.springframework.security.access.PermissionEvaluator; +import org.springframework.security.access.expression.SecurityExpressionRoot; import org.springframework.security.core.Authentication; @@ -11,7 +12,7 @@ import org.springframework.security.core.Authentication; * * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since 3.0 */ class MethodSecurityExpressionRoot extends SecurityExpressionRoot { private PermissionEvaluator permissionEvaluator; diff --git a/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java b/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java index ec62866e07..771e7c9d38 100644 --- a/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java +++ b/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java @@ -2,8 +2,16 @@ package org.springframework.security.access.expression.method; import org.springframework.expression.Expression; import org.springframework.expression.ParseException; +import org.springframework.security.access.prepost.PostInvocationAttribute; -class PostInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute { +/** + * + * @author Luke Taylor + * @version $Id$ + * @since 3.0 + */ +class PostInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute + implements PostInvocationAttribute { PostInvocationExpressionAttribute(String filterExpression, String authorizeExpression) throws ParseException { diff --git a/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java b/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java index a9be7b45b1..a9dfc4b69a 100644 --- a/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java +++ b/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java @@ -2,8 +2,17 @@ package org.springframework.security.access.expression.method; import org.springframework.expression.Expression; import org.springframework.expression.ParseException; +import org.springframework.security.access.prepost.PreInvocationAttribute; + +/** + * + * @author Luke Taylor + * @version $Id$ + * @since 3.0 + */ +class PreInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute + implements PreInvocationAttribute { -class PreInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute { private final String filterTarget; PreInvocationExpressionAttribute(String filterExpression, String filterTarget, String authorizeExpression) diff --git a/core/src/main/java/org/springframework/security/access/expression/package.html b/core/src/main/java/org/springframework/security/access/expression/package.html new file mode 100644 index 0000000000..28e8ad98d1 --- /dev/null +++ b/core/src/main/java/org/springframework/security/access/expression/package.html @@ -0,0 +1,2 @@ +Expression handling code to support the use of Spring-EL based expressions in @PreAuthorize, @PreFilter, +@PostAuthorizue and @PostFilter annotations. Mainly for internal framework use and liable to change. diff --git a/core/src/main/java/org/springframework/security/access/expression/support/AbstractSecurityExpressionHandler.java b/core/src/main/java/org/springframework/security/access/expression/support/AbstractSecurityExpressionHandler.java deleted file mode 100644 index a1a90f2f3a..0000000000 --- a/core/src/main/java/org/springframework/security/access/expression/support/AbstractSecurityExpressionHandler.java +++ /dev/null @@ -1,5 +0,0 @@ -package org.springframework.security.access.expression.support; - -public class AbstractSecurityExpressionHandler { - -} diff --git a/core/src/main/java/org/springframework/security/access/expression/annotation/PostAuthorize.java b/core/src/main/java/org/springframework/security/access/prepost/PostAuthorize.java similarity index 89% rename from core/src/main/java/org/springframework/security/access/expression/annotation/PostAuthorize.java rename to core/src/main/java/org/springframework/security/access/prepost/PostAuthorize.java index 00e89cc260..4833867749 100644 --- a/core/src/main/java/org/springframework/security/access/expression/annotation/PostAuthorize.java +++ b/core/src/main/java/org/springframework/security/access/prepost/PostAuthorize.java @@ -1,4 +1,4 @@ -package org.springframework.security.access.expression.annotation; +package org.springframework.security.access.prepost; import java.lang.annotation.Documented; import java.lang.annotation.ElementType; @@ -12,7 +12,7 @@ import java.lang.annotation.Target; * * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since 3.0 */ @Target({ElementType.METHOD, ElementType.TYPE}) @Retention(RetentionPolicy.RUNTIME) diff --git a/core/src/main/java/org/springframework/security/access/expression/annotation/PostFilter.java b/core/src/main/java/org/springframework/security/access/prepost/PostFilter.java similarity index 89% rename from core/src/main/java/org/springframework/security/access/expression/annotation/PostFilter.java rename to core/src/main/java/org/springframework/security/access/prepost/PostFilter.java index 935ac1fc7d..1db1dbbb02 100644 --- a/core/src/main/java/org/springframework/security/access/expression/annotation/PostFilter.java +++ b/core/src/main/java/org/springframework/security/access/prepost/PostFilter.java @@ -1,4 +1,4 @@ -package org.springframework.security.access.expression.annotation; +package org.springframework.security.access.prepost; import java.lang.annotation.Documented; import java.lang.annotation.ElementType; @@ -12,7 +12,7 @@ import java.lang.annotation.Target; * * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since 3.0 */ @Target({ElementType.METHOD, ElementType.TYPE}) @Retention(RetentionPolicy.RUNTIME) diff --git a/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java new file mode 100644 index 0000000000..06fe43c0b3 --- /dev/null +++ b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java @@ -0,0 +1,59 @@ +package org.springframework.security.access.prepost; + +import java.util.List; + +import org.aopalliance.intercept.MethodInvocation; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.ConfigAttribute; +import org.springframework.security.access.intercept.AfterInvocationProvider; +import org.springframework.security.core.Authentication; + +/** + * AfterInvocationProvider which delegates to a {@link PostInvocationAuthorizationAdvice} instance + * passing it the PostInvocationAttribute created from @PostAuthorize and @PostFilter annotations. + * + * @author Luke Taylor + * @version $Id$ + * @since 3.0 + */ +public class PostInvocationAdviceProvider implements AfterInvocationProvider { + protected final Log logger = LogFactory.getLog(getClass()); + + private PostInvocationAuthorizationAdvice postAdvice; + + public PostInvocationAdviceProvider(PostInvocationAuthorizationAdvice postAdvice) { + this.postAdvice = postAdvice; + } + + public Object decide(Authentication authentication, Object object, List config, Object returnedObject) + throws AccessDeniedException { + + PostInvocationAttribute pia = findPostInvocationAttribute(config); + + if (pia == null) { + return returnedObject; + } + + return postAdvice.after(authentication, (MethodInvocation)object, pia, returnedObject); + } + + private PostInvocationAttribute findPostInvocationAttribute(List config) { + for (ConfigAttribute attribute : config) { + if (attribute instanceof PostInvocationAttribute) { + return (PostInvocationAttribute)attribute; + } + } + + return null; + } + + public boolean supports(ConfigAttribute attribute) { + return attribute instanceof PostInvocationAttribute; + } + + public boolean supports(Class clazz) { + return clazz.isAssignableFrom(MethodInvocation.class); + } +} diff --git a/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAttribute.java b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAttribute.java new file mode 100644 index 0000000000..86f1955908 --- /dev/null +++ b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAttribute.java @@ -0,0 +1,16 @@ +package org.springframework.security.access.prepost; + +import org.springframework.security.access.ConfigAttribute; + +/** + * Marker interface for attributes which are created from combined @PostFilter and @PostAuthorize annotations. + *

+ * Consumed by a {@link PostInvocationAuthorizationAdvice}. + * + * @author Luke Taylor + * @version $Id$ + * @since 3.0 + */ +public interface PostInvocationAttribute extends ConfigAttribute{ + +} diff --git a/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAuthorizationAdvice.java b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAuthorizationAdvice.java new file mode 100644 index 0000000000..18f0645f1e --- /dev/null +++ b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAuthorizationAdvice.java @@ -0,0 +1,18 @@ +package org.springframework.security.access.prepost; + +import org.aopalliance.intercept.MethodInvocation; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.core.Authentication; + +/** + * Performs filtering and authorization logic after a method is invoked. + * + * @author Luke Taylor + * @version $Id$ + * @since 3.0 + */ +public interface PostInvocationAuthorizationAdvice { + + Object after(Authentication authentication, MethodInvocation mi, + PostInvocationAttribute pia, Object returnedObject) throws AccessDeniedException; +} diff --git a/core/src/main/java/org/springframework/security/access/expression/annotation/PreAuthorize.java b/core/src/main/java/org/springframework/security/access/prepost/PreAuthorize.java similarity index 89% rename from core/src/main/java/org/springframework/security/access/expression/annotation/PreAuthorize.java rename to core/src/main/java/org/springframework/security/access/prepost/PreAuthorize.java index 387da38cc4..32d3f1df0e 100644 --- a/core/src/main/java/org/springframework/security/access/expression/annotation/PreAuthorize.java +++ b/core/src/main/java/org/springframework/security/access/prepost/PreAuthorize.java @@ -1,4 +1,4 @@ -package org.springframework.security.access.expression.annotation; +package org.springframework.security.access.prepost; import java.lang.annotation.Documented; import java.lang.annotation.ElementType; @@ -13,7 +13,7 @@ import java.lang.annotation.Target; * * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since 3.0 */ @Target({ElementType.METHOD, ElementType.TYPE}) @Retention(RetentionPolicy.RUNTIME) diff --git a/core/src/main/java/org/springframework/security/access/expression/annotation/PreFilter.java b/core/src/main/java/org/springframework/security/access/prepost/PreFilter.java similarity index 95% rename from core/src/main/java/org/springframework/security/access/expression/annotation/PreFilter.java rename to core/src/main/java/org/springframework/security/access/prepost/PreFilter.java index e615c60a7a..b15644892e 100644 --- a/core/src/main/java/org/springframework/security/access/expression/annotation/PreFilter.java +++ b/core/src/main/java/org/springframework/security/access/prepost/PreFilter.java @@ -1,4 +1,4 @@ -package org.springframework.security.access.expression.annotation; +package org.springframework.security.access.prepost; import java.lang.annotation.Documented; import java.lang.annotation.ElementType; @@ -23,7 +23,7 @@ import java.lang.annotation.Target; * * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since 3.0 */ @Target({ElementType.METHOD, ElementType.TYPE}) @Retention(RetentionPolicy.RUNTIME) diff --git a/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAttribute.java b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAttribute.java new file mode 100644 index 0000000000..71551eb128 --- /dev/null +++ b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAttribute.java @@ -0,0 +1,16 @@ +package org.springframework.security.access.prepost; + +import org.springframework.security.access.ConfigAttribute; + +/** + * Marker interface for attributes which are created from combined @PreFilter and @PreAuthorize annotations. + *

+ * Consumed by a {@link PreInvocationAuthorizationAdvice}. + * + * @author Luke Taylor + * @version $Id$ + * @since 3.0 + */ +public interface PreInvocationAttribute extends ConfigAttribute{ + +} diff --git a/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdvice.java b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdvice.java new file mode 100644 index 0000000000..01feb65f91 --- /dev/null +++ b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdvice.java @@ -0,0 +1,16 @@ +package org.springframework.security.access.prepost; + +import org.aopalliance.intercept.MethodInvocation; +import org.springframework.security.core.Authentication; + +/** + * Performs argument filtering and authorization logic before a method is invoked. + * + * @author Luke Taylor + * @version $Id$ + * @since 3.0 + */ +public interface PreInvocationAuthorizationAdvice { + + boolean before(Authentication authentication, MethodInvocation mi, PreInvocationAttribute preInvocationAttribute); +} diff --git a/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java new file mode 100644 index 0000000000..eb32fb4e70 --- /dev/null +++ b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java @@ -0,0 +1,69 @@ +package org.springframework.security.access.prepost; + +import java.util.List; + +import org.aopalliance.intercept.MethodInvocation; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.springframework.security.access.ConfigAttribute; +import org.springframework.security.access.vote.AccessDecisionVoter; +import org.springframework.security.core.Authentication; + +/** + * Voter which performs the actions using a PreInvocationAuthorizationAdvice implementation + * generated from @PreFilter and @PreAuthorize annotations. + *

+ * In practice, if these annotations are being used, they will normally contain all the necessary + * access control logic, so a voter-based system is not really necessary and a single AccessDecisionManager + * which contained the same logic would suffice. However, this class fits in readily with the traditional + * voter-based AccessDecisionManager implementations used by Spring Security. + * + * @author Luke Taylor + * @version $Id$ + * @since 3.0 + */ +public class PreInvocationAuthorizationAdviceVoter implements AccessDecisionVoter { + protected final Log logger = LogFactory.getLog(getClass()); + + private PreInvocationAuthorizationAdvice preAdvice; + + public PreInvocationAuthorizationAdviceVoter(PreInvocationAuthorizationAdvice pre) { + this.preAdvice = pre; + } + + public boolean supports(ConfigAttribute attribute) { + return attribute instanceof PreInvocationAuthorizationAdvice; + } + + public boolean supports(Class clazz) { + return clazz.isAssignableFrom(MethodInvocation.class); + } + + public int vote(Authentication authentication, Object object, List attributes) { + + // Find prefilter and preauth (or combined) attributes + // if both null, abstain + // else call advice with them + + PreInvocationAttribute preAttr = findPreInvocationAttribute(attributes); + + if (preAttr == null) { + // No expression based metadata, so abstain + return ACCESS_ABSTAIN; + } + + boolean allowed = preAdvice.before(authentication, (MethodInvocation)object, preAttr); + + return allowed ? ACCESS_GRANTED : ACCESS_DENIED; + } + + private PreInvocationAttribute findPreInvocationAttribute(List config) { + for (ConfigAttribute attribute : config) { + if (attribute instanceof PreInvocationAttribute) { + return (PreInvocationAttribute)attribute; + } + } + + return null; + } +} diff --git a/core/src/main/java/org/springframework/security/access/expression/method/ExpressionAnnotationMethodSecurityMetadataSource.java b/core/src/main/java/org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource.java similarity index 58% rename from core/src/main/java/org/springframework/security/access/expression/method/ExpressionAnnotationMethodSecurityMetadataSource.java rename to core/src/main/java/org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource.java index 81cb45fbe0..eaab8d0f12 100644 --- a/core/src/main/java/org/springframework/security/access/expression/method/ExpressionAnnotationMethodSecurityMetadataSource.java +++ b/core/src/main/java/org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource.java @@ -1,4 +1,4 @@ -package org.springframework.security.access.expression.method; +package org.springframework.security.access.prepost; import java.lang.annotation.Annotation; import java.lang.reflect.Method; @@ -7,22 +7,15 @@ import java.util.Collection; import java.util.List; import org.springframework.core.annotation.AnnotationUtils; -import org.springframework.expression.Expression; -import org.springframework.expression.ExpressionParser; -import org.springframework.expression.ParseException; -import org.springframework.expression.spel.antlr.SpelAntlrExpressionParser; import org.springframework.security.access.ConfigAttribute; -import org.springframework.security.access.expression.MethodSecurityExpressionHandler; -import org.springframework.security.access.expression.annotation.PostAuthorize; -import org.springframework.security.access.expression.annotation.PostFilter; -import org.springframework.security.access.expression.annotation.PreAuthorize; -import org.springframework.security.access.expression.annotation.PreFilter; import org.springframework.security.access.intercept.method.AbstractMethodSecurityMetadataSource; import org.springframework.util.ClassUtils; /** * MethodSecurityMetadataSource which extracts metadata from the @PreFilter and @PreAuthorize annotations - * placed on a method. The metadata is encapsulated in a {@link AbstractExpressionBasedMethodConfigAttribute} instance. + * placed on a method. This class is merely responsible for locating the relevant annotations (if any). It delegates + * the actual ConfigAttribute creation to its {@link PrePostInvocationAttributeFactory}, thus + * decoupling itself from the mechanism which will enforce the annotations' behaviour. *

* Annotations may be specified on classes or methods, and method-specific annotations will take precedence. * If you use any annotation and do not specify a pre-authorization condition, then the method will be @@ -31,25 +24,18 @@ import org.springframework.util.ClassUtils; * Since we are handling multiple annotations here, it's possible that we may have to combine annotations defined in * multiple locations for a single method - they may be defined on the method itself, or at interface or class level. * - * @see MethodExpressionVoter + * @see PreInvocationAuthorizationAdviceVoter * * @author Luke Taylor - * @since 2.5 + * @since 3.0 * @version $Id$ */ -public class ExpressionAnnotationMethodSecurityMetadataSource extends AbstractMethodSecurityMetadataSource { - private ExpressionParser parser; +public class PrePostAnnotationSecurityMetadataSource extends AbstractMethodSecurityMetadataSource { - public ExpressionAnnotationMethodSecurityMetadataSource() { - parser = new SpelAntlrExpressionParser(); - } + private final PrePostInvocationAttributeFactory attributeFactory; - /** - * Constructor which obtains the expression parser from the {@link MethodSecurityExpressionHandler#getExpressionParser() } - * method on the supplied SecurityExpressionHandler. - */ - public ExpressionAnnotationMethodSecurityMetadataSource(MethodSecurityExpressionHandler handler) { - parser = handler.getExpressionParser(); + public PrePostAnnotationSecurityMetadataSource(PrePostInvocationAttributeFactory attributeFactory) { + this.attributeFactory = attributeFactory; } public List getAttributes(Method method, Class targetClass) { @@ -57,7 +43,7 @@ public class ExpressionAnnotationMethodSecurityMetadataSource extends AbstractMe return null; } - logger.trace("Looking for expression annotations for method '" + + logger.trace("Looking for Pre/Post annotations for method '" + method.getName() + "' on target class '" + targetClass + "'"); PreFilter preFilter = findAnnotation(method, targetClass, PreFilter.class); PreAuthorize preAuthorize = findAnnotation(method, targetClass, PreAuthorize.class); @@ -71,7 +57,27 @@ public class ExpressionAnnotationMethodSecurityMetadataSource extends AbstractMe return null; } - return createAttributeList(preFilter, preAuthorize, postFilter, postAuthorize); + ArrayList attrs = new ArrayList(); + + PreInvocationAttribute pre = attributeFactory.createPreInvocationAttribute(preFilter, preAuthorize); + + if (pre != null) { + attrs.add(pre); + } + + PostInvocationAttribute post = attributeFactory.createPostInvocationAttribute(postFilter, postAuthorize); + + if (post != null) { + attrs.add(post); + } + + attrs.trimToSize(); + + return attrs.isEmpty() ? null : attrs; + } + + public Collection getAllConfigAttributes() { + return null; } /** @@ -121,40 +127,4 @@ public class ExpressionAnnotationMethodSecurityMetadataSource extends AbstractMe return null; } - public Collection getAllConfigAttributes() { - return null; - } - - private List createAttributeList(PreFilter preFilter, PreAuthorize preAuthorize, - PostFilter postFilter, PostAuthorize postAuthorize) { - ConfigAttribute pre = null; - ConfigAttribute post = null; - - // TODO: Optimization of permitAll - try { - Expression preAuthorizeExpression = preAuthorize == null ? parser.parseExpression("permitAll") : parser.parseExpression(preAuthorize.value()); - Expression preFilterExpression = preFilter == null ? null : parser.parseExpression(preFilter.value()); - String filterObject = preFilter == null ? null : preFilter.filterTarget(); - Expression postAuthorizeExpression = postAuthorize == null ? null : parser.parseExpression(postAuthorize.value()); - Expression postFilterExpression = postFilter == null ? null : parser.parseExpression(postFilter.value()); - - pre = new PreInvocationExpressionAttribute(preFilterExpression, filterObject, preAuthorizeExpression); - if (postFilterExpression != null || postAuthorizeExpression != null) { - post = new PostInvocationExpressionAttribute(postFilterExpression, postAuthorizeExpression); - } - } catch (ParseException e) { - throw new IllegalArgumentException("Failed to parse expression '" + e.getExpressionString() + "'", e); - } - - List attrs = new ArrayList(2); - if (pre != null) { - attrs.add(pre); - } - - if (post != null) { - attrs.add(post); - } - - return attrs; - } } diff --git a/core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java b/core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java new file mode 100644 index 0000000000..5162d116e7 --- /dev/null +++ b/core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java @@ -0,0 +1,14 @@ +package org.springframework.security.access.prepost; + +/** + * + * @author Luke Taylor + * @version $Id$ + * @since 3.0 + */ +public interface PrePostInvocationAttributeFactory { + + PreInvocationAttribute createPreInvocationAttribute(PreFilter preFilter, PreAuthorize preAuthorize); + + PostInvocationAttribute createPostInvocationAttribute(PostFilter postFilter, PostAuthorize postAuthorize); +} diff --git a/core/src/main/java/org/springframework/security/access/prepost/package.html b/core/src/main/java/org/springframework/security/access/prepost/package.html new file mode 100644 index 0000000000..1736197f5f --- /dev/null +++ b/core/src/main/java/org/springframework/security/access/prepost/package.html @@ -0,0 +1,6 @@ +

+Contains the infrastructure classes for handling the @PreAuthorize, @PreFilter, @PostAuthorize and +@PostFilter annotations. +

+Other than the annotations themselves, the classes should be regarded as for internal framework use and +are liable to change without notice. diff --git a/core/src/main/java/org/springframework/security/authentication/dao/salt/ReflectionSaltSource.java b/core/src/main/java/org/springframework/security/authentication/dao/ReflectionSaltSource.java similarity index 97% rename from core/src/main/java/org/springframework/security/authentication/dao/salt/ReflectionSaltSource.java rename to core/src/main/java/org/springframework/security/authentication/dao/ReflectionSaltSource.java index bb5406530e..b48b24be44 100644 --- a/core/src/main/java/org/springframework/security/authentication/dao/salt/ReflectionSaltSource.java +++ b/core/src/main/java/org/springframework/security/authentication/dao/ReflectionSaltSource.java @@ -13,11 +13,10 @@ * limitations under the License. */ -package org.springframework.security.authentication.dao.salt; +package org.springframework.security.authentication.dao; import org.springframework.security.authentication.AuthenticationServiceException; -import org.springframework.security.authentication.dao.SaltSource; import org.springframework.security.core.userdetails.UserDetails; diff --git a/core/src/main/java/org/springframework/security/authentication/dao/salt/SystemWideSaltSource.java b/core/src/main/java/org/springframework/security/authentication/dao/SystemWideSaltSource.java similarity index 94% rename from core/src/main/java/org/springframework/security/authentication/dao/salt/SystemWideSaltSource.java rename to core/src/main/java/org/springframework/security/authentication/dao/SystemWideSaltSource.java index dad98b1458..d29fa9b311 100644 --- a/core/src/main/java/org/springframework/security/authentication/dao/salt/SystemWideSaltSource.java +++ b/core/src/main/java/org/springframework/security/authentication/dao/SystemWideSaltSource.java @@ -13,9 +13,8 @@ * limitations under the License. */ -package org.springframework.security.authentication.dao.salt; +package org.springframework.security.authentication.dao; -import org.springframework.security.authentication.dao.SaltSource; import org.springframework.security.core.userdetails.UserDetails; diff --git a/core/src/main/java/org/springframework/security/authentication/dao/salt/package.html b/core/src/main/java/org/springframework/security/authentication/dao/salt/package.html deleted file mode 100644 index 8f240835e6..0000000000 --- a/core/src/main/java/org/springframework/security/authentication/dao/salt/package.html +++ /dev/null @@ -1,5 +0,0 @@ - - -Implementations that provide salts for more secure password encoding. - - diff --git a/core/src/main/java/org/springframework/security/core/session/SessionCreationEvent.java b/core/src/main/java/org/springframework/security/core/session/SessionCreationEvent.java index 4b20f2b8c5..600990b036 100644 --- a/core/src/main/java/org/springframework/security/core/session/SessionCreationEvent.java +++ b/core/src/main/java/org/springframework/security/core/session/SessionCreationEvent.java @@ -8,7 +8,7 @@ import org.springframework.context.ApplicationEvent; * * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since 3.0 */ public abstract class SessionCreationEvent extends ApplicationEvent { diff --git a/core/src/main/java/org/springframework/security/core/session/SessionDestroyedEvent.java b/core/src/main/java/org/springframework/security/core/session/SessionDestroyedEvent.java index c66b8f938c..76b77e1fb6 100644 --- a/core/src/main/java/org/springframework/security/core/session/SessionDestroyedEvent.java +++ b/core/src/main/java/org/springframework/security/core/session/SessionDestroyedEvent.java @@ -9,7 +9,7 @@ import org.springframework.security.core.context.SecurityContext; * * @author Luke Taylor * @version $Id$ - * @since 2.5 + * @since 3.0 */ public abstract class SessionDestroyedEvent extends ApplicationEvent { diff --git a/core/src/test/java/org/springframework/security/access/annotation/BusinessService.java b/core/src/test/java/org/springframework/security/access/annotation/BusinessService.java index f54794cae5..52cc679ff1 100644 --- a/core/src/test/java/org/springframework/security/access/annotation/BusinessService.java +++ b/core/src/test/java/org/springframework/security/access/annotation/BusinessService.java @@ -21,7 +21,7 @@ import javax.annotation.security.RolesAllowed; import javax.annotation.security.PermitAll; import org.springframework.security.access.annotation.Secured; -import org.springframework.security.access.expression.annotation.PreAuthorize; +import org.springframework.security.access.prepost.PreAuthorize; /** * @version $Id$ diff --git a/core/src/test/java/org/springframework/security/access/annotation/ExpressionProtectedBusinessServiceImpl.java b/core/src/test/java/org/springframework/security/access/annotation/ExpressionProtectedBusinessServiceImpl.java index 1563ff31c4..2a8f6f91b4 100644 --- a/core/src/test/java/org/springframework/security/access/annotation/ExpressionProtectedBusinessServiceImpl.java +++ b/core/src/test/java/org/springframework/security/access/annotation/ExpressionProtectedBusinessServiceImpl.java @@ -3,8 +3,9 @@ package org.springframework.security.access.annotation; import java.util.ArrayList; import java.util.List; -import org.springframework.security.access.expression.annotation.PostFilter; -import org.springframework.security.access.expression.annotation.PreFilter; +import org.springframework.security.access.prepost.PostFilter; +import org.springframework.security.access.prepost.PreFilter; + public class ExpressionProtectedBusinessServiceImpl implements BusinessService { diff --git a/core/src/test/java/org/springframework/security/access/annotation/Jsr250BusinessServiceImpl.java b/core/src/test/java/org/springframework/security/access/annotation/Jsr250BusinessServiceImpl.java index 8bd0e41452..7077359161 100644 --- a/core/src/test/java/org/springframework/security/access/annotation/Jsr250BusinessServiceImpl.java +++ b/core/src/test/java/org/springframework/security/access/annotation/Jsr250BusinessServiceImpl.java @@ -6,6 +6,7 @@ import java.util.List; import javax.annotation.security.RolesAllowed; import javax.annotation.security.PermitAll; + /** * * @author Luke Taylor diff --git a/core/src/test/java/org/springframework/security/access/annotation/SecuredMethodDefinitionSourceTests.java b/core/src/test/java/org/springframework/security/access/annotation/SecuredAnnotationSecurityMetadataDefinitionSourceTests.java similarity index 91% rename from core/src/test/java/org/springframework/security/access/annotation/SecuredMethodDefinitionSourceTests.java rename to core/src/test/java/org/springframework/security/access/annotation/SecuredAnnotationSecurityMetadataDefinitionSourceTests.java index 028ad2b914..54556eb0b2 100644 --- a/core/src/test/java/org/springframework/security/access/annotation/SecuredMethodDefinitionSourceTests.java +++ b/core/src/test/java/org/springframework/security/access/annotation/SecuredAnnotationSecurityMetadataDefinitionSourceTests.java @@ -23,23 +23,23 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.SecurityConfig; -import org.springframework.security.access.annotation.SecuredMethodSecurityMetadataSource; +import org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource; import org.springframework.util.StringUtils; /** - * Tests for {@link org.springframework.security.access.annotation.SecuredMethodSecurityMetadataSource} + * Tests for {@link org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource} * * @author Mark St.Godard * @author Joe Scalise * @author Ben Alex * @version $Id$ */ -public class SecuredMethodDefinitionSourceTests extends TestCase { +public class SecuredAnnotationSecurityMetadataDefinitionSourceTests extends TestCase { //~ Instance fields ================================================================================================ - private SecuredMethodSecurityMetadataSource mds = new SecuredMethodSecurityMetadataSource();; - private Log logger = LogFactory.getLog(SecuredMethodDefinitionSourceTests.class); + private SecuredAnnotationSecurityMetadataSource mds = new SecuredAnnotationSecurityMetadataSource();; + private Log logger = LogFactory.getLog(SecuredAnnotationSecurityMetadataDefinitionSourceTests.class); //~ Methods ======================================================================================================== diff --git a/core/src/test/java/org/springframework/security/access/expression/method/MethodExpressionVoterTests.java b/core/src/test/java/org/springframework/security/access/expression/method/MethodExpressionVoterTests.java index 8f74490b14..069c2e4c26 100644 --- a/core/src/test/java/org/springframework/security/access/expression/method/MethodExpressionVoterTests.java +++ b/core/src/test/java/org/springframework/security/access/expression/method/MethodExpressionVoterTests.java @@ -11,8 +11,8 @@ import java.util.List; import org.aopalliance.intercept.MethodInvocation; import org.junit.Test; import org.springframework.security.access.ConfigAttribute; -import org.springframework.security.access.expression.method.MethodExpressionVoter; import org.springframework.security.access.expression.method.PreInvocationExpressionAttribute; +import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter; import org.springframework.security.access.vote.AccessDecisionVoter; import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.util.SimpleMethodInvocation; @@ -20,7 +20,8 @@ import org.springframework.security.util.SimpleMethodInvocation; @SuppressWarnings("unchecked") public class MethodExpressionVoterTests { private TestingAuthenticationToken joe = new TestingAuthenticationToken("joe", "joespass", "blah"); - private MethodExpressionVoter am = new MethodExpressionVoter(); + private PreInvocationAuthorizationAdviceVoter am = + new PreInvocationAuthorizationAdviceVoter(new ExpressionBasedPreInvocationAdvice()); @Test public void hasRoleExpressionAllowsUserWithRole() throws Exception { diff --git a/core/src/test/java/org/springframework/security/access/expression/support/MethodSecurityExpressionRootTests.java b/core/src/test/java/org/springframework/security/access/expression/method/MethodSecurityExpressionRootTests.java similarity index 95% rename from core/src/test/java/org/springframework/security/access/expression/support/MethodSecurityExpressionRootTests.java rename to core/src/test/java/org/springframework/security/access/expression/method/MethodSecurityExpressionRootTests.java index 77e69b0b77..504af7dca9 100644 --- a/core/src/test/java/org/springframework/security/access/expression/support/MethodSecurityExpressionRootTests.java +++ b/core/src/test/java/org/springframework/security/access/expression/method/MethodSecurityExpressionRootTests.java @@ -1,4 +1,4 @@ -package org.springframework.security.access.expression.support; +package org.springframework.security.access.expression.method; import static org.junit.Assert.*; @@ -9,9 +9,9 @@ import org.junit.Test; import org.springframework.expression.Expression; import org.springframework.expression.spel.antlr.SpelAntlrExpressionParser; import org.springframework.expression.spel.support.StandardEvaluationContext; +import org.springframework.security.access.PermissionEvaluator; import org.springframework.security.access.expression.ExpressionUtils; -import org.springframework.security.access.expression.PermissionEvaluator; -import org.springframework.security.access.expression.support.MethodSecurityExpressionRoot; +import org.springframework.security.access.expression.method.MethodSecurityExpressionRoot; import org.springframework.security.authentication.AuthenticationTrustResolver; import org.springframework.security.core.Authentication; diff --git a/core/src/test/java/org/springframework/security/access/expression/method/ExpressionAnnotationMethodDefinitionSourceTests.java b/core/src/test/java/org/springframework/security/access/expression/method/PrePostAnnotationSecurityMetadataSourceTests.java similarity index 90% rename from core/src/test/java/org/springframework/security/access/expression/method/ExpressionAnnotationMethodDefinitionSourceTests.java rename to core/src/test/java/org/springframework/security/access/expression/method/PrePostAnnotationSecurityMetadataSourceTests.java index 420c14b87d..bac79a3786 100644 --- a/core/src/test/java/org/springframework/security/access/expression/method/ExpressionAnnotationMethodDefinitionSourceTests.java +++ b/core/src/test/java/org/springframework/security/access/expression/method/PrePostAnnotationSecurityMetadataSourceTests.java @@ -7,18 +7,22 @@ import java.util.List; import org.junit.Before; import org.junit.Test; import org.springframework.security.access.ConfigAttribute; -import org.springframework.security.access.expression.annotation.PostAuthorize; -import org.springframework.security.access.expression.annotation.PostFilter; -import org.springframework.security.access.expression.annotation.PreAuthorize; -import org.springframework.security.access.expression.annotation.PreFilter; -import org.springframework.security.access.expression.method.ExpressionAnnotationMethodSecurityMetadataSource; -import org.springframework.security.access.expression.method.PostInvocationExpressionAttribute; -import org.springframework.security.access.expression.method.PreInvocationExpressionAttribute; import org.springframework.security.access.intercept.method.MockMethodInvocation; +import org.springframework.security.access.prepost.PostAuthorize; +import org.springframework.security.access.prepost.PostFilter; +import org.springframework.security.access.prepost.PreAuthorize; +import org.springframework.security.access.prepost.PreFilter; +import org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource; - -public class ExpressionAnnotationMethodDefinitionSourceTests { - private ExpressionAnnotationMethodSecurityMetadataSource mds = new ExpressionAnnotationMethodSecurityMetadataSource(); +/** + * + * @author Luke Taylor + * @version $Id$ + * @since 3.0 + */ +public class PrePostAnnotationSecurityMetadataSourceTests { + private PrePostAnnotationSecurityMetadataSource mds = + new PrePostAnnotationSecurityMetadataSource(new ExpressionBasedAnnotationAttributeFactory(new DefaultMethodSecurityExpressionHandler())); private MockMethodInvocation voidImpl1; private MockMethodInvocation voidImpl2; diff --git a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java index 2950b16a77..7f6e232876 100644 --- a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java +++ b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java @@ -29,7 +29,6 @@ import org.springframework.security.authentication.LockedException; import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; -import org.springframework.security.authentication.dao.salt.SystemWideSaltSource; import org.springframework.security.authentication.encoding.ShaPasswordEncoder; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; diff --git a/core/src/test/java/org/springframework/security/authentication/dao/salt/ReflectionSaltSourceTests.java b/core/src/test/java/org/springframework/security/authentication/dao/salt/ReflectionSaltSourceTests.java index 6f33b570a3..483c68bb23 100644 --- a/core/src/test/java/org/springframework/security/authentication/dao/salt/ReflectionSaltSourceTests.java +++ b/core/src/test/java/org/springframework/security/authentication/dao/salt/ReflectionSaltSourceTests.java @@ -19,7 +19,7 @@ import static junit.framework.Assert.assertEquals; import org.junit.Test; import org.springframework.security.authentication.AuthenticationServiceException; -import org.springframework.security.authentication.dao.salt.ReflectionSaltSource; +import org.springframework.security.authentication.dao.ReflectionSaltSource; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; diff --git a/core/src/test/java/org/springframework/security/authentication/dao/salt/SystemWideSaltSourceTests.java b/core/src/test/java/org/springframework/security/authentication/dao/salt/SystemWideSaltSourceTests.java index 2756cbda43..2a46b57007 100644 --- a/core/src/test/java/org/springframework/security/authentication/dao/salt/SystemWideSaltSourceTests.java +++ b/core/src/test/java/org/springframework/security/authentication/dao/salt/SystemWideSaltSourceTests.java @@ -15,7 +15,7 @@ package org.springframework.security.authentication.dao.salt; -import org.springframework.security.authentication.dao.salt.SystemWideSaltSource; +import org.springframework.security.authentication.dao.SystemWideSaltSource; import junit.framework.TestCase; diff --git a/core/src/test/resources/someMethod.py b/core/src/test/resources/someMethod.py new file mode 100644 index 0000000000..f19e66bfa3 --- /dev/null +++ b/core/src/test/resources/someMethod.py @@ -0,0 +1,9 @@ + +print authentication.name; + +for authority in authentication.authorities: + print authority + +print "Granting access" + +allow = 1 diff --git a/itest/context/pom.xml b/itest/context/pom.xml index 35f73c463e..074fa32894 100644 --- a/itest/context/pom.xml +++ b/itest/context/pom.xml @@ -17,5 +17,10 @@ 2.4 test + + jython + jython + 2.1 + diff --git a/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPostInvocationAdvice.java b/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPostInvocationAdvice.java new file mode 100644 index 0000000000..dd665ff0be --- /dev/null +++ b/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPostInvocationAdvice.java @@ -0,0 +1,15 @@ +package org.springframework.security.integration.python; + +import org.aopalliance.intercept.MethodInvocation; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.prepost.PostInvocationAttribute; +import org.springframework.security.access.prepost.PostInvocationAuthorizationAdvice; +import org.springframework.security.core.Authentication; + +public class PythonInterpreterPostInvocationAdvice implements PostInvocationAuthorizationAdvice{ + + public Object after(Authentication authentication, MethodInvocation mi, PostInvocationAttribute pia, + Object returnedObject) throws AccessDeniedException { + return returnedObject; + } +} diff --git a/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPreInvocationAdvice.java b/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPreInvocationAdvice.java new file mode 100644 index 0000000000..80aa81c7e6 --- /dev/null +++ b/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPreInvocationAdvice.java @@ -0,0 +1,62 @@ +package org.springframework.security.integration.python; + +import java.io.IOException; +import java.lang.reflect.Method; +import java.util.HashMap; +import java.util.Map; + +import org.aopalliance.intercept.MethodInvocation; +import org.python.core.Py; +import org.python.core.PyObject; +import org.python.util.PythonInterpreter; +import org.springframework.core.LocalVariableTableParameterNameDiscoverer; +import org.springframework.core.ParameterNameDiscoverer; +import org.springframework.core.io.Resource; +import org.springframework.core.io.support.PathMatchingResourcePatternResolver; +import org.springframework.security.access.prepost.PreInvocationAttribute; +import org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice; +import org.springframework.security.core.Authentication; +import org.springframework.util.ClassUtils; + +public class PythonInterpreterPreInvocationAdvice implements PreInvocationAuthorizationAdvice{ + private ParameterNameDiscoverer parameterNameDiscoverer = new LocalVariableTableParameterNameDiscoverer(); + + public boolean before(Authentication authentication, MethodInvocation mi, PreInvocationAttribute preAttr) { + PythonInterpreterPreInvocationAttribute pythonAttr = (PythonInterpreterPreInvocationAttribute) preAttr; + String script = pythonAttr.getScript(); + + PythonInterpreter python = new PythonInterpreter(); + python.set("authentication", authentication); + python.set("args", createArgumentMap(mi)); + python.set("method", mi.getMethod().getName()); + Resource scriptResource = new PathMatchingResourcePatternResolver().getResource(script); + + try { + python.execfile(scriptResource.getInputStream()); + } catch (IOException e) { + throw new IllegalArgumentException("Couldn't run python script, " + script, e); + } + + PyObject allowed = python.get("allow"); + + if (allowed == null) { + throw new IllegalStateException("Python script did not set the permit flag"); + } + + return Py.tojava(allowed, Boolean.class); + } + + private Map createArgumentMap(MethodInvocation mi) { + Object[] args = mi.getArguments(); + Object targetObject = mi.getThis(); + Method method = ClassUtils.getMostSpecificMethod(mi.getMethod(), targetObject.getClass()); + String[] paramNames = parameterNameDiscoverer.getParameterNames(method); + + Map argMap = new HashMap(); + for(int i=0; i < args.length; i++) { + argMap.put(paramNames[i], args[i]); + } + + return argMap; + } +} diff --git a/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPreInvocationAttribute.java b/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPreInvocationAttribute.java new file mode 100644 index 0000000000..a1500810ba --- /dev/null +++ b/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPreInvocationAttribute.java @@ -0,0 +1,19 @@ +package org.springframework.security.integration.python; + +import org.springframework.security.access.prepost.PreInvocationAttribute; + +public class PythonInterpreterPreInvocationAttribute implements PreInvocationAttribute { + private String script; + + PythonInterpreterPreInvocationAttribute(String script) { + this.script = script; + } + + public String getAttribute() { + return null; + } + + public String getScript() { + return script; + } +} diff --git a/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPrePostInvocationAttributeFactory.java b/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPrePostInvocationAttributeFactory.java new file mode 100644 index 0000000000..70f15f5dc9 --- /dev/null +++ b/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPrePostInvocationAttributeFactory.java @@ -0,0 +1,26 @@ +package org.springframework.security.integration.python; + +import org.python.util.PythonInterpreter; +import org.springframework.security.access.prepost.PostAuthorize; +import org.springframework.security.access.prepost.PostFilter; +import org.springframework.security.access.prepost.PostInvocationAttribute; +import org.springframework.security.access.prepost.PreAuthorize; +import org.springframework.security.access.prepost.PreFilter; +import org.springframework.security.access.prepost.PreInvocationAttribute; +import org.springframework.security.access.prepost.PrePostInvocationAttributeFactory; + +public class PythonInterpreterPrePostInvocationAttributeFactory implements PrePostInvocationAttributeFactory{ + + public PythonInterpreterPrePostInvocationAttributeFactory() { + PythonInterpreter.initialize(System.getProperties(), null, new String[] {}); + } + + + public PreInvocationAttribute createPreInvocationAttribute(PreFilter preFilter, PreAuthorize preAuthorize) { + return new PythonInterpreterPreInvocationAttribute(preAuthorize.value()); + } + + public PostInvocationAttribute createPostInvocationAttribute(PostFilter postFilter, PostAuthorize postAuthorize) { + return null; + } +} diff --git a/itest/context/src/main/java/org/springframework/security/integration/python/TestService.java b/itest/context/src/main/java/org/springframework/security/integration/python/TestService.java new file mode 100644 index 0000000000..8786fd5d2f --- /dev/null +++ b/itest/context/src/main/java/org/springframework/security/integration/python/TestService.java @@ -0,0 +1,10 @@ +package org.springframework.security.integration.python; + +import org.springframework.security.access.prepost.PreAuthorize; + +public interface TestService { + + @PreAuthorize("someMethod.py") + public void someMethod(); + +} diff --git a/itest/context/src/main/java/org/springframework/security/integration/python/TestServiceImpl.java b/itest/context/src/main/java/org/springframework/security/integration/python/TestServiceImpl.java new file mode 100644 index 0000000000..f8f3530fdb --- /dev/null +++ b/itest/context/src/main/java/org/springframework/security/integration/python/TestServiceImpl.java @@ -0,0 +1,9 @@ +package org.springframework.security.integration.python; + +public class TestServiceImpl implements TestService { + + public void someMethod() { + System.out.print("Invoked someMethod()"); + } + +} diff --git a/itest/context/src/test/java/org/springframework/security/integration/python/PythonInterpreterBasedSecurityTests.java b/itest/context/src/test/java/org/springframework/security/integration/python/PythonInterpreterBasedSecurityTests.java new file mode 100644 index 0000000000..e93f623fe8 --- /dev/null +++ b/itest/context/src/test/java/org/springframework/security/integration/python/PythonInterpreterBasedSecurityTests.java @@ -0,0 +1,26 @@ +package org.springframework.security.integration.python; + +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +@ContextConfiguration(locations={"/python-method-access-app-context.xml"}) +@RunWith(SpringJUnit4ClassRunner.class) +public class PythonInterpreterBasedSecurityTests { + + @Autowired + private TestService service; + + @Test + public void serviceMethod() throws Exception { + SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("bob","bobspassword")); + +// for (int i=0; i < 1000; i++) { + service.someMethod(); +// } + } +} diff --git a/itest/context/src/test/resources/python-method-access-app-context.xml b/itest/context/src/test/resources/python-method-access-app-context.xml new file mode 100755 index 0000000000..95266d00aa --- /dev/null +++ b/itest/context/src/test/resources/python-method-access-app-context.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + + + + + diff --git a/itest/context/src/test/resources/sec-933-app-context.xml b/itest/context/src/test/resources/sec-933-app-context.xml index 47962f22f8..1f6da97afe 100755 --- a/itest/context/src/test/resources/sec-933-app-context.xml +++ b/itest/context/src/test/resources/sec-933-app-context.xml @@ -1,30 +1,30 @@ + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:aop="http://www.springframework.org/schema/aop" + xmlns:tx="http://www.springframework.org/schema/tx" + xmlns:security="http://www.springframework.org/schema/security" + xsi:schemaLocation=" + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd + http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.5.xsd + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> - + - - - - - + - - - - - - - \ No newline at end of file + + + + + + + + + + + diff --git a/itest/context/src/test/resources/sec-936-app-context.xml b/itest/context/src/test/resources/sec-936-app-context.xml index 228534d266..de1509ffb2 100755 --- a/itest/context/src/test/resources/sec-936-app-context.xml +++ b/itest/context/src/test/resources/sec-936-app-context.xml @@ -5,7 +5,7 @@ xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.5.xsd - http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.2.xsd"> + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> diff --git a/samples/cas/client/src/main/webapp/WEB-INF/applicationContext-security.xml b/samples/cas/client/src/main/webapp/WEB-INF/applicationContext-security.xml index bbbb04f8be..0f4f0283cd 100644 --- a/samples/cas/client/src/main/webapp/WEB-INF/applicationContext-security.xml +++ b/samples/cas/client/src/main/webapp/WEB-INF/applicationContext-security.xml @@ -4,7 +4,7 @@ xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd - http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd"> + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> diff --git a/samples/contacts/src/main/java/sample/contact/AdminPermissionController.java b/samples/contacts/src/main/java/sample/contact/AdminPermissionController.java index e1815ec044..85bc7ebeb8 100644 --- a/samples/contacts/src/main/java/sample/contact/AdminPermissionController.java +++ b/samples/contacts/src/main/java/sample/contact/AdminPermissionController.java @@ -9,13 +9,13 @@ import org.springframework.context.MessageSource; import org.springframework.context.MessageSourceAware; import org.springframework.context.support.MessageSourceAccessor; import org.springframework.dao.DataAccessException; -import org.springframework.security.acls.Acl; -import org.springframework.security.acls.AclService; -import org.springframework.security.acls.Permission; import org.springframework.security.acls.domain.BasePermission; -import org.springframework.security.acls.objectidentity.ObjectIdentityImpl; -import org.springframework.security.acls.sid.PrincipalSid; -import org.springframework.security.acls.sid.Sid; +import org.springframework.security.acls.domain.ObjectIdentityImpl; +import org.springframework.security.acls.domain.PrincipalSid; +import org.springframework.security.acls.model.Acl; +import org.springframework.security.acls.model.AclService; +import org.springframework.security.acls.model.Permission; +import org.springframework.security.acls.model.Sid; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.validation.BindingResult; diff --git a/samples/contacts/src/main/java/sample/contact/ContactManager.java b/samples/contacts/src/main/java/sample/contact/ContactManager.java index 965c4d2302..ea9a4c3039 100644 --- a/samples/contacts/src/main/java/sample/contact/ContactManager.java +++ b/samples/contacts/src/main/java/sample/contact/ContactManager.java @@ -14,10 +14,10 @@ */ package sample.contact; -import org.springframework.security.access.expression.annotation.PostFilter; -import org.springframework.security.access.expression.annotation.PreAuthorize; -import org.springframework.security.acls.Permission; -import org.springframework.security.acls.sid.Sid; +import org.springframework.security.access.prepost.PostFilter; +import org.springframework.security.access.prepost.PreAuthorize; +import org.springframework.security.acls.model.Permission; +import org.springframework.security.acls.model.Sid; import java.util.List; diff --git a/samples/contacts/src/main/java/sample/contact/ContactManagerBackend.java b/samples/contacts/src/main/java/sample/contact/ContactManagerBackend.java index c82940a8db..62a7168edf 100644 --- a/samples/contacts/src/main/java/sample/contact/ContactManagerBackend.java +++ b/samples/contacts/src/main/java/sample/contact/ContactManagerBackend.java @@ -15,16 +15,16 @@ package sample.contact; -import org.springframework.security.acls.AccessControlEntry; -import org.springframework.security.acls.MutableAcl; -import org.springframework.security.acls.MutableAclService; -import org.springframework.security.acls.NotFoundException; -import org.springframework.security.acls.Permission; import org.springframework.security.acls.domain.BasePermission; -import org.springframework.security.acls.objectidentity.ObjectIdentity; -import org.springframework.security.acls.objectidentity.ObjectIdentityImpl; -import org.springframework.security.acls.sid.PrincipalSid; -import org.springframework.security.acls.sid.Sid; +import org.springframework.security.acls.domain.ObjectIdentityImpl; +import org.springframework.security.acls.domain.PrincipalSid; +import org.springframework.security.acls.model.AccessControlEntry; +import org.springframework.security.acls.model.MutableAcl; +import org.springframework.security.acls.model.MutableAclService; +import org.springframework.security.acls.model.NotFoundException; +import org.springframework.security.acls.model.ObjectIdentity; +import org.springframework.security.acls.model.Permission; +import org.springframework.security.acls.model.Sid; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; diff --git a/samples/contacts/src/main/java/sample/contact/DataSourcePopulator.java b/samples/contacts/src/main/java/sample/contact/DataSourcePopulator.java index fc4bd133fe..8028c82743 100644 --- a/samples/contacts/src/main/java/sample/contact/DataSourcePopulator.java +++ b/samples/contacts/src/main/java/sample/contact/DataSourcePopulator.java @@ -20,14 +20,14 @@ import javax.sql.DataSource; import org.springframework.beans.factory.InitializingBean; import org.springframework.jdbc.core.JdbcTemplate; -import org.springframework.security.acls.MutableAcl; -import org.springframework.security.acls.MutableAclService; -import org.springframework.security.acls.Permission; import org.springframework.security.acls.domain.AclImpl; import org.springframework.security.acls.domain.BasePermission; -import org.springframework.security.acls.objectidentity.ObjectIdentity; -import org.springframework.security.acls.objectidentity.ObjectIdentityImpl; -import org.springframework.security.acls.sid.PrincipalSid; +import org.springframework.security.acls.domain.ObjectIdentityImpl; +import org.springframework.security.acls.domain.PrincipalSid; +import org.springframework.security.acls.model.MutableAcl; +import org.springframework.security.acls.model.MutableAclService; +import org.springframework.security.acls.model.ObjectIdentity; +import org.springframework.security.acls.model.Permission; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.authority.AuthorityUtils; diff --git a/samples/contacts/src/main/java/sample/contact/IndexController.java b/samples/contacts/src/main/java/sample/contact/IndexController.java index d6dde2eb23..5c1fec5347 100644 --- a/samples/contacts/src/main/java/sample/contact/IndexController.java +++ b/samples/contacts/src/main/java/sample/contact/IndexController.java @@ -5,10 +5,10 @@ import java.util.List; import java.util.Map; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.security.access.expression.PermissionEvaluator; -import org.springframework.security.acls.Permission; +import org.springframework.security.access.PermissionEvaluator; +import org.springframework.security.acls.AclPermissionEvaluator; import org.springframework.security.acls.domain.BasePermission; -import org.springframework.security.acls.expression.AclPermissionEvaluator; +import org.springframework.security.acls.model.Permission; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Controller; diff --git a/samples/contacts/src/main/webapp/WEB-INF/applicationContext-security.xml b/samples/contacts/src/main/webapp/WEB-INF/applicationContext-security.xml index cd0eb33ff8..8ca4184d6e 100644 --- a/samples/contacts/src/main/webapp/WEB-INF/applicationContext-security.xml +++ b/samples/contacts/src/main/webapp/WEB-INF/applicationContext-security.xml @@ -12,9 +12,9 @@ xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd - http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.5.xsd"> + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> - + @@ -48,12 +48,11 @@ - - + + + + + + - - - - - diff --git a/samples/contacts/src/test/java/sample/contact/ContactManagerTests.java b/samples/contacts/src/test/java/sample/contact/ContactManagerTests.java index 7ab83be829..339b85e28a 100644 --- a/samples/contacts/src/test/java/sample/contact/ContactManagerTests.java +++ b/samples/contacts/src/test/java/sample/contact/ContactManagerTests.java @@ -24,7 +24,7 @@ import org.junit.Test; import org.junit.runner.RunWith; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.acls.domain.BasePermission; -import org.springframework.security.acls.sid.PrincipalSid; +import org.springframework.security.acls.domain.PrincipalSid; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; diff --git a/samples/contacts/src/test/resources/applicationContext-contacts-test.xml b/samples/contacts/src/test/resources/applicationContext-contacts-test.xml index 77a5db5faf..5ec0ed0eba 100644 --- a/samples/contacts/src/test/resources/applicationContext-contacts-test.xml +++ b/samples/contacts/src/test/resources/applicationContext-contacts-test.xml @@ -11,25 +11,23 @@ xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd - http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.5.xsd"> + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> - + - - - - - - - - + + + + + + diff --git a/samples/dms/src/main/java/sample/dms/secured/SecureDataSourcePopulator.java b/samples/dms/src/main/java/sample/dms/secured/SecureDataSourcePopulator.java index 9981f62076..e927c5b07f 100755 --- a/samples/dms/src/main/java/sample/dms/secured/SecureDataSourcePopulator.java +++ b/samples/dms/src/main/java/sample/dms/secured/SecureDataSourcePopulator.java @@ -2,16 +2,16 @@ package sample.dms.secured; import javax.sql.DataSource; -import org.springframework.security.acls.MutableAcl; -import org.springframework.security.acls.MutableAclService; -import org.springframework.security.acls.NotFoundException; -import org.springframework.security.acls.Permission; import org.springframework.security.acls.domain.BasePermission; -import org.springframework.security.acls.objectidentity.ObjectIdentity; -import org.springframework.security.acls.objectidentity.ObjectIdentityImpl; -import org.springframework.security.acls.sid.GrantedAuthoritySid; -import org.springframework.security.acls.sid.PrincipalSid; -import org.springframework.security.acls.sid.Sid; +import org.springframework.security.acls.domain.GrantedAuthoritySid; +import org.springframework.security.acls.domain.ObjectIdentityImpl; +import org.springframework.security.acls.domain.PrincipalSid; +import org.springframework.security.acls.model.MutableAcl; +import org.springframework.security.acls.model.MutableAclService; +import org.springframework.security.acls.model.NotFoundException; +import org.springframework.security.acls.model.ObjectIdentity; +import org.springframework.security.acls.model.Permission; +import org.springframework.security.acls.model.Sid; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.transaction.PlatformTransactionManager; import org.springframework.util.Assert; diff --git a/samples/dms/src/main/java/sample/dms/secured/SecureDocumentDaoImpl.java b/samples/dms/src/main/java/sample/dms/secured/SecureDocumentDaoImpl.java index 7394bcaf56..5dcad03ab3 100755 --- a/samples/dms/src/main/java/sample/dms/secured/SecureDocumentDaoImpl.java +++ b/samples/dms/src/main/java/sample/dms/secured/SecureDocumentDaoImpl.java @@ -4,12 +4,12 @@ import java.sql.ResultSet; import java.sql.SQLException; import org.springframework.jdbc.core.RowMapper; -import org.springframework.security.acls.MutableAcl; -import org.springframework.security.acls.MutableAclService; import org.springframework.security.acls.domain.BasePermission; -import org.springframework.security.acls.objectidentity.ObjectIdentity; -import org.springframework.security.acls.objectidentity.ObjectIdentityImpl; -import org.springframework.security.acls.sid.PrincipalSid; +import org.springframework.security.acls.domain.ObjectIdentityImpl; +import org.springframework.security.acls.domain.PrincipalSid; +import org.springframework.security.acls.model.MutableAcl; +import org.springframework.security.acls.model.MutableAclService; +import org.springframework.security.acls.model.ObjectIdentity; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.util.Assert; diff --git a/samples/dms/src/main/resources/applicationContext-dms-secure.xml b/samples/dms/src/main/resources/applicationContext-dms-secure.xml index 83a400502d..a4a7d14332 100755 --- a/samples/dms/src/main/resources/applicationContext-dms-secure.xml +++ b/samples/dms/src/main/resources/applicationContext-dms-secure.xml @@ -24,8 +24,8 @@ sample.dms.secured.SecureDocumentDao.*=PROPAGATION_REQUIRED sample.dms.DocumentDao.*=PROPAGATION_REQUIRED - org.springframework.security.acls.AclService.*=PROPAGATION_REQUIRED - org.springframework.security.acls.MutableAclService.*=PROPAGATION_REQUIRED + org.springframework.security.acls.model.AclService.*=PROPAGATION_REQUIRED + org.springframework.security.acls.model.MutableAclService.*=PROPAGATION_REQUIRED org.springframework.security.acls.jdbc.JdbcMutableAclService.*=PROPAGATION_REQUIRED org.springframework.security.acls.jdbc.JdbcAclService.*=PROPAGATION_REQUIRED @@ -114,7 +114,7 @@ - + @@ -128,7 +128,7 @@ - + diff --git a/samples/tutorial/src/main/java/bigbank/BankService.java b/samples/tutorial/src/main/java/bigbank/BankService.java index 4eeb49e196..e9bbce0fc2 100644 --- a/samples/tutorial/src/main/java/bigbank/BankService.java +++ b/samples/tutorial/src/main/java/bigbank/BankService.java @@ -1,6 +1,6 @@ package bigbank; -import org.springframework.security.access.expression.annotation.PreAuthorize; +import org.springframework.security.access.prepost.PreAuthorize; public interface BankService { diff --git a/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml b/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml index a8a2e3178c..59504fd5aa 100644 --- a/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml +++ b/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml @@ -10,9 +10,9 @@ xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd - http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.5.xsd"> + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> - +