1
0
mirror of synced 2026-07-11 05:40:02 +00:00

Compare commits

...

16 Commits

Author SHA1 Message Date
Spring Buildmaster 3243a7cde2 Release version 3.2.9.RELEASE 2015-10-30 12:07:06 -07:00
Rob Winch 07848a1060 SEC-2848: LogoutConfigurer allows setting clearAuthentication 2015-10-30 13:56:07 -05:00
Rob Winch 8207a29e52 SEC-3135: antMatchers(<method>,new String[0]) now passive 2015-10-30 10:55:45 -05:00
Rob Winch 1c22ec19e6 SEC-3082: make SavedRequest parameters case sensitive 2015-10-29 16:52:10 -05:00
Rob Winch 56e41df964 SEC-3128: RoleVoter supports null Authentication 2015-10-29 14:04:55 -05:00
Rob Winch f232f5ef05 SEC-3135: antMatchers now allows method and no pattern
Previously, antMatchers(POST).authenticated() was not allowed. Instead
users had to use antMatchers(POST, "/**").authenticated().

Now we default the patterns to be "/**" if it is null or empty.
2015-10-29 12:58:40 -05:00
Rob Winch d467146e49 SEC-2190: Support WebApplicationContext in ServletContext 2015-10-28 15:52:05 -05:00
Rob Winch c64b80564e SEC-3108: DigestAuthenticationFilter should use SecurityContextHolder.createEmptyContext() 2015-10-27 14:00:02 -05:00
Rob Winch 90f230cbfa SEC-2521: Improve StandardPasswordEncoder performance 2015-10-27 11:25:31 -05:00
Rob Winch 4cc2ffaa2d SEC-3109: Fix web tests 2015-10-26 21:45:23 -05:00
Rob Winch a24065c361 SEC-3109: DelegatingSecurityContextExecutor fails with same Thread
Previously DelegatingSecurityContextRunnable and DelegatingSecurityContextCallable
would not setup the SecurityContext if it was on the same thread as it was created.
This was intended to fix SEC-3031 but simply caused more problems.

This commit changes the strategy to keep track of the previous SecurityContext
and restore it (or clear it out if it was originally empty).
2015-10-26 17:23:15 -05:00
Rob Winch 789d29b26b SEC-3057: Add *.txt to dist zip 2015-10-26 14:10:10 -05:00
Rob Winch 29632ee9ea SEC-3132: securityBuilder cannot be null
If a custom SecurityConfiguererAdapter applies another
SecurityConfigurerAdapter it caused an error securityBuilder cannot be null.

This commit fixes this.
2015-10-23 13:34:27 -05:00
Rob Winch 37aacc5e02 SEC-3070: Logout invalidate-session=false and Spring Session doesn't
work
2015-10-20 13:50:04 -05:00
Rob Winch 0284845289 SEC-3127: Upgrade to Powermock 1.6.2 2015-10-20 11:19:54 -05:00
Spring Buildmaster e6231584c8 Next development version 2015-07-22 22:00:32 -07:00
73 changed files with 1496 additions and 815 deletions
+3 -9
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-acl</name>
<description>spring-security-acl</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>aopalliance</groupId>
@@ -58,7 +52,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -138,7 +132,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+3 -9
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-aspects</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-aspects</name>
<description>spring-security-aspects</description>
<url>http://spring.io/spring-security</url>
@@ -42,17 +42,11 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -120,7 +114,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+1
View File
@@ -146,6 +146,7 @@ task dist(type: Zip) {
into(zipRootDir) {
from(rootDir) {
include '*.adoc'
include '*.txt'
}
into('docs') {
with(project(':docs').apiSpec)
+4 -10
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-cas</name>
<description>spring-security-cas</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.jasig.cas.client</groupId>
@@ -58,13 +52,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -138,7 +132,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+14 -20
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-config</name>
<description>spring-security-config</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>aopalliance</groupId>
@@ -58,7 +52,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -108,28 +102,28 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-aspects</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-openid</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
<optional>true</optional>
</dependency>
@@ -278,7 +272,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
@@ -296,7 +290,7 @@
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-api-mockito</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
<exclusions>
<exclusion>
@@ -308,31 +302,31 @@
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-api-support</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-core</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-module-junit4</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-module-junit4-common</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-reflect</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
</dependency>
<dependency>
@@ -386,7 +380,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
@@ -56,6 +56,8 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers =
new LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>>();
private final List<SecurityConfigurer<O, B>> configurersAddedInInitializing = new ArrayList<SecurityConfigurer<O, B>>();
private final Map<Class<Object>,Object> sharedObjects = new HashMap<Class<Object>,Object>();
private final boolean allowConfigurersOfSameType;
@@ -122,9 +124,9 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
@SuppressWarnings("unchecked")
public <C extends SecurityConfigurerAdapter<O, B>> C apply(C configurer)
throws Exception {
add(configurer);
configurer.addObjectPostProcessor(objectPostProcessor);
configurer.setBuilder((B) this);
add(configurer);
return configurer;
}
@@ -198,7 +200,7 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
configs.add(configurer);
this.configurers.put(clazz, configs);
if(buildState.isInitializing()) {
configurer.init((B)this);
this.configurersAddedInInitializing.add(configurer);
}
}
}
@@ -363,7 +365,11 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
private void init() throws Exception {
Collection<SecurityConfigurer<O,B>> configurers = getConfigurers();
for(SecurityConfigurer<O,B> configurer : configurers ) {
for (SecurityConfigurer<O, B> configurer : configurers) {
configurer.init((B) this);
}
for (SecurityConfigurer<O, B> configurer : configurersAddedInInitializing) {
configurer.init((B) this);
}
}
@@ -25,6 +25,7 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.ObjectUtils;
/**
* A base class for registering {@link RequestMatcher}'s. For example, it might allow for specifying which
@@ -51,6 +52,20 @@ public abstract class AbstractRequestMatcherRegistry<C> {
return requestMatchers(ANY_REQUEST);
}
/**
* Maps a {@link List} of
* {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher}
* instances.
*
* @param method the {@link HttpMethod} to use for any
* {@link HttpMethod}.
*
* @return the object that is chained after creating the {@link RequestMatcher}
*/
public C antMatchers(HttpMethod method) {
return antMatchers(method, new String[] { "/**" });
}
/**
* Maps a {@link List} of {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher} instances.
*
@@ -23,6 +23,7 @@ import javax.servlet.http.HttpSession;
import org.springframework.security.config.annotation.SecurityConfigurer;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
@@ -98,6 +99,16 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends Ab
return this;
}
/**
* Specifies if {@link SecurityContextLogoutHandler} should clear the {@link Authentication} at the time of logout.
* @param clearAuthentication true {@link SecurityContextLogoutHandler} should clear the {@link Authentication} (default), or false otherwise.
* @return the {@link LogoutConfigurer} for further customization
*/
public LogoutConfigurer<H> clearAuthentication(boolean clearAuthentication) {
contextLogoutHandler.setClearAuthentication(clearAuthentication);
return this;
}
/**
* The URL that triggers log out to occur (default is "/logout"). If CSRF
* protection is enabled (default), then the request must also be a POST.
@@ -0,0 +1,100 @@
/*
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.annotation.web.configurers;
import static org.fest.assertions.Assertions.assertThat;
import javax.servlet.http.HttpServletResponse;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
/**
* @author Rob Winch
*
*/
public class AuthorizeRequestsTests {
AnnotationConfigWebApplicationContext context;
MockHttpServletRequest request;
MockHttpServletResponse response;
MockFilterChain chain;
@Autowired
FilterChainProxy springSecurityFilterChain;
@Before
public void setup() {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
chain = new MockFilterChain();
}
@After
public void cleanup() {
if(context != null) {
context.close();
}
}
// SEC-3135
@Test
public void antMatchersMethodAndNoPatterns() throws Exception {
loadConfig(AntMatchersNoPatternsConfig.class);
request.setMethod("POST");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
}
@EnableWebSecurity
@Configuration
static class AntMatchersNoPatternsConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.POST).denyAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication();
}
}
public void loadConfig(Class<?>... configs) {
context = new AnnotationConfigWebApplicationContext();
context.register(configs);
context.refresh();
context.getAutowireCapableBeanFactory().autowireBean(this);
}
}
@@ -0,0 +1,105 @@
/*
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.annotation.web.configurers;
import static org.fest.assertions.Assertions.assertThat;
import javax.servlet.http.HttpServletResponse;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
/**
* @author Rob Winch
*
*/
public class HttpSecurityAntMatchersTests {
AnnotationConfigWebApplicationContext context;
MockHttpServletRequest request;
MockHttpServletResponse response;
MockFilterChain chain;
@Autowired
FilterChainProxy springSecurityFilterChain;
@Before
public void setup() {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
chain = new MockFilterChain();
}
@After
public void cleanup() {
if(context != null) {
context.close();
}
}
// SEC-3135
@Test
public void antMatchersMethodAndNoPatterns() throws Exception {
loadConfig(AntMatchersNoPatternsConfig.class);
request.setMethod("POST");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
}
@EnableWebSecurity
@Configuration
static class AntMatchersNoPatternsConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.requestMatchers()
.antMatchers(HttpMethod.POST)
.and()
.authorizeRequests()
.anyRequest().denyAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication();
}
}
public void loadConfig(Class<?>... configs) {
context = new AnnotationConfigWebApplicationContext();
context.register(configs);
context.refresh();
context.getAutowireCapableBeanFactory().autowireBean(this);
}
}
@@ -0,0 +1,110 @@
/*
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.annotation.web.configurers;
import static org.fest.assertions.Assertions.assertThat;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
/**
* @author Rob Winch
*
*/
public class HttpSecurityLogoutTests {
AnnotationConfigWebApplicationContext context;
MockHttpServletRequest request;
MockHttpServletResponse response;
MockFilterChain chain;
@Autowired
FilterChainProxy springSecurityFilterChain;
@Before
public void setup() {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
chain = new MockFilterChain();
}
@After
public void cleanup() {
if(context != null) {
context.close();
}
}
// SEC-2848
@Test
public void clearAuthenticationFalse() throws Exception {
loadConfig(ClearAuthenticationFalseConfig.class);
SecurityContext currentContext = SecurityContextHolder.createEmptyContext();
currentContext.setAuthentication(new TestingAuthenticationToken("user", "password","ROLE_USER"));
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, currentContext);
request.setMethod("POST");
request.setServletPath("/logout");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(currentContext.getAuthentication()).isNotNull();
}
@EnableWebSecurity
@Configuration
static class ClearAuthenticationFalseConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.logout()
.clearAuthentication(false);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication();
}
}
public void loadConfig(Class<?>... configs) {
context = new AnnotationConfigWebApplicationContext();
context.register(configs);
context.refresh();
context.getAutowireCapableBeanFactory().autowireBean(this);
}
}
@@ -0,0 +1,67 @@
/*
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.http.customconfigurer;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.ApplicationContext;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
import org.springframework.security.web.DefaultSecurityFilterChain;
/**
* @author Rob Winch
*
*/
public class CustomConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain,HttpSecurity> {
@Value("${permitAllPattern}")
private String permitAllPattern;
private String loginPage = "/login";
/* (non-Javadoc)
* @see org.springframework.security.config.annotation.SecurityConfigurerAdapter#init(org.springframework.security.config.annotation.SecurityBuilder)
*/
@SuppressWarnings("unchecked")
@Override
public void init(HttpSecurity http) throws Exception {
// autowire this bean
ApplicationContext context = http.getSharedObject(ApplicationContext.class);
context.getAutowireCapableBeanFactory().autowireBean(this);
http
.authorizeRequests()
.antMatchers(permitAllPattern).permitAll()
.anyRequest().authenticated();
if(http.getConfigurer(FormLoginConfigurer.class) == null) {
// only apply if formLogin() was not invoked by the user
http
.formLogin()
.loginPage(loginPage);
}
}
public CustomConfigurer loginPage(String loginPage) {
this.loginPage = loginPage;
return this;
}
public static CustomConfigurer customConfigurer() {
return new CustomConfigurer();
}
}
@@ -0,0 +1,164 @@
/*
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.http.customconfigurer;
import static org.fest.assertions.Assertions.assertThat;
import static org.springframework.security.config.http.customconfigurer.CustomConfigurer.customConfigurer;
import java.util.Properties;
import javax.servlet.http.HttpServletResponse;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.FilterChainProxy;
/**
* @author Rob Winch
*
*/
public class CustomHttpSecurityConfigurerTests {
@Autowired
ConfigurableApplicationContext context;
@Autowired
FilterChainProxy springSecurityFilterChain;
MockHttpServletRequest request;
MockHttpServletResponse response;
MockFilterChain chain;
@Before
public void setup() {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
chain = new MockFilterChain();
request.setMethod("GET");
}
@After
public void cleanup() {
if(context != null) {
context.close();
}
}
@Test
public void customConfiguerPermitAll() throws Exception {
loadContext(Config.class);
request.setPathInfo("/public/something");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
}
@Test
public void customConfiguerFormLogin() throws Exception {
loadContext(Config.class);
request.setPathInfo("/requires-authentication");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(response.getRedirectedUrl()).endsWith("/custom");
}
@Test
public void customConfiguerCustomizeDisablesCsrf() throws Exception {
loadContext(ConfigCustomize.class);
request.setPathInfo("/public/something");
request.setMethod("POST");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
}
@Test
public void customConfiguerCustomizeFormLogin() throws Exception {
loadContext(ConfigCustomize.class);
request.setPathInfo("/requires-authentication");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(response.getRedirectedUrl()).endsWith("/other");
}
private void loadContext(Class<?> clazz) {
AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext(clazz);
context.getAutowireCapableBeanFactory().autowireBean(this);
}
@EnableWebSecurity
static class Config extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.apply(customConfigurer())
.loginPage("/custom");
}
@Bean
public static PropertyPlaceholderConfigurer propertyPlaceholderConfigurer() {
// Typically externalize this as a properties file
Properties properties = new Properties();
properties.setProperty("permitAllPattern", "/public/**");
PropertyPlaceholderConfigurer propertyPlaceholderConfigurer = new PropertyPlaceholderConfigurer();
propertyPlaceholderConfigurer.setProperties(properties);
return propertyPlaceholderConfigurer;
}
}
@EnableWebSecurity
static class ConfigCustomize extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.apply(customConfigurer())
.and()
.csrf().disable()
.formLogin()
.loginPage("/other");
}
@Bean
public static PropertyPlaceholderConfigurer propertyPlaceholderConfigurer() {
// Typically externalize this as a properties file
Properties properties = new Properties();
properties.setProperty("permitAllPattern", "/public/**");
PropertyPlaceholderConfigurer propertyPlaceholderConfigurer = new PropertyPlaceholderConfigurer();
propertyPlaceholderConfigurer.setProperties(properties);
return propertyPlaceholderConfigurer;
}
}
}
+8 -14
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-core</name>
<description>spring-security-core</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>aopalliance</groupId>
@@ -184,7 +178,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
<exclusions>
<exclusion>
@@ -196,7 +190,7 @@
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-api-mockito</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
<exclusions>
<exclusion>
@@ -208,7 +202,7 @@
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-api-support</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
<exclusions>
<exclusion>
@@ -220,7 +214,7 @@
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-core</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
<exclusions>
<exclusion>
@@ -232,7 +226,7 @@
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-module-junit4</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
<exclusions>
<exclusion>
@@ -244,7 +238,7 @@
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-module-junit4-common</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
<exclusions>
<exclusion>
@@ -256,7 +250,7 @@
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-reflect</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
<exclusions>
<exclusion>
@@ -92,6 +92,9 @@ public class RoleVoter implements AccessDecisionVoter<Object> {
}
public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
if(authentication == null) {
return ACCESS_DENIED;
}
int result = ACCESS_ABSTAIN;
Collection<? extends GrantedAuthority> authorities = extractAuthorities(authentication);
@@ -25,10 +25,8 @@ import org.springframework.util.Assert;
* then removing the {@link SecurityContext} after the delegate has completed.
* </p>
* <p>
* By default the {@link SecurityContext} is only setup if {@link #call()} is
* invoked on a separate {@link Thread} than the
* {@link DelegatingSecurityContextCallable} was created on. This can be
* overridden by setting {@link #setEnableOnOriginalThread(boolean)} to true.
* If there is a {@link SecurityContext} that already exists, it will be
* restored after the {@link #call()} method is invoked.
* </p>
*
* @author Rob Winch
@@ -38,63 +36,60 @@ public final class DelegatingSecurityContextCallable<V> implements Callable<V> {
private final Callable<V> delegate;
private final SecurityContext securityContext;
private final Thread originalThread;
private boolean enableOnOriginalThread;
/**
* Creates a new {@link DelegatingSecurityContextCallable} with a specific {@link SecurityContext}.
* @param delegate the delegate {@link DelegatingSecurityContextCallable} to run with the specified
* {@link SecurityContext}. Cannot be null.
* @param securityContext the {@link SecurityContext} to establish for the delegate {@link Callable}. Cannot be
* null.
* The {@link SecurityContext} that the delegate {@link Callable} will be
* ran as.
*/
public DelegatingSecurityContextCallable(Callable<V> delegate, SecurityContext securityContext) {
private final SecurityContext delegateSecurityContext;
/**
* The {@link SecurityContext} that was on the {@link SecurityContextHolder}
* prior to being set to the delegateSecurityContext.
*/
private SecurityContext originalSecurityContext;
/**
* Creates a new {@link DelegatingSecurityContextCallable} with a specific
* {@link SecurityContext}.
* @param delegate the delegate {@link DelegatingSecurityContextCallable} to run with
* the specified {@link SecurityContext}. Cannot be null.
* @param securityContext the {@link SecurityContext} to establish for the delegate
* {@link Callable}. Cannot be null.
*/
public DelegatingSecurityContextCallable(Callable<V> delegate,
SecurityContext securityContext) {
Assert.notNull(delegate, "delegate cannot be null");
Assert.notNull(securityContext, "securityContext cannot be null");
this.delegate = delegate;
this.securityContext = securityContext;
this.originalThread = Thread.currentThread();
this.delegateSecurityContext = securityContext;
}
/**
* Creates a new {@link DelegatingSecurityContextCallable} with the {@link SecurityContext} from the
* {@link SecurityContextHolder}.
* @param delegate the delegate {@link Callable} to run under the current {@link SecurityContext}. Cannot be null.
* Creates a new {@link DelegatingSecurityContextCallable} with the
* {@link SecurityContext} from the {@link SecurityContextHolder}.
* @param delegate the delegate {@link Callable} to run under the current
* {@link SecurityContext}. Cannot be null.
*/
public DelegatingSecurityContextCallable(Callable<V> delegate) {
this(delegate, SecurityContextHolder.getContext());
}
/**
* Determines if the SecurityContext should be transfered if {@link #call()}
* is invoked on the same {@link Thread} the
* {@link DelegatingSecurityContextCallable} was created on.
*
* @param enableOnOriginalThread
* if false (default), will only transfer the
* {@link SecurityContext} if {@link #call()} is invoked on a
* different {@link Thread} than the
* {@link DelegatingSecurityContextCallable} was created on.
*
* @since 4.0.2
*/
public void setEnableOnOriginalThread(boolean enableOnOriginalThread) {
this.enableOnOriginalThread = enableOnOriginalThread;
}
public V call() throws Exception {
if(!enableOnOriginalThread && originalThread == Thread.currentThread()) {
return delegate.call();
}
this.originalSecurityContext = SecurityContextHolder.getContext();
try {
SecurityContextHolder.setContext(securityContext);
SecurityContextHolder.setContext(delegateSecurityContext);
return delegate.call();
}
finally {
SecurityContextHolder.clearContext();
SecurityContext emptyContext = SecurityContextHolder.createEmptyContext();
if(emptyContext.equals(originalSecurityContext)) {
SecurityContextHolder.clearContext();
} else {
SecurityContextHolder.setContext(originalSecurityContext);
}
this.originalSecurityContext = null;
}
}
@@ -22,11 +22,10 @@ import org.springframework.util.Assert;
* before invoking the delegate {@link Runnable} and then removing the
* {@link SecurityContext} after the delegate has completed.
* </p>
*
* <p>
* By default the {@link SecurityContext} is only setup if {@link #run()} is
* invoked on a separate {@link Thread} than the
* {@link DelegatingSecurityContextRunnable} was created on. This can be
* overridden by setting {@link #setEnableOnOriginalThread(boolean)} to true.
* If there is a {@link SecurityContext} that already exists, it will be
* restored after the {@link #run()} method is invoked.
* </p>
*
* @author Rob Winch
@@ -36,62 +35,59 @@ public final class DelegatingSecurityContextRunnable implements Runnable {
private final Runnable delegate;
private final SecurityContext securityContext;
private final Thread originalThread;
private boolean enableOnOriginalThread;
/**
* The {@link SecurityContext} that the delegate {@link Runnable} will be
* ran as.
*/
private final SecurityContext delegateSecurityContext;
/**
* Creates a new {@link DelegatingSecurityContextRunnable} with a specific {@link SecurityContext}.
* @param delegate the delegate {@link Runnable} to run with the specified {@link SecurityContext}. Cannot be null.
* @param securityContext the {@link SecurityContext} to establish for the delegate {@link Runnable}. Cannot be
* null.
* The {@link SecurityContext} that was on the {@link SecurityContextHolder}
* prior to being set to the delegateSecurityContext.
*/
public DelegatingSecurityContextRunnable(Runnable delegate, SecurityContext securityContext) {
private SecurityContext originalSecurityContext;
/**
* Creates a new {@link DelegatingSecurityContextRunnable} with a specific
* {@link SecurityContext}.
* @param delegate the delegate {@link Runnable} to run with the specified
* {@link SecurityContext}. Cannot be null.
* @param securityContext the {@link SecurityContext} to establish for the delegate
* {@link Runnable}. Cannot be null.
*/
public DelegatingSecurityContextRunnable(Runnable delegate,
SecurityContext securityContext) {
Assert.notNull(delegate, "delegate cannot be null");
Assert.notNull(securityContext, "securityContext cannot be null");
this.delegate = delegate;
this.securityContext = securityContext;
this.originalThread = Thread.currentThread();
this.delegateSecurityContext = securityContext;
}
/**
* Creates a new {@link DelegatingSecurityContextRunnable} with the {@link SecurityContext} from the
* {@link SecurityContextHolder}.
* @param delegate the delegate {@link Runnable} to run under the current {@link SecurityContext}. Cannot be null.
* Creates a new {@link DelegatingSecurityContextRunnable} with the
* {@link SecurityContext} from the {@link SecurityContextHolder}.
* @param delegate the delegate {@link Runnable} to run under the current
* {@link SecurityContext}. Cannot be null.
*/
public DelegatingSecurityContextRunnable(Runnable delegate) {
this(delegate, SecurityContextHolder.getContext());
}
/**
* Determines if the SecurityContext should be transfered if {@link #call()}
* is invoked on the same {@link Thread} the
* {@link DelegatingSecurityContextCallable} was created on.
*
* @param enableOnOriginalThread
* if false (default), will only transfer the
* {@link SecurityContext} if {@link #call()} is invoked on a
* different {@link Thread} than the
* {@link DelegatingSecurityContextCallable} was created on.
* @since 4.0.2
*/
public void setEnableOnOriginalThread(boolean enableOnOriginalThread) {
this.enableOnOriginalThread = enableOnOriginalThread;
}
public void run() {
if(!enableOnOriginalThread && originalThread == Thread.currentThread()) {
delegate.run();
return;
}
this.originalSecurityContext = SecurityContextHolder.getContext();
try {
SecurityContextHolder.setContext(securityContext);
SecurityContextHolder.setContext(delegateSecurityContext);
delegate.run();
}
finally {
SecurityContextHolder.clearContext();
SecurityContext emptyContext = SecurityContextHolder.createEmptyContext();
if(emptyContext.equals(originalSecurityContext)) {
SecurityContextHolder.clearContext();
} else {
SecurityContextHolder.setContext(originalSecurityContext);
}
this.originalSecurityContext = null;
}
}
@@ -1,6 +1,7 @@
package org.springframework.security.access.vote;
import static org.junit.Assert.*;
import static org.fest.assertions.Assertions.*;
import org.junit.Test;
import org.springframework.security.access.AccessDecisionVoter;
@@ -21,4 +22,13 @@ public class RoleVoterTests {
// Vote on attribute list that has two attributes A and C (i.e. only one matching)
assertEquals(AccessDecisionVoter.ACCESS_GRANTED, voter.vote(userAB, this, SecurityConfig.createList("A","C")));
}
// SEC-3128
@Test
public void nullAuthenticationDenies() {
RoleVoter voter = new RoleVoter();
voter.setRolePrefix("");
Authentication notAuthenitcated = null;
assertThat(voter.vote(notAuthenitcated, this, SecurityConfig.createList("A"))).isEqualTo(AccessDecisionVoter.ACCESS_DENIED);
}
}
@@ -50,9 +50,12 @@ public class DelegatingSecurityContextCallableTests {
private ExecutorService executor;
private SecurityContext originalSecurityContext;
@Before
@SuppressWarnings("serial")
public void setUp() throws Exception {
originalSecurityContext = SecurityContextHolder.createEmptyContext();
when(delegate.call()).thenAnswer(new Returns(callableResult) {
@Override
public Object answer(InvocationOnMock invocation) throws Throwable {
@@ -111,17 +114,10 @@ public class DelegatingSecurityContextCallableTests {
// SEC-3031
@Test
public void callOnSameThread() throws Exception {
originalSecurityContext = securityContext;
SecurityContextHolder.setContext(originalSecurityContext);
callable = new DelegatingSecurityContextCallable<Object>(delegate,
securityContext);
securityContext = SecurityContextHolder.createEmptyContext();
assertWrapped(callable.call());
}
@Test
public void callOnSameThreadExplicitlyEnabled() throws Exception {
DelegatingSecurityContextCallable<Object> callable = new DelegatingSecurityContextCallable<Object>(delegate,
securityContext);
callable.setEnableOnOriginalThread(true);
assertWrapped(callable.call());
}
@@ -170,6 +166,6 @@ public class DelegatingSecurityContextCallableTests {
private void assertWrapped(Object callableResult) throws Exception {
verify(delegate).call();
assertThat(SecurityContextHolder.getContext()).isEqualTo(
SecurityContextHolder.createEmptyContext());
originalSecurityContext);
}
}
@@ -51,8 +51,11 @@ public class DelegatingSecurityContextRunnableTests {
private ExecutorService executor;
private SecurityContext originalSecurityContext;
@Before
public void setUp() throws Exception {
originalSecurityContext = SecurityContextHolder.createEmptyContext();
doAnswer(new Answer<Object>() {
public Object answer(InvocationOnMock invocation) throws Throwable {
assertThat(SecurityContextHolder.getContext()).isEqualTo(securityContext);
@@ -110,19 +113,11 @@ public class DelegatingSecurityContextRunnableTests {
// SEC-3031
@Test
public void callOnSameThread() throws Exception {
originalSecurityContext = securityContext;
SecurityContextHolder.setContext(originalSecurityContext);
executor = synchronousExecutor();
runnable = new DelegatingSecurityContextRunnable(delegate,
securityContext);
securityContext = SecurityContextHolder.createEmptyContext();
assertWrapped(runnable);
}
@Test
public void callOnSameThreadExplicitlyEnabled() throws Exception {
executor = synchronousExecutor();
DelegatingSecurityContextRunnable runnable = new DelegatingSecurityContextRunnable(delegate,
securityContext);
runnable.setEnableOnOriginalThread(true);
assertWrapped(runnable);
}
@@ -167,7 +162,7 @@ public class DelegatingSecurityContextRunnableTests {
submit.get();
verify(delegate).run();
assertThat(SecurityContextHolder.getContext()).isEqualTo(
SecurityContextHolder.createEmptyContext());
originalSecurityContext);
}
private static ExecutorService synchronousExecutor() {
+2 -8
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-crypto</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-crypto</name>
<description>spring-security-crypto</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>commons-logging</groupId>
@@ -77,7 +71,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
@@ -17,19 +17,19 @@ package org.springframework.security.crypto.password;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
/**
* Helper for working with the MessageDigest API.
*
* Performs the configured number of iterations of the hashing algorithm per digest to aid in protecting against brute force attacks.
* Performs the configured number of iterations of the hashing algorithm per digest to aid
* in protecting against brute force attacks.
*
* @author Keith Donald
* @author Luke Taylor
*/
final class Digester {
private final MessageDigest messageDigest;
private final String algorithm;
private final int iterations;
@@ -39,21 +39,26 @@ final class Digester {
* @param iterations the number of times to apply the digest algorithm to the input
*/
public Digester(String algorithm, int iterations) {
try {
messageDigest = MessageDigest.getInstance(algorithm);
} catch (NoSuchAlgorithmException e) {
throw new IllegalStateException("No such hashing algorithm", e);
}
// eagerly validate the algorithm
createDigest(algorithm);
this.algorithm = algorithm;
this.iterations = iterations;
}
public byte[] digest(byte[] value) {
synchronized (messageDigest) {
for (int i = 0; i < iterations; i++) {
value = messageDigest.digest(value);
}
return value;
MessageDigest messageDigest = createDigest(algorithm);
for (int i = 0; i < iterations; i++) {
value = messageDigest.digest(value);
}
return value;
}
private static MessageDigest createDigest(String algorithm) {
try {
return MessageDigest.getInstance(algorithm);
}
catch (NoSuchAlgorithmException e) {
throw new IllegalStateException("No such hashing algorithm", e);
}
}
}
+1 -1
View File
@@ -1 +1 @@
version=3.2.8.CI-SNAPSHOT
version=3.2.9.RELEASE
+2 -2
View File
@@ -21,7 +21,7 @@ ext.hsqlVersion = '2.3.1'
ext.slf4jVersion = '1.7.5'
ext.logbackVersion = '0.9.29'
ext.cglibVersion = '2.2'
ext.powerMockVersion = '1.6.1'
ext.powerMockVersion = '1.6.2'
ext.servletApiVersion = '3.0.1'
ext.seleniumVersion = '2.33.0'
ext.groovyVersion = '2.0.5'
@@ -123,7 +123,7 @@ dependencies {
optional 'commons-logging:commons-logging:1.1.1'
testCompile 'junit:junit:4.11',
'org.mockito:mockito-core:1.9.5',
'org.mockito:mockito-core:1.10.19',
"org.springframework:spring-test:$springVersion",
'org.easytesting:fest-assert:1.4'
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>itest-context</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>itest-context</name>
<description>itest-context</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>aopalliance</groupId>
@@ -64,7 +58,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -131,7 +125,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
@@ -143,13 +137,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
+7 -13
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>itest-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>itest-web</name>
<description>itest-web</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
@@ -123,7 +117,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
@@ -159,31 +153,31 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
+3 -9
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-ldap</name>
<description>spring-security-ldap</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.ldap</groupId>
@@ -76,7 +70,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -186,7 +180,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+4 -10
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-openid</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-openid</name>
<description>spring-security-openid</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>com.google.inject</groupId>
@@ -70,13 +64,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -161,7 +155,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+3 -9
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-remoting</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-remoting</name>
<description>spring-security-remoting</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>aopalliance</groupId>
@@ -58,7 +52,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -119,7 +113,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-aspectj-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-samples-aspectj-jc</name>
<description>spring-security-samples-aspectj-jc</description>
<url>http://spring.io/spring-security</url>
@@ -42,23 +42,17 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -78,7 +72,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-aspects</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
@@ -102,7 +96,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-aspectj-xml</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-samples-aspectj-xml</name>
<description>spring-security-samples-aspectj-xml</description>
<url>http://spring.io/spring-security</url>
@@ -42,17 +42,11 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -72,13 +66,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-aspects</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
@@ -102,7 +96,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-cassample-xml</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-cassample-xml</name>
<description>spring-security-samples-cassample-xml</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.jasig.cas.client</groupId>
@@ -66,13 +60,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -109,13 +103,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
@@ -163,7 +157,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+2 -8
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-casserver</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-casserver</name>
<description>spring-security-samples-casserver</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>commons-logging</groupId>
@@ -85,7 +79,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-concurrency-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-concurrency-jc</name>
<description>spring-security-samples-concurrency-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -193,7 +187,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+7 -13
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-contacts-xml</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-contacts-xml</name>
<description>spring-security-samples-contacts-xml</description>
@@ -50,23 +50,17 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -163,19 +157,19 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
@@ -199,7 +193,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-dms-xml</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-samples-dms-xml</name>
<description>spring-security-samples-dms-xml</description>
<url>http://spring.io/spring-security</url>
@@ -42,23 +42,17 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -102,7 +96,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
@@ -132,7 +126,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-form-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-form-jc</name>
<description>spring-security-samples-form-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -193,7 +187,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-gae-xml</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-gae-xml</name>
<description>spring-security-samples-gae-xml</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>com.google.appengine</groupId>
@@ -84,13 +78,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -151,13 +145,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
@@ -199,7 +193,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-hellojs-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-hellojs-jc</name>
<description>spring-security-samples-hellojs-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
@@ -108,25 +102,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -199,7 +193,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-hellomvc-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-hellomvc-jc</name>
<description>spring-security-samples-hellomvc-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -193,7 +187,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+4 -10
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-helloworld-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-helloworld-jc</name>
<description>spring-security-samples-helloworld-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
@@ -78,13 +72,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -127,7 +121,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-inmemory-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-inmemory-jc</name>
<description>spring-security-samples-inmemory-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -193,7 +187,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+2 -8
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-insecure</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-insecure</name>
<description>spring-security-samples-insecure</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
@@ -115,7 +109,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+3 -9
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-insecuremvc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-insecuremvc</name>
<description>spring-security-samples-insecuremvc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
@@ -102,7 +96,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -175,7 +169,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-jaas-xml</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-jaas-xml</name>
<description>spring-security-samples-jaas-xml</description>
@@ -50,17 +50,11 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -121,19 +115,19 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
@@ -157,7 +151,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-jdbc-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-jdbc-jc</name>
<description>spring-security-samples-jdbc-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -193,7 +187,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+7 -13
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-ldap-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-ldap-jc</name>
<description>spring-security-samples-ldap-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
@@ -138,31 +132,31 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -235,7 +229,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-ldap-xml</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-ldap-xml</name>
<description>spring-security-samples-ldap-xml</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>commons-logging</groupId>
@@ -115,19 +109,19 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
@@ -145,7 +139,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+4 -10
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-samples-messages-jc</name>
<description>spring-security-samples-messages-jc</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.validation</groupId>
@@ -100,13 +94,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -209,7 +203,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+7 -13
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-openid-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-openid-jc</name>
<description>spring-security-samples-openid-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
@@ -102,31 +96,31 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-openid</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -205,7 +199,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-openid-xml</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-openid-xml</name>
<description>spring-security-samples-openid-xml</description>
@@ -50,23 +50,17 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-openid</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -109,13 +103,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
@@ -133,7 +127,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-preauth-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-preauth-jc</name>
<description>spring-security-samples-preauth-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -193,7 +187,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+4 -10
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-preauth-xml</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-preauth-xml</name>
<description>spring-security-samples-preauth-xml</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>commons-logging</groupId>
@@ -79,13 +73,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
@@ -103,7 +97,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-rememberme-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-rememberme-jc</name>
<description>spring-security-samples-rememberme-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -193,7 +187,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-servletapi-xml</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-servletapi-xml</name>
<description>spring-security-samples-servletapi-xml</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
@@ -66,13 +60,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -133,13 +127,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
@@ -163,7 +157,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-tutorial-xml</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-tutorial-xml</name>
<description>spring-security-samples-tutorial-xml</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.slf4j</groupId>
@@ -66,7 +60,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -133,19 +127,19 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
@@ -163,7 +157,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-x509-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-x509-jc</name>
<description>spring-security-samples-x509-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -193,7 +187,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-taglibs</name>
<description>spring-security-taglibs</description>
<url>http://spring.io/spring-security</url>
@@ -42,29 +42,23 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -161,7 +155,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
@@ -42,6 +42,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
import org.springframework.security.web.context.support.SecurityWebApplicationContextUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.context.support.WebApplicationContextUtils;
@@ -312,8 +313,7 @@ public abstract class AbstractAuthorizeTag {
@SuppressWarnings({ "unchecked", "rawtypes" })
private SecurityExpressionHandler<FilterInvocation> getExpressionHandler() throws IOException {
ApplicationContext appContext = WebApplicationContextUtils
.getRequiredWebApplicationContext(getServletContext());
ApplicationContext appContext = SecurityWebApplicationContextUtils.findRequiredWebApplicationContext(getServletContext());
Map<String, SecurityExpressionHandler> handlers = appContext
.getBeansOfType(SecurityExpressionHandler.class);
@@ -335,8 +335,9 @@ public abstract class AbstractAuthorizeTag {
return privEvaluatorFromRequest;
}
ApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServletContext());
Map<String, WebInvocationPrivilegeEvaluator> wipes = ctx.getBeansOfType(WebInvocationPrivilegeEvaluator.class);
ApplicationContext ctx = SecurityWebApplicationContextUtils.findRequiredWebApplicationContext(getServletContext());
Map<String, WebInvocationPrivilegeEvaluator> wipes = ctx
.getBeansOfType(WebInvocationPrivilegeEvaluator.class);
if (wipes.size() == 0) {
throw new IOException(
@@ -21,6 +21,7 @@ import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.taglibs.TagLibConfig;
import org.springframework.security.web.context.support.SecurityWebApplicationContextUtils;
import org.springframework.web.context.support.WebApplicationContextUtils;
import javax.servlet.ServletContext;
@@ -136,7 +137,7 @@ public class AccessControlListTag extends TagSupport {
protected ApplicationContext getContext(PageContext pageContext) {
ServletContext servletContext = pageContext.getServletContext();
return WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
return SecurityWebApplicationContextUtils.findRequiredWebApplicationContext(servletContext);
}
public Object getDomainObject() {
@@ -12,12 +12,16 @@
*/
package org.springframework.security.taglibs.authz;
import static org.fest.assertions.Assertions.*;
import static org.mockito.Matchers.any;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import java.io.IOException;
import java.util.Collections;
import javax.servlet.ServletContext;
import javax.servlet.ServletRequest;
@@ -29,10 +33,14 @@ import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockServletContext;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.web.context.WebApplicationContext;
/**
*
@@ -63,13 +71,41 @@ public class AbstractAuthorizeTagTests {
String uri = "/something";
WebInvocationPrivilegeEvaluator expected = mock(WebInvocationPrivilegeEvaluator.class);
tag.setUrl(uri);
request.setAttribute(WebAttributes.WEB_INVOCATION_PRIVILEGE_EVALUATOR_ATTRIBUTE, expected);
request.setAttribute(WebAttributes.WEB_INVOCATION_PRIVILEGE_EVALUATOR_ATTRIBUTE,
expected);
tag.authorizeUsingUrlCheck();
verify(expected).isAllowed(eq(""), eq(uri), eq("GET"), any(Authentication.class));
}
@Test
public void privilegeEvaluatorFromChildContext() throws IOException {
String uri = "/something";
WebInvocationPrivilegeEvaluator expected = mock(WebInvocationPrivilegeEvaluator.class);
tag.setUrl(uri);
WebApplicationContext wac = mock(WebApplicationContext.class);
when(wac.getBeansOfType(WebInvocationPrivilegeEvaluator.class)).thenReturn(Collections.singletonMap("wipe", expected));
servletContext.setAttribute("org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher", wac);
tag.authorizeUsingUrlCheck();
verify(expected).isAllowed(eq(""), eq(uri), eq("GET"), any(Authentication.class));
}
@Test
@SuppressWarnings("rawtypes")
public void expressionFromChildContext() throws IOException {
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("user", "pass","USER"));
DefaultWebSecurityExpressionHandler expected = new DefaultWebSecurityExpressionHandler();
tag.setAccess("permitAll");
WebApplicationContext wac = mock(WebApplicationContext.class);
when(wac.getBeansOfType(SecurityExpressionHandler.class)).thenReturn(Collections.<String,SecurityExpressionHandler>singletonMap("wipe", expected));
servletContext.setAttribute("org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher", wac);
assertThat(tag.authorize()).isTrue();
}
private class AuthzTag extends AbstractAuthorizeTag {
@Override
@@ -26,6 +26,7 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.WebApplicationContext;
import javax.servlet.ServletContext;
import javax.servlet.jsp.tagext.Tag;
import java.util.*;
@@ -40,7 +41,7 @@ public class AccessControlListTagTests {
AccessControlListTag tag;
PermissionEvaluator pe;
MockPageContext pageContext;
Authentication bob = new TestingAuthenticationToken("bob","bobspass","A");
Authentication bob = new TestingAuthenticationToken("bob", "bobspass", "A");
@Before
@SuppressWarnings("rawtypes")
@@ -56,8 +57,10 @@ public class AccessControlListTagTests {
when(ctx.getBeansOfType(PermissionEvaluator.class)).thenReturn(beanMap);
MockServletContext servletCtx = new MockServletContext();
servletCtx.setAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE, ctx);
pageContext = new MockPageContext(servletCtx, new MockHttpServletRequest(), new MockHttpServletResponse());
servletCtx.setAttribute(
WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE, ctx);
pageContext = new MockPageContext(servletCtx, new MockHttpServletRequest(),
new MockHttpServletResponse());
tag.setPageContext(pageContext);
}
@@ -78,7 +81,28 @@ public class AccessControlListTagTests {
assertEquals("READ", tag.getHasPermission());
assertEquals(Tag.EVAL_BODY_INCLUDE, tag.doStartTag());
assertTrue((Boolean)pageContext.getAttribute("allowed"));
assertTrue((Boolean) pageContext.getAttribute("allowed"));
}
@Test
public void childContext() throws Exception {
ServletContext servletContext = pageContext.getServletContext();
WebApplicationContext wac = (WebApplicationContext) servletContext
.getAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE);
servletContext.removeAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE);
servletContext.setAttribute("org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher", wac);
Object domainObject = new Object();
when(pe.hasPermission(bob, domainObject, "READ")).thenReturn(true);
tag.setDomainObject(domainObject);
tag.setHasPermission("READ");
tag.setVar("allowed");
assertSame(domainObject, tag.getDomainObject());
assertEquals("READ", tag.getHasPermission());
assertEquals(Tag.EVAL_BODY_INCLUDE, tag.doStartTag());
assertTrue((Boolean) pageContext.getAttribute("allowed"));
}
// SEC-2022
@@ -95,7 +119,7 @@ public class AccessControlListTagTests {
assertEquals("READ,WRITE", tag.getHasPermission());
assertEquals(Tag.EVAL_BODY_INCLUDE, tag.doStartTag());
assertTrue((Boolean)pageContext.getAttribute("allowed"));
assertTrue((Boolean) pageContext.getAttribute("allowed"));
verify(pe).hasPermission(bob, domainObject, "READ");
verify(pe).hasPermission(bob, domainObject, "WRITE");
verifyNoMoreInteractions(pe);
@@ -115,7 +139,7 @@ public class AccessControlListTagTests {
assertEquals("1,2", tag.getHasPermission());
assertEquals(Tag.EVAL_BODY_INCLUDE, tag.doStartTag());
assertTrue((Boolean)pageContext.getAttribute("allowed"));
assertTrue((Boolean) pageContext.getAttribute("allowed"));
verify(pe).hasPermission(bob, domainObject, 1);
verify(pe).hasPermission(bob, domainObject, 2);
verifyNoMoreInteractions(pe);
@@ -134,7 +158,7 @@ public class AccessControlListTagTests {
assertEquals("1,WRITE", tag.getHasPermission());
assertEquals(Tag.EVAL_BODY_INCLUDE, tag.doStartTag());
assertTrue((Boolean)pageContext.getAttribute("allowed"));
assertTrue((Boolean) pageContext.getAttribute("allowed"));
verify(pe).hasPermission(bob, domainObject, 1);
verify(pe).hasPermission(bob, domainObject, "WRITE");
verifyNoMoreInteractions(pe);
@@ -150,6 +174,6 @@ public class AccessControlListTagTests {
tag.setVar("allowed");
assertEquals(Tag.SKIP_BODY, tag.doStartTag());
assertFalse((Boolean)pageContext.getAttribute("allowed"));
assertFalse((Boolean) pageContext.getAttribute("allowed"));
}
}
+9 -15
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<name>spring-security-web</name>
<description>spring-security-web</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>aopalliance</groupId>
@@ -58,7 +52,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.7.CI-SNAPSHOT</version>
<version>3.2.9.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -170,13 +164,13 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-api-mockito</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
<exclusions>
<exclusion>
@@ -188,31 +182,31 @@
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-api-support</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-core</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-module-junit4</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-module-junit4-common</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-reflect</artifactId>
<version>1.6.1</version>
<version>1.6.2</version>
<scope>test</scope>
</dependency>
<dependency>
@@ -38,6 +38,7 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserCache;
import org.springframework.security.core.userdetails.UserDetails;
@@ -49,46 +50,52 @@ import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.GenericFilterBean;
/**
* Processes a HTTP request's Digest authorization headers, putting the result into the
* <code>SecurityContextHolder</code>.
* <p>
* For a detailed background on what this filter is designed to process, refer to
* <a href="http://www.ietf.org/rfc/rfc2617.txt">RFC 2617</a> (which superseded RFC 2069, although this
* filter support clients that implement either RFC 2617 or RFC 2069).
* For a detailed background on what this filter is designed to process, refer to <a
* href="http://www.ietf.org/rfc/rfc2617.txt">RFC 2617</a> (which superseded RFC 2069,
* although this filter support clients that implement either RFC 2617 or RFC 2069).
* <p>
* This filter can be used to provide Digest authentication services to both remoting protocol clients (such as
* Hessian and SOAP) as well as standard user agents (such as Internet Explorer and FireFox).
* This filter can be used to provide Digest authentication services to both remoting
* protocol clients (such as Hessian and SOAP) as well as standard user agents (such as
* Internet Explorer and FireFox).
* <p>
* This Digest implementation has been designed to avoid needing to store session state between invocations.
* All session management information is stored in the "nonce" that is sent to the client by the {@link
* DigestAuthenticationEntryPoint}.
* This Digest implementation has been designed to avoid needing to store session state
* between invocations. All session management information is stored in the "nonce" that
* is sent to the client by the {@link DigestAuthenticationEntryPoint}.
* <p>
* If authentication is successful, the resulting {@link org.springframework.security.core.Authentication Authentication}
* object will be placed into the <code>SecurityContextHolder</code>.
* If authentication is successful, the resulting
* {@link org.springframework.security.core.Authentication Authentication} object will be
* placed into the <code>SecurityContextHolder</code>.
* <p>
* If authentication fails, an {@link org.springframework.security.web.AuthenticationEntryPoint AuthenticationEntryPoint}
* implementation is called. This must always be {@link DigestAuthenticationEntryPoint}, which will prompt the user
* to authenticate again via Digest authentication.
* If authentication fails, an
* {@link org.springframework.security.web.AuthenticationEntryPoint
* AuthenticationEntryPoint} implementation is called. This must always be
* {@link DigestAuthenticationEntryPoint}, which will prompt the user to authenticate
* again via Digest authentication.
* <p>
* Note there are limitations to Digest authentication, although it is a more comprehensive and secure solution
* than Basic authentication. Please see RFC 2617 section 4 for a full discussion on the advantages of Digest
* authentication over Basic authentication, including commentary on the limitations that it still imposes.
* Note there are limitations to Digest authentication, although it is a more
* comprehensive and secure solution than Basic authentication. Please see RFC 2617
* section 4 for a full discussion on the advantages of Digest authentication over Basic
* authentication, including commentary on the limitations that it still imposes.
*
* @author Ben Alex
* @author Luke Taylor
* @since 1.0.0
*/
public class DigestAuthenticationFilter extends GenericFilterBean implements MessageSourceAware {
//~ Static fields/initializers =====================================================================================
public class DigestAuthenticationFilter extends GenericFilterBean implements
MessageSourceAware {
// ~ Static fields/initializers
// =====================================================================================
private static final Log logger = LogFactory.getLog(DigestAuthenticationFilter.class);
//~ Instance fields ================================================================================================
// ~ Instance fields
// ================================================================================================
private AuthenticationDetailsSource<HttpServletRequest,?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
private DigestAuthenticationEntryPoint authenticationEntryPoint;
protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
private UserCache userCache = new NullUserCache();
@@ -96,12 +103,14 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes
private boolean passwordAlreadyEncoded = false;
private boolean createAuthenticatedToken = false;
//~ Methods ========================================================================================================
// ~ Methods
// ========================================================================================================
@Override
public void afterPropertiesSet() {
Assert.notNull(userDetailsService, "A UserDetailsService is required");
Assert.notNull(authenticationEntryPoint, "A DigestAuthenticationEntryPoint is required");
Assert.notNull(authenticationEntryPoint,
"A DigestAuthenticationEntryPoint is required");
}
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
@@ -118,14 +127,17 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes
}
if (logger.isDebugEnabled()) {
logger.debug("Digest Authorization header received from user agent: " + header);
logger.debug("Digest Authorization header received from user agent: "
+ header);
}
DigestData digestAuth = new DigestData(header);
try {
digestAuth.validateAndDecode(authenticationEntryPoint.getKey(), authenticationEntryPoint.getRealmName());
} catch (BadCredentialsException e) {
digestAuth.validateAndDecode(authenticationEntryPoint.getKey(),
authenticationEntryPoint.getRealmName());
}
catch (BadCredentialsException e) {
fail(request, response, e);
return;
@@ -151,38 +163,45 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes
userCache.putUserInCache(user);
}
serverDigestMd5 = digestAuth.calculateServerDigest(user.getPassword(), request.getMethod());
serverDigestMd5 = digestAuth.calculateServerDigest(user.getPassword(),
request.getMethod());
// If digest is incorrect, try refreshing from backend and recomputing
if (!serverDigestMd5.equals(digestAuth.getResponse()) && cacheWasUsed) {
if (logger.isDebugEnabled()) {
logger.debug(
"Digest comparison failure; trying to refresh user from DAO in case password had changed");
logger.debug("Digest comparison failure; trying to refresh user from DAO in case password had changed");
}
user = userDetailsService.loadUserByUsername(digestAuth.getUsername());
userCache.putUserInCache(user);
serverDigestMd5 = digestAuth.calculateServerDigest(user.getPassword(), request.getMethod());
serverDigestMd5 = digestAuth.calculateServerDigest(user.getPassword(),
request.getMethod());
}
} catch (UsernameNotFoundException notFound) {
fail(request, response,
new BadCredentialsException(messages.getMessage("DigestAuthenticationFilter.usernameNotFound",
new Object[]{digestAuth.getUsername()}, "Username {0} not found")));
}
catch (UsernameNotFoundException notFound) {
fail(request,
response,
new BadCredentialsException(messages.getMessage(
"DigestAuthenticationFilter.usernameNotFound",
new Object[] { digestAuth.getUsername() },
"Username {0} not found")));
return;
}
// If digest is still incorrect, definitely reject authentication attempt
if (!serverDigestMd5.equals(digestAuth.getResponse())) {
if (logger.isDebugEnabled()) {
logger.debug("Expected response: '" + serverDigestMd5 + "' but received: '" + digestAuth.getResponse()
logger.debug("Expected response: '" + serverDigestMd5
+ "' but received: '" + digestAuth.getResponse()
+ "'; is AuthenticationDao returning clear text passwords?");
}
fail(request, response,
new BadCredentialsException(messages.getMessage("DigestAuthenticationFilter.incorrectResponse",
fail(request,
response,
new BadCredentialsException(messages.getMessage(
"DigestAuthenticationFilter.incorrectResponse",
"Incorrect response")));
return;
}
@@ -192,8 +211,10 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes
// We do this last so we can direct the user agent its nonce is stale
// but the request was otherwise appearing to be valid
if (digestAuth.isNonceExpired()) {
fail(request, response,
new NonceExpiredException(messages.getMessage("DigestAuthenticationFilter.nonceExpired",
fail(request,
response,
new NonceExpiredException(messages.getMessage(
"DigestAuthenticationFilter.nonceExpired",
"Nonce has expired/timed out")));
return;
@@ -204,27 +225,34 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes
+ "' with response: '" + digestAuth.getResponse() + "'");
}
SecurityContextHolder.getContext().setAuthentication(createSuccessfulAuthentication(request, user));
Authentication authentication = createSuccessfulAuthentication(request, user);
SecurityContext context = SecurityContextHolder.createEmptyContext();
context.setAuthentication(authentication);
SecurityContextHolder.setContext(context);
chain.doFilter(request, response);
}
private Authentication createSuccessfulAuthentication(HttpServletRequest request, UserDetails user) {
private Authentication createSuccessfulAuthentication(HttpServletRequest request,
UserDetails user) {
UsernamePasswordAuthenticationToken authRequest;
if (createAuthenticatedToken) {
authRequest = new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
authRequest = new UsernamePasswordAuthenticationToken(user,
user.getPassword(), user.getAuthorities());
}
else {
authRequest = new UsernamePasswordAuthenticationToken(user, user.getPassword());
authRequest = new UsernamePasswordAuthenticationToken(user,
user.getPassword());
}
authRequest.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));
authRequest.setDetails(authenticationDetailsSource
.buildDetails((HttpServletRequest) request));
return authRequest;
}
private void fail(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed)
throws IOException, ServletException {
private void fail(HttpServletRequest request, HttpServletResponse response,
AuthenticationException failed) throws IOException, ServletException {
SecurityContextHolder.getContext().setAuthentication(null);
if (logger.isDebugEnabled()) {
@@ -246,12 +274,15 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes
return userDetailsService;
}
public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest,?> authenticationDetailsSource) {
Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
public void setAuthenticationDetailsSource(
AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
Assert.notNull(authenticationDetailsSource,
"AuthenticationDetailsSource required");
this.authenticationDetailsSource = authenticationDetailsSource;
}
public void setAuthenticationEntryPoint(DigestAuthenticationEntryPoint authenticationEntryPoint) {
public void setAuthenticationEntryPoint(
DigestAuthenticationEntryPoint authenticationEntryPoint) {
this.authenticationEntryPoint = authenticationEntryPoint;
}
@@ -271,18 +302,16 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes
this.userDetailsService = userDetailsService;
}
/**
* If you set this property, the Authentication object, which is
* created after the successful digest authentication will be marked
* as <b>authenticated</b> and filled with the authorities loaded by
* the UserDetailsService. It therefore will not be re-authenticated
* by your AuthenticationProvider. This means, that only the password
* If you set this property, the Authentication object, which is created after the
* successful digest authentication will be marked as <b>authenticated</b> and filled
* with the authorities loaded by the UserDetailsService. It therefore will not be
* re-authenticated by your AuthenticationProvider. This means, that only the password
* of the user is checked, but not the flags like isEnabled() or
* isAccountNonExpired(). You will save some time by enabling this flag,
* as otherwise your UserDetailsService will be called twice. A more secure
* option would be to introduce a cache around your UserDetailsService, but
* if you don't use these flags, you can also safely enable this option.
* isAccountNonExpired(). You will save some time by enabling this flag, as otherwise
* your UserDetailsService will be called twice. A more secure option would be to
* introduce a cache around your UserDetailsService, but if you don't use these flags,
* you can also safely enable this option.
*
* @param createAuthenticatedToken default is false
*/
@@ -304,8 +333,10 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes
DigestData(String header) {
section212response = header.substring(7);
String[] headerEntries = DigestAuthUtils.splitIgnoringQuotes(section212response, ',');
Map<String,String> headerMap = DigestAuthUtils.splitEachArrayElementAndCreateMap(headerEntries, "=", "\"");
String[] headerEntries = DigestAuthUtils.splitIgnoringQuotes(
section212response, ',');
Map<String, String> headerMap = DigestAuthUtils
.splitEachArrayElementAndCreateMap(headerEntries, "=", "\"");
username = headerMap.get("username");
realm = headerMap.get("realm");
@@ -317,69 +348,87 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes
cnonce = headerMap.get("cnonce"); // RFC 2617 extension
if (logger.isDebugEnabled()) {
logger.debug("Extracted username: '" + username + "'; realm: '" + realm + "'; nonce: '"
+ nonce + "'; uri: '" + uri + "'; response: '" + response + "'");
logger.debug("Extracted username: '" + username + "'; realm: '" + realm
+ "'; nonce: '" + nonce + "'; uri: '" + uri + "'; response: '"
+ response + "'");
}
}
void validateAndDecode(String entryPointKey, String expectedRealm) throws BadCredentialsException {
void validateAndDecode(String entryPointKey, String expectedRealm)
throws BadCredentialsException {
// Check all required parameters were supplied (ie RFC 2069)
if ((username == null) || (realm == null) || (nonce == null) || (uri == null) || (response == null)) {
throw new BadCredentialsException(messages.getMessage("DigestAuthenticationFilter.missingMandatory",
new Object[]{section212response}, "Missing mandatory digest value; received header {0}"));
if ((username == null) || (realm == null) || (nonce == null) || (uri == null)
|| (response == null)) {
throw new BadCredentialsException(messages.getMessage(
"DigestAuthenticationFilter.missingMandatory",
new Object[] { section212response },
"Missing mandatory digest value; received header {0}"));
}
// Check all required parameters for an "auth" qop were supplied (ie RFC 2617)
if ("auth".equals(qop)) {
if ((nc == null) || (cnonce == null)) {
if (logger.isDebugEnabled()) {
logger.debug("extracted nc: '" + nc + "'; cnonce: '" + cnonce + "'");
logger.debug("extracted nc: '" + nc + "'; cnonce: '" + cnonce
+ "'");
}
throw new BadCredentialsException(messages.getMessage("DigestAuthenticationFilter.missingAuth",
new Object[]{section212response}, "Missing mandatory digest value; received header {0}"));
throw new BadCredentialsException(messages.getMessage(
"DigestAuthenticationFilter.missingAuth",
new Object[] { section212response },
"Missing mandatory digest value; received header {0}"));
}
}
// Check realm name equals what we expected
if (!expectedRealm.equals(realm)) {
throw new BadCredentialsException(messages.getMessage("DigestAuthenticationFilter.incorrectRealm",
new Object[]{realm, expectedRealm},
"Response realm name '{0}' does not match system realm name of '{1}'"));
throw new BadCredentialsException(
messages.getMessage("DigestAuthenticationFilter.incorrectRealm",
new Object[] { realm, expectedRealm },
"Response realm name '{0}' does not match system realm name of '{1}'"));
}
// Check nonce was Base64 encoded (as sent by DigestAuthenticationEntryPoint)
if (!Base64.isBase64(nonce.getBytes())) {
throw new BadCredentialsException(messages.getMessage("DigestAuthenticationFilter.nonceEncoding",
new Object[]{nonce}, "Nonce is not encoded in Base64; received nonce {0}"));
throw new BadCredentialsException(messages.getMessage(
"DigestAuthenticationFilter.nonceEncoding",
new Object[] { nonce },
"Nonce is not encoded in Base64; received nonce {0}"));
}
// Decode nonce from Base64
// format of nonce is:
// base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
String nonceAsPlainText = new String(Base64.decode(nonce.getBytes()));
String[] nonceTokens = StringUtils.delimitedListToStringArray(nonceAsPlainText, ":");
String[] nonceTokens = StringUtils.delimitedListToStringArray(
nonceAsPlainText, ":");
if (nonceTokens.length != 2) {
throw new BadCredentialsException(messages.getMessage("DigestAuthenticationFilter.nonceNotTwoTokens",
new Object[]{nonceAsPlainText}, "Nonce should have yielded two tokens but was {0}"));
throw new BadCredentialsException(messages.getMessage(
"DigestAuthenticationFilter.nonceNotTwoTokens",
new Object[] { nonceAsPlainText },
"Nonce should have yielded two tokens but was {0}"));
}
// Extract expiry time from nonce
try {
nonceExpiryTime = new Long(nonceTokens[0]).longValue();
} catch (NumberFormatException nfe) {
throw new BadCredentialsException(messages.getMessage("DigestAuthenticationFilter.nonceNotNumeric",
new Object[]{nonceAsPlainText},
}
catch (NumberFormatException nfe) {
throw new BadCredentialsException(
messages.getMessage("DigestAuthenticationFilter.nonceNotNumeric",
new Object[] { nonceAsPlainText },
"Nonce token should have yielded a numeric first token, but was {0}"));
}
// Check signature of nonce matches this expiry time
String expectedNonceSignature = DigestAuthUtils.md5Hex(nonceExpiryTime + ":" + entryPointKey);
String expectedNonceSignature = DigestAuthUtils.md5Hex(nonceExpiryTime + ":"
+ entryPointKey);
if (!expectedNonceSignature.equals(nonceTokens[1])) {
new BadCredentialsException(messages.getMessage("DigestAuthenticationFilter.nonceCompromised",
new Object[]{nonceAsPlainText}, "Nonce token compromised {0}"));
new BadCredentialsException(messages.getMessage(
"DigestAuthenticationFilter.nonceCompromised",
new Object[] { nonceAsPlainText }, "Nonce token compromised {0}"));
}
}
@@ -387,8 +436,8 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes
// Compute the expected response-digest (will be in hex form)
// Don't catch IllegalArgumentException (already checked validity)
return DigestAuthUtils.generateDigest(passwordAlreadyEncoded, username, realm, password,
httpMethod, uri, qop, nonce, nc, cnonce);
return DigestAuthUtils.generateDigest(passwordAlreadyEncoded, username,
realm, password, httpMethod, uri, qop, nonce, nc, cnonce);
}
boolean isNonceExpired() {
@@ -304,7 +304,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
logger.debug("SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.");
}
if (httpSession != null && !contextObject.equals(contextBeforeExecution)) {
if (httpSession != null && authBeforeExecution != null) {
// SEC-1587 A non-anonymous context may still be in the session
// SEC-1735 remove if the contextBeforeExecution was not anonymous
httpSession.removeAttribute(springSecurityContextKey);
@@ -0,0 +1,88 @@
/*
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.context.support;
import java.util.Enumeration;
import javax.servlet.ServletContext;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
/**
* Spring Security extension to Spring's {@link WebApplicationContextUtils}.
*
* @author Rob Winch
*/
public abstract class SecurityWebApplicationContextUtils extends WebApplicationContextUtils {
/**
* Find a unique {@code WebApplicationContext} for this web app: either the
* root web app context (preferred) or a unique {@code WebApplicationContext}
* among the registered {@code ServletContext} attributes (typically coming
* from a single {@code DispatcherServlet} in the current web application).
* <p>Note that {@code DispatcherServlet}'s exposure of its context can be
* controlled through its {@code publishContext} property, which is {@code true}
* by default but can be selectively switched to only publish a single context
* despite multiple {@code DispatcherServlet} registrations in the web app.
* @param sc ServletContext to find the web application context for
* @return the desired WebApplicationContext for this web app
* @see #getWebApplicationContext(ServletContext)
* @see ServletContext#getAttributeNames()
* @throws IllegalStateException if no WebApplicationContext can be found
*/
public static WebApplicationContext findRequiredWebApplicationContext(ServletContext servletContext) {
WebApplicationContext wac = findWebApplicationContext(servletContext);
if (wac == null) {
throw new IllegalStateException("No WebApplicationContext found: no ContextLoaderListener registered?");
}
return wac;
}
/**
* Find a unique {@code WebApplicationContext} for this web app: either the
* root web app context (preferred) or a unique {@code WebApplicationContext}
* among the registered {@code ServletContext} attributes (typically coming
* from a single {@code DispatcherServlet} in the current web application).
* <p>Note that {@code DispatcherServlet}'s exposure of its context can be
* controlled through its {@code publishContext} property, which is {@code true}
* by default but can be selectively switched to only publish a single context
* despite multiple {@code DispatcherServlet} registrations in the web app.
* @param sc ServletContext to find the web application context for
* @return the desired WebApplicationContext for this web app, or {@code null} if none
* @see #getWebApplicationContext(ServletContext)
* @see ServletContext#getAttributeNames()
*/
private static WebApplicationContext findWebApplicationContext(ServletContext sc) {
WebApplicationContext wac = getWebApplicationContext(sc);
if (wac == null) {
Enumeration<String> attrNames = sc.getAttributeNames();
while (attrNames.hasMoreElements()) {
String attrName = attrNames.nextElement();
Object attrValue = sc.getAttribute(attrName);
if (attrValue instanceof WebApplicationContext) {
if (wac != null) {
throw new IllegalStateException("No unique WebApplicationContext found: more than one " +
"DispatcherServlet registered with publishContext=true?");
}
wac = (WebApplicationContext) attrValue;
}
}
}
return wac;
}
}
@@ -57,7 +57,7 @@ public class DefaultSavedRequest implements SavedRequest {
private final ArrayList<SavedCookie> cookies = new ArrayList<SavedCookie>();
private final ArrayList<Locale> locales = new ArrayList<Locale>();
private final Map<String, List<String>> headers = new TreeMap<String, List<String>>(String.CASE_INSENSITIVE_ORDER);
private final Map<String, String[]> parameters = new TreeMap<String, String[]>(String.CASE_INSENSITIVE_ORDER);
private final Map<String, String[]> parameters = new TreeMap<String, String[]>();
private final String contextPath;
private final String method;
private final String pathInfo;
@@ -19,6 +19,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.security.web.context.support.SecurityWebApplicationContextUtils;
import org.springframework.web.context.support.WebApplicationContextUtils;
@@ -49,7 +50,7 @@ public class HttpSessionEventPublisher implements HttpSessionListener {
//~ Methods ========================================================================================================
ApplicationContext getContext(ServletContext servletContext) {
return WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
return SecurityWebApplicationContextUtils.findRequiredWebApplicationContext(servletContext);
}
/**
@@ -15,11 +15,20 @@
package org.springframework.security.web.authentication.www;
import static org.junit.Assert.*;
import static org.mockito.Mockito.*;
import static org.fest.assertions.Assertions.*;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import java.io.IOException;
import java.util.*;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
@@ -32,7 +41,9 @@ import org.junit.Before;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
@@ -41,7 +52,6 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.core.userdetails.cache.NullUserCache;
import org.springframework.util.StringUtils;
/**
* Tests {@link DigestAuthenticationFilter}.
*
@@ -49,7 +59,8 @@ import org.springframework.util.StringUtils;
* @author Luke Taylor
*/
public class DigestAuthenticationFilterTests {
//~ Static fields/initializers =====================================================================================
// ~ Static fields/initializers
// =====================================================================================
private static final String NC = "00000002";
private static final String CNONCE = "c822c727a648aba7";
@@ -65,23 +76,26 @@ public class DigestAuthenticationFilterTests {
*/
private static final String NONCE = generateNonce(60);
//~ Instance fields ================================================================================================
// ~ Instance fields
// ================================================================================================
// private ApplicationContext ctx;
// private ApplicationContext ctx;
private DigestAuthenticationFilter filter;
private MockHttpServletRequest request;
// ~ Methods
// ========================================================================================================
//~ Methods ========================================================================================================
private String createAuthorizationHeader(String username, String realm, String nonce, String uri,
String responseDigest, String qop, String nc, String cnonce) {
return "Digest username=\"" + username + "\", realm=\"" + realm + "\", nonce=\"" + nonce + "\", uri=\"" + uri
+ "\", response=\"" + responseDigest + "\", qop=" + qop + ", nc=" + nc + ", cnonce=\"" + cnonce + "\"";
private String createAuthorizationHeader(String username, String realm, String nonce,
String uri, String responseDigest, String qop, String nc, String cnonce) {
return "Digest username=\"" + username + "\", realm=\"" + realm + "\", nonce=\""
+ nonce + "\", uri=\"" + uri + "\", response=\"" + responseDigest
+ "\", qop=" + qop + ", nc=" + nc + ", cnonce=\"" + cnonce + "\"";
}
private MockHttpServletResponse executeFilterInContainerSimulator(Filter filter, final ServletRequest request,
final boolean expectChainToProceed) throws ServletException, IOException {
private MockHttpServletResponse executeFilterInContainerSimulator(Filter filter,
final ServletRequest request, final boolean expectChainToProceed)
throws ServletException, IOException {
final MockHttpServletResponse response = new MockHttpServletResponse();
final FilterChain chain = mock(FilterChain.class);
@@ -111,8 +125,10 @@ public class DigestAuthenticationFilterTests {
// Create User Details Service
UserDetailsService uds = new UserDetailsService() {
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
return new User("rod,ok", "koala", AuthorityUtils.createAuthorityList("ROLE_ONE","ROLE_TWO"));
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException {
return new User("rod,ok", "koala", AuthorityUtils.createAuthorityList(
"ROLE_ONE", "ROLE_TWO"));
}
};
@@ -129,25 +145,28 @@ public class DigestAuthenticationFilterTests {
}
@Test
public void testExpiredNonceReturnsForbiddenWithStaleHeader()
throws Exception {
public void testExpiredNonceReturnsForbiddenWithStaleHeader() throws Exception {
String nonce = generateNonce(0);
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, nonce, NC, CNONCE);
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
PASSWORD, "GET", REQUEST_URI, QOP, nonce, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI,
responseDigest, QOP, NC, CNONCE));
Thread.sleep(1000); // ensures token expired
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
MockHttpServletResponse response = executeFilterInContainerSimulator(filter,
request, false);
assertNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(401, response.getStatus());
String header = response.getHeader("WWW-Authenticate").toString().substring(7);
String[] headerEntries = StringUtils.commaDelimitedListToStringArray(header);
Map<String,String> headerMap = DigestAuthUtils.splitEachArrayElementAndCreateMap(headerEntries, "=", "\"");
Map<String, String> headerMap = DigestAuthUtils
.splitEachArrayElementAndCreateMap(headerEntries, "=", "\"");
assertEquals("true", headerMap.get("stale"));
}
@@ -175,13 +194,14 @@ public class DigestAuthenticationFilterTests {
}
@Test
public void testInvalidDigestAuthorizationTokenGeneratesError()
throws Exception {
public void testInvalidDigestAuthorizationTokenGeneratesError() throws Exception {
String token = "NOT_A_VALID_TOKEN_AS_MISSING_COLON";
request.addHeader("Authorization", "Digest " + new String(Base64.encodeBase64(token.getBytes())));
request.addHeader("Authorization",
"Digest " + new String(Base64.encodeBase64(token.getBytes())));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
MockHttpServletResponse response = executeFilterInContainerSimulator(filter,
request, false);
assertEquals(401, response.getStatus());
assertNull(SecurityContextHolder.getContext().getAuthentication());
@@ -191,7 +211,8 @@ public class DigestAuthenticationFilterTests {
public void testMalformedHeaderReturnsForbidden() throws Exception {
request.addHeader("Authorization", "Digest scsdcsdc");
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
MockHttpServletResponse response = executeFilterInContainerSimulator(filter,
request, false);
assertNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(401, response.getStatus());
@@ -201,28 +222,36 @@ public class DigestAuthenticationFilterTests {
public void testNonBase64EncodedNonceReturnsForbidden() throws Exception {
String nonce = "NOT_BASE_64_ENCODED";
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, nonce, NC, CNONCE);
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
PASSWORD, "GET", REQUEST_URI, QOP, nonce, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI,
responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
MockHttpServletResponse response = executeFilterInContainerSimulator(filter,
request, false);
assertNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(401, response.getStatus());
}
@Test
public void testNonceWithIncorrectSignatureForNumericFieldReturnsForbidden() throws Exception {
String nonce = new String(Base64.encodeBase64("123456:incorrectStringPassword".getBytes()));
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, nonce, NC, CNONCE);
public void testNonceWithIncorrectSignatureForNumericFieldReturnsForbidden()
throws Exception {
String nonce = new String(Base64.encodeBase64("123456:incorrectStringPassword"
.getBytes()));
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
PASSWORD, "GET", REQUEST_URI, QOP, nonce, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI,
responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
MockHttpServletResponse response = executeFilterInContainerSimulator(filter,
request, false);
assertNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(401, response.getStatus());
@@ -230,29 +259,38 @@ public class DigestAuthenticationFilterTests {
@Test
public void testNonceWithNonNumericFirstElementReturnsForbidden() throws Exception {
String nonce = new String(Base64.encodeBase64("hello:ignoredSecondElement".getBytes()));
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, nonce, NC, CNONCE);
String nonce = new String(Base64.encodeBase64("hello:ignoredSecondElement"
.getBytes()));
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
PASSWORD, "GET", REQUEST_URI, QOP, nonce, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI,
responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
MockHttpServletResponse response = executeFilterInContainerSimulator(filter,
request, false);
assertNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(401, response.getStatus());
}
@Test
public void testNonceWithoutTwoColonSeparatedElementsReturnsForbidden() throws Exception {
String nonce = new String(Base64.encodeBase64("a base 64 string without a colon".getBytes()));
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, nonce, NC, CNONCE);
public void testNonceWithoutTwoColonSeparatedElementsReturnsForbidden()
throws Exception {
String nonce = new String(Base64.encodeBase64("a base 64 string without a colon"
.getBytes()));
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
PASSWORD, "GET", REQUEST_URI, QOP, nonce, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI,
responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
MockHttpServletResponse response = executeFilterInContainerSimulator(filter,
request, false);
assertNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(401, response.getStatus());
@@ -260,58 +298,67 @@ public class DigestAuthenticationFilterTests {
@Test
public void testNormalOperationWhenPasswordIsAlreadyEncoded() throws Exception {
String encodedPassword = DigestAuthUtils.encodePasswordInA1Format(USERNAME, REALM, PASSWORD);
String responseDigest = DigestAuthUtils.generateDigest(true, USERNAME, REALM, encodedPassword, "GET",
REQUEST_URI, QOP, NONCE, NC, CNONCE);
String encodedPassword = DigestAuthUtils.encodePasswordInA1Format(USERNAME,
REALM, PASSWORD);
String responseDigest = DigestAuthUtils.generateDigest(true, USERNAME, REALM,
encodedPassword, "GET", REQUEST_URI, QOP, NONCE, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI,
responseDigest, QOP, NC, CNONCE));
executeFilterInContainerSimulator(filter, request, true);
assertNotNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(USERNAME,
((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername());
assertEquals(USERNAME, ((UserDetails) SecurityContextHolder.getContext()
.getAuthentication().getPrincipal()).getUsername());
}
@Test
public void testNormalOperationWhenPasswordNotAlreadyEncoded() throws Exception {
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, NONCE, NC, CNONCE);
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
PASSWORD, "GET", REQUEST_URI, QOP, NONCE, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI,
responseDigest, QOP, NC, CNONCE));
executeFilterInContainerSimulator(filter, request, true);
assertNotNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(USERNAME,
((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername());
assertFalse(SecurityContextHolder.getContext().getAuthentication().isAuthenticated());
assertEquals(USERNAME, ((UserDetails) SecurityContextHolder.getContext()
.getAuthentication().getPrincipal()).getUsername());
assertFalse(SecurityContextHolder.getContext().getAuthentication()
.isAuthenticated());
}
@Test
public void testNormalOperationWhenPasswordNotAlreadyEncodedAndWithoutReAuthentication() throws Exception {
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, NONCE, NC, CNONCE);
public void testNormalOperationWhenPasswordNotAlreadyEncodedAndWithoutReAuthentication()
throws Exception {
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
PASSWORD, "GET", REQUEST_URI, QOP, NONCE, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI,
responseDigest, QOP, NC, CNONCE));
filter.setCreateAuthenticatedToken(true);
executeFilterInContainerSimulator(filter, request, true);
assertNotNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(USERNAME,
((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername());
assertTrue(SecurityContextHolder.getContext().getAuthentication().isAuthenticated());
assertEquals(AuthorityUtils.createAuthorityList("ROLE_ONE","ROLE_TWO"),
assertEquals(USERNAME, ((UserDetails) SecurityContextHolder.getContext()
.getAuthentication().getPrincipal()).getUsername());
assertTrue(SecurityContextHolder.getContext().getAuthentication()
.isAuthenticated());
assertEquals(AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO"),
SecurityContextHolder.getContext().getAuthentication().getAuthorities());
}
@Test
public void otherAuthorizationSchemeIsIgnored()
throws Exception {
public void otherAuthorizationSchemeIsIgnored() throws Exception {
request.addHeader("Authorization", "SOME_OTHER_AUTHENTICATION_SCHEME");
executeFilterInContainerSimulator(filter, request, true);
@@ -319,14 +366,14 @@ public class DigestAuthenticationFilterTests {
assertNull(SecurityContextHolder.getContext().getAuthentication());
}
@Test(expected=IllegalArgumentException.class)
@Test(expected = IllegalArgumentException.class)
public void startupDetectsMissingAuthenticationEntryPoint() throws Exception {
DigestAuthenticationFilter filter = new DigestAuthenticationFilter();
filter.setUserDetailsService(mock(UserDetailsService.class));
filter.afterPropertiesSet();
}
@Test(expected=IllegalArgumentException.class)
@Test(expected = IllegalArgumentException.class)
public void startupDetectsMissingUserDetailsService() throws Exception {
DigestAuthenticationFilter filter = new DigestAuthenticationFilter();
filter.setAuthenticationEntryPoint(new DigestAuthenticationEntryPoint());
@@ -334,26 +381,32 @@ public class DigestAuthenticationFilterTests {
}
@Test
public void successfulLoginThenFailedLoginResultsInSessionLosingToken() throws Exception {
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, NONCE, NC, CNONCE);
public void successfulLoginThenFailedLoginResultsInSessionLosingToken()
throws Exception {
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
PASSWORD, "GET", REQUEST_URI, QOP, NONCE, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI,
responseDigest, QOP, NC, CNONCE));
executeFilterInContainerSimulator(filter, request, true);
assertNotNull(SecurityContextHolder.getContext().getAuthentication());
// Now retry, giving an invalid nonce
responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM, "WRONG_PASSWORD", "GET",
REQUEST_URI, QOP, NONCE, NC, CNONCE);
responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
"WRONG_PASSWORD", "GET", REQUEST_URI, QOP, NONCE, NC, CNONCE);
request = new MockHttpServletRequest();
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI,
responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
MockHttpServletResponse response = executeFilterInContainerSimulator(filter,
request, false);
// Check we lost our previous authentication
assertNull(SecurityContextHolder.getContext().getAuthentication());
@@ -364,13 +417,16 @@ public class DigestAuthenticationFilterTests {
public void wrongCnonceBasedOnDigestReturnsForbidden() throws Exception {
String cnonce = "NOT_SAME_AS_USED_FOR_DIGEST_COMPUTATION";
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, NONCE, NC, "DIFFERENT_CNONCE");
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
PASSWORD, "GET", REQUEST_URI, QOP, NONCE, NC, "DIFFERENT_CNONCE");
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, cnonce));
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI,
responseDigest, QOP, NC, cnonce));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
MockHttpServletResponse response = executeFilterInContainerSimulator(filter,
request, false);
assertNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(401, response.getStatus());
@@ -379,13 +435,16 @@ public class DigestAuthenticationFilterTests {
@Test
public void wrongDigestReturnsForbidden() throws Exception {
String password = "WRONG_PASSWORD";
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM, password, "GET",
REQUEST_URI, QOP, NONCE, NC, CNONCE);
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
password, "GET", REQUEST_URI, QOP, NONCE, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI,
responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
MockHttpServletResponse response = executeFilterInContainerSimulator(filter,
request, false);
assertNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(401, response.getStatus());
@@ -394,13 +453,16 @@ public class DigestAuthenticationFilterTests {
@Test
public void wrongRealmReturnsForbidden() throws Exception {
String realm = "WRONG_REALM";
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, realm, PASSWORD, "GET",
REQUEST_URI, QOP, NONCE, NC, CNONCE);
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, realm,
PASSWORD, "GET", REQUEST_URI, QOP, NONCE, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, realm, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, realm, NONCE, REQUEST_URI,
responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
MockHttpServletResponse response = executeFilterInContainerSimulator(filter,
request, false);
assertNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(401, response.getStatus());
@@ -408,15 +470,41 @@ public class DigestAuthenticationFilterTests {
@Test
public void wrongUsernameReturnsForbidden() throws Exception {
String responseDigest = DigestAuthUtils.generateDigest(false, "NOT_A_KNOWN_USER", REALM, PASSWORD,
"GET", REQUEST_URI, QOP, NONCE, NC, CNONCE);
String responseDigest = DigestAuthUtils.generateDigest(false, "NOT_A_KNOWN_USER",
REALM, PASSWORD, "GET", REQUEST_URI, QOP, NONCE, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI,
responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
MockHttpServletResponse response = executeFilterInContainerSimulator(filter,
request, false);
assertNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(401, response.getStatus());
}
// SEC-3108
@Test
public void authenticationCreatesEmptyContext() throws Exception {
SecurityContext existingContext = SecurityContextHolder.createEmptyContext();
TestingAuthenticationToken existingAuthentication = new TestingAuthenticationToken("existingauthenitcated", "pass", "ROLE_USER");
existingContext.setAuthentication(existingAuthentication);
SecurityContextHolder.setContext(existingContext);
String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
PASSWORD, "GET", REQUEST_URI, QOP, NONCE, NC, CNONCE);
request.addHeader(
"Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI,
responseDigest, QOP, NC, CNONCE));
filter.setCreateAuthenticatedToken(true);
executeFilterInContainerSimulator(filter, request, true);
assertThat(existingAuthentication).isSameAs(existingContext.getAuthentication());
}
}
@@ -429,6 +429,25 @@ public class HttpSessionSecurityContextRepositoryTests {
assertSame(ctxInSession,request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
}
// SEC-3070
@Test
public void logoutInvalidateSessionFalseFails() throws Exception {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
ctxInSession.setAuthentication(testToken);
request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
repo.loadContext(holder);
ctxInSession.setAuthentication(null);
repo.saveContext(ctxInSession, holder.getRequest(), holder.getResponse());
assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
}
@Test
@SuppressWarnings("deprecation")
public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl() throws Exception {
@@ -30,12 +30,15 @@ public class DefaultSavedRequestTests {
assertTrue(saved.getHeaderValues("if-none-match").isEmpty());
}
// TODO: Why are parameters case insensitive. I think this is a mistake
// SEC-3082
@Test
public void parametersAreCaseInsensitive() throws Exception {
public void parametersAreCaseSensitive() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
request.addParameter("ThisIsATest", "Hi mom");
DefaultSavedRequest saved = new DefaultSavedRequest(request, new MockPortResolver(8080, 8443));
request.addParameter("AnotHerTest", "Hi dad");
request.addParameter("thisisatest", "Hi mom");
DefaultSavedRequest saved = new DefaultSavedRequest(request,
new MockPortResolver(8080, 8443));
assertEquals("Hi mom", saved.getParameterValues("thisisatest")[0]);
assertNull(saved.getParameterValues("anothertest"));
}
}
@@ -319,7 +319,7 @@ public class SecurityContextHolderAwareRequestFilterTests {
verify(asyncContext).start(runnableCaptor.capture());
DelegatingSecurityContextRunnable wrappedRunnable = (DelegatingSecurityContextRunnable) runnableCaptor
.getValue();
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, SecurityContext.class))
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, "delegateSecurityContext"))
.isEqualTo(context);
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, "delegate"))
.isEqualTo(runnable);
@@ -346,7 +346,7 @@ public class SecurityContextHolderAwareRequestFilterTests {
verify(asyncContext).start(runnableCaptor.capture());
DelegatingSecurityContextRunnable wrappedRunnable = (DelegatingSecurityContextRunnable) runnableCaptor
.getValue();
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, SecurityContext.class))
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, "delegateSecurityContext"))
.isEqualTo(context);
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, "delegate"))
.isEqualTo(runnable);
@@ -373,7 +373,7 @@ public class SecurityContextHolderAwareRequestFilterTests {
verify(asyncContext).start(runnableCaptor.capture());
DelegatingSecurityContextRunnable wrappedRunnable = (DelegatingSecurityContextRunnable) runnableCaptor
.getValue();
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, SecurityContext.class))
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, "delegateSecurityContext"))
.isEqualTo(context);
assertThat(WhiteboxImpl.getInternalState(wrappedRunnable, "delegate"))
.isEqualTo(runnable);
@@ -44,7 +44,45 @@ public class HttpSessionEventPublisherTests {
StaticWebApplicationContext context = new StaticWebApplicationContext();
MockServletContext servletContext = new MockServletContext();
servletContext.setAttribute(StaticWebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE, context);
servletContext.setAttribute(
StaticWebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE,
context);
context.setServletContext(servletContext);
context.registerSingleton("listener", MockApplicationListener.class, null);
context.refresh();
MockHttpSession session = new MockHttpSession(servletContext);
MockApplicationListener listener = (MockApplicationListener) context
.getBean("listener");
HttpSessionEvent event = new HttpSessionEvent(session);
publisher.sessionCreated(event);
assertNotNull(listener.getCreatedEvent());
assertNull(listener.getDestroyedEvent());
assertEquals(session, listener.getCreatedEvent().getSession());
listener.setCreatedEvent(null);
listener.setDestroyedEvent(null);
publisher.sessionDestroyed(event);
assertNotNull(listener.getDestroyedEvent());
assertNull(listener.getCreatedEvent());
assertEquals(session, listener.getDestroyedEvent().getSession());
}
@Test
public void publishedEventIsReceivedbyListenerChildContext() {
HttpSessionEventPublisher publisher = new HttpSessionEventPublisher();
StaticWebApplicationContext context = new StaticWebApplicationContext();
MockServletContext servletContext = new MockServletContext();
servletContext.setAttribute(
"org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher",
context);
context.setServletContext(servletContext);
context.registerSingleton("listener", MockApplicationListener.class, null);