Compare commits
46 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 7be99ff7fa | |||
| 0e9d9da46b | |||
| a3a78e50cb | |||
| 8c8f499a69 | |||
| 80ca441e88 | |||
| cfd576316f | |||
| 409a74330e | |||
| 87247318f2 | |||
| dbf883ba98 | |||
| 675ac80926 | |||
| 5f6e3855f1 | |||
| 19f88e9179 | |||
| cf9b6bc0de | |||
| fc67550ff2 | |||
| af2a431f23 | |||
| 8d9b06afb4 | |||
| 0ecdd0e856 | |||
| edd2751ff1 | |||
| 8663ac4173 | |||
| 72213b5c69 | |||
| 2bbe70501b | |||
| da606d50c0 | |||
| d648a56e16 | |||
| 9c39a0e83e | |||
| c8692b6d0b | |||
| 45bbabd485 | |||
| 43fbeab106 | |||
| b719e0fbcc | |||
| 09bf290583 | |||
| 9a6f026dff | |||
| 269127c2c6 | |||
| 7074daac0e | |||
| 69446ab80f | |||
| 48bc0ad5f9 | |||
| db9584104c | |||
| b0701ea770 | |||
| 8cc9108601 | |||
| 41c9431fcc | |||
| 453e6332da | |||
| 969f3a7d1b | |||
| 4c19768e54 | |||
| ad1d858e2b | |||
| 7317c090cc | |||
| 485fbdc1ee | |||
| 22aa91c8e1 | |||
| 3832647ecf |
@@ -1,3 +1,5 @@
|
||||
image::https://badges.gitter.im/Join%20Chat.svg[Gitter,link=https://gitter.im/spring-projects/spring-security?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge]
|
||||
|
||||
= Spring Security
|
||||
|
||||
Spring Security provides security services for the http://docs.spring.io[Spring IO Platform]. Spring Security 3.1 requires Spring 3.0.3 as
|
||||
|
||||
+3
-3
@@ -3,7 +3,7 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-acl</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<name>spring-security-acl</name>
|
||||
<description>spring-security-acl</description>
|
||||
<url>http://spring.io/spring-security</url>
|
||||
@@ -40,7 +40,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-core</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
@@ -145,7 +145,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-framework-bom</artifactId>
|
||||
<version>4.1.6.RELEASE</version>
|
||||
<version>4.2.5.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
|
||||
@@ -83,14 +83,14 @@ import org.springframework.util.StringUtils;
|
||||
* Alternatively, you could have used a common superclass or interface for the
|
||||
* {@link #processDomainObjectClass} if both <code>BankAccount</code> and
|
||||
* <code>Customer</code> had common parents.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* If the principal does not have sufficient permissions, the voter will vote to deny
|
||||
* access.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* All comparisons and prefixes are case sensitive.
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* @author Ben Alex
|
||||
*/
|
||||
|
||||
+3
-3
@@ -3,7 +3,7 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-aspects</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<name>spring-security-aspects</name>
|
||||
<description>spring-security-aspects</description>
|
||||
<url>http://spring.io/spring-security</url>
|
||||
@@ -34,7 +34,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-core</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
@@ -124,7 +124,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-framework-bom</artifactId>
|
||||
<version>4.1.6.RELEASE</version>
|
||||
<version>4.2.5.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
|
||||
+11
-6
@@ -25,7 +25,7 @@ allprojects {
|
||||
|
||||
ext.releaseBuild = version.endsWith('RELEASE')
|
||||
ext.snapshotBuild = version.endsWith('SNAPSHOT')
|
||||
ext.springVersion = '4.1.6.RELEASE'
|
||||
ext.springVersion = '4.2.5.RELEASE'
|
||||
ext.springLdapVersion = '2.0.2.RELEASE'
|
||||
|
||||
group = 'org.springframework.security'
|
||||
@@ -99,7 +99,7 @@ configure(coreModuleProjects) {
|
||||
apply plugin: 'emma'
|
||||
apply plugin: 'spring-io'
|
||||
|
||||
ext.springIoVersion = project.hasProperty('platformVersion') ? platformVersion : 'latest.integration'
|
||||
ext.springIoVersion = project.hasProperty('platformVersion') ? platformVersion : '2.0.1.RELEASE'
|
||||
|
||||
configurations {
|
||||
jacoco //Configuration Group used by Sonar to provide Code Coverage using JaCoCo
|
||||
@@ -113,7 +113,7 @@ configure(coreModuleProjects) {
|
||||
}
|
||||
}
|
||||
dependencies {
|
||||
jacoco "org.jacoco:org.jacoco.agent:0.6.2.201302030002:runtime"
|
||||
jacoco "org.jacoco:org.jacoco.agent:0.7.5.201505241946:runtime"
|
||||
}
|
||||
test {
|
||||
jvmArgs "-javaagent:${configurations.jacoco.asPath}=destfile=${buildDir}/jacoco.exec,includes=${project.group}.*"
|
||||
@@ -135,7 +135,7 @@ task coreBuild {
|
||||
// Task for creating the distro zip
|
||||
|
||||
task dist(type: Zip) {
|
||||
dependsOn subprojects*.tasks*.matching { task -> task.name == 'assemble' || task.name.endsWith('Zip') || task.name.endsWith('generatePom') }
|
||||
dependsOn { subprojects*.tasks*.matching { task -> task.name.endsWith('generatePom') } }
|
||||
classifier = 'dist'
|
||||
|
||||
evaluationDependsOn(':docs')
|
||||
@@ -145,14 +145,19 @@ task dist(type: Zip) {
|
||||
into(zipRootDir) {
|
||||
from(rootDir) {
|
||||
include '*.adoc'
|
||||
include '*.txt'
|
||||
}
|
||||
into('docs') {
|
||||
with(project(':docs').apiSpec)
|
||||
with(project(':docs:manual').spec)
|
||||
with(project(':docs:guides').spec)
|
||||
}
|
||||
into('dist') {
|
||||
from coreModuleProjects.collect {project -> project.libsDir }
|
||||
project.coreModuleProjects*.tasks*.withType(AbstractArchiveTask).flatten().each{ archiveTask ->
|
||||
if(archiveTask!=dist){
|
||||
into("$zipRootDir/dist") {
|
||||
from archiveTask.outputs.files
|
||||
}
|
||||
}
|
||||
}
|
||||
sampleProjects.each { project->
|
||||
into("$zipRootDir/samples/$project.name") {
|
||||
|
||||
+4
-4
@@ -3,7 +3,7 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-cas</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<name>spring-security-cas</name>
|
||||
<description>spring-security-cas</description>
|
||||
<url>http://spring.io/spring-security</url>
|
||||
@@ -40,13 +40,13 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-core</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-web</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
@@ -136,7 +136,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-framework-bom</artifactId>
|
||||
<version>4.1.6.RELEASE</version>
|
||||
<version>4.2.5.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
|
||||
+9
-9
@@ -3,7 +3,7 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-config</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<name>spring-security-config</name>
|
||||
<description>spring-security-config</description>
|
||||
<url>http://spring.io/spring-security</url>
|
||||
@@ -40,7 +40,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-core</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
@@ -86,28 +86,28 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-ldap</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-messaging</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-openid</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-web</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
@@ -360,13 +360,13 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-aspects</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-cas</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
@@ -390,7 +390,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-framework-bom</artifactId>
|
||||
<version>4.1.6.RELEASE</version>
|
||||
<version>4.2.5.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
|
||||
+7
-2
@@ -55,6 +55,7 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
|
||||
private final Log logger = LogFactory.getLog(getClass());
|
||||
|
||||
private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers = new LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>>();
|
||||
private final List<SecurityConfigurer<O, B>> configurersAddedInInitializing = new ArrayList<SecurityConfigurer<O, B>>();
|
||||
|
||||
private final Map<Class<Object>, Object> sharedObjects = new HashMap<Class<Object>, Object>();
|
||||
|
||||
@@ -126,9 +127,9 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
|
||||
@SuppressWarnings("unchecked")
|
||||
public <C extends SecurityConfigurerAdapter<O, B>> C apply(C configurer)
|
||||
throws Exception {
|
||||
add(configurer);
|
||||
configurer.addObjectPostProcessor(objectPostProcessor);
|
||||
configurer.setBuilder((B) this);
|
||||
add(configurer);
|
||||
return configurer;
|
||||
}
|
||||
|
||||
@@ -202,7 +203,7 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
|
||||
configs.add(configurer);
|
||||
this.configurers.put(clazz, configs);
|
||||
if (buildState.isInitializing()) {
|
||||
configurer.init((B) this);
|
||||
this.configurersAddedInInitializing.add(configurer);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -368,6 +369,10 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
|
||||
for (SecurityConfigurer<O, B> configurer : configurers) {
|
||||
configurer.init((B) this);
|
||||
}
|
||||
|
||||
for (SecurityConfigurer<O, B> configurer : configurersAddedInInitializing) {
|
||||
configurer.init((B) this);
|
||||
}
|
||||
}
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
|
||||
+1
-1
@@ -58,7 +58,7 @@ public abstract class SecurityConfigurerAdapter<O, B extends SecurityBuilder<O>>
|
||||
* Gets the {@link SecurityBuilder}. Cannot be null.
|
||||
*
|
||||
* @return the {@link SecurityBuilder}
|
||||
* @throw {@link IllegalStateException} if {@link SecurityBuilder} is null
|
||||
* @throws IllegalStateException if {@link SecurityBuilder} is null
|
||||
*/
|
||||
protected final B getBuilder() {
|
||||
if (securityBuilder == null) {
|
||||
|
||||
+2
-1
@@ -36,9 +36,10 @@ public interface ProviderManagerBuilder<B extends ProviderManagerBuilder<B>> ext
|
||||
* customizations must be done externally and the {@link ProviderManagerBuilder} is
|
||||
* returned immediately.
|
||||
*
|
||||
* Note that an Exception is thrown if an error occurs when adding the {@link AuthenticationProvider}.
|
||||
*
|
||||
* @return a {@link ProviderManagerBuilder} to allow further authentication to be
|
||||
* provided to the {@link ProviderManagerBuilder}
|
||||
* @throws Exception if an error occurs when adding the {@link AuthenticationProvider}
|
||||
*/
|
||||
B authenticationProvider(AuthenticationProvider authenticationProvider);
|
||||
}
|
||||
|
||||
+3
-4
@@ -61,7 +61,7 @@ public class AuthenticationManagerBuilder
|
||||
|
||||
/**
|
||||
* Creates a new instance
|
||||
* @param the {@link ObjectPostProcessor} instance to use.
|
||||
* @param objectPostProcessor the {@link ObjectPostProcessor} instance to use.
|
||||
*/
|
||||
public AuthenticationManagerBuilder(ObjectPostProcessor<Object> objectPostProcessor) {
|
||||
super(objectPostProcessor, true);
|
||||
@@ -196,7 +196,6 @@ public class AuthenticationManagerBuilder
|
||||
* <p>
|
||||
* This method <b>does NOT</b> ensure that a {@link UserDetailsService} is available
|
||||
* for the {@link #getDefaultUserDetailsService()} method.
|
||||
* </p>
|
||||
*
|
||||
* @return a {@link LdapAuthenticationProviderConfigurer} to allow customization of
|
||||
* the LDAP authentication
|
||||
@@ -216,11 +215,11 @@ public class AuthenticationManagerBuilder
|
||||
* <p>
|
||||
* This method <b>does NOT</b> ensure that the {@link UserDetailsService} is available
|
||||
* for the {@link #getDefaultUserDetailsService()} method.
|
||||
* </p>
|
||||
*
|
||||
* Note that an {@link Exception} might be thrown if an error occurs when adding the {@link AuthenticationProvider}.
|
||||
*
|
||||
* @return a {@link AuthenticationManagerBuilder} to allow further authentication to
|
||||
* be provided to the {@link AuthenticationManagerBuilder}
|
||||
* @throws Exception if an error occurs when adding the {@link AuthenticationProvider}
|
||||
*/
|
||||
public AuthenticationManagerBuilder authenticationProvider(
|
||||
AuthenticationProvider authenticationProvider) {
|
||||
|
||||
+1
-1
@@ -27,7 +27,7 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
* to have in memory authentication. It also allows easily adding users to the in memory
|
||||
* authentication.
|
||||
*
|
||||
* @param <B> the type of the {@link SecurityBuilder} that is being configured
|
||||
* @param <B> the type of the {@link ProviderManagerBuilder} that is being configured
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 3.2
|
||||
|
||||
+4
-5
@@ -38,7 +38,6 @@ import org.springframework.security.provisioning.JdbcUserDetailsManager;
|
||||
* <p>
|
||||
* The only required method is the {@link #dataSource(javax.sql.DataSource)} all other
|
||||
* methods have reasonable defaults.
|
||||
* </p>
|
||||
*
|
||||
* @param <B> the type of the {@link ProviderManagerBuilder} that is being configured
|
||||
*
|
||||
@@ -82,7 +81,7 @@ public class JdbcUserDetailsManagerConfigurer<B extends ProviderManagerBuilder<B
|
||||
* </code>
|
||||
* @param query The query to use for selecting the username, password, and if the user
|
||||
* is enabled by username. Must contain a single parameter for the username.
|
||||
* @return The {@link JdbcUserDetailsManagerRegistry} used for additional
|
||||
* @return The {@link JdbcUserDetailsManagerConfigurer} used for additional
|
||||
* customizations
|
||||
* @throws Exception
|
||||
*/
|
||||
@@ -102,7 +101,7 @@ public class JdbcUserDetailsManagerConfigurer<B extends ProviderManagerBuilder<B
|
||||
*
|
||||
* @param query The query to use for selecting the username, authority by username.
|
||||
* Must contain a single parameter for the username.
|
||||
* @return The {@link JdbcUserDetailsManagerRegistry} used for additional
|
||||
* @return The {@link JdbcUserDetailsManagerConfigurer} used for additional
|
||||
* customizations
|
||||
* @throws Exception
|
||||
*/
|
||||
@@ -126,7 +125,7 @@ public class JdbcUserDetailsManagerConfigurer<B extends ProviderManagerBuilder<B
|
||||
*
|
||||
* @param query The query to use for selecting the authorities by group. Must contain
|
||||
* a single parameter for the username.
|
||||
* @return The {@link JdbcUserDetailsManagerRegistry} used for additional
|
||||
* @return The {@link JdbcUserDetailsManagerConfigurer} used for additional
|
||||
* customizations
|
||||
* @throws Exception
|
||||
*/
|
||||
@@ -181,7 +180,7 @@ public class JdbcUserDetailsManagerConfigurer<B extends ProviderManagerBuilder<B
|
||||
/**
|
||||
* Populates the default schema that allows users and authorities to be stored.
|
||||
*
|
||||
* @return The {@link JdbcUserDetailsManagerRegistry} used for additional
|
||||
* @return The {@link JdbcUserDetailsManagerConfigurer} used for additional
|
||||
* customizations
|
||||
*/
|
||||
public JdbcUserDetailsManagerConfigurer<B> withDefaultSchema() {
|
||||
|
||||
+2
-6
@@ -80,9 +80,6 @@ public class UserDetailsManagerConfigurer<B extends ProviderManagerBuilder<B>, C
|
||||
/**
|
||||
* Builds the user to be added. At minimum the username, password, and authorities
|
||||
* should provided. The remaining attributes have reasonable defaults.
|
||||
*
|
||||
* @param <T> the type of {@link UserDetailsManagerConfigurer} to return for chaining
|
||||
* methods.
|
||||
*/
|
||||
public class UserDetailsBuilder {
|
||||
private String username;
|
||||
@@ -103,11 +100,10 @@ public class UserDetailsManagerConfigurer<B extends ProviderManagerBuilder<B>, C
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the {@link UserDetailsManagerRegistry} for method chaining (i.e. to add
|
||||
* Returns the {@link UserDetailsManagerConfigurer} for method chaining (i.e. to add
|
||||
* another user)
|
||||
*
|
||||
* @return the {@link UserDetailsManagerRegistry} for method chaining (i.e. to add
|
||||
* another user)
|
||||
* @return the {@link UserDetailsManagerConfigurer} for method chaining
|
||||
*/
|
||||
public C and() {
|
||||
return builder;
|
||||
|
||||
+2
-2
@@ -27,8 +27,8 @@ import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
* @author Rob Winch
|
||||
* @since 3.2
|
||||
*
|
||||
* @param <B> the type of the {@link SecurityBuilder}
|
||||
* @param <C> the {@link SecurityConfigurer} (or this)
|
||||
* @param <B> the type of the {@link ProviderManagerBuilder}
|
||||
* @param <C> the {@link UserDetailsServiceConfigurer} (or this)
|
||||
* @param <U> the type of UserDetailsService being used to allow for returning the
|
||||
* concrete UserDetailsService.
|
||||
*/
|
||||
|
||||
+1
-2
@@ -29,9 +29,8 @@ import org.springframework.security.config.annotation.configuration.ObjectPostPr
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Enables Spring Security global method security similar to the <global-method-security>
|
||||
* Enables Spring Security global method security similar to the <global-method-security>
|
||||
* xml support.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* More advanced configurations may wish to extend
|
||||
|
||||
+16
-1
@@ -25,6 +25,7 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.util.ObjectUtils;
|
||||
|
||||
/**
|
||||
* A base class for registering {@link RequestMatcher}'s. For example, it might allow for
|
||||
@@ -48,6 +49,20 @@ public abstract class AbstractRequestMatcherRegistry<C> {
|
||||
return requestMatchers(ANY_REQUEST);
|
||||
}
|
||||
|
||||
/**
|
||||
* Maps a {@link List} of
|
||||
* {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher}
|
||||
* instances.
|
||||
*
|
||||
* @param method the {@link HttpMethod} to use for any
|
||||
* {@link HttpMethod}.
|
||||
*
|
||||
* @return the object that is chained after creating the {@link RequestMatcher}
|
||||
*/
|
||||
public C antMatchers(HttpMethod method) {
|
||||
return antMatchers(method, new String[] { "/**" });
|
||||
}
|
||||
|
||||
/**
|
||||
* Maps a {@link List} of
|
||||
* {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher}
|
||||
@@ -55,7 +70,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
|
||||
*
|
||||
* @param method the {@link HttpMethod} to use or {@code null} for any
|
||||
* {@link HttpMethod}.
|
||||
* @param antPatterns the ant patterns to create
|
||||
* @param antPatterns the ant patterns to create. If {@code null} or empty, then matches on nothing.
|
||||
* {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher} from
|
||||
*
|
||||
* @return the object that is chained after creating the {@link RequestMatcher}
|
||||
|
||||
+2
-2
@@ -142,11 +142,11 @@ public interface HttpSecurityBuilder<H extends HttpSecurityBuilder<H>> extends
|
||||
* <li>{@link LogoutFilter}</li>
|
||||
* <li>{@link X509AuthenticationFilter}</li>
|
||||
* <li>{@link AbstractPreAuthenticatedProcessingFilter}</li>
|
||||
* <li>{@link org.springframework.security.cas.web.CasAuthenticationFilter}</li>
|
||||
* <li><a href="{@docRoot}/org/springframework/security/cas/web/CasAuthenticationFilter.html">CasAuthenticationFilter</a></li>
|
||||
* <li>{@link UsernamePasswordAuthenticationFilter}</li>
|
||||
* <li>{@link ConcurrentSessionFilter}</li>
|
||||
* <li>{@link OpenIDAuthenticationFilter}</li>
|
||||
* <li>{@link DefaultLoginPageGeneratingFilter}</li>
|
||||
* <li>{@link org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter}</li>
|
||||
* <li>{@link ConcurrentSessionFilter}</li>
|
||||
* <li>{@link DigestAuthenticationFilter}</li>
|
||||
* <li>{@link BasicAuthenticationFilter}</li>
|
||||
|
||||
+10
-6
@@ -71,7 +71,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* A {@link HttpSecurity} is similar to Spring Security's XML <http> element in the
|
||||
* A {@link HttpSecurity} is similar to Spring Security's XML <http> element in the
|
||||
* namespace configuration. It allows configuring web based security for specific http
|
||||
* requests. By default it will be applied to all requests, but can be restricted using
|
||||
* {@link #requestMatcher(RequestMatcher)} or other similar methods.
|
||||
@@ -283,7 +283,7 @@ public final class HttpSecurity extends
|
||||
*
|
||||
* @return
|
||||
* @throws Exception
|
||||
* @see {@link HeadersConfigurer}
|
||||
* @see HeadersConfigurer
|
||||
*/
|
||||
public HeadersConfigurer<HttpSecurity> headers() throws Exception {
|
||||
return getOrApply(new HeadersConfigurer<HttpSecurity>());
|
||||
@@ -326,8 +326,8 @@ public final class HttpSecurity extends
|
||||
*
|
||||
* <pre>
|
||||
* <listener>
|
||||
* <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
|
||||
* </listener>
|
||||
* <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
|
||||
* </listener>
|
||||
* </pre>
|
||||
*
|
||||
* Alternatively,
|
||||
@@ -378,7 +378,7 @@ public final class HttpSecurity extends
|
||||
*
|
||||
* @return the {@link PortMapperConfigurer} for further customizations
|
||||
* @throws Exception
|
||||
* @see {@link #requiresChannel()}
|
||||
* @see #requiresChannel()
|
||||
*/
|
||||
public PortMapperConfigurer<HttpSecurity> portMapper() throws Exception {
|
||||
return getOrApply(new PortMapperConfigurer<HttpSecurity>());
|
||||
@@ -716,7 +716,7 @@ public final class HttpSecurity extends
|
||||
* {@link org.springframework.security.authentication.AnonymousAuthenticationToken}
|
||||
* and contain the role "ROLE_ANONYMOUS".
|
||||
*
|
||||
* <h2>Example Configuration</h2
|
||||
* <h2>Example Configuration</h2>
|
||||
*
|
||||
* The following configuration demonstrates how to specify that anonymous users should
|
||||
* contain the role "ROLE_ANON" instead.
|
||||
@@ -908,6 +908,10 @@ public final class HttpSecurity extends
|
||||
return getOrApply(new HttpBasicConfigurer<HttpSecurity>());
|
||||
}
|
||||
|
||||
public <C> void setSharedObject(Class<C> sharedType, C object) {
|
||||
super.setSharedObject(sharedType, object);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void beforeConfigure() throws Exception {
|
||||
setSharedObject(AuthenticationManager.class, getAuthenticationRegistry().build());
|
||||
|
||||
-13
@@ -1,13 +0,0 @@
|
||||
package org.springframework.security.config.annotation.web.configuration;
|
||||
|
||||
import org.springframework.context.annotation.Conditional;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
* @since 4.0
|
||||
*/
|
||||
@Conditional(OnMissingBeanCondition.class)
|
||||
@interface ConditionalOnMissingBean {
|
||||
|
||||
Class<?> value();
|
||||
}
|
||||
-40
@@ -1,40 +0,0 @@
|
||||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
* use this file except in compliance with the License. You may obtain a copy of
|
||||
* the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
* License for the specific language governing permissions and limitations under
|
||||
* the License.
|
||||
*/
|
||||
package org.springframework.security.config.annotation.web.configuration;
|
||||
|
||||
import java.util.Map;
|
||||
|
||||
import org.springframework.context.annotation.ConditionContext;
|
||||
import org.springframework.context.annotation.ConfigurationCondition;
|
||||
import org.springframework.core.type.AnnotatedTypeMetadata;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*/
|
||||
class OnMissingBeanCondition implements ConfigurationCondition {
|
||||
public ConfigurationPhase getConfigurationPhase() {
|
||||
return ConfigurationPhase.REGISTER_BEAN;
|
||||
}
|
||||
|
||||
public boolean matches(ConditionContext context, AnnotatedTypeMetadata metadata) {
|
||||
Map<String, Object> attrs = metadata
|
||||
.getAnnotationAttributes(ConditionalOnMissingBean.class.getName());
|
||||
|
||||
Class<?> type = (Class<?>) attrs.get("value");
|
||||
final Map<String, ?> beans = context.getBeanFactory().getBeansOfType(type);
|
||||
return beans.isEmpty();
|
||||
}
|
||||
}
|
||||
+1
-2
@@ -29,7 +29,7 @@ import java.util.List;
|
||||
/**
|
||||
* Used to add a {@link RequestDataValueProcessor} for Spring MVC and Spring Security CSRF
|
||||
* integration. This configuration is added whenever {@link EnableWebMvc} is added by
|
||||
* {@link SpringWebMvcImportSelector} and the DispatcherServlet is present on the
|
||||
* <a href="{@docRoot}/org/springframework/security/config/annotation/web/configuration/SpringWebMvcImportSelector.html">SpringWebMvcImportSelector</a> and the DispatcherServlet is present on the
|
||||
* classpath. It also adds the {@link AuthenticationPrincipalArgumentResolver} as a
|
||||
* {@link HandlerMethodArgumentResolver}.
|
||||
*
|
||||
@@ -47,7 +47,6 @@ class WebMvcSecurityConfiguration extends WebMvcConfigurerAdapter {
|
||||
argumentResolvers.add(new CsrfTokenArgumentResolver());
|
||||
}
|
||||
|
||||
@ConditionalOnMissingBean(RequestDataValueProcessor.class)
|
||||
@Bean
|
||||
public RequestDataValueProcessor requestDataValueProcessor() {
|
||||
return new CsrfRequestDataValueProcessor();
|
||||
|
||||
+2
-2
@@ -262,7 +262,7 @@ public abstract class WebSecurityConfigurerAdapter implements
|
||||
* {@link #userDetailsService()} instead
|
||||
* @return
|
||||
* @throws Exception
|
||||
* @see {@link #userDetailsService()}
|
||||
* @see #userDetailsService()
|
||||
*/
|
||||
public UserDetailsService userDetailsServiceBean() throws Exception {
|
||||
AuthenticationManagerBuilder globalAuthBuilder = context
|
||||
@@ -273,7 +273,7 @@ public abstract class WebSecurityConfigurerAdapter implements
|
||||
|
||||
/**
|
||||
* Allows modifying and accessing the {@link UserDetailsService} from
|
||||
* {@link #userDetailsServiceBean()()} without interacting with the
|
||||
* {@link #userDetailsServiceBean()} without interacting with the
|
||||
* {@link ApplicationContext}. Developers should override this method when changing
|
||||
* the instance of {@link #userDetailsServiceBean()}.
|
||||
*
|
||||
|
||||
+2
-2
@@ -178,8 +178,8 @@ public abstract class AbstractAuthenticationFilterConfigurer<B extends HttpSecur
|
||||
}
|
||||
|
||||
/**
|
||||
* Ensures the urls for {@link #failureUrl(String)} and
|
||||
* {@link #authenticationUrls(String)} are granted access to any user.
|
||||
* Ensures the urls for {@link #failureUrl(String)} as well as for the {@link HttpSecurityBuilder}, the
|
||||
* {@link #getLoginPage} and {@link #getLoginProcessingUrl} are granted access to any user.
|
||||
*
|
||||
* @param permitAll true to grant access to the URLs false to skip this step
|
||||
* @return the {@link FormLoginConfigurer} for additional customization
|
||||
|
||||
+3
-3
@@ -51,7 +51,7 @@ import org.springframework.security.web.access.intercept.FilterSecurityIntercept
|
||||
*
|
||||
* <ul>
|
||||
* <li>
|
||||
* {@link org.springframework.security.config.annotation.web.builders.HttpSecurity#getAuthenticationManager()}
|
||||
* {@link AuthenticationManager}
|
||||
* </li>
|
||||
* </ul>
|
||||
*
|
||||
@@ -115,7 +115,7 @@ abstract class AbstractInterceptUrlConfigurer<C extends AbstractInterceptUrlConf
|
||||
|
||||
/**
|
||||
* Allows setting the {@link AccessDecisionManager}. If none is provided, a
|
||||
* default {@l AccessDecisionManager} is created.
|
||||
* default {@link AccessDecisionManager} is created.
|
||||
*
|
||||
* @param accessDecisionManager the {@link AccessDecisionManager} to use
|
||||
* @return the {@link AbstractInterceptUrlConfigurer} for further customization
|
||||
@@ -162,7 +162,7 @@ abstract class AbstractInterceptUrlConfigurer<C extends AbstractInterceptUrlConf
|
||||
|
||||
/**
|
||||
* If currently null, creates a default {@link AccessDecisionManager} using
|
||||
* {@link #createDefaultAccessDecisionManager()}. Otherwise returns the
|
||||
* {@link #createDefaultAccessDecisionManager(HttpSecurityBuilder)}. Otherwise returns the
|
||||
* {@link AccessDecisionManager}.
|
||||
*
|
||||
* @param http the builder to use
|
||||
|
||||
+1
-1
@@ -84,7 +84,7 @@ public final class ExceptionHandlingConfigurer<H extends HttpSecurityBuilder<H>>
|
||||
* @param accessDeniedUrl the URL to the access denied page (i.e. /errors/401)
|
||||
* @return the {@link ExceptionHandlingConfigurer} for further customization
|
||||
* @see AccessDeniedHandlerImpl
|
||||
* @see {@link #accessDeniedHandler(org.springframework.security.web.access.AccessDeniedHandler)}
|
||||
* @see #accessDeniedHandler(org.springframework.security.web.access.AccessDeniedHandler)
|
||||
*/
|
||||
public ExceptionHandlingConfigurer<H> accessDeniedPage(String accessDeniedUrl) {
|
||||
AccessDeniedHandlerImpl accessDeniedHandler = new AccessDeniedHandlerImpl();
|
||||
|
||||
+3
-3
@@ -70,7 +70,7 @@ import org.springframework.util.StringUtils;
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 3.2
|
||||
* @see {@link org.springframework.security.config.annotation.web.builders.HttpSecurity#authorizeRequests()}
|
||||
* @see org.springframework.security.config.annotation.web.builders.HttpSecurity#authorizeRequests()
|
||||
*/
|
||||
public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
|
||||
extends
|
||||
@@ -339,7 +339,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
|
||||
*
|
||||
* @return the {@link ExpressionUrlAuthorizationConfigurer} for further
|
||||
* customization
|
||||
* @see {@link RememberMeConfigurer}
|
||||
* @see RememberMeConfigurer
|
||||
*/
|
||||
public ExpressionInterceptUrlRegistry rememberMe() {
|
||||
return access(rememberMe);
|
||||
@@ -371,7 +371,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
|
||||
*
|
||||
* @return the {@link ExpressionUrlAuthorizationConfigurer} for further
|
||||
* customization
|
||||
* @see {@link RememberMeConfigurer}
|
||||
* @see RememberMeConfigurer
|
||||
*/
|
||||
public ExpressionInterceptUrlRegistry fullyAuthenticated() {
|
||||
return access(fullyAuthenticated);
|
||||
|
||||
+1
-1
@@ -53,7 +53,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
* The following shared objects are used:
|
||||
*
|
||||
* <ul>
|
||||
* <li>{@link AuthenticationManager}</li>
|
||||
* <li>{@link org.springframework.security.authentication.AuthenticationManager}</li>
|
||||
* <li>{@link RememberMeServices} - is optionally used. See {@link RememberMeConfigurer}</li>
|
||||
* <li>{@link SessionAuthenticationStrategy} - is optionally used. See
|
||||
* {@link SessionManagementConfigurer}</li>
|
||||
|
||||
+1
-1
@@ -186,7 +186,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
* X-XSS-Protection: 1
|
||||
* </pre>
|
||||
*
|
||||
* or if {@link #setBlock(boolean)} is true
|
||||
* or if {@link XXssProtectionHeaderWriter#setBlock(boolean)} of the given {@link XXssProtectionHeaderWriter} is true
|
||||
*
|
||||
*
|
||||
* <pre>
|
||||
|
||||
+1
-1
@@ -83,7 +83,7 @@ public final class HttpBasicConfigurer<B extends HttpSecurityBuilder<B>> extends
|
||||
/**
|
||||
* Creates a new instance
|
||||
* @throws Exception
|
||||
* @see {@link HttpSecurity#httpBasic()}
|
||||
* @see HttpSecurity#httpBasic()
|
||||
*/
|
||||
public HttpBasicConfigurer() throws Exception {
|
||||
realmName(DEFAULT_REALM);
|
||||
|
||||
+1
-1
@@ -187,7 +187,7 @@ public final class JeeConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
* Populates a {@link PreAuthenticatedAuthenticationProvider} into
|
||||
* {@link HttpSecurity#authenticationProvider(org.springframework.security.authentication.AuthenticationProvider)}
|
||||
* and a {@link Http403ForbiddenEntryPoint} into
|
||||
* {@link HttpSecurity#authenticationEntryPoint(org.springframework.security.web.AuthenticationEntryPoint)}
|
||||
* {@link HttpSecurityBuilder#setSharedObject(Class, Object)}
|
||||
*
|
||||
* @see org.springframework.security.config.annotation.SecurityConfigurerAdapter#init(org.springframework.security.config.annotation.SecurityBuilder)
|
||||
*/
|
||||
|
||||
+13
-1
@@ -23,6 +23,7 @@ import javax.servlet.http.HttpSession;
|
||||
import org.springframework.security.config.annotation.SecurityConfigurer;
|
||||
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
|
||||
import org.springframework.security.web.authentication.logout.LogoutFilter;
|
||||
import org.springframework.security.web.authentication.logout.LogoutHandler;
|
||||
@@ -35,7 +36,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
|
||||
/**
|
||||
* Adds logout support. Other {@link SecurityConfigurer} instances may invoke
|
||||
* {@link #addLogoutHandler(LogoutHandler)} in the {@link #init(HttpSecurity)} phase.
|
||||
* {@link #addLogoutHandler(LogoutHandler)} in the {@link #init(HttpSecurityBuilder)} phase.
|
||||
*
|
||||
* <h2>Security Filters</h2>
|
||||
*
|
||||
@@ -88,6 +89,17 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Specifies if {@link SecurityContextLogoutHandler} should clear the {@link Authentication} at the time of logout.
|
||||
* @param clearAuthentication true {@link SecurityContextLogoutHandler} should clear the {@link Authentication} (default), or false otherwise.
|
||||
* @return the {@link LogoutConfigurer} for further customization
|
||||
*/
|
||||
public LogoutConfigurer<H> clearAuthentication(boolean clearAuthentication) {
|
||||
contextLogoutHandler.setClearAuthentication(clearAuthentication);
|
||||
return this;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Configures {@link SecurityContextLogoutHandler} to invalidate the
|
||||
* {@link HttpSession} at the time of logout.
|
||||
|
||||
+1
-1
@@ -199,7 +199,7 @@ public final class OpenIDLoginConfigurer<H extends HttpSecurityBuilder<H>>
|
||||
* {@link HttpServletRequest} matches this URL the {@link OpenIDAuthenticationFilter}
|
||||
* will attempt to authenticate the request. The default is "/login/openid".
|
||||
*
|
||||
* @param loginUrl the URL used to perform authentication
|
||||
* @param loginProcessingUrl the URL used to perform authentication
|
||||
* @return the {@link OpenIDLoginConfigurer} for additional customization
|
||||
*/
|
||||
public OpenIDLoginConfigurer<H> loginProcessingUrl(String loginProcessingUrl) {
|
||||
|
||||
+5
-5
@@ -105,7 +105,7 @@ public class MessageSecurityMetadataSourceRegistry {
|
||||
* {@link MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)} .
|
||||
*
|
||||
* @return the {@link Constraint} that is associated to the {@link MessageMatcher}
|
||||
* @see {@link MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)}
|
||||
* @see MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)
|
||||
*/
|
||||
public Constraint simpDestMatchers(String... patterns) {
|
||||
return simpDestMatchers(null, patterns);
|
||||
@@ -122,7 +122,7 @@ public class MessageSecurityMetadataSourceRegistry {
|
||||
* {@link MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)}.
|
||||
*
|
||||
* @return the {@link Constraint} that is associated to the {@link MessageMatcher}
|
||||
* @see {@link MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)}
|
||||
* @see MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)
|
||||
*/
|
||||
public Constraint simpMessageDestMatchers(String... patterns) {
|
||||
return simpDestMatchers(SimpMessageType.MESSAGE, patterns);
|
||||
@@ -139,7 +139,7 @@ public class MessageSecurityMetadataSourceRegistry {
|
||||
* {@link MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)}.
|
||||
*
|
||||
* @return the {@link Constraint} that is associated to the {@link MessageMatcher}
|
||||
* @see {@link MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)}
|
||||
* @see MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)
|
||||
*/
|
||||
public Constraint simpSubscribeDestMatchers(String... patterns) {
|
||||
return simpDestMatchers(SimpMessageType.SUBSCRIBE, patterns);
|
||||
@@ -353,7 +353,7 @@ public class MessageSecurityMetadataSourceRegistry {
|
||||
*
|
||||
* @return the {@link MessageSecurityMetadataSourceRegistry} for further
|
||||
* customization
|
||||
* @see {@link RememberMeConfigurer}
|
||||
* @see RememberMeConfigurer
|
||||
*/
|
||||
public MessageSecurityMetadataSourceRegistry rememberMe() {
|
||||
return access(rememberMe);
|
||||
@@ -385,7 +385,7 @@ public class MessageSecurityMetadataSourceRegistry {
|
||||
*
|
||||
* @return the {@link MessageSecurityMetadataSourceRegistry} for further
|
||||
* customization
|
||||
* @see {@link RememberMeConfigurer}
|
||||
* @see RememberMeConfigurer
|
||||
*/
|
||||
public MessageSecurityMetadataSourceRegistry fullyAuthenticated() {
|
||||
return access(fullyAuthenticated);
|
||||
|
||||
+1
-1
@@ -30,7 +30,7 @@ import org.springframework.web.servlet.support.RequestDataValueProcessor;
|
||||
/**
|
||||
* Used to add a {@link RequestDataValueProcessor} for Spring MVC and Spring Security CSRF
|
||||
* integration. This configuration is added whenever {@link EnableWebMvc} is added by
|
||||
* {@link SpringWebMvcImportSelector} and the DispatcherServlet is present on the
|
||||
* <a href="{@docRoot}/org/springframework/security/config/annotation/web/configuration/SpringWebMvcImportSelector.html">SpringWebMvcImportSelector</a> and the DispatcherServlet is present on the
|
||||
* classpath. It also adds the {@link AuthenticationPrincipalArgumentResolver} as a
|
||||
* {@link HandlerMethodArgumentResolver}.
|
||||
*
|
||||
|
||||
+1
-1
@@ -25,7 +25,7 @@ import org.springframework.util.xml.DomUtils;
|
||||
import org.w3c.dom.Element;
|
||||
|
||||
/**
|
||||
* Stateful parser for the <password-encoder> element.
|
||||
* Stateful parser for the <password-encoder> element.
|
||||
*
|
||||
* Will produce a PasswordEncoder and (optionally) a SaltSource.
|
||||
*
|
||||
|
||||
+4
-3
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2012 the original author or authors.
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -33,6 +33,7 @@ import org.w3c.dom.Element;
|
||||
* @author Luke Taylor
|
||||
* @author Ben Alex
|
||||
* @author Rob Winch
|
||||
* @author Kazuki Shimizu
|
||||
*/
|
||||
public class FormLoginBeanDefinitionParser {
|
||||
protected final Log logger = LogFactory.getLog(getClass());
|
||||
@@ -209,9 +210,9 @@ public class FormLoginBeanDefinitionParser {
|
||||
BeanDefinitionBuilder failureHandler = BeanDefinitionBuilder
|
||||
.rootBeanDefinition(SimpleUrlAuthenticationFailureHandler.class);
|
||||
if (!StringUtils.hasText(authenticationFailureUrl)) {
|
||||
// Fall back to redisplaying the custom login page, if one was specified.
|
||||
// Fall back to re-displaying the custom login page, if one was specified.
|
||||
if (StringUtils.hasText(loginPage)) {
|
||||
authenticationFailureUrl = loginPage;
|
||||
authenticationFailureUrl = loginPage + "?" + DefaultLoginPageGeneratingFilter.ERROR_PARAMETER_NAME;
|
||||
}
|
||||
else {
|
||||
authenticationFailureUrl = DEF_FORM_LOGIN_AUTHENTICATION_FAILURE_URL;
|
||||
|
||||
+28
-28
@@ -310,36 +310,36 @@ class CsrfConfigTests extends AbstractHttpConfigTests {
|
||||
verify(repo).saveToken(eq(null),any(HttpServletRequest), any(HttpServletResponse))
|
||||
}
|
||||
|
||||
def "SEC-2495: csrf disables logout on GET"() {
|
||||
setup:
|
||||
httpAutoConfig {
|
||||
'csrf'()
|
||||
}
|
||||
createAppContext()
|
||||
login()
|
||||
request.method = "GET"
|
||||
request.requestURI = "/logout"
|
||||
when:
|
||||
springSecurityFilterChain.doFilter(request,response,chain)
|
||||
then:
|
||||
getAuthentication(request) != null
|
||||
}
|
||||
def "SEC-2495: csrf disables logout on GET"() {
|
||||
setup:
|
||||
httpAutoConfig {
|
||||
'csrf'()
|
||||
}
|
||||
createAppContext()
|
||||
login()
|
||||
request.method = "GET"
|
||||
request.requestURI = "/logout"
|
||||
when:
|
||||
springSecurityFilterChain.doFilter(request,response,chain)
|
||||
then:
|
||||
getAuthentication(request) != null
|
||||
}
|
||||
|
||||
|
||||
def login(String username="user", String role="ROLE_USER") {
|
||||
login(new UsernamePasswordAuthenticationToken(username, null, AuthorityUtils.createAuthorityList(role)))
|
||||
}
|
||||
def login(String username="user", String role="ROLE_USER") {
|
||||
login(new UsernamePasswordAuthenticationToken(username, null, AuthorityUtils.createAuthorityList(role)))
|
||||
}
|
||||
|
||||
def login(Authentication auth) {
|
||||
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository()
|
||||
HttpRequestResponseHolder requestResponseHolder = new HttpRequestResponseHolder(request, response)
|
||||
repo.loadContext(requestResponseHolder)
|
||||
repo.saveContext(new SecurityContextImpl(authentication:auth), requestResponseHolder.request, requestResponseHolder.response)
|
||||
}
|
||||
def login(Authentication auth) {
|
||||
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository()
|
||||
HttpRequestResponseHolder requestResponseHolder = new HttpRequestResponseHolder(request, response)
|
||||
repo.loadContext(requestResponseHolder)
|
||||
repo.saveContext(new SecurityContextImpl(authentication:auth), requestResponseHolder.request, requestResponseHolder.response)
|
||||
}
|
||||
|
||||
def getAuthentication(HttpServletRequest request) {
|
||||
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository()
|
||||
HttpRequestResponseHolder requestResponseHolder = new HttpRequestResponseHolder(request, response)
|
||||
repo.loadContext(requestResponseHolder)?.authentication
|
||||
}
|
||||
def getAuthentication(HttpServletRequest request) {
|
||||
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository()
|
||||
HttpRequestResponseHolder requestResponseHolder = new HttpRequestResponseHolder(request, response)
|
||||
repo.loadContext(requestResponseHolder)?.authentication
|
||||
}
|
||||
}
|
||||
|
||||
+47
-5
@@ -1,14 +1,19 @@
|
||||
package org.springframework.security.config.http
|
||||
|
||||
import javax.servlet.http.HttpServletResponse
|
||||
|
||||
import org.springframework.beans.factory.BeanCreationException
|
||||
import org.springframework.mock.web.MockFilterChain
|
||||
import org.springframework.mock.web.MockHttpServletRequest
|
||||
import org.springframework.mock.web.MockHttpServletResponse
|
||||
import org.springframework.security.util.FieldUtils
|
||||
import org.springframework.security.web.access.ExceptionTranslationFilter
|
||||
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
|
||||
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
|
||||
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler
|
||||
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler
|
||||
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
|
||||
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
|
||||
import org.springframework.test.util.ReflectionTestUtils;
|
||||
import org.springframework.util.ReflectionUtils;
|
||||
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter
|
||||
|
||||
import spock.lang.Unroll;
|
||||
|
||||
/**
|
||||
*
|
||||
@@ -116,4 +121,41 @@ class FormLoginConfigTests extends AbstractHttpConfigTests {
|
||||
then:
|
||||
getFilter(DefaultLoginPageGeneratingFilter) == null
|
||||
}
|
||||
|
||||
@Unroll
|
||||
def 'Form Login requires CSRF Token #csrfDisabled'(int status, boolean csrfDisabled) {
|
||||
setup:
|
||||
MockHttpServletRequest request = new MockHttpServletRequest(method:'POST',servletPath:'/login')
|
||||
request.setParameter('username','user')
|
||||
request.setParameter('password','password')
|
||||
MockHttpServletResponse response = new MockHttpServletResponse()
|
||||
MockFilterChain chain = new MockFilterChain()
|
||||
httpAutoConfig {
|
||||
'form-login'()
|
||||
csrf(disabled:csrfDisabled) {}
|
||||
}
|
||||
createAppContext()
|
||||
when:
|
||||
springSecurityFilterChain.doFilter(request,response,chain)
|
||||
then:
|
||||
response.status == status
|
||||
where:
|
||||
status | csrfDisabled
|
||||
HttpServletResponse.SC_FORBIDDEN | false
|
||||
HttpServletResponse.SC_MOVED_TEMPORARILY | true
|
||||
}
|
||||
|
||||
def 'SEC-3147: authentication-failure-url should be contained "error" parameter if login-page="/login"'() {
|
||||
xml.http {
|
||||
'form-login'('login-page':'/login')
|
||||
}
|
||||
createAppContext()
|
||||
|
||||
def apf = getFilter(UsernamePasswordAuthenticationFilter.class);
|
||||
|
||||
expect:
|
||||
apf.failureHandler.defaultFailureUrl == '/login?error'
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
+100
@@ -0,0 +1,100 @@
|
||||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.config.annotation.web.configurers;
|
||||
|
||||
import static org.fest.assertions.Assertions.assertThat;
|
||||
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.junit.After;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.mock.web.MockFilterChain;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*
|
||||
*/
|
||||
public class AuthorizeRequestsTests {
|
||||
AnnotationConfigWebApplicationContext context;
|
||||
|
||||
MockHttpServletRequest request;
|
||||
MockHttpServletResponse response;
|
||||
MockFilterChain chain;
|
||||
|
||||
@Autowired
|
||||
FilterChainProxy springSecurityFilterChain;
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
request = new MockHttpServletRequest();
|
||||
response = new MockHttpServletResponse();
|
||||
chain = new MockFilterChain();
|
||||
}
|
||||
|
||||
@After
|
||||
public void cleanup() {
|
||||
if(context != null) {
|
||||
context.close();
|
||||
}
|
||||
}
|
||||
|
||||
// SEC-3135
|
||||
@Test
|
||||
public void antMatchersMethodAndNoPatterns() throws Exception {
|
||||
loadConfig(AntMatchersNoPatternsConfig.class);
|
||||
request.setMethod("POST");
|
||||
|
||||
springSecurityFilterChain.doFilter(request, response, chain);
|
||||
|
||||
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Configuration
|
||||
static class AntMatchersNoPatternsConfig extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers(HttpMethod.POST).denyAll();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
||||
auth
|
||||
.inMemoryAuthentication();
|
||||
}
|
||||
}
|
||||
|
||||
public void loadConfig(Class<?>... configs) {
|
||||
context = new AnnotationConfigWebApplicationContext();
|
||||
context.register(configs);
|
||||
context.refresh();
|
||||
|
||||
context.getAutowireCapableBeanFactory().autowireBean(this);
|
||||
}
|
||||
}
|
||||
+2
@@ -24,6 +24,7 @@ import org.springframework.context.ConfigurableApplicationContext;
|
||||
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.context.annotation.Primary;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
@@ -78,6 +79,7 @@ public class CsrfConfigurerNoWebMvcTests {
|
||||
@EnableWebSecurity
|
||||
static class EnableWebOverrideRequestDataConfig {
|
||||
@Bean
|
||||
@Primary
|
||||
public RequestDataValueProcessor requestDataValueProcessor() {
|
||||
return mock(RequestDataValueProcessor.class);
|
||||
}
|
||||
|
||||
+136
@@ -0,0 +1,136 @@
|
||||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.config.annotation.web.configurers;
|
||||
|
||||
import static org.fest.assertions.Assertions.assertThat;
|
||||
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.junit.After;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.mock.web.MockFilterChain;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*
|
||||
*/
|
||||
public class HttpSecurityAntMatchersTests {
|
||||
AnnotationConfigWebApplicationContext context;
|
||||
|
||||
MockHttpServletRequest request;
|
||||
MockHttpServletResponse response;
|
||||
MockFilterChain chain;
|
||||
|
||||
@Autowired
|
||||
FilterChainProxy springSecurityFilterChain;
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
request = new MockHttpServletRequest();
|
||||
response = new MockHttpServletResponse();
|
||||
chain = new MockFilterChain();
|
||||
}
|
||||
|
||||
@After
|
||||
public void cleanup() {
|
||||
if(context != null) {
|
||||
context.close();
|
||||
}
|
||||
}
|
||||
|
||||
// SEC-3135
|
||||
@Test
|
||||
public void antMatchersMethodAndNoPatterns() throws Exception {
|
||||
loadConfig(AntMatchersNoPatternsConfig.class);
|
||||
request.setMethod("POST");
|
||||
|
||||
springSecurityFilterChain.doFilter(request, response, chain);
|
||||
|
||||
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Configuration
|
||||
static class AntMatchersNoPatternsConfig extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.requestMatchers()
|
||||
.antMatchers(HttpMethod.POST)
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.anyRequest().denyAll();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
||||
auth
|
||||
.inMemoryAuthentication();
|
||||
}
|
||||
}
|
||||
|
||||
// SEC-3135
|
||||
@Test
|
||||
public void antMatchersMethodAndEmptyPatterns() throws Exception {
|
||||
loadConfig(AntMatchersEmptyPatternsConfig.class);
|
||||
request.setMethod("POST");
|
||||
|
||||
springSecurityFilterChain.doFilter(request, response, chain);
|
||||
|
||||
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Configuration
|
||||
static class AntMatchersEmptyPatternsConfig extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.requestMatchers()
|
||||
.antMatchers("/never/")
|
||||
.antMatchers(HttpMethod.POST, new String[0])
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.anyRequest().denyAll();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
||||
auth
|
||||
.inMemoryAuthentication();
|
||||
}
|
||||
}
|
||||
|
||||
public void loadConfig(Class<?>... configs) {
|
||||
context = new AnnotationConfigWebApplicationContext();
|
||||
context.register(configs);
|
||||
context.refresh();
|
||||
|
||||
context.getAutowireCapableBeanFactory().autowireBean(this);
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
+112
@@ -0,0 +1,112 @@
|
||||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.config.annotation.web.configurers;
|
||||
|
||||
import static org.fest.assertions.Assertions.assertThat;
|
||||
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.junit.After;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.mock.web.MockFilterChain;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.core.context.SecurityContext;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*
|
||||
*/
|
||||
public class HttpSecurityLogoutTests {
|
||||
AnnotationConfigWebApplicationContext context;
|
||||
|
||||
MockHttpServletRequest request;
|
||||
MockHttpServletResponse response;
|
||||
MockFilterChain chain;
|
||||
|
||||
@Autowired
|
||||
FilterChainProxy springSecurityFilterChain;
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
request = new MockHttpServletRequest();
|
||||
response = new MockHttpServletResponse();
|
||||
chain = new MockFilterChain();
|
||||
}
|
||||
|
||||
@After
|
||||
public void cleanup() {
|
||||
if(context != null) {
|
||||
context.close();
|
||||
}
|
||||
}
|
||||
|
||||
// SEC-2848
|
||||
@Test
|
||||
public void clearAuthenticationFalse() throws Exception {
|
||||
loadConfig(ClearAuthenticationFalseConfig.class);
|
||||
|
||||
SecurityContext currentContext = SecurityContextHolder.createEmptyContext();
|
||||
currentContext.setAuthentication(new TestingAuthenticationToken("user", "password","ROLE_USER"));
|
||||
|
||||
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, currentContext);
|
||||
request.setMethod("POST");
|
||||
request.setServletPath("/logout");
|
||||
|
||||
springSecurityFilterChain.doFilter(request, response, chain);
|
||||
|
||||
assertThat(currentContext.getAuthentication()).isNotNull();
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Configuration
|
||||
static class ClearAuthenticationFalseConfig extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.csrf().disable()
|
||||
.logout()
|
||||
.clearAuthentication(false);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
||||
auth
|
||||
.inMemoryAuthentication();
|
||||
}
|
||||
}
|
||||
|
||||
public void loadConfig(Class<?>... configs) {
|
||||
context = new AnnotationConfigWebApplicationContext();
|
||||
context.register(configs);
|
||||
context.refresh();
|
||||
|
||||
context.getAutowireCapableBeanFactory().autowireBean(this);
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
+67
@@ -0,0 +1,67 @@
|
||||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.config.http.customconfigurer;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
|
||||
import org.springframework.security.web.DefaultSecurityFilterChain;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*
|
||||
*/
|
||||
public class CustomConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain,HttpSecurity> {
|
||||
|
||||
@Value("${permitAllPattern}")
|
||||
private String permitAllPattern;
|
||||
|
||||
private String loginPage = "/login";
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.config.annotation.SecurityConfigurerAdapter#init(org.springframework.security.config.annotation.SecurityBuilder)
|
||||
*/
|
||||
@SuppressWarnings("unchecked")
|
||||
@Override
|
||||
public void init(HttpSecurity http) throws Exception {
|
||||
// autowire this bean
|
||||
ApplicationContext context = http.getSharedObject(ApplicationContext.class);
|
||||
context.getAutowireCapableBeanFactory().autowireBean(this);
|
||||
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers(permitAllPattern).permitAll()
|
||||
.anyRequest().authenticated();
|
||||
|
||||
if(http.getConfigurer(FormLoginConfigurer.class) == null) {
|
||||
// only apply if formLogin() was not invoked by the user
|
||||
http
|
||||
.formLogin()
|
||||
.loginPage(loginPage);
|
||||
}
|
||||
}
|
||||
|
||||
public CustomConfigurer loginPage(String loginPage) {
|
||||
this.loginPage = loginPage;
|
||||
return this;
|
||||
}
|
||||
|
||||
public static CustomConfigurer customConfigurer() {
|
||||
return new CustomConfigurer();
|
||||
}
|
||||
}
|
||||
+164
@@ -0,0 +1,164 @@
|
||||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.config.http.customconfigurer;
|
||||
|
||||
import static org.fest.assertions.Assertions.assertThat;
|
||||
import static org.springframework.security.config.http.customconfigurer.CustomConfigurer.customConfigurer;
|
||||
|
||||
import java.util.Properties;
|
||||
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.junit.After;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer;
|
||||
import org.springframework.context.ConfigurableApplicationContext;
|
||||
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.mock.web.MockFilterChain;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*
|
||||
*/
|
||||
public class CustomHttpSecurityConfigurerTests {
|
||||
@Autowired
|
||||
ConfigurableApplicationContext context;
|
||||
|
||||
@Autowired
|
||||
FilterChainProxy springSecurityFilterChain;
|
||||
|
||||
MockHttpServletRequest request;
|
||||
MockHttpServletResponse response;
|
||||
MockFilterChain chain;
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
request = new MockHttpServletRequest();
|
||||
response = new MockHttpServletResponse();
|
||||
chain = new MockFilterChain();
|
||||
request.setMethod("GET");
|
||||
}
|
||||
|
||||
@After
|
||||
public void cleanup() {
|
||||
if(context != null) {
|
||||
context.close();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customConfiguerPermitAll() throws Exception {
|
||||
loadContext(Config.class);
|
||||
|
||||
request.setPathInfo("/public/something");
|
||||
|
||||
springSecurityFilterChain.doFilter(request, response, chain);
|
||||
|
||||
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customConfiguerFormLogin() throws Exception {
|
||||
loadContext(Config.class);
|
||||
request.setPathInfo("/requires-authentication");
|
||||
|
||||
springSecurityFilterChain.doFilter(request, response, chain);
|
||||
|
||||
assertThat(response.getRedirectedUrl()).endsWith("/custom");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customConfiguerCustomizeDisablesCsrf() throws Exception {
|
||||
loadContext(ConfigCustomize.class);
|
||||
request.setPathInfo("/public/something");
|
||||
request.setMethod("POST");
|
||||
|
||||
springSecurityFilterChain.doFilter(request, response, chain);
|
||||
|
||||
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customConfiguerCustomizeFormLogin() throws Exception {
|
||||
loadContext(ConfigCustomize.class);
|
||||
request.setPathInfo("/requires-authentication");
|
||||
|
||||
springSecurityFilterChain.doFilter(request, response, chain);
|
||||
|
||||
assertThat(response.getRedirectedUrl()).endsWith("/other");
|
||||
}
|
||||
|
||||
private void loadContext(Class<?> clazz) {
|
||||
AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext(clazz);
|
||||
context.getAutowireCapableBeanFactory().autowireBean(this);
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
static class Config extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.apply(customConfigurer())
|
||||
.loginPage("/custom");
|
||||
}
|
||||
|
||||
@Bean
|
||||
public static PropertyPlaceholderConfigurer propertyPlaceholderConfigurer() {
|
||||
// Typically externalize this as a properties file
|
||||
Properties properties = new Properties();
|
||||
properties.setProperty("permitAllPattern", "/public/**");
|
||||
|
||||
PropertyPlaceholderConfigurer propertyPlaceholderConfigurer = new PropertyPlaceholderConfigurer();
|
||||
propertyPlaceholderConfigurer.setProperties(properties);
|
||||
return propertyPlaceholderConfigurer;
|
||||
}
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
static class ConfigCustomize extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.apply(customConfigurer())
|
||||
.and()
|
||||
.csrf().disable()
|
||||
.formLogin()
|
||||
.loginPage("/other");
|
||||
}
|
||||
|
||||
@Bean
|
||||
public static PropertyPlaceholderConfigurer propertyPlaceholderConfigurer() {
|
||||
// Typically externalize this as a properties file
|
||||
Properties properties = new Properties();
|
||||
properties.setProperty("permitAllPattern", "/public/**");
|
||||
|
||||
PropertyPlaceholderConfigurer propertyPlaceholderConfigurer = new PropertyPlaceholderConfigurer();
|
||||
propertyPlaceholderConfigurer.setProperties(properties);
|
||||
return propertyPlaceholderConfigurer;
|
||||
}
|
||||
}
|
||||
}
|
||||
+2
-2
@@ -3,7 +3,7 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-core</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<name>spring-security-core</name>
|
||||
<description>spring-security-core</description>
|
||||
<url>http://spring.io/spring-security</url>
|
||||
@@ -269,7 +269,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-framework-bom</artifactId>
|
||||
<version>4.1.6.RELEASE</version>
|
||||
<version>4.2.5.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
|
||||
+2
-2
@@ -45,7 +45,7 @@ public interface SecurityExpressionOperations {
|
||||
* is converted may depend on the implementation settings.
|
||||
* </p>
|
||||
*
|
||||
* @param authority the authority to test (i.e. "USER")
|
||||
* @param role the authority to test (i.e. "USER")
|
||||
* @return true if the authority is found, else false
|
||||
*/
|
||||
boolean hasRole(String role);
|
||||
@@ -62,7 +62,7 @@ public interface SecurityExpressionOperations {
|
||||
* is converted may depend on the implementation settings.
|
||||
* </p>
|
||||
*
|
||||
* @param authorities the authorities to test (i.e. "USER", "ADMIN")
|
||||
* @param roles the authorities to test (i.e. "USER", "ADMIN")
|
||||
* @return true if any of the authorities is found, else false
|
||||
*/
|
||||
boolean hasAnyRole(String... roles);
|
||||
|
||||
+2
-2
@@ -195,8 +195,8 @@ public class DefaultMethodSecurityExpressionHandler extends
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Sets the default prefix to be added to {@link #hasAnyRole(String...)} or
|
||||
* {@link #hasRole(String)}. For example, if hasRole("ADMIN") or hasRole("ROLE_ADMIN")
|
||||
* Sets the default prefix to be added to {@link org.springframework.security.access.expression.SecurityExpressionRoot#hasAnyRole(String...)} or
|
||||
* {@link org.springframework.security.access.expression.SecurityExpressionRoot#hasRole(String)}. For example, if hasRole("ADMIN") or hasRole("ROLE_ADMIN")
|
||||
* is passed in, then the role ROLE_ADMIN will be used when the defaultRolePrefix is
|
||||
* "ROLE_" (default).
|
||||
* </p>
|
||||
|
||||
+1
-1
@@ -32,7 +32,7 @@ public interface RoleHierarchy {
|
||||
* that are (transitively) reachable from them in the role hierarchy.
|
||||
* <p>
|
||||
* Example:<br>
|
||||
* Role hierarchy: ROLE_A > ROLE_B and ROLE_B > ROLE_C.<br>
|
||||
* Role hierarchy: ROLE_A > ROLE_B and ROLE_B > ROLE_C.<br>
|
||||
* Directly assigned authority: ROLE_A.<br>
|
||||
* Reachable authorities: ROLE_A, ROLE_B, ROLE_C.
|
||||
*
|
||||
|
||||
+4
-7
@@ -27,7 +27,7 @@ import java.util.regex.Pattern;
|
||||
/**
|
||||
* <p>
|
||||
* This class defines a role hierarchy for use with the UserDetailsServiceWrapper.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* Here is an example configuration of a role hierarchy (hint: read the ">" sign as
|
||||
* "includes"):
|
||||
@@ -41,19 +41,18 @@ import java.util.regex.Pattern;
|
||||
* </value>
|
||||
* </property>
|
||||
* </pre>
|
||||
*
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* Explanation of the above:<br>
|
||||
* In effect every user with ROLE_A also has ROLE_B, ROLE_AUTHENTICATED and
|
||||
* ROLE_UNAUTHENTICATED;<br>
|
||||
* every user with ROLE_B also has ROLE_AUTHENTICATED and ROLE_UNAUTHENTICATED;<br>
|
||||
* every user with ROLE_AUTHENTICATED also has ROLE_UNAUTHENTICATED.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* Hierarchical Roles will dramatically shorten your access rules (and also make the
|
||||
* access rules much more elegant).
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* Consider this access rule for Spring Security's RoleVoter (background: every user that
|
||||
* is authenticated should be able to log out):<br>
|
||||
@@ -62,10 +61,8 @@ import java.util.regex.Pattern;
|
||||
* /logout.html=ROLE_AUTHENTICATED<br>
|
||||
* In addition to shorter rules this will also make your access rules more readable and
|
||||
* your intentions clearer.
|
||||
* </p>
|
||||
*
|
||||
* @author Michael Mayr
|
||||
*
|
||||
*/
|
||||
public class RoleHierarchyImpl implements RoleHierarchy {
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@
|
||||
* security facilities provided for it by Spring Security.
|
||||
* For example, one secure object would be <code>MethodInvocation</code>,
|
||||
* whilst another would be HTTP
|
||||
* {@link org.springframework.security.web.FilterInvocation}. Note these are
|
||||
* {@code org.springframework.security.web.FilterInvocation}. Note these are
|
||||
* infrastructure objects and their design allows them to represent a large
|
||||
* variety of actual resources that might need to be secured, such as business
|
||||
* objects or HTTP request URLs.
|
||||
|
||||
+2
-2
@@ -107,7 +107,7 @@ public class MapBasedMethodSecurityMetadataSource extends
|
||||
|
||||
/**
|
||||
* Add configuration attributes for a secure method. Method names can end or start
|
||||
* with <code>*</code> for matching multiple methods.
|
||||
* with <code>*</code> for matching multiple methods.
|
||||
*
|
||||
* @param name type and method name, separated by a dot
|
||||
* @param attr the security attributes associated with the method
|
||||
@@ -131,7 +131,7 @@ public class MapBasedMethodSecurityMetadataSource extends
|
||||
|
||||
/**
|
||||
* Add configuration attributes for a secure method. Mapped method names can end or
|
||||
* start with <code>*</code> for matching multiple methods.
|
||||
* start with <code>*</code> for matching multiple methods.
|
||||
*
|
||||
* @param javaType target interface or class the security configuration attribute
|
||||
* applies to
|
||||
|
||||
+3
-4
@@ -33,11 +33,11 @@ import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* Abstract implementation of {@link AccessDecisionManager}.
|
||||
* <p/>
|
||||
*
|
||||
* <p>
|
||||
* Handles configuration of a bean context defined list of {@link AccessDecisionVoter}s
|
||||
* and the access control behaviour if all voters abstain from voting (defaults to deny
|
||||
* access).
|
||||
* </p>
|
||||
*/
|
||||
public abstract class AbstractAccessDecisionManager implements AccessDecisionManager,
|
||||
InitializingBean, MessageSourceAware {
|
||||
@@ -101,10 +101,9 @@ public abstract class AbstractAccessDecisionManager implements AccessDecisionMan
|
||||
/**
|
||||
* Iterates through all <code>AccessDecisionVoter</code>s and ensures each can support
|
||||
* the presented class.
|
||||
* <p/>
|
||||
* <p>
|
||||
* If one or more voters cannot support the presented class, <code>false</code> is
|
||||
* returned.
|
||||
* </p>
|
||||
*
|
||||
* @param clazz the type of secured object being presented
|
||||
* @return true if this type is supported
|
||||
|
||||
@@ -95,6 +95,9 @@ public class RoleVoter implements AccessDecisionVoter<Object> {
|
||||
|
||||
public int vote(Authentication authentication, Object object,
|
||||
Collection<ConfigAttribute> attributes) {
|
||||
if(authentication == null) {
|
||||
return ACCESS_DENIED;
|
||||
}
|
||||
int result = ACCESS_ABSTAIN;
|
||||
Collection<? extends GrantedAuthority> authorities = extractAuthorities(authentication);
|
||||
|
||||
|
||||
+2
-2
@@ -24,7 +24,7 @@ package org.springframework.security.authentication.encoding;
|
||||
* </p>
|
||||
* <p>
|
||||
* As SHA is a one-way hash, the salt can contain any characters. The default strength for
|
||||
* the SHA encoding is SHA-1. If you wish to use higher strengths use the argumented
|
||||
* the SHA encoding is SHA-1. If you wish to use higher strengths use the parametrised
|
||||
* constructor. {@link #ShaPasswordEncoder(int strength)}
|
||||
* </p>
|
||||
* <p>
|
||||
@@ -32,7 +32,7 @@ package org.springframework.security.authentication.encoding;
|
||||
*
|
||||
* <pre>
|
||||
* <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
|
||||
* <constructor-arg value="256"/>
|
||||
* <constructor-arg value="256"/>
|
||||
* </bean>
|
||||
* </pre>
|
||||
*
|
||||
|
||||
+4
-5
@@ -51,7 +51,7 @@ import org.springframework.util.ObjectUtils;
|
||||
* This <code>AuthenticationProvider</code> is capable of validating
|
||||
* {@link org.springframework.security.authentication.UsernamePasswordAuthenticationToken}
|
||||
* requests contain the correct username and password.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* This implementation is backed by a <a
|
||||
* href="http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html"
|
||||
@@ -68,7 +68,7 @@ import org.springframework.util.ObjectUtils;
|
||||
* in the ApplicationContext. When the LoginContext calls the internal CallbackHandler,
|
||||
* control is passed to each {@link JaasAuthenticationCallbackHandler} for each Callback
|
||||
* passed.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* {@link JaasAuthenticationCallbackHandler}s are passed to the
|
||||
* AbstractJaasAuthenticationProvider through the
|
||||
@@ -84,8 +84,7 @@ import org.springframework.util.ObjectUtils;
|
||||
* </list>
|
||||
* </property>
|
||||
* </pre>
|
||||
*
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* After calling LoginContext.login(), the AbstractJaasAuthenticationProvider will
|
||||
* retrieve the returned Principals from the Subject
|
||||
@@ -95,7 +94,7 @@ import org.springframework.util.ObjectUtils;
|
||||
* Authorization a role, it returns that role name from it's
|
||||
* {@link AuthorityGranter#grant(java.security.Principal)} method. The returned role will
|
||||
* be applied to the Authorization object as a {@link GrantedAuthority}.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* AuthorityGranters are configured in spring xml as follows...
|
||||
*
|
||||
|
||||
+3
-7
@@ -61,8 +61,7 @@ import java.security.Security;
|
||||
* <value>/WEB-INF/login.conf</value>
|
||||
* </property>
|
||||
* </pre>
|
||||
*
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* The loginContextName should coincide with a given index in the loginConfig specifed.
|
||||
* The loginConfig file used in the JUnit tests appears as the following...
|
||||
@@ -80,7 +79,6 @@ import java.security.Security;
|
||||
* <property name="loginContextName"> <value>JAASTest</value> </property>
|
||||
* </pre>
|
||||
*
|
||||
* </p>
|
||||
* <p>
|
||||
* When using JAAS login modules as the authentication source, sometimes the <a href=
|
||||
* "http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html"
|
||||
@@ -91,7 +89,7 @@ import java.security.Security;
|
||||
* in the ApplicationContext. When the LoginContext calls the internal CallbackHandler,
|
||||
* control is passed to each {@link JaasAuthenticationCallbackHandler} for each Callback
|
||||
* passed.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* {@link JaasAuthenticationCallbackHandler}s are passed to the JaasAuthenticationProvider
|
||||
* through the
|
||||
@@ -108,7 +106,6 @@ import java.security.Security;
|
||||
* </property>
|
||||
* </pre>
|
||||
*
|
||||
* </p>
|
||||
* <p>
|
||||
* After calling LoginContext.login(), the JaasAuthenticationProvider will retrieve the
|
||||
* returned Principals from the Subject (LoginContext.getSubject().getPrincipals). Each
|
||||
@@ -130,10 +127,9 @@ import java.security.Security;
|
||||
* </pre>
|
||||
*
|
||||
* A configuration note: The JaasAuthenticationProvider uses the security properites
|
||||
* "e;login.config.url.X"e; to configure jaas. If you would like to customize the
|
||||
* "login.config.url.X" to configure jaas. If you would like to customize the
|
||||
* way Jaas gets configured, create a subclass of this and override the
|
||||
* {@link #configureJaas(Resource)} method.
|
||||
* </p>
|
||||
*
|
||||
* @author Ray Krueger
|
||||
* @author Rob Winch
|
||||
|
||||
+23
-31
@@ -25,10 +25,8 @@ import org.springframework.util.Assert;
|
||||
* then removing the {@link SecurityContext} after the delegate has completed.
|
||||
* </p>
|
||||
* <p>
|
||||
* By default the {@link SecurityContext} is only setup if {@link #call()} is
|
||||
* invoked on a separate {@link Thread} than the
|
||||
* {@link DelegatingSecurityContextCallable} was created on. This can be
|
||||
* overridden by setting {@link #setEnableOnOriginalThread(boolean)} to true.
|
||||
* If there is a {@link SecurityContext} that already exists, it will be
|
||||
* restored after the {@link #call()} method is invoked.
|
||||
* </p>
|
||||
*
|
||||
* @author Rob Winch
|
||||
@@ -38,11 +36,18 @@ public final class DelegatingSecurityContextCallable<V> implements Callable<V> {
|
||||
|
||||
private final Callable<V> delegate;
|
||||
|
||||
private final SecurityContext securityContext;
|
||||
|
||||
private final Thread originalThread;
|
||||
/**
|
||||
* The {@link SecurityContext} that the delegate {@link Callable} will be
|
||||
* ran as.
|
||||
*/
|
||||
private final SecurityContext delegateSecurityContext;
|
||||
|
||||
private boolean enableOnOriginalThread;
|
||||
/**
|
||||
* The {@link SecurityContext} that was on the {@link SecurityContextHolder}
|
||||
* prior to being set to the delegateSecurityContext.
|
||||
*/
|
||||
private SecurityContext originalSecurityContext;
|
||||
|
||||
/**
|
||||
* Creates a new {@link DelegatingSecurityContextCallable} with a specific
|
||||
@@ -57,8 +62,7 @@ public final class DelegatingSecurityContextCallable<V> implements Callable<V> {
|
||||
Assert.notNull(delegate, "delegate cannot be null");
|
||||
Assert.notNull(securityContext, "securityContext cannot be null");
|
||||
this.delegate = delegate;
|
||||
this.securityContext = securityContext;
|
||||
this.originalThread = Thread.currentThread();
|
||||
this.delegateSecurityContext = securityContext;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -71,33 +75,21 @@ public final class DelegatingSecurityContextCallable<V> implements Callable<V> {
|
||||
this(delegate, SecurityContextHolder.getContext());
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if the SecurityContext should be transfered if {@link #call()}
|
||||
* is invoked on the same {@link Thread} the
|
||||
* {@link DelegatingSecurityContextCallable} was created on.
|
||||
*
|
||||
* @param enableOnOriginalThread
|
||||
* if false (default), will only transfer the
|
||||
* {@link SecurityContext} if {@link #call()} is invoked on a
|
||||
* different {@link Thread} than the
|
||||
* {@link DelegatingSecurityContextCallable} was created on.
|
||||
*
|
||||
* @since 4.0.2
|
||||
*/
|
||||
public void setEnableOnOriginalThread(boolean enableOnOriginalThread) {
|
||||
this.enableOnOriginalThread = enableOnOriginalThread;
|
||||
}
|
||||
|
||||
public V call() throws Exception {
|
||||
if(!enableOnOriginalThread && originalThread == Thread.currentThread()) {
|
||||
return delegate.call();
|
||||
}
|
||||
this.originalSecurityContext = SecurityContextHolder.getContext();
|
||||
|
||||
try {
|
||||
SecurityContextHolder.setContext(securityContext);
|
||||
SecurityContextHolder.setContext(delegateSecurityContext);
|
||||
return delegate.call();
|
||||
}
|
||||
finally {
|
||||
SecurityContextHolder.clearContext();
|
||||
SecurityContext emptyContext = SecurityContextHolder.createEmptyContext();
|
||||
if(emptyContext.equals(originalSecurityContext)) {
|
||||
SecurityContextHolder.clearContext();
|
||||
} else {
|
||||
SecurityContextHolder.setContext(originalSecurityContext);
|
||||
}
|
||||
this.originalSecurityContext = null;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
+1
-1
@@ -55,7 +55,7 @@ public class DelegatingSecurityContextExecutorService extends
|
||||
* Creates a new {@link DelegatingSecurityContextExecutorService} that uses the
|
||||
* current {@link SecurityContext} from the {@link SecurityContextHolder}.
|
||||
*
|
||||
* @param delegateTaskExecutor the {@link TaskExecutor} to delegate to. Cannot be
|
||||
* @param delegate the {@link ExecutorService} to delegate to. Cannot be
|
||||
* null.
|
||||
*/
|
||||
public DelegatingSecurityContextExecutorService(ExecutorService delegate) {
|
||||
|
||||
+23
-32
@@ -23,10 +23,8 @@ import org.springframework.util.Assert;
|
||||
* {@link SecurityContext} after the delegate has completed.
|
||||
* </p>
|
||||
* <p>
|
||||
* By default the {@link SecurityContext} is only setup if {@link #run()} is
|
||||
* invoked on a separate {@link Thread} than the
|
||||
* {@link DelegatingSecurityContextRunnable} was created on. This can be
|
||||
* overridden by setting {@link #setEnableOnOriginalThread(boolean)} to true.
|
||||
* If there is a {@link SecurityContext} that already exists, it will be
|
||||
* restored after the {@link #run()} method is invoked.
|
||||
* </p>
|
||||
*
|
||||
* @author Rob Winch
|
||||
@@ -36,11 +34,17 @@ public final class DelegatingSecurityContextRunnable implements Runnable {
|
||||
|
||||
private final Runnable delegate;
|
||||
|
||||
private final SecurityContext securityContext;
|
||||
/**
|
||||
* The {@link SecurityContext} that the delegate {@link Runnable} will be
|
||||
* ran as.
|
||||
*/
|
||||
private final SecurityContext delegateSecurityContext;
|
||||
|
||||
private final Thread originalThread;
|
||||
|
||||
private boolean enableOnOriginalThread;
|
||||
/**
|
||||
* The {@link SecurityContext} that was on the {@link SecurityContextHolder}
|
||||
* prior to being set to the delegateSecurityContext.
|
||||
*/
|
||||
private SecurityContext originalSecurityContext;
|
||||
|
||||
/**
|
||||
* Creates a new {@link DelegatingSecurityContextRunnable} with a specific
|
||||
@@ -55,8 +59,7 @@ public final class DelegatingSecurityContextRunnable implements Runnable {
|
||||
Assert.notNull(delegate, "delegate cannot be null");
|
||||
Assert.notNull(securityContext, "securityContext cannot be null");
|
||||
this.delegate = delegate;
|
||||
this.securityContext = securityContext;
|
||||
this.originalThread = Thread.currentThread();
|
||||
this.delegateSecurityContext = securityContext;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -69,33 +72,21 @@ public final class DelegatingSecurityContextRunnable implements Runnable {
|
||||
this(delegate, SecurityContextHolder.getContext());
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if the SecurityContext should be transfered if {@link #call()}
|
||||
* is invoked on the same {@link Thread} the
|
||||
* {@link DelegatingSecurityContextCallable} was created on.
|
||||
*
|
||||
* @param enableOnOriginalThread
|
||||
* if false (default), will only transfer the
|
||||
* {@link SecurityContext} if {@link #call()} is invoked on a
|
||||
* different {@link Thread} than the
|
||||
* {@link DelegatingSecurityContextCallable} was created on.
|
||||
* @since 4.0.2
|
||||
*/
|
||||
public void setEnableOnOriginalThread(boolean enableOnOriginalThread) {
|
||||
this.enableOnOriginalThread = enableOnOriginalThread;
|
||||
}
|
||||
|
||||
public void run() {
|
||||
if(!enableOnOriginalThread && originalThread == Thread.currentThread()) {
|
||||
delegate.run();
|
||||
return;
|
||||
}
|
||||
this.originalSecurityContext = SecurityContextHolder.getContext();
|
||||
|
||||
try {
|
||||
SecurityContextHolder.setContext(securityContext);
|
||||
SecurityContextHolder.setContext(delegateSecurityContext);
|
||||
delegate.run();
|
||||
}
|
||||
finally {
|
||||
SecurityContextHolder.clearContext();
|
||||
SecurityContext emptyContext = SecurityContextHolder.createEmptyContext();
|
||||
if(emptyContext.equals(originalSecurityContext)) {
|
||||
SecurityContextHolder.clearContext();
|
||||
} else {
|
||||
SecurityContextHolder.setContext(originalSecurityContext);
|
||||
}
|
||||
this.originalSecurityContext = null;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
+1
-1
@@ -51,7 +51,7 @@ public final class DelegatingSecurityContextScheduledExecutorService extends
|
||||
* Creates a new {@link DelegatingSecurityContextScheduledExecutorService} that uses
|
||||
* the current {@link SecurityContext} from the {@link SecurityContextHolder}.
|
||||
*
|
||||
* @param delegateTaskExecutor the {@link TaskExecutor} to delegate to. Cannot be
|
||||
* @param delegate the {@link ScheduledExecutorService} to delegate to. Cannot be
|
||||
* null.
|
||||
*/
|
||||
public DelegatingSecurityContextScheduledExecutorService(
|
||||
|
||||
@@ -24,7 +24,7 @@ public class SpringSecurityCoreVersion {
|
||||
*/
|
||||
public static final long SERIAL_VERSION_UID = 400L;
|
||||
|
||||
static final String MIN_SPRING_VERSION = "4.1.6.RELEASE";
|
||||
static final String MIN_SPRING_VERSION = "4.2.5.RELEASE";
|
||||
|
||||
static {
|
||||
performVersionChecks();
|
||||
|
||||
+3
-1
@@ -30,7 +30,9 @@ import org.springframework.security.core.Authentication;
|
||||
* @author Rob Winch
|
||||
* @since 4.0
|
||||
*
|
||||
* @see org.springframework.security.messaging.context.AuthenticationPrincipalArgumentResolver
|
||||
* See: <a href="{@docRoot}/org/springframework/security/messaging/context/AuthenticationPrincipalArgumentResolver.html">
|
||||
* AuthenticationPrincipalArgumentResolver
|
||||
* </a>
|
||||
*/
|
||||
@Target({ ElementType.PARAMETER, ElementType.ANNOTATION_TYPE })
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
|
||||
+2
-2
@@ -40,7 +40,7 @@ import org.springframework.util.ReflectionUtils;
|
||||
* <pre>
|
||||
* import org.springframework.security.access.method.P;
|
||||
*
|
||||
* @PostAuthorize("#to == returnObject.to")
|
||||
* {@code @PostAuthorize("#to == returnObject.to")}
|
||||
* public Message findMessageByTo(@P("to") String to);
|
||||
* </pre>
|
||||
*
|
||||
@@ -70,7 +70,7 @@ import org.springframework.util.ReflectionUtils;
|
||||
* <pre>
|
||||
* import org.springframework.security.access.method.P;
|
||||
*
|
||||
* @PostAuthorize("#to == returnObject.to")
|
||||
* {@code @PostAuthorize("#to == returnObject.to")}
|
||||
* public Message findMessageByToAndFrom(@P("to") User to, User from);
|
||||
* </pre>
|
||||
*
|
||||
|
||||
+2
-3
@@ -32,9 +32,8 @@ import java.util.concurrent.CopyOnWriteArraySet;
|
||||
* SessionDestroyedEvent}s published in the Spring application context.
|
||||
* <p>
|
||||
* For this class to function correctly in a web application, it is important that you
|
||||
* register an {@link org.springframework.security.web.session.HttpSessionEventPublisher
|
||||
* HttpSessionEventPublisher} in the <tt>web.xml</tt> file so that this class is notified
|
||||
* of sessions that expire.
|
||||
* register an <a href="{@docRoot}/org/springframework/security/web/session/HttpSessionEventPublisher.html">HttpSessionEventPublisher</a>
|
||||
* in the <tt>web.xml</tt> file so that this class is notified of sessions that expire.
|
||||
*
|
||||
* @author Ben Alex
|
||||
* @author Luke Taylor
|
||||
|
||||
+1
-1
@@ -145,7 +145,7 @@ public class KeyBasedPersistenceTokenService implements TokenService, Initializi
|
||||
}
|
||||
|
||||
/**
|
||||
* @param pseudoRandomNumberBytes changes the number of bytes issued (must be >= 0;
|
||||
* @param pseudoRandomNumberBytes changes the number of bytes issued (must be >= 0;
|
||||
* defaults to 256)
|
||||
*/
|
||||
public void setPseudoRandomNumberBytes(int pseudoRandomNumberBytes) {
|
||||
|
||||
@@ -38,7 +38,7 @@ public interface TokenService {
|
||||
Token allocateToken(String extendedInformation);
|
||||
|
||||
/**
|
||||
* Permits verification the <{@link Token#getKey()} was issued by this
|
||||
* Permits verification the {@link Token#getKey()} was issued by this
|
||||
* <code>TokenService</code> and reconstructs the corresponding <code>Token</code>.
|
||||
*
|
||||
* @param key as obtained from {@link Token#getKey()} and created by this
|
||||
|
||||
+2
-2
@@ -47,7 +47,7 @@ import org.springframework.util.Assert;
|
||||
*
|
||||
* This table contains the login name, password and enabled status of the user.
|
||||
*
|
||||
* <table>
|
||||
* <table summary="The Users Table">
|
||||
* <tr>
|
||||
* <th>Column</th>
|
||||
* </tr>
|
||||
@@ -64,7 +64,7 @@ import org.springframework.util.Assert;
|
||||
*
|
||||
* <h4>The Authorities Table</h4>
|
||||
*
|
||||
* <table>
|
||||
* <table summary="The Authorities Table">
|
||||
* <tr>
|
||||
* <th>Column</th>
|
||||
* </tr>
|
||||
|
||||
+3
-3
@@ -23,7 +23,7 @@ import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||
|
||||
/**
|
||||
* Used by {@link InMemoryDaoImpl} to temporarily store the attributes associated with a
|
||||
* Used by {@link org.springframework.security.provisioning.InMemoryUserDetailsManager} to temporarily store the attributes associated with a
|
||||
* user.
|
||||
*
|
||||
* @author Ben Alex
|
||||
@@ -50,7 +50,7 @@ public class UserAttribute {
|
||||
/**
|
||||
* Set all authorities for this user.
|
||||
*
|
||||
* @param authorities {@link List} <{@link GrantedAuthority}>
|
||||
* @param authorities {@link List} <{@link GrantedAuthority}>
|
||||
* @since 1.1
|
||||
*/
|
||||
public void setAuthorities(List<GrantedAuthority> authorities) {
|
||||
@@ -61,7 +61,7 @@ public class UserAttribute {
|
||||
* Set all authorities for this user from String values. It will create the necessary
|
||||
* {@link GrantedAuthority} objects.
|
||||
*
|
||||
* @param authoritiesAsStrings {@link List} <{@link String}>
|
||||
* @param authoritiesAsStrings {@link List} <{@link String}>
|
||||
* @since 1.1
|
||||
*/
|
||||
public void setAuthoritiesAsString(List<String> authoritiesAsStrings) {
|
||||
|
||||
+1
-1
@@ -45,7 +45,7 @@ public class DelegatingSecurityContextTaskExecutor extends
|
||||
* Creates a new {@link DelegatingSecurityContextTaskExecutor} that uses the current
|
||||
* {@link SecurityContext} from the {@link SecurityContextHolder}.
|
||||
*
|
||||
* @param delegateTaskExecutor the {@link TaskExecutor} to delegate to. Cannot be
|
||||
* @param delegate the {@link TaskExecutor} to delegate to. Cannot be
|
||||
* null.
|
||||
*/
|
||||
public DelegatingSecurityContextTaskExecutor(TaskExecutor delegate) {
|
||||
|
||||
@@ -4,48 +4,48 @@
|
||||
# Translation by Valentin Crettaz (valentin.crettaz@consulthys.com)
|
||||
AbstractAccessDecisionManager.accessDenied=Acc\u00E8s refus\u00E9
|
||||
AbstractLdapAuthenticationProvider.emptyPassword=Le mot de passe est obligatoire
|
||||
AbstractSecurityInterceptor.authenticationNotFound=Aucun objet Authentication n'a \u00E9t\u00E9 trouv\u00E9 dans le SecurityContext
|
||||
AbstractSecurityInterceptor.authenticationNotFound=Aucun objet Authentication n''a \u00E9t\u00E9 trouv\u00E9 dans le SecurityContext
|
||||
AbstractUserDetailsAuthenticationProvider.badCredentials=Les identifications sont erron\u00E9es
|
||||
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Les identifications de l'utilisateur ont expir\u00E9
|
||||
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Les identifications de l''utilisateur ont expir\u00E9
|
||||
AbstractUserDetailsAuthenticationProvider.disabled=Le compte utilisateur est d\u00E9sactiv\u00E9
|
||||
AbstractUserDetailsAuthenticationProvider.expired=Le compte utilisateur a expir\u00E9
|
||||
AbstractUserDetailsAuthenticationProvider.locked=Le compte utilisateur est bloqu\u00E9
|
||||
AbstractUserDetailsAuthenticationProvider.onlySupports=Seul UsernamePasswordAuthenticationToken est pris en charge
|
||||
AccountStatusUserDetailsChecker.credentialsExpired=Les identifications de l'utilisateur ont expir\u00E9
|
||||
AccountStatusUserDetailsChecker.credentialsExpired=Les identifications de l''utilisateur ont expir\u00E9
|
||||
AccountStatusUserDetailsChecker.disabled=Le compte utilisateur est d\u00E9sactiv\u00E9
|
||||
AccountStatusUserDetailsChecker.expired=Le compte utilisateur a expir\u00E9
|
||||
AccountStatusUserDetailsChecker.locked=Le compte utilisateur est bloqu\u00E9
|
||||
AclEntryAfterInvocationProvider.noPermission=L'authentification {0} n'a AUCUNE permission pour l'objet de domaine {1}
|
||||
AnonymousAuthenticationProvider.incorrectKey=L'AnonymousAuthenticationToken pr\u00E9sent\u00E9 ne contient pas la cl\u00E9 attendue
|
||||
AclEntryAfterInvocationProvider.noPermission=L''authentification {0} n''a AUCUNE permission pour l''objet de domaine {1}
|
||||
AnonymousAuthenticationProvider.incorrectKey=L''AnonymousAuthenticationToken pr\u00E9sent\u00E9 ne contient pas la cl\u00E9 attendue
|
||||
BindAuthenticator.badCredentials=Les identifications sont erron\u00E9es
|
||||
BindAuthenticator.emptyPassword=Le mot de passe est obligatoire
|
||||
CasAuthenticationProvider.incorrectKey=Le CasAuthenticationToken pr\u00E9sent\u00E9 ne contient pas la cl\u00E9 attendue
|
||||
CasAuthenticationProvider.noServiceTicket=Echec d'obtention d'un ticket CAS \u00E0 valider
|
||||
CasAuthenticationProvider.noServiceTicket=Echec d''obtention d''un ticket CAS \u00E0 valider
|
||||
ConcurrentSessionControlStrategy.exceededAllowed=Le maximum de {0} sessions a \u00E9t\u00E9 d\u00E9pass\u00E9 pour cet utilisateur
|
||||
DigestAuthenticationFilter.incorrectRealm=Le nom de domaine de la r\u00E9ponse {0} ne correspond pas au nom de domaine du syst\u00E8me {1}
|
||||
DigestAuthenticationFilter.incorrectResponse=R\u00E9ponse incorrecte
|
||||
DigestAuthenticationFilter.missingAuth=Une valeur obligatoire manque au condens\u00E9 pour 'auth' QOP; re\u00E7u l'ent\u00EAte {0}
|
||||
DigestAuthenticationFilter.missingMandatory=Une valeur obligatoire manque au condens\u00E9; re\u00E7u l'ent\u00EAte {0}
|
||||
DigestAuthenticationFilter.missingAuth=Une valeur obligatoire manque au condens\u00E9 pour ''auth'' QOP; re\u00E7u l''ent\u00EAte {0}
|
||||
DigestAuthenticationFilter.missingMandatory=Une valeur obligatoire manque au condens\u00E9; re\u00E7u l''ent\u00EAte {0}
|
||||
DigestAuthenticationFilter.nonceCompromised=Le jeton nonce est compromis {0}
|
||||
DigestAuthenticationFilter.nonceEncoding=Le nonce n'est pas encod\u00E9 en Base64; re\u00E7u le nonce {0}
|
||||
DigestAuthenticationFilter.nonceEncoding=Le nonce n''est pas encod\u00E9 en Base64; re\u00E7u le nonce {0}
|
||||
DigestAuthenticationFilter.nonceExpired=Le nonce a expir\u00E9
|
||||
DigestAuthenticationFilter.nonceNotNumeric=Le jeton nonce aurait d\u00FB g\u00E9n\u00E9rer d'abord un jeton num\u00E9rique, mais \u00E9tait {0}
|
||||
DigestAuthenticationFilter.nonceNotNumeric=Le jeton nonce aurait d\u00FB g\u00E9n\u00E9rer d''abord un jeton num\u00E9rique, mais \u00E9tait {0}
|
||||
DigestAuthenticationFilter.nonceNotTwoTokens=Le nonce aurait d\u00FB g\u00E9n\u00E9rer deux jetons, mais \u00E9tait {0}
|
||||
DigestAuthenticationFilter.usernameNotFound=Le nom d'utilisateur {0} n'a pas \u00E9t\u00E9 trouv\u00E9
|
||||
JdbcDaoImpl.noAuthority=Le compte utilisateur {0} n'a pas de permission
|
||||
JdbcDaoImpl.notFound=Le nom d'utilisateur {0} n'a pas \u00E9t\u00E9 trouv\u00E9
|
||||
DigestAuthenticationFilter.usernameNotFound=Le nom d''utilisateur {0} n''a pas \u00E9t\u00E9 trouv\u00E9
|
||||
JdbcDaoImpl.noAuthority=Le compte utilisateur {0} n''a pas de permission
|
||||
JdbcDaoImpl.notFound=Le nom d''utilisateur {0} n''a pas \u00E9t\u00E9 trouv\u00E9
|
||||
LdapAuthenticationProvider.badCredentials=Les identifications sont erron\u00E9es
|
||||
LdapAuthenticationProvider.credentialsExpired=Les identifications de l'utilisateur ont expir\u00E9
|
||||
LdapAuthenticationProvider.credentialsExpired=Les identifications de l''utilisateur ont expir\u00E9
|
||||
LdapAuthenticationProvider.disabled=Le compte utilisateur est d\u00E9sactiv\u00E9
|
||||
LdapAuthenticationProvider.expired=Le compte utilisateur a expir\u00E9
|
||||
LdapAuthenticationProvider.locked=Le compte utilisateur est bloqu\u00E9
|
||||
LdapAuthenticationProvider.emptyUsername=Le nom d'utilisateur est obligatoire
|
||||
LdapAuthenticationProvider.emptyUsername=Le nom d''utilisateur est obligatoire
|
||||
LdapAuthenticationProvider.onlySupports=Seul UsernamePasswordAuthenticationToken est pris en charge
|
||||
PasswordComparisonAuthenticator.badCredentials=Les identifications sont erron\u00E9es
|
||||
PersistentTokenBasedRememberMeServices.cookieStolen=Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
|
||||
ProviderManager.providerNotFound=Aucun AuthenticationProvider n'a \u00E9t\u00E9 trouv\u00E9 pour {0}
|
||||
ProviderManager.providerNotFound=Aucun AuthenticationProvider n''a \u00E9t\u00E9 trouv\u00E9 pour {0}
|
||||
RememberMeAuthenticationProvider.incorrectKey=Le RememberMeAuthenticationToken pr\u00E9sent\u00E9 ne contient pas la cl\u00E9 attendue
|
||||
RunAsImplAuthenticationProvider.incorrectKey=Le RunAsUserToken pr\u00E9sent\u00E9 ne contient pas la cl\u00E9 attendue
|
||||
SubjectDnX509PrincipalExtractor.noMatching=Aucun motif concordant n'a \u00E9t\u00E9 trouv\u00E9 dans le subjectDN\: {0}
|
||||
SwitchUserFilter.noCurrentUser=Aucun utilisateur n'est associ\u00E9 \u00E0 la requ\u00EAte en cours
|
||||
SwitchUserFilter.noOriginalAuthentication=L'objet Authentication original n'a pas \u00E9t\u00E9 trouv\u00E9
|
||||
SubjectDnX509PrincipalExtractor.noMatching=Aucun motif concordant n''a \u00E9t\u00E9 trouv\u00E9 dans le subjectDN\: {0}
|
||||
SwitchUserFilter.noCurrentUser=Aucun utilisateur n''est associ\u00E9 \u00E0 la requ\u00EAte en cours
|
||||
SwitchUserFilter.noOriginalAuthentication=L''objet Authentication original n''a pas \u00E9t\u00E9 trouv\u00E9
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
package org.springframework.security.access.vote;
|
||||
|
||||
import static org.fest.assertions.Assertions.assertThat;
|
||||
import static org.junit.Assert.*;
|
||||
|
||||
import org.junit.Test;
|
||||
@@ -22,4 +23,13 @@ public class RoleVoterTests {
|
||||
assertEquals(AccessDecisionVoter.ACCESS_GRANTED,
|
||||
voter.vote(userAB, this, SecurityConfig.createList("A", "C")));
|
||||
}
|
||||
|
||||
// SEC-3128
|
||||
@Test
|
||||
public void nullAuthenticationDenies() {
|
||||
RoleVoter voter = new RoleVoter();
|
||||
voter.setRolePrefix("");
|
||||
Authentication notAuthenitcated = null;
|
||||
assertThat(voter.vote(notAuthenitcated, this, SecurityConfig.createList("A"))).isEqualTo(AccessDecisionVoter.ACCESS_DENIED);
|
||||
}
|
||||
}
|
||||
|
||||
+6
-10
@@ -50,9 +50,12 @@ public class DelegatingSecurityContextCallableTests {
|
||||
|
||||
private ExecutorService executor;
|
||||
|
||||
private SecurityContext originalSecurityContext;
|
||||
|
||||
@Before
|
||||
@SuppressWarnings("serial")
|
||||
public void setUp() throws Exception {
|
||||
originalSecurityContext = SecurityContextHolder.createEmptyContext();
|
||||
when(delegate.call()).thenAnswer(new Returns(callableResult) {
|
||||
@Override
|
||||
public Object answer(InvocationOnMock invocation) throws Throwable {
|
||||
@@ -111,17 +114,10 @@ public class DelegatingSecurityContextCallableTests {
|
||||
// SEC-3031
|
||||
@Test
|
||||
public void callOnSameThread() throws Exception {
|
||||
originalSecurityContext = securityContext;
|
||||
SecurityContextHolder.setContext(originalSecurityContext);
|
||||
callable = new DelegatingSecurityContextCallable<Object>(delegate,
|
||||
securityContext);
|
||||
securityContext = SecurityContextHolder.createEmptyContext();
|
||||
assertWrapped(callable.call());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void callOnSameThreadExplicitlyEnabled() throws Exception {
|
||||
DelegatingSecurityContextCallable<Object> callable = new DelegatingSecurityContextCallable<Object>(delegate,
|
||||
securityContext);
|
||||
callable.setEnableOnOriginalThread(true);
|
||||
assertWrapped(callable.call());
|
||||
}
|
||||
|
||||
@@ -170,6 +166,6 @@ public class DelegatingSecurityContextCallableTests {
|
||||
private void assertWrapped(Object callableResult) throws Exception {
|
||||
verify(delegate).call();
|
||||
assertThat(SecurityContextHolder.getContext()).isEqualTo(
|
||||
SecurityContextHolder.createEmptyContext());
|
||||
originalSecurityContext);
|
||||
}
|
||||
}
|
||||
+6
-11
@@ -51,8 +51,11 @@ public class DelegatingSecurityContextRunnableTests {
|
||||
|
||||
private ExecutorService executor;
|
||||
|
||||
private SecurityContext originalSecurityContext;
|
||||
|
||||
@Before
|
||||
public void setUp() throws Exception {
|
||||
originalSecurityContext = SecurityContextHolder.createEmptyContext();
|
||||
doAnswer(new Answer<Object>() {
|
||||
public Object answer(InvocationOnMock invocation) throws Throwable {
|
||||
assertThat(SecurityContextHolder.getContext()).isEqualTo(securityContext);
|
||||
@@ -110,19 +113,11 @@ public class DelegatingSecurityContextRunnableTests {
|
||||
// SEC-3031
|
||||
@Test
|
||||
public void callOnSameThread() throws Exception {
|
||||
originalSecurityContext = securityContext;
|
||||
SecurityContextHolder.setContext(originalSecurityContext);
|
||||
executor = synchronousExecutor();
|
||||
runnable = new DelegatingSecurityContextRunnable(delegate,
|
||||
securityContext);
|
||||
securityContext = SecurityContextHolder.createEmptyContext();
|
||||
assertWrapped(runnable);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void callOnSameThreadExplicitlyEnabled() throws Exception {
|
||||
executor = synchronousExecutor();
|
||||
DelegatingSecurityContextRunnable runnable = new DelegatingSecurityContextRunnable(delegate,
|
||||
securityContext);
|
||||
runnable.setEnableOnOriginalThread(true);
|
||||
assertWrapped(runnable);
|
||||
}
|
||||
|
||||
@@ -167,7 +162,7 @@ public class DelegatingSecurityContextRunnableTests {
|
||||
submit.get();
|
||||
verify(delegate).run();
|
||||
assertThat(SecurityContextHolder.getContext()).isEqualTo(
|
||||
SecurityContextHolder.createEmptyContext());
|
||||
originalSecurityContext);
|
||||
}
|
||||
|
||||
private static ExecutorService synchronousExecutor() {
|
||||
|
||||
+2
-2
@@ -3,7 +3,7 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-crypto</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<name>spring-security-crypto</name>
|
||||
<description>spring-security-crypto</description>
|
||||
<url>http://spring.io/spring-security</url>
|
||||
@@ -79,7 +79,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-framework-bom</artifactId>
|
||||
<version>4.1.6.RELEASE</version>
|
||||
<version>4.2.5.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
|
||||
@@ -31,25 +31,25 @@ import java.security.SecureRandom;
|
||||
* with a random salt, like this:
|
||||
* <p>
|
||||
* <code>
|
||||
* String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); <br />
|
||||
* String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); <br>
|
||||
* </code>
|
||||
* <p>
|
||||
* To check whether a plaintext password matches one that has been hashed previously, use
|
||||
* the checkpw method:
|
||||
* <p>
|
||||
* <code>
|
||||
* if (BCrypt.checkpw(candidate_password, stored_hash))<br />
|
||||
* System.out.println("It matches");<br />
|
||||
* else<br />
|
||||
* System.out.println("It does not match");<br />
|
||||
* if (BCrypt.checkpw(candidate_password, stored_hash))<br>
|
||||
* System.out.println("It matches");<br>
|
||||
* else<br>
|
||||
* System.out.println("It does not match");<br>
|
||||
* </code>
|
||||
* <p>
|
||||
* The gensalt() method takes an optional parameter (log_rounds) that determines the
|
||||
* computational complexity of the hashing:
|
||||
* <p>
|
||||
* <code>
|
||||
* String strong_salt = BCrypt.gensalt(10)<br />
|
||||
* String stronger_salt = BCrypt.gensalt(12)<br />
|
||||
* String strong_salt = BCrypt.gensalt(10)<br>
|
||||
* String stronger_salt = BCrypt.gensalt(12)<br>
|
||||
* </code>
|
||||
* <p>
|
||||
* The amount of work increases exponentially (2**log_rounds), so each increment is twice
|
||||
|
||||
-2
@@ -15,8 +15,6 @@
|
||||
*/
|
||||
package org.springframework.security.crypto.keygen;
|
||||
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.NoSuchProviderException;
|
||||
import java.security.SecureRandom;
|
||||
|
||||
/**
|
||||
|
||||
@@ -17,7 +17,6 @@ package org.springframework.security.crypto.password;
|
||||
|
||||
import java.security.MessageDigest;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.NoSuchProviderException;
|
||||
|
||||
/**
|
||||
* Helper for working with the MessageDigest API.
|
||||
@@ -30,7 +29,7 @@ import java.security.NoSuchProviderException;
|
||||
*/
|
||||
final class Digester {
|
||||
|
||||
private final MessageDigest messageDigest;
|
||||
private final String algorithm;
|
||||
|
||||
private final int iterations;
|
||||
|
||||
@@ -40,22 +39,26 @@ final class Digester {
|
||||
* @param iterations the number of times to apply the digest algorithm to the input
|
||||
*/
|
||||
public Digester(String algorithm, int iterations) {
|
||||
try {
|
||||
messageDigest = MessageDigest.getInstance(algorithm);
|
||||
}
|
||||
catch (NoSuchAlgorithmException e) {
|
||||
throw new IllegalStateException("No such hashing algorithm", e);
|
||||
}
|
||||
|
||||
// eagerly validate the algorithm
|
||||
createDigest(algorithm);
|
||||
this.algorithm = algorithm;
|
||||
this.iterations = iterations;
|
||||
}
|
||||
|
||||
public byte[] digest(byte[] value) {
|
||||
synchronized (messageDigest) {
|
||||
for (int i = 0; i < iterations; i++) {
|
||||
value = messageDigest.digest(value);
|
||||
}
|
||||
return value;
|
||||
MessageDigest messageDigest = createDigest(algorithm);
|
||||
for (int i = 0; i < iterations; i++) {
|
||||
value = messageDigest.digest(value);
|
||||
}
|
||||
return value;
|
||||
}
|
||||
|
||||
private static MessageDigest createDigest(String algorithm) {
|
||||
try {
|
||||
return MessageDigest.getInstance(algorithm);
|
||||
}
|
||||
catch (NoSuchAlgorithmException e) {
|
||||
throw new IllegalStateException("No such hashing algorithm", e);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
+3
-3
@@ -3,7 +3,7 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-data</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<name>spring-security-data</name>
|
||||
<description>spring-security-data</description>
|
||||
<url>http://spring.io/spring-security</url>
|
||||
@@ -40,7 +40,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-core</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
@@ -102,7 +102,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-framework-bom</artifactId>
|
||||
<version>4.1.6.RELEASE</version>
|
||||
<version>4.2.5.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
|
||||
+9
-11
@@ -29,41 +29,39 @@ import java.util.Map;
|
||||
* <p>
|
||||
* By defining this object as a Bean, Spring Security is exposed as SpEL expressions for
|
||||
* creating Spring Data queries.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* With Java based configuration, we can define the bean using the following:
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* For example, if you return a UserDetails that extends the following User object:
|
||||
* </p>
|
||||
*
|
||||
* <pre>
|
||||
* @Entity
|
||||
* @Entity
|
||||
* public class User {
|
||||
* @GeneratedValue(strategy = GenerationType.AUTO)
|
||||
* @Id
|
||||
* @GeneratedValue(strategy = GenerationType.AUTO)
|
||||
* @Id
|
||||
* private Long id;
|
||||
*
|
||||
* ...
|
||||
* }
|
||||
* </pre>
|
||||
*
|
||||
* <p>
|
||||
* And you have a Message object that looks like the following:
|
||||
* </p>
|
||||
*
|
||||
* <pre>
|
||||
* @Entity
|
||||
* @Entity
|
||||
* public class Message {
|
||||
* @Id
|
||||
* @GeneratedValue(strategy = GenerationType.AUTO)
|
||||
* @Id
|
||||
* @GeneratedValue(strategy = GenerationType.AUTO)
|
||||
* private Long id;
|
||||
*
|
||||
* @OneToOne
|
||||
* @OneToOne
|
||||
* private User to;
|
||||
*
|
||||
* ...
|
||||
* }
|
||||
* </pre>
|
||||
*
|
||||
* You can use the following {@code Query} annotation to search for only messages that are
|
||||
|
||||
@@ -188,6 +188,7 @@ For example, we might create an annotation named `@WithMockCustomUser` as shown
|
||||
|
||||
[source,java]
|
||||
----
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
@WithSecurityContext(factory = WithMockCustomUserSecurityContextFactory.class)
|
||||
public @interface WithMockCustomUser {
|
||||
|
||||
@@ -506,7 +507,7 @@ For example, this is the above request modified to include the username on the H
|
||||
[source,java]
|
||||
----
|
||||
mvc
|
||||
.perform(formLogin("/auth").user("a","admin").password("p","pass"))
|
||||
.perform(formLogin("/auth").user("u","admin").password("p","pass"))
|
||||
----
|
||||
|
||||
[[test-logout]]
|
||||
|
||||
@@ -388,7 +388,7 @@ For example:
|
||||
|
||||
<b:bean id="csrfMatcher"
|
||||
class="AndRequestMatcher">
|
||||
<b:constructor-arg value="#{T(org.springframework.security.web.csrf.CsrfFilter).DEFAULT_MATCHER}"/>
|
||||
<b:constructor-arg value="#{T(org.springframework.security.web.csrf.CsrfFilter).DEFAULT_CSRF_MATCHER}"/>
|
||||
<b:constructor-arg>
|
||||
<b:bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
|
||||
<b:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
|
||||
@@ -3510,18 +3510,16 @@ You can easily do this with the following Java Configuration:
|
||||
----
|
||||
@EnableWebSecurity
|
||||
public class WebSecurityConfig extends
|
||||
WebSecurityConfigurerAdapter {
|
||||
WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.frameOptions()
|
||||
.sameOrigin()
|
||||
.and()
|
||||
.hsts().disable();
|
||||
}
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.frameOptions().sameOrigin()
|
||||
.httpStrictTransportSecurity().disable();
|
||||
}
|
||||
}
|
||||
----
|
||||
|
||||
|
||||
+1
-1
@@ -1 +1 @@
|
||||
version=4.0.2.RELEASE
|
||||
version=4.0.5.CI-SNAPSHOT
|
||||
|
||||
@@ -143,7 +143,6 @@ task springSnapshotTest(type: Test) {
|
||||
junitXml.destination = project.file("$buildDir/reports/spring-snapshot-tests/")
|
||||
}
|
||||
}
|
||||
check.dependsOn springSnapshotTest
|
||||
|
||||
dependencies {
|
||||
optional "commons-logging:commons-logging:$commonsLoggingVersion"
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>itest-context</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<name>itest-context</name>
|
||||
<description>itest-context</description>
|
||||
<url>http://spring.io/spring-security</url>
|
||||
@@ -46,7 +46,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-core</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
@@ -121,13 +121,13 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-config</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-web</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
@@ -146,7 +146,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-framework-bom</artifactId>
|
||||
<version>4.1.6.RELEASE</version>
|
||||
<version>4.2.5.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
|
||||
+7
-7
@@ -3,7 +3,7 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>itest-web</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<name>itest-web</name>
|
||||
<description>itest-web</description>
|
||||
<url>http://spring.io/spring-security</url>
|
||||
@@ -139,31 +139,31 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-config</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-core</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-ldap</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-taglibs</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-web</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
@@ -194,7 +194,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-framework-bom</artifactId>
|
||||
<version>4.1.6.RELEASE</version>
|
||||
<version>4.2.5.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
|
||||
+11
-11
@@ -3,7 +3,7 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-ldap</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<name>spring-security-ldap</name>
|
||||
<description>spring-security-ldap</description>
|
||||
<url>http://spring.io/spring-security</url>
|
||||
@@ -38,31 +38,31 @@
|
||||
<scope>compile</scope>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<artifactId>spring-beans</artifactId>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-data-commons</artifactId>
|
||||
<groupId>org.springframework.data</groupId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<artifactId>spring-core</artifactId>
|
||||
<groupId>org.springframework</groupId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<artifactId>spring-data-commons</artifactId>
|
||||
<groupId>org.springframework.data</groupId>
|
||||
<artifactId>spring-tx</artifactId>
|
||||
<groupId>org.springframework</groupId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<artifactId>spring-beans</artifactId>
|
||||
<groupId>org.springframework</groupId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<artifactId>commons-logging</artifactId>
|
||||
<groupId>commons-logging</groupId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<artifactId>spring-tx</artifactId>
|
||||
<groupId>org.springframework</groupId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-core</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
@@ -194,7 +194,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-framework-bom</artifactId>
|
||||
<version>4.1.6.RELEASE</version>
|
||||
<version>4.2.5.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
|
||||
+1
-1
@@ -40,7 +40,7 @@ public class DefaultSpringSecurityContextSource extends LdapContextSource {
|
||||
* you want to use more than one server for fail-over, rather use the
|
||||
* {@link #DefaultSpringSecurityContextSource(List, String)} constructor.
|
||||
*
|
||||
* @param providerUrl an LDAP URL of the form <code>ldap://localhost:389/base_dn<code>
|
||||
* @param providerUrl an LDAP URL of the form <code>ldap://localhost:389/base_dn</code>
|
||||
*/
|
||||
public DefaultSpringSecurityContextSource(String providerUrl) {
|
||||
Assert.hasLength(providerUrl, "An LDAP connection URL must be supplied.");
|
||||
|
||||
@@ -22,8 +22,7 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||
* Obtains a user's information from the LDAP directory given a login name.
|
||||
* <p>
|
||||
* May be optionally used to configure the LDAP authentication implementation when a more
|
||||
* sophisticated approach is required than just using a simple username->DN mapping.
|
||||
* </p>
|
||||
* sophisticated approach is required than just using a simple username->DN mapping.
|
||||
*
|
||||
* @author Luke Taylor
|
||||
*/
|
||||
|
||||
+16
-16
@@ -75,15 +75,15 @@ import java.util.Set;
|
||||
*
|
||||
* <pre>
|
||||
* <bean id="ldapAuthoritiesPopulator"
|
||||
* class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
|
||||
* <constructor-arg ref="contextSource"/>
|
||||
* <constructor-arg value="ou=groups"/>
|
||||
* <property name="groupRoleAttribute" value="ou"/>
|
||||
* <!-- the following properties are shown with their default values -->
|
||||
* <property name="searchSubtree" value="false"/>
|
||||
* <property name="rolePrefix" value="ROLE_"/>
|
||||
* <property name="convertToUpperCase" value="true"/>
|
||||
* </bean>
|
||||
* class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
|
||||
* <constructor-arg ref="contextSource"/>
|
||||
* <constructor-arg value="ou=groups"/>
|
||||
* <property name="groupRoleAttribute" value="ou"/>
|
||||
* <!-- the following properties are shown with their default values -->
|
||||
* <property name="searchSubtree" value="false"/>
|
||||
* <property name="rolePrefix" value="ROLE_"/>
|
||||
* <property name="convertToUpperCase" value="true"/>
|
||||
* </bean>
|
||||
* </pre>
|
||||
*
|
||||
* A search for roles for user "uid=ben,ou=people,dc=springframework,dc=org" would return
|
||||
@@ -292,7 +292,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
|
||||
/**
|
||||
* Sets the prefix which will be prepended to the values loaded from the directory.
|
||||
* Defaults to "ROLE_" for compatibility with <tt>RoleVoter/tt>.
|
||||
* Defaults to "ROLE_" for compatibility with <tt>RoleVoter</tt>.
|
||||
*/
|
||||
public void setRolePrefix(String rolePrefix) {
|
||||
Assert.notNull(rolePrefix, "rolePrefix must not be null");
|
||||
@@ -326,7 +326,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
* Returns the current LDAP template. Method available so that classes extending this
|
||||
* can override the template used
|
||||
* @return the LDAP template
|
||||
* @see {@link org.springframework.security.ldap.SpringSecurityLdapTemplate}
|
||||
* @see org.springframework.security.ldap.SpringSecurityLdapTemplate
|
||||
*/
|
||||
protected SpringSecurityLdapTemplate getLdapTemplate() {
|
||||
return ldapTemplate;
|
||||
@@ -336,7 +336,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
* Returns the attribute name of the LDAP attribute that will be mapped to the role
|
||||
* name Method available so that classes extending this can override
|
||||
* @return the attribute name used for role mapping
|
||||
* @see {@link #setGroupRoleAttribute(String)}
|
||||
* @see #setGroupRoleAttribute(String)
|
||||
*/
|
||||
protected final String getGroupRoleAttribute() {
|
||||
return groupRoleAttribute;
|
||||
@@ -346,7 +346,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
* Returns the search filter configured for this populator Method available so that
|
||||
* classes extending this can override
|
||||
* @return the search filter
|
||||
* @see {@link #setGroupSearchFilter(String)}
|
||||
* @see #setGroupSearchFilter(String)
|
||||
*/
|
||||
protected final String getGroupSearchFilter() {
|
||||
return groupSearchFilter;
|
||||
@@ -356,7 +356,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
* Returns the role prefix used by this populator Method available so that classes
|
||||
* extending this can override
|
||||
* @return the role prefix
|
||||
* @see {@link #setRolePrefix(String)}
|
||||
* @see #setRolePrefix(String)
|
||||
*/
|
||||
protected final String getRolePrefix() {
|
||||
return rolePrefix;
|
||||
@@ -366,7 +366,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
* Returns true if role names are converted to uppercase Method available so that
|
||||
* classes extending this can override
|
||||
* @return true if role names are converted to uppercase.
|
||||
* @see {@link #setConvertToUpperCase(boolean)}
|
||||
* @see #setConvertToUpperCase(boolean)
|
||||
*/
|
||||
protected final boolean isConvertToUpperCase() {
|
||||
return convertToUpperCase;
|
||||
@@ -376,7 +376,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
* Returns the default role Method available so that classes extending this can
|
||||
* override
|
||||
* @return the default role used
|
||||
* @see {@link #setDefaultRole(String)}
|
||||
* @see #setDefaultRole(String)
|
||||
*/
|
||||
private GrantedAuthority getDefaultRole() {
|
||||
return defaultRole;
|
||||
|
||||
-3
@@ -110,9 +110,6 @@ import java.util.*;
|
||||
* ou: jdeveloper
|
||||
* member: uid=scaladude,ou=people,dc=springframework,dc=org *
|
||||
* </pre>
|
||||
*
|
||||
* </pre>
|
||||
* </p>
|
||||
*
|
||||
* @author Filip Hanik
|
||||
*/
|
||||
|
||||
+4
-4
@@ -3,7 +3,7 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-messaging</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<name>spring-security-messaging</name>
|
||||
<description>spring-security-messaging</description>
|
||||
<url>http://spring.io/spring-security</url>
|
||||
@@ -40,7 +40,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-core</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
@@ -91,7 +91,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-web</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
@@ -226,7 +226,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-framework-bom</artifactId>
|
||||
<version>4.1.6.RELEASE</version>
|
||||
<version>4.2.5.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
|
||||
+2
-4
@@ -45,7 +45,7 @@ public final class ExpressionBasedMessageSecurityMetadataSourceFactory {
|
||||
* For example:
|
||||
*
|
||||
* <pre>
|
||||
* LinkedHashMap<MessageMatcher<?> matcherToExpression = new LinkedHashMap<MessageMatcher<Object>();
|
||||
* LinkedHashMap<MessageMatcher<?>,String> matcherToExpression = new LinkedHashMap<MessageMatcher<Object>,String>();
|
||||
* matcherToExpression.put(new SimDestinationMessageMatcher("/public/**"), "permitAll");
|
||||
* matcherToExpression.put(new SimDestinationMessageMatcher("/admin/**"), "hasRole('ROLE_ADMIN')");
|
||||
* matcherToExpression.put(new SimDestinationMessageMatcher("/**"), "authenticated");
|
||||
@@ -57,11 +57,9 @@ public final class ExpressionBasedMessageSecurityMetadataSourceFactory {
|
||||
* If our destination is "/public/hello", it would match on "/public/**" and on "/**".
|
||||
* However, only "/public/**" would be used since it is the first entry. That means
|
||||
* that a destination of "/public/hello" will be mapped to "permitAll".
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* For a complete listing of expressions see {@link MessageSecurityExpressionRoot}
|
||||
* </p>
|
||||
*
|
||||
* @param matcherToExpression an ordered mapping of {@link MessageMatcher} to Strings
|
||||
* that are turned into an Expression using
|
||||
@@ -81,7 +79,7 @@ public final class ExpressionBasedMessageSecurityMetadataSourceFactory {
|
||||
* For example:
|
||||
*
|
||||
* <pre>
|
||||
* LinkedHashMap<MessageMatcher<?> matcherToExpression = new LinkedHashMap<MessageMatcher<Object>();
|
||||
* LinkedHashMap<MessageMatcher<?>,String> matcherToExpression = new LinkedHashMap<MessageMatcher<Object>,String>();
|
||||
* matcherToExpression.put(new SimDestinationMessageMatcher("/public/**"), "permitAll");
|
||||
* matcherToExpression.put(new SimDestinationMessageMatcher("/admin/**"), "hasRole('ROLE_ADMIN')");
|
||||
* matcherToExpression.put(new SimDestinationMessageMatcher("/**"), "authenticated");
|
||||
|
||||
+1
-3
@@ -30,12 +30,10 @@ import org.springframework.util.Assert;
|
||||
* <p>
|
||||
* The <code>SecurityMetadataSource</code> required by this security interceptor is of
|
||||
* type {@link MessageSecurityMetadataSource}.
|
||||
* </p>
|
||||
* <p>
|
||||
* Refer to {@link AbstractSecurityInterceptor} for details on the workflow.
|
||||
* </p>
|
||||
*
|
||||
* @see 4.0
|
||||
* @since 4.0
|
||||
* @author Rob Winch
|
||||
*/
|
||||
public final class ChannelSecurityInterceptor extends AbstractSecurityInterceptor
|
||||
|
||||
+6
-7
@@ -32,12 +32,13 @@ import org.springframework.stereotype.Controller;
|
||||
* {@link Controller}:
|
||||
*
|
||||
* <pre>
|
||||
* @Controller
|
||||
* @Controller
|
||||
* public class MyController {
|
||||
* @MessageMapping("/im")
|
||||
* @MessageMapping("/im")
|
||||
* public void im(@AuthenticationPrincipal CustomUser customUser) {
|
||||
* // do something with CustomUser
|
||||
* }
|
||||
* }
|
||||
* </pre>
|
||||
*
|
||||
* <p>
|
||||
@@ -47,11 +48,9 @@ import org.springframework.stereotype.Controller;
|
||||
* match, null will be returned unless
|
||||
* {@link AuthenticationPrincipal#errorOnInvalidType()} is true in which case a
|
||||
* {@link ClassCastException} will be thrown.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* Alternatively, users can create a custom meta annotation as shown below:
|
||||
* </p>
|
||||
*
|
||||
* <pre>
|
||||
* @Target({ ElementType.PARAMETER })
|
||||
@@ -63,15 +62,15 @@ import org.springframework.stereotype.Controller;
|
||||
*
|
||||
* <p>
|
||||
* The custom annotation can then be used instead. For example:
|
||||
* </p>
|
||||
*
|
||||
* <pre>
|
||||
* @Controller
|
||||
* @Controller
|
||||
* public class MyController {
|
||||
* @MessageMapping("/im")
|
||||
* @MessageMapping("/im")
|
||||
* public void im(@CurrentUser CustomUser customUser) {
|
||||
* // do something with CustomUser
|
||||
* }
|
||||
* }
|
||||
* </pre>
|
||||
*
|
||||
* @author Rob Winch
|
||||
|
||||
+2
-7
@@ -55,7 +55,6 @@ public final class SimpDestinationMessageMatcher implements MessageMatcher<Objec
|
||||
* Creates a new instance with the specified pattern, null {@link SimpMessageType}
|
||||
* (matches any type), and a {@link AntPathMatcher} created from the default
|
||||
* constructor.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* The mapping matches destinations despite the using the following rules:
|
||||
@@ -87,7 +86,6 @@ public final class SimpDestinationMessageMatcher implements MessageMatcher<Objec
|
||||
/**
|
||||
* <p>
|
||||
* Creates a new instance with the specified pattern and {@link PathMatcher}.
|
||||
* </p>
|
||||
*
|
||||
* @param pattern the pattern to use
|
||||
* @param pathMatcher the {@link PathMatcher} to use.
|
||||
@@ -100,7 +98,6 @@ public final class SimpDestinationMessageMatcher implements MessageMatcher<Objec
|
||||
* <p>
|
||||
* Creates a new instance with the specified pattern, {@link SimpMessageType}, and
|
||||
* {@link PathMatcher}.
|
||||
* </p>
|
||||
*
|
||||
* @param pattern the pattern to use
|
||||
* @param type the {@link SimpMessageType} to match on or null if any
|
||||
@@ -155,10 +152,9 @@ public final class SimpDestinationMessageMatcher implements MessageMatcher<Objec
|
||||
* <p>
|
||||
* Creates a new instance with the specified pattern,
|
||||
* {@code SimpMessageType.SUBSCRIBE}, and {@link PathMatcher}.
|
||||
* </p>
|
||||
*
|
||||
* @param pattern the pattern to use
|
||||
* @param pathMatcher the {@link PathMatcher} to use.
|
||||
* @param matcher the {@link PathMatcher} to use.
|
||||
*/
|
||||
public static SimpDestinationMessageMatcher createSubscribeMatcher(String pattern,
|
||||
PathMatcher matcher) {
|
||||
@@ -170,10 +166,9 @@ public final class SimpDestinationMessageMatcher implements MessageMatcher<Objec
|
||||
* <p>
|
||||
* Creates a new instance with the specified pattern, {@code SimpMessageType.MESSAGE},
|
||||
* and {@link PathMatcher}.
|
||||
* </p>
|
||||
*
|
||||
* @param pattern the pattern to use
|
||||
* @param pathMatcher the {@link PathMatcher} to use.
|
||||
* @param matcher the {@link PathMatcher} to use.
|
||||
*/
|
||||
public static SimpDestinationMessageMatcher createMessageMatcher(String pattern,
|
||||
PathMatcher matcher) {
|
||||
|
||||
+4
-4
@@ -3,7 +3,7 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-openid</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<name>spring-security-openid</name>
|
||||
<description>spring-security-openid</description>
|
||||
<url>http://spring.io/spring-security</url>
|
||||
@@ -52,13 +52,13 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-core</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-web</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
@@ -158,7 +158,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-framework-bom</artifactId>
|
||||
<version>4.1.6.RELEASE</version>
|
||||
<version>4.2.5.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
|
||||
+4
-4
@@ -246,17 +246,17 @@ public class OpenIDAuthenticationFilter extends AbstractAuthenticationProcessing
|
||||
|
||||
/**
|
||||
* Maps the <tt>return_to url</tt> to a realm, for example:
|
||||
*
|
||||
*
|
||||
* <pre>
|
||||
* http://www.example.com/login/openid -> http://www.example.com/realm</tt>
|
||||
* http://www.example.com/login/openid -> http://www.example.com/realm
|
||||
* </pre>
|
||||
*
|
||||
*
|
||||
* If no mapping is provided then the returnToUrl will be parsed to extract the
|
||||
* protocol, hostname and port followed by a trailing slash. This means that
|
||||
* <tt>http://www.example.com/login/openid</tt> will automatically become
|
||||
* <tt>http://www.example.com:80/</tt>
|
||||
*
|
||||
* @param realmMapping containing returnToUrl -> realm mappings
|
||||
* @param realmMapping containing returnToUrl -> realm mappings
|
||||
*/
|
||||
public void setRealmMapping(Map<String, String> realmMapping) {
|
||||
this.realmMapping = realmMapping;
|
||||
|
||||
+3
-3
@@ -3,7 +3,7 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-remoting</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<name>spring-security-remoting</name>
|
||||
<description>spring-security-remoting</description>
|
||||
<url>http://spring.io/spring-security</url>
|
||||
@@ -40,7 +40,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-core</artifactId>
|
||||
<version>4.0.2.RELEASE</version>
|
||||
<version>4.0.4.RELEASE</version>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
@@ -117,7 +117,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-framework-bom</artifactId>
|
||||
<version>4.1.6.RELEASE</version>
|
||||
<version>4.2.5.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user