1
0
mirror of synced 2026-07-08 12:20:02 +00:00

Compare commits

...

25 Commits

Author SHA1 Message Date
Luke Taylor beb0ec4ba9 Version 2.0.6.RELEASE 2010-10-25 17:18:16 +01:00
Luke Taylor dec2e59fba SEC-1584: Backport of namespace support for injecting custom HttpFirewall instance into FilterChainProxy. 2010-10-14 20:32:01 +01:00
Luke Taylor ed7f589998 SEC-1584: Additional integration tests. 2010-10-13 00:05:38 +01:00
Luke Taylor 8f6ddb0f17 SEC-1584: Backport to 2.0.x branch of request firewalling (normalization checks and path-parameter stripping from servletPath and pathInfo). 2010-10-13 00:04:44 +01:00
Luke Taylor 62a8aca853 .gitignore updates 2010-10-03 23:39:33 +01:00
Luke Taylor 9c6a5135a3 SEC-1532: Patch applied to 2.0.x branch 2010-08-26 14:13:01 +01:00
Luke Taylor 0acf262546 SEC-1462: Added suggested patch (effectively the same as changes in 3.0.x and master branches). 2010-04-20 18:16:45 +01:00
Luke Taylor 6ad652ae97 Update 2.0 branch pom versions. 2010-04-20 18:15:51 +01:00
Luke Taylor 068b3d48ec Add .gitignore to 2.0.x branch 2010-04-16 15:15:54 +01:00
Luke Taylor d6f6a54455 SEC-1444: Backport of changes to 2.0.x 2010-04-16 15:14:01 +01:00
Luke Taylor 4361211c21 Change release from milestone to release 2009-07-14 12:29:51 +00:00
Luke Taylor 71adc26b0f [maven-release-plugin] prepare release spring-security-2.0.5.RELEASE 2009-07-14 00:29:53 +00:00
Luke Taylor eb3288ca34 Removing unnecessary repository declarations 2009-07-13 23:53:12 +00:00
Luke Taylor f3f4cfe804 Minor changes to readme 2009-07-13 23:48:55 +00:00
Luke Taylor 40fa884860 Updated release plugin version 2009-07-13 23:47:53 +00:00
Luke Taylor 3e393c9df6 Tidying test class 2009-07-13 23:47:33 +00:00
Luke Taylor a61aca1abf Update to bundlor M5 2009-07-13 13:07:44 +00:00
Luke Taylor 52d2c904f9 Disable adapters build 2009-07-09 12:38:59 +00:00
Luke Taylor 149fd5d8de Add bundlor templates 2009-07-09 12:26:11 +00:00
Luke Taylor f3f02d8aed Update sec-2.0.x branch to use bundlor 2009-07-09 11:51:26 +00:00
Luke Taylor 781c99f257 SEC-1145: Updated LDAP code to make sure pooling flag is removed when binding as a specific user (for real this time) 2009-06-03 16:57:33 +00:00
Luke Taylor b77f780993 SEC-1145: Updated LDAP code to make sure pooling flag is removed when binding as a specific user 2009-06-03 16:12:54 +00:00
Scott Battaglia 22964837e9 SEC-1066
upgraded to CAS Client for Java 3.1.5
2008-12-22 19:37:50 +00:00
Scott Battaglia 7566802a08 SEC-1046
upgrade to CAS Client for Java 3.1.4
2008-12-16 14:50:04 +00:00
Luke Taylor 4c3867718e SEC-1031: Ported change from trunk. 2008-11-11 23:36:47 +00:00
70 changed files with 2612 additions and 763 deletions
+14
View File
@@ -0,0 +1,14 @@
target
.gradle
build/
.idea
out/
*.ipr
*.iml
*.iws
intellij/
.settings
.classpath
.project
.DS_Store
atlassian-ide-plugin.xml
+12 -27
View File
@@ -3,13 +3,13 @@
<parent>
<artifactId>spring-security-parent</artifactId>
<groupId>org.springframework.security</groupId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<name>Spring Security - ACL module</name>
<packaging>bundle</packaging>
<packaging>jar</packaging>
<dependencies>
<dependency>
@@ -51,29 +51,14 @@
<scope>test</scope>
</dependency>
</dependencies>
<properties>
<spring.osgi.export>
org.springframework.security.*;version=${pom.version.osgi}
</spring.osgi.export>
<spring.osgi.import>
net.sf.ehcache.*;version="[1.4.1, 2.0.0)";resolution:=optional,
org.springframework.security.*;version="[${pom.version.osgi},${pom.version.osgi}]",
org.springframework.context.*;version="${spring.version.osgi}",
org.springframework.dao.*;version="${spring.version.osgi}";resolution:=optional,
org.springframework.jdbc.*;version="${spring.version.osgi}";resolution:=optional,
org.springframework.transaction.support.*;version="${spring.version.osgi}";resolution:=optional,
org.springframework.util.*;version="${spring.version.osgi}",
org.apache.commons.logging.*;version="[1.1.1, 2.0.0)",
javax.sql.*
</spring.osgi.import>
<spring.osgi.private.pkg>
!org.springframework.security.*
</spring.osgi.private.pkg>
<spring.osgi.symbolic.name>org.springframework.security.acls</spring.osgi.symbolic.name>
</properties>
<!--
<build>
<plugins>
<plugin>
<groupId>com.springsource.bundlor</groupId>
<artifactId>com.springsource.bundlor.maven</artifactId>
</plugin>
</plugins>
</build>
-->
</project>
+19
View File
@@ -0,0 +1,19 @@
Bundle-SymbolicName: org.springframework.security.acls
Bundle-Name: Spring Security Acls
Bundle-Vendor: SpringSource
Bundle-Version: ${version}
Bundle-ManifestVersion: 2
Ignored-Existing-Headers:
Import-Package,
Export-Package
Import-Template:
org.apache.commons.logging.*;version="[1.0.4, 2.0.0)",
org.springframework.security.*;version="[${version}, ${version}]",
org.springframework.context.*;version="[2.0.8, 3.1.0)";resolution:=optional,
org.springframework.dao.*;version="[2.0.8, 3.1.0)";resolution:=optional,
org.springframework.jdbc.core.*;version="[2.0.8, 3.1.0)";resolution:=optional,
org.springframework.transaction.support.*;version="[2.0.8, 3.1.0)";resolution:=optional,
org.springframework.util.*;version="[2.0.8, 3.1.0)";resolution:=optional,
net.sf.ehcache.*;version="[1.4.1, 2.0.0)";resolution:=optional,
javax.sql.*;version="0";resolution:=optional
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-adapters</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.5.CI-SNAPSHOT</version>
</parent>
<artifactId>spring-security-catalina</artifactId>
<name>Spring Security - Catalina adapter</name>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-adapters</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.5.CI-SNAPSHOT</version>
</parent>
<artifactId>spring-security-jboss</artifactId>
<name>Spring Security - JBoss adapter</name>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-adapters</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.5.CI-SNAPSHOT</version>
</parent>
<artifactId>spring-security-jetty</artifactId>
<name>Spring Security - Jetty adapter</name>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-parent</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.5.CI-SNAPSHOT</version>
</parent>
<artifactId>spring-security-adapters</artifactId>
<name>Spring Security - Adapters</name>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-adapters</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.5.CI-SNAPSHOT</version>
</parent>
<artifactId>spring-security-resin</artifactId>
<name>Spring Security - Resin adapter</name>
+11 -27
View File
@@ -3,11 +3,11 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-parent</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<artifactId>spring-security-cas-client</artifactId>
<name>Spring Security - CAS support</name>
<packaging>bundle</packaging>
<packaging>jar</packaging>
<dependencies>
<dependency>
@@ -38,7 +38,7 @@
<dependency>
<groupId>org.jasig.cas</groupId>
<artifactId>cas-client-core</artifactId>
<version>3.1.3</version>
<version>3.1.5</version>
</dependency>
<dependency>
<groupId>net.sf.ehcache</groupId>
@@ -47,28 +47,12 @@
</dependency>
</dependencies>
<properties>
<spring.osgi.export>
org.springframework.security.*;version=${pom.version.osgi}
</spring.osgi.export>
<spring.osgi.import>
org.springframework.security.*;version="[${pom.version.osgi},${pom.version.osgi}]",
org.springframework.beans.*;version="${spring.version.osgi}",
org.springframework.context.*;version="${spring.version.osgi}",
org.springframework.dao.*;version="${spring.version.osgi}";resolution:=optional,
org.springframework.util.*;version="${spring.version.osgi}",
javax.servlet.*;version="[2.4.0, 3.0.0)";resolution:=optional,
net.sf.ehcache.*;version="[1.4.1, 2.0.0)";resolution:=optional,
org.apache.commons.logging.*;version="[1.1.1, 2.0.0)",
org.jasig.cas.client.*;version="[3.1.3, 4.0.0)"
</spring.osgi.import>
<spring.osgi.private.pkg>
!org.springframework.security.*
</spring.osgi.private.pkg>
<spring.osgi.symbolic.name>org.springframework.security.cas</spring.osgi.symbolic.name>
</properties>
<build>
<plugins>
<plugin>
<groupId>com.springsource.bundlor</groupId>
<artifactId>com.springsource.bundlor.maven</artifactId>
</plugin>
</plugins>
</build>
</project>
+19
View File
@@ -0,0 +1,19 @@
Bundle-SymbolicName: org.springframework.security.cas
Bundle-Name: Spring Security CAS
Bundle-Vendor: SpringSource
Bundle-Version: ${version}
Bundle-ManifestVersion: 2
Ignored-Existing-Headers:
Import-Package,
Export-Package
Import-Template:
org.apache.commons.logging.*;version="[1.0.4, 2.0.0)",
org.jasig.cas.client.*;version="[3.1.1,3.2)",
org.springframework.security.*;version="[${version}, ${version}]",
org.springframework.beans.factory;version="[2.0.8, 3.1.0)",
org.springframework.context.*;version="[2.0.8, 3.1.0)",
org.springframework.dao;version="[2.0.8, 3.1.0)",
org.springframework.util;version="[2.0.8, 3.1.0)",
net.sf.ehcache.*;version="[1.4.1, 2.0.0)";resolution:=optional,
javax.servlet.*;version="0"
+6 -35
View File
@@ -3,9 +3,9 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-parent</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<packaging>bundle</packaging>
<packaging>jar</packaging>
<artifactId>spring-security-core-tiger</artifactId>
<name>Spring Security - Java 5 (Tiger)</name>
@@ -59,39 +59,10 @@
<target>1.5</target>
</configuration>
</plugin>
<plugin>
<groupId>com.springsource.bundlor</groupId>
<artifactId>com.springsource.bundlor.maven</artifactId>
</plugin>
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<configuration>
<targetJdk>1.5</targetJdk>
</configuration>
</plugin>
</plugins>
</reporting>
<properties>
<spring.osgi.export>
org.springframework.security.*;version=${pom.version}
</spring.osgi.export>
<spring.osgi.import>
javax.annotation.*;version="[1.0.0, 2.0.0)",
org.springframework.security.*;version="[${pom.version.osgi},${pom.version.osgi}]",
org.springframework.core.*;version="${spring.version.osgi}"
</spring.osgi.import>
<spring.osgi.private.pkg>
!org.springframework.security.*
</spring.osgi.private.pkg>
<spring.osgi.include.res>
src/main/resources
</spring.osgi.include.res>
<spring.osgi.symbolic.name>org.springframework.security.annotation</spring.osgi.symbolic.name>
</properties>
</project>
+12
View File
@@ -0,0 +1,12 @@
Bundle-SymbolicName: org.springframework.security.annotation
Bundle-Name: Spring Security Annotations
Bundle-Vendor: SpringSource
Bundle-Version: ${version}
Bundle-ManifestVersion: 2
Ignored-Existing-Headers:
Import-Package,
Export-Package
Import-Template:
javax.annotation.security.*;version="0";resolution:=optional,
org.springframework.security.*;version="[${version},${version}]",
org.springframework.core.*;version="[2.0.8, 3.1.0)"
+11
View File
@@ -0,0 +1,11 @@
#! /bin/sh
pushd src/main/resources/org/springframework/security/config/
echo "Converting rnc file to xsd ..."
java -jar ~/bin/trang.jar spring-security-2.0.6.rnc spring-security-2.0.6.xsd
echo "Applying XSL transformation to xsd ..."
xsltproc --output spring-security-2.0.6.xsd spring-security.xsl spring-security-2.0.6.xsd
popd
+33 -72
View File
@@ -3,9 +3,9 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-parent</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<packaging>bundle</packaging>
<packaging>jar</packaging>
<artifactId>spring-security-core</artifactId>
<name>Spring Security - Core</name>
@@ -47,27 +47,27 @@
<artifactId>spring-mock</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjrt</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjrt</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>cglib</groupId>
<artifactId>cglib-nodep</artifactId>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>cglib</groupId>
<artifactId>cglib-nodep</artifactId>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>net.sf.ehcache</groupId>
<artifactId>ehcache</artifactId>
@@ -95,7 +95,7 @@
<artifactId>jaxen</artifactId>
<version>1.1.1</version>
<optional>true</optional>
</dependency>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
@@ -135,64 +135,25 @@
<version>1.0.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-all</artifactId>
<version>1.8.5</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<optional>true</optional>
</dependency>
</dependencies>
<properties>
<spring.osgi.export>
org.springframework.security.*;version=${pom.version}
</spring.osgi.export>
<spring.osgi.import>
!com.ibm.websphere.security,
javax.servlet.*;version="[2.4.0, 3.0.0)";resolution:=optional,
net.sf.ehcache.*;version="[1.4.1, 2.0.0)";resolution:=optional,
org.aopalliance.*;version="[1.0.0, 2.0.0)",
org.apache.commons.codec.*;version="[1.3.0, 2.0.0)",
org.apache.commons.collections.*;version="[3.2.0, 4.0.0)",
org.apache.commons.lang.*;version="[2.1.0, 3.0.0)",
org.apache.commons.logging.*;version="[1.1.1, 2.0.0)",
org.apache.directory.server.configuration.*;version="[1.0.2, 2.0.0)";resolution:=optional,
org.apache.directory.server.core.*;version="[1.0.2, 2.0.0)";resolution:=optional,
org.apache.directory.server.protocol.*;version="[1.0.2, 2.0.0)";resolution:=optional,
org.aspectj.*;version="[1.5.4, 2.0.0)";resolution:=optional,
org.jaxen.*;version="[1.1.1, 2.0.0)";resolution:=optional,
org.springframework.aop.*;version="${spring.version.osgi}",
org.springframework.beans.*;version="${spring.version.osgi}",
org.springframework.context.*;version="${spring.version.osgi}",
org.springframework.core.*;version="${spring.version.osgi}",
org.springframework.dao.*;version="${spring.version.osgi}";resolution:=optional,
org.springframework.jdbc.*;version="${spring.version.osgi}";resolution:=optional,
org.springframework.ldap.*;version="[1.2.1.A, 2.0.0)";resolution:=optional,
org.springframework.metadata.*;version="${spring.version.osgi}",
org.springframework.mock.*;version="${spring.version.osgi}";resolution:=optional,
org.springframework.remoting.*;version="${spring.version.osgi}";resolution:=optional,
org.springframework.util.*;version="${spring.version.osgi}",
org.springframework.web.*;version="${spring.version.osgi}";resolution:=optional,
javax.crypto.*,
javax.naming.*,
javax.rmi.*,
javax.security.*,
javax.sql.*,
javax.xml.parsers.*,
org.w3c.dom.*,
org.xml.sax.*,
*;resolution:=optional
</spring.osgi.import>
<spring.osgi.private.pkg>
!org.springframework.security.*
</spring.osgi.private.pkg>
<!--
<spring.osgi.include.res>
src/main/resources
</spring.osgi.include.res>
-->
<spring.osgi.symbolic.name>org.springframework.security.core</spring.osgi.symbolic.name>
</properties>
<build>
<plugins>
<plugin>
<groupId>com.springsource.bundlor</groupId>
<artifactId>com.springsource.bundlor.maven</artifactId>
</plugin>
</plugins>
</build>
</project>
@@ -10,34 +10,35 @@ abstract class Elements {
public static final String AUTHENTICATION_MANAGER = "authentication-manager";
public static final String USER_SERVICE = "user-service";
public static final String JDBC_USER_SERVICE = "jdbc-user-service";
public static final String FILTER_CHAIN_MAP = "filter-chain-map";
public static final String INTERCEPT_METHODS = "intercept-methods";
public static final String INTERCEPT_URL = "intercept-url";
public static final String AUTHENTICATION_PROVIDER = "authentication-provider";
public static final String HTTP = "http";
public static final String LDAP_PROVIDER = "ldap-authentication-provider";
public static final String LDAP_SERVER = "ldap-server";
public static final String JDBC_USER_SERVICE = "jdbc-user-service";
public static final String FILTER_CHAIN_MAP = "filter-chain-map";
public static final String INTERCEPT_METHODS = "intercept-methods";
public static final String INTERCEPT_URL = "intercept-url";
public static final String AUTHENTICATION_PROVIDER = "authentication-provider";
public static final String HTTP = "http";
public static final String LDAP_PROVIDER = "ldap-authentication-provider";
public static final String LDAP_SERVER = "ldap-server";
public static final String LDAP_USER_SERVICE = "ldap-user-service";
public static final String PROTECT_POINTCUT = "protect-pointcut";
public static final String PROTECT = "protect";
public static final String CONCURRENT_SESSIONS = "concurrent-session-control";
public static final String LOGOUT = "logout";
public static final String FORM_LOGIN = "form-login";
public static final String OPENID_LOGIN = "openid-login";
public static final String BASIC_AUTH = "http-basic";
public static final String REMEMBER_ME = "remember-me";
public static final String ANONYMOUS = "anonymous";
public static final String FILTER_CHAIN = "filter-chain";
public static final String GLOBAL_METHOD_SECURITY = "global-method-security";
public static final String PASSWORD_ENCODER = "password-encoder";
public static final String SALT_SOURCE = "salt-source";
public static final String PORT_MAPPINGS = "port-mappings";
public static final String CONCURRENT_SESSIONS = "concurrent-session-control";
public static final String LOGOUT = "logout";
public static final String FORM_LOGIN = "form-login";
public static final String OPENID_LOGIN = "openid-login";
public static final String BASIC_AUTH = "http-basic";
public static final String REMEMBER_ME = "remember-me";
public static final String ANONYMOUS = "anonymous";
public static final String FILTER_CHAIN = "filter-chain";
public static final String GLOBAL_METHOD_SECURITY = "global-method-security";
public static final String PASSWORD_ENCODER = "password-encoder";
public static final String SALT_SOURCE = "salt-source";
public static final String PORT_MAPPINGS = "port-mappings";
public static final String PORT_MAPPING = "port-mapping";
public static final String CUSTOM_FILTER = "custom-filter";
public static final String CUSTOM_AUTH_PROVIDER = "custom-authentication-provider";
public static final String CUSTOM_AFTER_INVOCATION_PROVIDER = "custom-after-invocation-provider";
public static final String CUSTOM_AFTER_INVOCATION_PROVIDER = "custom-after-invocation-provider";
public static final String X509 = "x509";
public static final String FILTER_INVOCATION_DEFINITION_SOURCE = "filter-invocation-definition-source";
public static final String FILTER_INVOCATION_DEFINITION_SOURCE = "filter-invocation-definition-source";
public static final String LDAP_PASSWORD_COMPARE = "password-compare";
public static final String HTTP_FIREWALL = "http-firewall";
}
@@ -0,0 +1,31 @@
package org.springframework.security.config;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.support.BeanDefinitionBuilder;
import org.springframework.beans.factory.xml.BeanDefinitionParser;
import org.springframework.beans.factory.xml.ParserContext;
import org.springframework.util.StringUtils;
import org.w3c.dom.Element;
/**
* Injects the supplied {@code HttpFirewall} bean reference into the {@code FilterChainProxy}.
*
* @author Luke Taylor
*/
public class HttpFirewallBeanDefinitionParser implements BeanDefinitionParser {
public BeanDefinition parse(Element element, ParserContext pc) {
String ref = element.getAttribute("ref");
if (!StringUtils.hasText(ref)) {
pc.getReaderContext().error("ref attribute is required", pc.extractSource(element));
}
BeanDefinitionBuilder injector = BeanDefinitionBuilder.rootBeanDefinition(HttpFirewallInjectionBeanPostProcessor.class);
injector.addConstructorArg(ref);
pc.getReaderContext().registerWithGeneratedName(injector.getBeanDefinition());
return null;
}
}
@@ -0,0 +1,40 @@
package org.springframework.security.config;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.BeanFactoryAware;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.security.config.BeanIds;
import org.springframework.security.util.FilterChainProxy;
import org.springframework.security.firewall.HttpFirewall;
/**
* @author Luke Taylor
*/
public class HttpFirewallInjectionBeanPostProcessor implements BeanPostProcessor, BeanFactoryAware {
private ConfigurableListableBeanFactory beanFactory;
private String ref;
public HttpFirewallInjectionBeanPostProcessor(String ref) {
this.ref = ref;
}
public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
if (BeanIds.FILTER_CHAIN_PROXY.equals(beanName)) {
HttpFirewall fw = (HttpFirewall) beanFactory.getBean(ref);
((FilterChainProxy)bean).setFirewall(fw);
}
return bean;
}
public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
return bean;
}
public void setBeanFactory(BeanFactory beanFactory) throws BeansException {
this.beanFactory = (ConfigurableListableBeanFactory) beanFactory;
}
}
@@ -24,6 +24,7 @@ public class SecurityNamespaceHandler extends NamespaceHandlerSupport {
registerBeanDefinitionParser(Elements.GLOBAL_METHOD_SECURITY, new GlobalMethodSecurityBeanDefinitionParser());
registerBeanDefinitionParser(Elements.AUTHENTICATION_MANAGER, new AuthenticationManagerBeanDefinitionParser());
registerBeanDefinitionParser(Elements.FILTER_INVOCATION_DEFINITION_SOURCE, new FilterInvocationDefinitionSourceBeanDefinitionParser());
registerBeanDefinitionParser(Elements.HTTP_FIREWALL, new HttpFirewallBeanDefinitionParser());
// Decorators
registerBeanDefinitionDecorator(Elements.INTERCEPT_METHODS, new InterceptMethodsBeanDefinitionDecorator());
@@ -0,0 +1,67 @@
package org.springframework.security.firewall;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* Default implementation which wraps requests in order to provide consistent values of the {@code servletPath} and
* {@code pathInfo}, which do not contain path parameters (as defined in
* <a href="http://www.ietf.org/rfc/rfc2396.txt">RFC 2396</a>). Different servlet containers
* interpret the servlet spec differently as to how path parameters are treated and it is possible they might be added
* in order to bypass particular security constraints. When using this implementation, they will be removed for all
* requests as the request passes through the security filter chain. Note that this means that any segments in the
* decoded path which contain a semi-colon, will have the part following the semi-colon removed for
* request matching. Your application should not contain any valid paths which contain semi-colons.
* <p>
* If any un-normalized paths are found (containing directory-traversal character sequences), the request will be
* rejected immediately. Most containers normalize the paths before performing the servlet-mapping, but again this is
* not guaranteed by the servlet spec.
*
* @author Luke Taylor
*/
public class DefaultHttpFirewall implements HttpFirewall {
public FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException {
FirewalledRequest fwr = new RequestWrapper(request);
if (!isNormalized(fwr.getServletPath()) || !isNormalized(fwr.getPathInfo())) {
throw new RequestRejectedException("Un-normalized paths are not supported: " + fwr.getServletPath() +
(fwr.getPathInfo() != null ? fwr.getPathInfo() : ""));
}
return fwr;
}
public HttpServletResponse getFirewalledResponse(HttpServletResponse response) {
return response;
}
/**
* Checks whether a path is normalized (doesn't contain path traversal sequences like "./", "/../" or "/.")
*
* @param path the path to test
* @return true if the path doesn't contain any path-traversal character sequences.
*/
private boolean isNormalized(String path) {
if (path == null) {
return true;
}
for (int j = path.length(); j > 0;) {
int i = path.lastIndexOf('/', j - 1);
int gap = j - i;
if (gap == 2 && path.charAt(i+1) == '.') {
// ".", "/./" or "/."
return false;
} else if (gap == 3 && path.charAt(i+1) == '.'&& path.charAt(i+2) == '.') {
return false;
}
j = i;
}
return true;
}
}
@@ -0,0 +1,34 @@
package org.springframework.security.firewall;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
/**
* Request wrapper which is returned by the {@code HttpFirewall} interface.
* <p>
* The only difference is the {@code reset} method which allows some
* or all of the state to be reset by the {@code FilterChainProxy} when the
* request leaves the security filter chain.
*
* @author Luke Taylor
*/
public abstract class FirewalledRequest extends HttpServletRequestWrapper {
/**
* Constructs a request object wrapping the given request.
*
* @throws IllegalArgumentException if the request is null
*/
public FirewalledRequest(HttpServletRequest request) {
super(request);
}
/**
* This method will be called once the request has passed through the
* security filter chain, when it is about to proceed to the application
* proper.
* <p>
* An implementation can thus choose to modify the state of the request
* for the security infrastructure, while still maintaining the
*/
public abstract void reset();
}
@@ -0,0 +1,32 @@
package org.springframework.security.firewall;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* Interface which can be used to reject potentially dangerous requests and/or wrap them to
* control their behaviour.
* <p>
* The implementation is injected into the {@code FilterChainProxy} and will be invoked before
* sending any request through the filter chain. It can also provide a response wrapper if the response
* behaviour should also be restricted.
*
* @author Luke Taylor
*/
public interface HttpFirewall {
/**
* Provides the request object which will be passed through the filter chain.
*
* @throws RequestRejectedException if the request should be rejected immediately
*/
FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException;
/**
* Provides the response which will be passed through the filter chain.
*
* @param response the original response
* @return either the original response or a replacement/wrapper.
*/
HttpServletResponse getFirewalledResponse(HttpServletResponse response);
}
@@ -0,0 +1,10 @@
package org.springframework.security.firewall;
/**
* @author Luke Taylor
*/
public class RequestRejectedException extends RuntimeException {
public RequestRejectedException(String message) {
super(message);
}
}
@@ -0,0 +1,98 @@
package org.springframework.security.firewall;
import javax.servlet.http.HttpServletRequest;
import java.util.*;
/**
* Request wrapper which ensures values of {@code servletPath} and {@code pathInfo} are returned which are suitable for
* pattern matching against. It strips out path parameters and extra consecutive '/' characters.
*
* <h3>Path Parameters</h3>
* Parameters (as defined in <a href="http://www.ietf.org/rfc/rfc2396.txt">RFC 2396</a>) are stripped from the path
* segments of the {@code servletPath} and {@code pathInfo} values of the request.
* <p>
* The parameter sequence is demarcated by a semi-colon, so each segment is checked for the occurrence of a ";"
* character and truncated at that point if it is present.
* <p>
* The behaviour differs between servlet containers in how they interpret the servlet spec, which
* does not clearly state what the behaviour should be. For consistency, we make sure they are always removed, to
* avoid the risk of URL matching rules being bypassed by the malicious addition of parameters to the path component.
*
* @author Luke Taylor
*/
final class RequestWrapper extends FirewalledRequest {
private final String strippedServletPath;
private final String strippedPathInfo;
private boolean stripPaths = true;
public RequestWrapper(HttpServletRequest request) {
super(request);
strippedServletPath = strip(request.getServletPath());
String pathInfo = strip(request.getPathInfo());
if (pathInfo != null && pathInfo.length() == 0) {
pathInfo = null;
}
strippedPathInfo = pathInfo;
}
/**
* Removes path parameters from each path segment in the supplied path and truncates sequences of multiple '/'
* characters to a single '/'.
*
* @param path either the {@code servletPath} and {@code pathInfo} from the original request
*
* @return the supplied value, with path parameters removed and sequences of multiple '/' characters truncated,
* or null if the supplied path was null.
*/
private String strip(String path) {
if (path == null) {
return null;
}
int scIndex = path.indexOf(';');
if (scIndex < 0) {
int doubleSlashIndex = path.indexOf("//");
if (doubleSlashIndex < 0) {
// Most likely case, no parameters in any segment and no '//', so no stripping required
return path;
}
}
StringTokenizer st = new StringTokenizer(path, "/");
StringBuilder stripped = new StringBuilder(path.length());
if (path.charAt(0) == '/') {
stripped.append('/');
}
while(st.hasMoreTokens()) {
String segment = st.nextToken();
scIndex = segment.indexOf(';');
if (scIndex >= 0) {
segment = segment.substring(0, scIndex);
}
stripped.append(segment).append('/');
}
// Remove the trailing slash if the original path didn't have one
if (path.charAt(path.length() - 1) != '/') {
stripped.deleteCharAt(stripped.length() - 1);
}
return stripped.toString();
}
public String getPathInfo() {
return stripPaths ? strippedPathInfo : super.getPathInfo();
}
public String getServletPath() {
return stripPaths ? strippedServletPath : super.getServletPath();
}
public void reset() {
this.stripPaths = false;
}
}
@@ -60,6 +60,7 @@ public final class ProtectPointcutPostProcessor implements BeanPostProcessor {
private Map pointcutMap = new LinkedHashMap(); /** Key: string-based pointcut, value: ConfigAttributeDefinition */
private MapBasedMethodDefinitionSource mapBasedMethodDefinitionSource;
private PointcutParser parser;
private final Set processedBeans = new HashSet();
public ProtectPointcutPostProcessor(MapBasedMethodDefinitionSource mapBasedMethodDefinitionSource) {
Assert.notNull(mapBasedMethodDefinitionSource, "MapBasedMethodDefinitionSource to populate is required");
@@ -85,6 +86,11 @@ public final class ProtectPointcutPostProcessor implements BeanPostProcessor {
}
public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
if (processedBeans.contains(beanName)) {
// We already have the metadata for this bean
return bean;
}
// Obtain methods for the present bean
Method[] methods;
try {
@@ -110,6 +116,8 @@ public final class ProtectPointcutPostProcessor implements BeanPostProcessor {
}
}
processedBeans.add(beanName);
return bean;
}
@@ -71,6 +71,7 @@ public class DefaultSpringSecurityContextSource extends LdapContextSource implem
env.put(Context.SECURITY_PRINCIPAL, userDn);
env.put(Context.SECURITY_CREDENTIALS, credentials);
env.remove(SUN_LDAP_POOLING_FLAG);
if (logger.isDebugEnabled()) {
logger.debug("Creating context with principal: '" + userDn + "'");
@@ -193,22 +193,27 @@ public class SpringSecurityLdapTemplate extends LdapTemplate {
return (DirContextOperations) executeReadOnly(new ContextExecutor() {
public Object executeWithContext(DirContext ctx) throws NamingException {
DistinguishedName ctxBaseDn = new DistinguishedName(ctx.getNameInNamespace());
if (logger.isDebugEnabled()) {
logger.debug("Searching for entry in under DN '" + ctxBaseDn
+ "', base = '" + base + "', filter = '" + filter + "'");
}
NamingEnumeration resultsEnum = ctx.search(base, filter, params, searchControls);
Set results = new HashSet();
try {
while (resultsEnum.hasMore()) {
SearchResult searchResult = (SearchResult) resultsEnum.next();
// Work out the DN of the matched entry
StringBuffer dn = new StringBuffer(searchResult.getName());
DistinguishedName dn = new DistinguishedName(searchResult.getName());
if (base.length() > 0) {
dn.append(",");
dn.append(base);
dn.prepend(new DistinguishedName(base));
}
results.add(new DirContextAdapter(searchResult.getAttributes(),
new DistinguishedName(dn.toString()), ctxBaseDn));
if (logger.isDebugEnabled()) {
logger.debug("Found DN: " + dn);
}
results.add(new DirContextAdapter(searchResult.getAttributes(), dn, ctxBaseDn));
}
} catch (PartialResultException e) {
logger.info("Ignoring PartialResultException");
@@ -15,22 +15,26 @@
package org.springframework.security.providers.ldap.authenticator;
import org.springframework.security.Authentication;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.ldap.SpringSecurityContextSource;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.dao.DataAccessException;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.util.Assert;
import java.util.Iterator;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import javax.naming.directory.DirContext;
import java.util.Iterator;
import org.springframework.dao.DataAccessException;
import org.springframework.ldap.NamingException;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.ldap.support.LdapUtils;
import org.springframework.security.Authentication;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.ldap.SpringSecurityContextSource;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.util.Assert;
/**
@@ -91,21 +95,42 @@ public class BindAuthenticator extends AbstractLdapAuthenticator {
return user;
}
private DirContextOperations bindWithDn(String userDn, String username, String password) {
SpringSecurityLdapTemplate template = new SpringSecurityLdapTemplate(
new BindWithSpecificDnContextSource((SpringSecurityContextSource) getContextSource(), userDn, password));
private DirContextOperations bindWithDn(String userDnStr, String username, String password) {
BaseLdapPathContextSource ctxSource = (BaseLdapPathContextSource) getContextSource();
DistinguishedName userDn = new DistinguishedName(userDnStr);
DistinguishedName fullDn = new DistinguishedName(userDn);
fullDn.prepend(ctxSource.getBaseLdapPath());
BindWithSpecificDnContextSource specificDnContextSource = new BindWithSpecificDnContextSource(
(SpringSecurityContextSource) getContextSource(), fullDn,
password);
logger.debug("Attemptimg to bind as " + fullDn);
DirContext ctx = null;
try {
ctx = specificDnContextSource.getReadOnlyContext();
try {
return template.retrieveEntry(userDn, getUserAttributes());
Attributes attrs = ctx.getAttributes(userDn, getUserAttributes());
} catch (BadCredentialsException e) {
// This will be thrown if an invalid user name is used and the method may
// be called multiple times to try different names, so we trap the exception
// unless a subclass wishes to implement more specialized behaviour.
handleBindException(userDn, username, e.getCause());
}
DirContextAdapter result = new DirContextAdapter(attrs, userDn, ctxSource.getBaseLdapPath());
return result;
} catch (NamingException e) {
// This will be thrown if an invalid user name is used and the method may
// be called multiple times to try different names, so we trap the exception
// unless a subclass wishes to implement more specialized behaviour.
if ((e instanceof org.springframework.ldap.AuthenticationException)
|| (e instanceof org.springframework.ldap.OperationNotSupportedException)) {
handleBindException(userDnStr, username, e);
} else {
throw e;
}
} catch (javax.naming.NamingException e) {
throw LdapUtils.convertLdapException(e);
} finally {
LdapUtils.closeContext(ctx);
}
return null;
return null;
}
/**
@@ -120,13 +145,12 @@ public class BindAuthenticator extends AbstractLdapAuthenticator {
private class BindWithSpecificDnContextSource implements ContextSource {
private SpringSecurityContextSource ctxFactory;
DistinguishedName userDn;
private DistinguishedName userDn;
private String password;
public BindWithSpecificDnContextSource(SpringSecurityContextSource ctxFactory, String userDn, String password) {
public BindWithSpecificDnContextSource(SpringSecurityContextSource ctxFactory, DistinguishedName userDn, String password) {
this.ctxFactory = ctxFactory;
this.userDn = new DistinguishedName(userDn);
this.userDn.prepend(ctxFactory.getBaseLdapPath());
this.userDn = userDn;
this.password = password;
}
@@ -86,9 +86,9 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
sha.update(rawPass.getBytes("UTF-8"));
} catch (java.security.NoSuchAlgorithmException e) {
throw new IllegalStateException("No SHA implementation available!");
} catch (UnsupportedEncodingException ue) {
throw new IllegalStateException("UTF-8 not supported!");
}
} catch (UnsupportedEncodingException ue) {
throw new IllegalStateException("UTF-8 not supported!");
}
if (salt != null) {
Assert.isInstanceOf(byte[].class, salt, "Salt value must be a byte array");
@@ -131,7 +131,7 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
*/
public boolean isPasswordValid(final String encPass, final String rawPass, Object salt) {
String prefix = extractPrefix(encPass);
if (prefix == null) {
return encPass.equals(rawPass);
}
@@ -141,32 +141,32 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
} else if (!prefix.equals(SHA_PREFIX) && !prefix.equals(SHA_PREFIX_LC)) {
throw new IllegalArgumentException("Unsupported password prefix '" + prefix + "'");
} else {
// Standard SHA
salt = null;
// Standard SHA
salt = null;
}
int startOfHash = prefix.length() + 1;
int startOfHash = prefix.length();
String encodedRawPass = encodePassword(rawPass, salt).substring(startOfHash);
return encodedRawPass.equals(encPass.substring(startOfHash));
}
/**
* Returns the hash prefix or null if there isn't one.
* Returns the hash prefix or null if there isn't one.
*/
private String extractPrefix(String encPass) {
if (!encPass.startsWith("{")) {
return null;
return null;
}
int secondBrace = encPass.lastIndexOf('}');
if (secondBrace < 0) {
throw new IllegalArgumentException("Couldn't find closing brace for SHA prefix");
}
return encPass.substring(0, secondBrace + 1);
int secondBrace = encPass.lastIndexOf('}');
if (secondBrace < 0) {
throw new IllegalArgumentException("Couldn't find closing brace for SHA prefix");
}
return encPass.substring(0, secondBrace + 1);
}
public void setForceLowerCasePrefix(boolean forceLowerCasePrefix) {
@@ -48,7 +48,7 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
protected void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws IOException, ServletException {
// Session fixation isn't a problem if there's no session
if(request.getSession(false) == null || request.getAttribute(FILTER_APPLIED) != null) {
if(request.getSession(false) == null || request.getAttribute(FILTER_APPLIED) != null || !request.isRequestedSessionIdValid()) {
chain.doFilter(request, response);
return;
}
@@ -21,11 +21,17 @@ import org.springframework.beans.BeansException;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.security.firewall.DefaultHttpFirewall;
import org.springframework.security.firewall.FirewalledRequest;
import org.springframework.security.firewall.HttpFirewall;
import org.springframework.security.intercept.web.*;
import org.springframework.util.Assert;
import org.springframework.web.filter.DelegatingFilterProxy;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.*;
@@ -34,7 +40,7 @@ import java.util.*;
* Delegates <code>Filter</code> requests to a list of Spring-managed beans.
* As of version 2.0, you shouldn't need to explicitly configure a <tt>FilterChainProxy</tt> bean in your application
* context unless you need very fine control over the filter chain contents. Most cases should be adequately covered
* by the default <tt>&lt;security:http /&gt</tt> namespace configuration options.
* by the default <tt>&lt;security:http /&gt;</tt> namespace configuration options.
*
* <p>The <code>FilterChainProxy</code> is loaded via a standard Spring {@link DelegatingFilterProxy} declaration in
* <code>web.xml</code>. <code>FilterChainProxy</code> will then pass {@link #init(FilterConfig)}, {@link #destroy()}
@@ -109,6 +115,7 @@ public class FilterChainProxy implements Filter, InitializingBean, ApplicationCo
private UrlMatcher matcher = new AntUrlPathMatcher();
private boolean stripQueryStringFromUrls = true;
private DefaultFilterInvocationDefinitionSource fids;
private HttpFirewall firewall = new DefaultHttpFirewall();
//~ Methods ========================================================================================================
@@ -154,10 +161,13 @@ public class FilterChainProxy implements Filter, InitializingBean, ApplicationCo
}
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
public void doFilter(ServletRequest servletRequest, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
FilterInvocation fi = new FilterInvocation(request, response, chain);
FirewalledRequest fwRequest = firewall.getFirewalledRequest((HttpServletRequest) servletRequest);
HttpServletResponse fwResponse = firewall.getFirewalledResponse((HttpServletResponse) response);
FilterInvocation fi = new FilterInvocation(fwRequest, fwResponse, chain);
List filters = getFilters(fi.getRequestUrl());
if (filters == null || filters.size() == 0) {
@@ -166,7 +176,7 @@ public class FilterChainProxy implements Filter, InitializingBean, ApplicationCo
filters == null ? " has no matching filters" : " has an empty filter list");
}
chain.doFilter(request, response);
chain.doFilter(fwRequest, response);
return;
}
@@ -330,6 +340,10 @@ public class FilterChainProxy implements Filter, InitializingBean, ApplicationCo
return matcher;
}
public void setFirewall(HttpFirewall firewall) {
this.firewall = firewall;
}
/**
* If set to 'true', the query string will be stripped from the request URL before
* attempting to find a matching filter chain. This is the default value.
@@ -374,6 +388,8 @@ public class FilterChainProxy implements Filter, InitializingBean, ApplicationCo
logger.debug(fi.getRequestUrl()
+ " reached end of additional filter chain; proceeding with original chain");
}
// Deactivate path stripping as we exit the security filter chain
resetWrapper(request);
fi.getChain().doFilter(request, response);
} else {
@@ -390,6 +406,16 @@ public class FilterChainProxy implements Filter, InitializingBean, ApplicationCo
nextFilter.doFilter(request, response, this);
}
}
private void resetWrapper(ServletRequest request) {
while (request instanceof ServletRequestWrapper) {
if (request instanceof FirewalledRequest) {
((FirewalledRequest)request).reset();
break;
}
request = ((ServletRequestWrapper)request).getRequest();
}
}
}
}
@@ -15,7 +15,7 @@ public class InMemoryXmlApplicationContext extends AbstractXmlApplicationContext
" xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'\n" +
" xsi:schemaLocation='http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd\n" +
"http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd\n" +
"http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.2.xsd'>\n";
"http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.6.xsd'>\n";
private static final String BEANS_CLOSE = "</b:beans>\n";
Resource inMemoryXml;
@@ -1,5 +1,6 @@
http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-2.0.4.xsd
http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-2.0.6.xsd
http\://www.springframework.org/schema/security/spring-security-2.0.xsd=org/springframework/security/config/spring-security-2.0.xsd
http\://www.springframework.org/schema/security/spring-security-2.0.1.xsd=org/springframework/security/config/spring-security-2.0.1.xsd
http\://www.springframework.org/schema/security/spring-security-2.0.2.xsd=org/springframework/security/config/spring-security-2.0.2.xsd
http\://www.springframework.org/schema/security/spring-security-2.0.4.xsd=org/springframework/security/config/spring-security-2.0.4.xsd
http\://www.springframework.org/schema/security/spring-security-2.0.6.xsd=org/springframework/security/config/spring-security-2.0.6.xsd
@@ -8,7 +8,7 @@ start = http | ldap-server | authentication-provider | ldap-authentication-provi
hash =
## Defines the hashing algorithm used on user passwords. We recommend strongly against using MD4, as it is a very weak hashing algorithm.
attribute hash {"plaintext" | "sha" | "sha-256" | "md5" | "md4" | "{sha}" | "{ssha}"}
base64 =
base64 =
## Whether a string should be base64 encoded
attribute base64 {"true" | "false"}
path-type =
@@ -20,9 +20,9 @@ port =
url =
## Specifies a URL.
attribute url { xsd:string }
id =
id =
## A bean identifier, used for referring to the bean elsewhere in the context.
attribute id {xsd:ID}
attribute id {xsd:ID}
ref =
## Defines a reference to a Spring bean Id.
attribute ref {xsd:string}
@@ -35,26 +35,26 @@ user-service-ref =
## A reference to a user-service (or UserDetailsService bean) Id
attribute user-service-ref {xsd:string}
data-source-ref =
data-source-ref =
## A reference to a DataSource bean
attribute data-source-ref {xsd:string}
password-encoder =
attribute data-source-ref {xsd:string}
password-encoder =
## element which defines a password encoding strategy. Used by an authentication provider to convert submitted passwords to hashed versions, for example.
element password-encoder {password-encoder.attlist, salt-source?}
element password-encoder {password-encoder.attlist, salt-source?}
password-encoder.attlist &=
ref | (hash? & base64?)
salt-source =
## Password salting strategy. A system-wide constant or a property from the UserDetails object can be used.
element salt-source {user-property | system-wide}
user-property =
## A property of the UserDetails object which will be used as salt by a password encoder. Typically something like "username" might be used.
## A property of the UserDetails object which will be used as salt by a password encoder. Typically something like "username" might be used.
attribute user-property {xsd:string}
system-wide =
## A single value that will be used as the salt for a password encoder.
## A single value that will be used as the salt for a password encoder.
attribute system-wide {xsd:string}
boolean = "true" | "false"
role-prefix =
@@ -63,16 +63,16 @@ role-prefix =
ldap-server =
## Defines an LDAP server location or starts an embedded server. The url indicates the location of a remote server. If no url is given, an embedded server will be started, listening on the supplied port number. The port is optional and defaults to 33389. A Spring LDAP ContextSource bean will be registered for the server with the id supplied.
## Defines an LDAP server location or starts an embedded server. The url indicates the location of a remote server. If no url is given, an embedded server will be started, listening on the supplied port number. The port is optional and defaults to 33389. A Spring LDAP ContextSource bean will be registered for the server with the id supplied.
element ldap-server {ldap-server.attlist}
ldap-server.attlist &= id?
ldap-server.attlist &= (url | port)?
ldap-server.attlist &=
## Username (DN) of the "manager" user identity which will be used to authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used.
## Username (DN) of the "manager" user identity which will be used to authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used.
attribute manager-dn {xsd:string}?
ldap-server.attlist &=
## The password for the manager DN.
attribute manager-password {xsd:string}?
attribute manager-password {xsd:string}?
ldap-server.attlist &=
## Explicitly specifies an ldif file resource to load into an embedded LDAP server
attribute ldif { xsd:string }?
@@ -81,14 +81,14 @@ ldap-server.attlist &=
attribute root { xsd:string }?
ldap-server-ref-attribute =
## The optional server to use. If omitted, and a default LDAP server is registered (using <ldap-server> with no Id), that server will be used.
## The optional server to use. If omitted, and a default LDAP server is registered (using <ldap-server> with no Id), that server will be used.
attribute server-ref {xsd:string}
group-search-filter-attribute =
group-search-filter-attribute =
## Group search filter. Defaults to (uniqueMember={0}). The substituted parameter is the DN of the user.
attribute group-search-filter {xsd:string}
group-search-base-attribute =
group-search-base-attribute =
## Search base for group membership searches. Defaults to "" (searching from the root).
attribute group-search-base {xsd:string}
user-search-filter-attribute =
@@ -100,14 +100,14 @@ user-search-base-attribute =
group-role-attribute-attribute =
## The LDAP attribute name which contains the role name which will be used within Spring Security. Defaults to "cn".
attribute group-role-attribute {xsd:string}
user-details-class-attribute =
user-details-class-attribute =
## Allows the objectClass of the user entry to be specified. If set, the framework will attempt to load standard attributes for the defined class into the returned UserDetails object
attribute user-details-class {"person" | "inetOrgPerson"}
ldap-user-service =
element ldap-user-service {ldap-us.attlist}
ldap-us.attlist &= id?
ldap-us.attlist &= id?
ldap-us.attlist &=
ldap-server-ref-attribute?
ldap-us.attlist &=
@@ -138,7 +138,7 @@ ldap-ap.attlist &=
user-search-filter-attribute?
ldap-ap.attlist &=
group-search-base-attribute?
ldap-ap.attlist &=
ldap-ap.attlist &=
group-search-filter-attribute?
ldap-ap.attlist &=
group-role-attribute-attribute?
@@ -153,7 +153,7 @@ ldap-ap.attlist &=
password-compare-element =
## Specifies that an LDAP provider should use an LDAP compare operation of the user's password to authenticate the user
element password-compare {password-compare.attlist, password-encoder?}
password-compare.attlist &=
## The attribute in the directory which contains the user password. Defaults to "userPassword".
attribute password-attribute {xsd:string}?
@@ -181,7 +181,7 @@ protect.attlist &=
global-method-security =
## Provides method security for all beans registered in the Spring application context. Specifically, beans will be scanned for Spring Security annotations and/or matches with the ordered list of "protect-pointcut" sub-elements. Where there is a match, the beans will automatically be proxied and security authorization applied to the methods accordingly. If you use and enable all three sources of method security metadata (ie "protect-pointcut" declarations, @Secured and also JSR 250 security annotations), the metadata sources will be queried in that order. In practical terms, this enables you to use XML to override method security metadata expressed by way of @Secured annotations, with @Secured annotations overriding method security metadata expressed by JSR 250 annotations. It is perfectly acceptable to mix and match, with a given Java type using a combination of XML, @Secured and JSR 250 to express method security metadata (albeit on different methods).
element global-method-security {global-method-security.attlist, protect-pointcut*}
element global-method-security {global-method-security.attlist, protect-pointcut*}
global-method-security.attlist &=
## Specifies whether the use of Spring Security's @Secured annotations should be enabled for this application context. Please ensure you have the spring-security-tiger-xxx.jar on the classpath. Defaults to "disabled".
attribute secured-annotations {"disabled" | "enabled" }?
@@ -206,6 +206,9 @@ protect-pointcut.attlist &=
## Access configuration attributes list that applies to all methods matching the pointcut, e.g. "ROLE_A,ROLE_B"
attribute access {xsd:string}
http-firewall =
## Allows a custom instance of HttpFirewall to be injected into the FilterChainProxy created by the namespace.
element http-firewall {ref}
http =
## Container element for HTTP security configuration
@@ -265,16 +268,16 @@ intercept-url.attlist &=
attribute requires-channel {"http" | "https" | "any"}?
logout =
## Incorporates a logout processing filter. Most web applications require a logout filter, although you may not require one if you write a controller to provider similar logic.
## Incorporates a logout processing filter. Most web applications require a logout filter, although you may not require one if you write a controller to provider similar logic.
element logout {logout.attlist, empty}
logout.attlist &=
## Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. Defaults to /j_spring_security_logout if unspecified.
## Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. Defaults to /j_spring_security_logout if unspecified.
attribute logout-url {xsd:string}?
logout.attlist &=
## Specifies the URL to display once the user has logged out. If not specified, defaults to /.
## Specifies the URL to display once the user has logged out. If not specified, defaults to /.
attribute logout-success-url {xsd:string}?
logout.attlist &=
## Specifies whether a logout also causes HttpSession invalidation, which is generally desirable. If unspecified, defaults to true.
## Specifies whether a logout also causes HttpSession invalidation, which is generally desirable. If unspecified, defaults to true.
attribute invalidate-session {boolean}?
form-login =
@@ -287,8 +290,8 @@ form-login.attlist &=
## The URL that will be redirected to after successful authentication, if the user's previous action could not be resumed. This generally happens if the user visits a login page without having first requested a secured operation that triggers authentication. If unspecified, defaults to the root of the application.
attribute default-target-url {xsd:string}?
form-login.attlist &=
## Whether the user should always be redirected to the default-target-url after login.
attribute always-use-default-target {boolean}?
## Whether the user should always be redirected to the default-target-url after login.
attribute always-use-default-target {boolean}?
form-login.attlist &=
## The URL for the login page. If no login URL is specified, Spring Security will automatically create a login URL at /spring_security_login and a corresponding filter to render that login URL when requested.
attribute login-page {xsd:string}?
@@ -296,7 +299,7 @@ form-login.attlist &=
## The URL for the login failure page. If no login failure URL is specified, Spring Security will automatically create a failure login URL at /spring_security_login?login_error and a corresponding filter to render that login failure URL when requested.
attribute authentication-failure-url {xsd:string}?
openid-login =
openid-login =
## Sets up form login for authentication with an Open ID identity
element openid-login {form-login.attlist, user-service-ref?, empty}
@@ -316,7 +319,7 @@ filter-chain.attlist &=
attribute filters {xsd:string}
filter-invocation-definition-source =
## Used to explicitly configure a FilterInvocationDefinitionSource bean for use with a FilterSecurityInterceptor. Usually only needed if you are configuring a FilterChainProxy explicitly, rather than using the <http> element. The intercept-url elements used should only contain pattern, method and access attributes. Any others will result in a configuration error.
## Used to explicitly configure a FilterInvocationDefinitionSource bean for use with a FilterSecurityInterceptor. Usually only needed if you are configuring a FilterChainProxy explicitly, rather than using the <http> element. The intercept-url elements used should only contain pattern, method and access attributes. Any others will result in a configuration error.
element filter-invocation-definition-source {fids.attlist, intercept-url+}
fids.attlist &=
id?
@@ -348,34 +351,34 @@ concurrent-sessions.attlist &=
## Allows you to define an alias for the SessionRegistry bean in order to access it in your own configuration
attribute session-registry-alias {xsd:string}?
concurrent-sessions.attlist &=
## A reference to an external SessionRegistry implementation which will be used in place of the standard one.
## A reference to an external SessionRegistry implementation which will be used in place of the standard one.
attribute session-registry-ref {xsd:string}?
remember-me =
## Sets up remember-me authentication. If used with the "key" attribute (or no attributes) the cookie-only implementation will be used. Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the more secure, persisten token approach.
## Sets up remember-me authentication. If used with the "key" attribute (or no attributes) the cookie-only implementation will be used. Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the more secure, persisten token approach.
element remember-me {remember-me.attlist}
remember-me.attlist &=
## The "key" used to identify cookies from a specific token-based remember-me application. You should set this to a unique value for your application.
attribute key {xsd:string}?
remember-me.attlist &=
(token-repository-ref | remember-me-data-source-ref | remember-me-services-ref)
remember-me.attlist &=
user-service-ref?
remember-me.attlist &=
## The period (in seconds) for which the remember-me cookie should be valid.
## The period (in seconds) for which the remember-me cookie should be valid.
attribute token-validity-seconds {xsd:positiveInteger}?
token-repository-ref =
## Reference to a PersistentTokenRepository bean for use with the persistent token remember-me implementation.
## Reference to a PersistentTokenRepository bean for use with the persistent token remember-me implementation.
attribute token-repository-ref {xsd:string}
remember-me-services-ref =
## Allows a custom implementation of RememberMeServices to be used. Note that this implementation should return RememberMeAuthenticationToken instances with the same "key" value as specified in the remember-me element. Alternatively it should register its own AuthenticationProvider.
remember-me-services-ref =
## Allows a custom implementation of RememberMeServices to be used. Note that this implementation should return RememberMeAuthenticationToken instances with the same "key" value as specified in the remember-me element. Alternatively it should register its own AuthenticationProvider.
attribute services-ref {xsd:string}?
remember-me-data-source-ref =
## DataSource bean for the database that contains the token repository schema.
## DataSource bean for the database that contains the token repository schema.
data-source-ref
anonymous =
@@ -384,39 +387,39 @@ anonymous =
anonymous.attlist &=
## The key shared between the provider and filter. This generally does not need to be set. If unset, it will default to "doesNotMatter".
attribute key {xsd:string}?
anonymous.attlist &=
anonymous.attlist &=
## The username that should be assigned to the anonymous request. This allows the principal to be identified, which may be important for logging and auditing. if unset, defaults to "anonymousUser".
attribute username {xsd:string}?
anonymous.attlist &=
## The granted authority that should be assigned to the anonymous request. Commonly this is used to assign the anonymous request particular roles, which can subsequently be used in authorization decisions. If unset, defaults to "ROLE_ANONYMOUS".
attribute granted-authority {xsd:string}?
port-mappings =
port-mappings =
## Defines the list of mappings between http and https ports for use in redirects
element port-mappings {port-mappings.attlist, port-mapping+}
port-mappings.attlist &= empty
port-mapping =
port-mapping =
element port-mapping {http-port, https-port}
http-port = attribute http {xsd:string}
https-port = attribute https {xsd:string}
x509 =
x509 =
## Adds support for X.509 client authentication.
element x509 {x509.attlist}
x509.attlist &=
x509.attlist &=
## The regular expression used to obtain the username from the certificate's subject. Defaults to matching on the common name using the pattern "CN=(.*?),".
attribute subject-principal-regex {xsd:string}?
x509.attlist &=
## Explicitly specifies which user-service should be used to load user data for X.509 authenticated clients. If ommitted, the default user-service will be used.
## Explicitly specifies which user-service should be used to load user data for X.509 authenticated clients. If ommitted, the default user-service will be used.
user-service-ref?
authentication-manager =
## If you are using namespace configuration with Spring Security, an AuthenticationManager will automatically be registered. This element allows you to define an alias to allow you to reference the authentication-manager in your own beans.
## If you are using namespace configuration with Spring Security, an AuthenticationManager will automatically be registered. This element allows you to define an alias to allow you to reference the authentication-manager in your own beans.
element authentication-manager {authman.attlist}
authman.attlist &=
## The alias you wish to use for the AuthenticationManager bean
@@ -427,10 +430,10 @@ authman.attlist &=
authentication-provider =
## Indicates that the contained user-service should be used as an authentication source.
## Indicates that the contained user-service should be used as an authentication source.
element authentication-provider {ap.attlist & any-user-service & password-encoder?}
ap.attlist &=
## Specifies a reference to a separately configured UserDetailsService from which to obtain authentication data.
## Specifies a reference to a separately configured UserDetailsService from which to obtain authentication data.
user-service-ref?
custom-authentication-provider =
@@ -443,31 +446,31 @@ user-service =
element user-service {id? & (properties-file | (user*))}
properties-file =
attribute properties {xsd:string}?
user =
## Represents a user in the application.
## Represents a user in the application.
element user {user.attlist, empty}
user.attlist &=
## The username assigned to the user.
## The username assigned to the user.
attribute name {xsd:string}
user.attlist &=
## The password assigned to the user. This may be hashed if the corresponding authentication provider supports hashing (remember to set the "hash" attribute of the "user-service" element).
## The password assigned to the user. This may be hashed if the corresponding authentication provider supports hashing (remember to set the "hash" attribute of the "user-service" element).
attribute password {xsd:string}
user.attlist &=
## One of more authorities granted to the user. Separate authorities with a comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR"
## One of more authorities granted to the user. Separate authorities with a comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR"
attribute authorities {xsd:string}
user.attlist &=
## Can be set to "true" to mark an account as locked and unusable.
## Can be set to "true" to mark an account as locked and unusable.
attribute locked {boolean}?
user.attlist &=
## Can be set to "true" to mark an account as disabled and unusable.
## Can be set to "true" to mark an account as disabled and unusable.
attribute disabled {boolean}?
jdbc-user-service =
## Causes creation of a JDBC-based UserDetailsService.
element jdbc-user-service {id? & jdbc-user-service.attlist}
## Causes creation of a JDBC-based UserDetailsService.
element jdbc-user-service {id? & jdbc-user-service.attlist}
jdbc-user-service.attlist &=
## The bean ID of the DataSource which provides the required tables.
## The bean ID of the DataSource which provides the required tables.
attribute data-source-ref {xsd:string}
jdbc-user-service.attlist &=
cache-ref?
@@ -482,15 +485,15 @@ jdbc-user-service.attlist &=
attribute group-authorities-by-username-query {xsd:string}?
jdbc-user-service.attlist &=
role-prefix?
any-user-service = user-service | jdbc-user-service | ldap-user-service
custom-filter =
## Used to indicate that a filter bean declaration should be incorporated into the security filter chain. If neither the 'after' or 'before' options are supplied, then the filter must implement the Ordered interface directly.
## Used to indicate that a filter bean declaration should be incorporated into the security filter chain. If neither the 'after' or 'before' options are supplied, then the filter must implement the Ordered interface directly.
element custom-filter {after | before | position}?
after =
## The filter immediately after which the custom-filter should be placed in the chain. This feature will only be needed by advanced users who wish to mix their own filters into the security filter chain and have some knowledge of the standard Spring Security filters. The filter names map to specific Spring Security implementation filters.
## The filter immediately after which the custom-filter should be placed in the chain. This feature will only be needed by advanced users who wish to mix their own filters into the security filter chain and have some knowledge of the standard Spring Security filters. The filter names map to specific Spring Security implementation filters.
attribute after {named-security-filter}
before =
## The filter immediately before which the custom-filter should be placed in the chain
@@ -502,5 +505,3 @@ position =
named-security-filter = "FIRST" | "CHANNEL_FILTER" | "CONCURRENT_SESSION_FILTER" | "SESSION_CONTEXT_INTEGRATION_FILTER" | "LOGOUT_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_PROCESSING_FILTER" | "AUTHENTICATION_PROCESSING_FILTER" | "OPENID_PROCESSING_FILTER" |"BASIC_PROCESSING_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "NTLM_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER" | "LAST"
@@ -24,6 +24,7 @@ import org.springframework.security.concurrent.ConcurrentLoginException;
import org.springframework.security.concurrent.ConcurrentSessionControllerImpl;
import org.springframework.security.concurrent.ConcurrentSessionFilter;
import org.springframework.security.context.HttpSessionContextIntegrationFilter;
import org.springframework.security.firewall.DefaultHttpFirewall;
import org.springframework.security.intercept.web.FilterInvocation;
import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;
import org.springframework.security.intercept.web.FilterSecurityInterceptor;
@@ -661,6 +662,19 @@ public class HttpSecurityBeanDefinitionParserTests {
assertTrue(attrDef.contains(new SecurityConfig("ROLE_B")));
}
@Test
public void httpFirewallInjectionIsSupported() throws Exception {
setContext(
"<http-firewall ref='fw'/>" +
"<http>" +
" <form-login />" +
"</http>" +
"<b:bean id='fw' class='" + DefaultHttpFirewall.class.getName() +"'/>" +
AUTH_PROVIDER_XML);
FilterChainProxy fcp = (FilterChainProxy) appContext.getBean(BeanIds.FILTER_CHAIN_PROXY);
assertSame(appContext.getBean("fw"), FieldUtils.getFieldValue(fcp, "firewall"));
}
private void setContext(String context) {
appContext = new InMemoryXmlApplicationContext(context);
}
@@ -0,0 +1,44 @@
package org.springframework.security.firewall;
import static org.junit.Assert.fail;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
/**
* @author Luke Taylor
*/
public class DefaultHttpFirewallTests {
public String[] unnormalizedPaths = {
"/..",
"/./path/",
"/path/path/.",
"/path/path//.",
"./path/../path//.",
"./path",
".//path",
"."
};
@Test
public void unnormalizedPathsAreRejected() throws Exception {
DefaultHttpFirewall fw = new DefaultHttpFirewall();
MockHttpServletRequest request;
for (String path : unnormalizedPaths) {
request = new MockHttpServletRequest();
request.setServletPath(path);
try {
fw.getFirewalledRequest(request);
fail(path + " is un-normalized");
} catch (RequestRejectedException expected) {
}
request.setPathInfo(path);
try {
fw.getFirewalledRequest(request);
fail(path + " is un-normalized");
} catch (RequestRejectedException expected) {
}
}
}
}
@@ -0,0 +1,62 @@
package org.springframework.security.firewall;
import static org.junit.Assert.assertEquals;
import org.junit.BeforeClass;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import java.util.*;
/**
* @author Luke Taylor
*/
public class RequestWrapperTests {
private static Map<String, String> testPaths = new LinkedHashMap<String,String>();
@BeforeClass
// Some of these may be unrealistic values, but we can't be sure because of the
// inconsistency in the spec.
public static void createTestMap() {
testPaths.put("/path1;x=y;z=w/path2;x=y/path3;x=y", "/path1/path2/path3");
testPaths.put("/path1;x=y/path2;x=y/", "/path1/path2/");
testPaths.put("/path1//path2/", "/path1/path2/");
testPaths.put("//path1/path2//", "/path1/path2/");
testPaths.put(";x=y;z=w", "");
}
@Test
public void pathParametersAreRemovedFromServletPath() {
MockHttpServletRequest request = new MockHttpServletRequest();
for (Map.Entry<String,String> entry : testPaths.entrySet()) {
String path = entry.getKey();
String expectedResult = entry.getValue();
request.setServletPath(path);
RequestWrapper wrapper = new RequestWrapper(request);
assertEquals(expectedResult, wrapper.getServletPath());
wrapper.reset();
assertEquals(path, wrapper.getServletPath());
}
}
@Test
public void pathParametersAreRemovedFromPathInfo() {
MockHttpServletRequest request = new MockHttpServletRequest();
for (Map.Entry<String,String> entry : testPaths.entrySet()) {
String path = entry.getKey();
String expectedResult = entry.getValue();
// Should be null when stripped value is empty
if (expectedResult.length() == 0) {
expectedResult = null;
}
request.setPathInfo(path);
RequestWrapper wrapper = new RequestWrapper(request);
assertEquals(expectedResult, wrapper.getPathInfo());
wrapper.reset();
assertEquals(path, wrapper.getPathInfo());
}
}
}
@@ -1,12 +1,17 @@
package org.springframework.security.ldap;
import static org.junit.Assert.assertNull;
import javax.naming.directory.DirContext;
import org.junit.Test;
import org.springframework.security.BadCredentialsException;
/**
* @author Luke Taylor
* @version $Id$
*/
public class DefaultSpringSecurityContextSourceTests {
public class DefaultSpringSecurityContextSourceTests extends AbstractLdapIntegrationTests {
@Test
public void instantiationSucceeds() {
@@ -15,7 +20,27 @@ public class DefaultSpringSecurityContextSourceTests {
@Test
public void supportsSpacesInUrl() {
new DefaultSpringSecurityContextSource("ldap://myhost:10389/dc=spring%20framework,dc=org");
new DefaultSpringSecurityContextSource("ldap://myhost:10389/dc=spring%20framework,dc=org");
}
@Test
public void poolingIsntUsedForSingleUser() throws Exception {
DirContext ctx = getContextSource().getReadWriteContext("uid=Bob,ou=people,dc=springframework,dc=org", "bobspassword");
//com.sun.jndi.ldap.LdapPoolManager.showStats(System.out);
assertNull(ctx.getEnvironment().get("com.sun.jndi.ldap.connect.pool"));
ctx.close();
}
@Test(expected=BadCredentialsException.class)
public void poolingIsntUsedForSingleUser2() throws Exception {
DirContext ctx = getContextSource().getReadWriteContext("uid=Bob,ou=people,dc=springframework,dc=org", "bobspassword");
com.sun.jndi.ldap.LdapPoolManager.showStats(System.out);
ctx.close();
com.sun.jndi.ldap.LdapPoolManager.showStats(System.out);
// Now get it gain, with wrong password
ctx = getContextSource().getReadWriteContext("uid=Bob,ou=people,dc=springframework,dc=org", "wrongpassword");
com.sun.jndi.ldap.LdapPoolManager.showStats(System.out);
}
}
@@ -71,13 +71,11 @@ public class FilterBasedLdapUserSearchTests extends AbstractLdapIntegrationTests
@Test
public void extraFilterPartToExcludeBob() throws Exception {
FilterBasedLdapUserSearch locator = new FilterBasedLdapUserSearch("ou=people",
"(&(cn=*)(!(|(uid={0})(uid=rod)(uid=jerry))))", dirCtxFactory);
"(&(cn=*)(!(|(uid={0})(uid=rod)(uid=jerry)(uid=slashguy))))", dirCtxFactory);
// Search for bob, get back ben...
DirContextOperations ben = locator.searchForUser("bob");
assertEquals("Ben Alex", ben.getStringAttribute("cn"));
// assertEquals("uid=ben,ou=people,"+ROOT_DN, ben.getDn());
}
@Test(expected=IncorrectResultSizeDataAccessException.class)
@@ -15,18 +15,17 @@
package org.springframework.security.providers.ldap.authenticator;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;
import org.junit.Test;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.Authentication;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.SpringSecurityMessageSource;
import org.springframework.security.ldap.AbstractLdapIntegrationTests;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.DistinguishedName;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;
import org.junit.Test;
/**
* Tests for {@link BindAuthenticator}.
@@ -39,7 +38,6 @@ public class BindAuthenticatorTests extends AbstractLdapIntegrationTests {
private BindAuthenticator authenticator;
private Authentication bob;
// private Authentication ben;
//~ Methods ========================================================================================================
@@ -48,7 +46,6 @@ public class BindAuthenticatorTests extends AbstractLdapIntegrationTests {
authenticator = new BindAuthenticator(getContextSource());
authenticator.setMessageSource(new SpringSecurityMessageSource());
bob = new UsernamePasswordAuthenticationToken("bob", "bobspassword");
// ben = new UsernamePasswordAuthenticationToken("ben", "benspassword");
}
@@ -72,11 +69,14 @@ public class BindAuthenticatorTests extends AbstractLdapIntegrationTests {
@Test
public void testAuthenticationWithUserSearch() throws Exception {
DirContextAdapter ctx = new DirContextAdapter(new DistinguishedName("uid=bob,ou=people"));
authenticator.setUserSearch(new MockUserSearch(ctx));
authenticator.afterPropertiesSet();
authenticator.authenticate(bob);
// DirContextAdapter ctx = new DirContextAdapter(new DistinguishedName("uid=bob,ou=people"));
authenticator.setUserSearch(new FilterBasedLdapUserSearch("ou=people", "(uid={0})", getContextSource()));
authenticator.afterPropertiesSet();
authenticator.authenticate(bob);
// SEC-1444
authenticator.setUserSearch(new FilterBasedLdapUserSearch("ou=people", "(cn={0})", getContextSource()));
authenticator.authenticate(new UsernamePasswordAuthenticationToken("mouse, jerry", "jerryspassword"));
authenticator.authenticate(new UsernamePasswordAuthenticationToken("slash/guy", "slashguyspassword"));
}
@Test
@@ -0,0 +1,237 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.util;
import org.springframework.security.ConfigAttribute;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.MockFilterConfig;
import org.springframework.security.context.HttpSessionContextIntegrationFilter;
import org.springframework.security.intercept.web.MockFilterInvocationDefinitionSource;
import org.springframework.security.intercept.web.DefaultFilterInvocationDefinitionSource;
import org.springframework.security.intercept.web.RequestKey;
import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;
import org.springframework.beans.factory.BeanCreationException;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.context.support.StaticApplicationContext;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.junit.After;
import static org.junit.Assert.*;
import org.junit.Before;
import org.junit.Test;
import java.util.LinkedHashMap;
import java.util.List;
/**
* Tests {@link FilterChainProxy}.
*
* @author Carlos Sanchez
* @author Ben Alex
* @version $Id$
*/
public class FilterChainProxyConfigTests {
private ClassPathXmlApplicationContext appCtx;
//~ Methods ========================================================================================================
@Before
public void loadContext() {
appCtx = new ClassPathXmlApplicationContext("org/springframework/security/util/filtertest-valid.xml");
}
@After
public void closeContext() {
if (appCtx != null) {
appCtx.close();
}
}
@Test(expected=IllegalArgumentException.class)
public void testDetectsFilterInvocationDefinitionSourceThatDoesNotReturnAllConfigAttributes() throws Exception {
FilterChainProxy filterChainProxy = new FilterChainProxy();
filterChainProxy.setApplicationContext(new StaticApplicationContext());
filterChainProxy.setFilterInvocationDefinitionSource(new MockFilterInvocationDefinitionSource(false, false));
filterChainProxy.afterPropertiesSet();
}
@Test(expected=IllegalArgumentException.class)
public void testDetectsIfConfigAttributeDoesNotReturnValueForGetAttributeMethod() throws Exception {
FilterChainProxy filterChainProxy = new FilterChainProxy();
filterChainProxy.setApplicationContext(new StaticApplicationContext());
ConfigAttributeDefinition cad = new ConfigAttributeDefinition(new MockConfigAttribute());
LinkedHashMap map = new LinkedHashMap();
map.put(new RequestKey("/**"), cad);
DefaultFilterInvocationDefinitionSource fids =
new DefaultFilterInvocationDefinitionSource(new AntUrlPathMatcher(), map);
filterChainProxy.setFilterInvocationDefinitionSource(fids);
filterChainProxy.afterPropertiesSet();
filterChainProxy.init(new MockFilterConfig());
}
@Test(expected = IllegalArgumentException.class)
public void testDetectsMissingFilterInvocationDefinitionSource() throws Exception {
FilterChainProxy filterChainProxy = new FilterChainProxy();
filterChainProxy.setApplicationContext(new StaticApplicationContext());
filterChainProxy.afterPropertiesSet();
}
@Test
public void testDoNotFilter() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("filterChain", FilterChainProxy.class);
MockFilter filter = (MockFilter) appCtx.getBean("mockFilter", MockFilter.class);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/do/not/filter/somefile.html");
MockHttpServletResponse response = new MockHttpServletResponse();
MockFilterChain chain = new MockFilterChain(true);
filterChainProxy.doFilter(request, response, chain);
assertFalse(filter.isWasInitialized());
assertFalse(filter.isWasDoFiltered());
assertFalse(filter.isWasDestroyed());
}
@Test
public void misplacedUniversalPathShouldBeDetected() throws Exception {
try {
appCtx.getBean("newFilterChainProxyWrongPathOrder", FilterChainProxy.class);
fail("Expected BeanCreationException");
} catch (BeanCreationException expected) {
}
}
@Test
public void normalOperation() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("filterChain", FilterChainProxy.class);
doNormalOperation(filterChainProxy);
}
@Test
public void proxyPathWithoutLowerCaseConversionShouldntMatchDifferentCasePath() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("filterChainNonLowerCase", FilterChainProxy.class);
assertNull(filterChainProxy.getFilters("/some/other/path/blah"));
}
@Test
public void normalOperationWithNewConfig() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("newFilterChainProxy", FilterChainProxy.class);
checkPathAndFilterOrder(filterChainProxy);
doNormalOperation(filterChainProxy);
}
@Test
public void normalOperationWithNewConfigRegex() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("newFilterChainProxyRegex", FilterChainProxy.class);
checkPathAndFilterOrder(filterChainProxy);
doNormalOperation(filterChainProxy);
}
@Test
public void normalOperationWithNewConfigNonNamespace() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("newFilterChainProxyNonNamespace", FilterChainProxy.class);
checkPathAndFilterOrder(filterChainProxy);
doNormalOperation(filterChainProxy);
}
@Test
public void pathWithNoMatchHasNoFilters() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("newFilterChainProxyNoDefaultPath", FilterChainProxy.class);
assertEquals(null, filterChainProxy.getFilters("/nomatch"));
}
@Test
public void urlStrippingPropertyIsRespected() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("newFilterChainProxyNoDefaultPath", FilterChainProxy.class);
// Should only match if we are stripping the query string
String url = "/blah.bar?x=something";
assertNotNull(filterChainProxy.getFilters(url));
assertEquals(2, filterChainProxy.getFilters(url).size());
filterChainProxy.setStripQueryStringFromUrls(false);
assertNull(filterChainProxy.getFilters(url));
}
private void checkPathAndFilterOrder(FilterChainProxy filterChainProxy) throws Exception {
List filters = filterChainProxy.getFilters("/foo/blah");
assertEquals(1, filters.size());
assertTrue(filters.get(0) instanceof MockFilter);
filters = filterChainProxy.getFilters("/some/other/path/blah");
assertNotNull(filters);
assertEquals(3, filters.size());
assertTrue(filters.get(0) instanceof HttpSessionContextIntegrationFilter);
assertTrue(filters.get(1) instanceof MockFilter);
assertTrue(filters.get(2) instanceof MockFilter);
filters = filterChainProxy.getFilters("/do/not/filter");
assertEquals(0, filters.size());
filters = filterChainProxy.getFilters("/another/nonspecificmatch");
assertEquals(3, filters.size());
assertTrue(filters.get(0) instanceof HttpSessionContextIntegrationFilter);
assertTrue(filters.get(1) instanceof AuthenticationProcessingFilter);
assertTrue(filters.get(2) instanceof MockFilter);
}
private void doNormalOperation(FilterChainProxy filterChainProxy) throws Exception {
MockFilter filter = (MockFilter) appCtx.getBean("mockFilter", MockFilter.class);
assertFalse(filter.isWasInitialized());
assertFalse(filter.isWasDoFiltered());
assertFalse(filter.isWasDestroyed());
filterChainProxy.init(new MockFilterConfig());
assertTrue(filter.isWasInitialized());
assertFalse(filter.isWasDoFiltered());
assertFalse(filter.isWasDestroyed());
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/foo/secure/super/somefile.html");
MockHttpServletResponse response = new MockHttpServletResponse();
MockFilterChain chain = new MockFilterChain(true);
filterChainProxy.doFilter(request, response, chain);
assertTrue(filter.isWasInitialized());
assertTrue(filter.isWasDoFiltered());
assertFalse(filter.isWasDestroyed());
request.setServletPath("/a/path/which/doesnt/match/any/filter.html");
filterChainProxy.doFilter(request, response, chain);
filterChainProxy.destroy();
assertTrue(filter.isWasInitialized());
assertTrue(filter.isWasDoFiltered());
assertTrue(filter.isWasDestroyed());
}
//~ Inner Classes ==================================================================================================
private class MockConfigAttribute implements ConfigAttribute {
public String getAttribute() {
return null;
}
}
}
@@ -1,237 +1,103 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.util;
import org.springframework.security.ConfigAttribute;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.MockFilterConfig;
import org.springframework.security.context.HttpSessionContextIntegrationFilter;
import org.springframework.security.intercept.web.MockFilterInvocationDefinitionSource;
import org.springframework.security.intercept.web.DefaultFilterInvocationDefinitionSource;
import org.springframework.security.intercept.web.RequestKey;
import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;
import static org.junit.Assert.assertEquals;
import static org.mockito.Mockito.*;
import org.springframework.beans.factory.BeanCreationException;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.context.support.StaticApplicationContext;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.junit.After;
import static org.junit.Assert.*;
import org.junit.Before;
import org.junit.Test;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.firewall.FirewalledRequest;
import java.util.LinkedHashMap;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.*;
/**
* Tests {@link FilterChainProxy}.
*
* @author Carlos Sanchez
* @author Ben Alex
* @version $Id$
* @author Luke Taylor
*/
@SuppressWarnings({"unchecked"})
public class FilterChainProxyTests {
private ClassPathXmlApplicationContext appCtx;
//~ Methods ========================================================================================================
private FilterChainProxy fcp;
private MockHttpServletRequest request;
private MockHttpServletResponse response;
private FilterChain chain;
private Filter filter;
@Before
public void loadContext() {
appCtx = new ClassPathXmlApplicationContext("org/springframework/security/util/filtertest-valid.xml");
}
@After
public void closeContext() {
if (appCtx != null) {
appCtx.close();
}
}
@Test(expected=IllegalArgumentException.class)
public void testDetectsFilterInvocationDefinitionSourceThatDoesNotReturnAllConfigAttributes() throws Exception {
FilterChainProxy filterChainProxy = new FilterChainProxy();
filterChainProxy.setApplicationContext(new StaticApplicationContext());
filterChainProxy.setFilterInvocationDefinitionSource(new MockFilterInvocationDefinitionSource(false, false));
filterChainProxy.afterPropertiesSet();
}
@Test(expected=IllegalArgumentException.class)
public void testDetectsIfConfigAttributeDoesNotReturnValueForGetAttributeMethod() throws Exception {
FilterChainProxy filterChainProxy = new FilterChainProxy();
filterChainProxy.setApplicationContext(new StaticApplicationContext());
ConfigAttributeDefinition cad = new ConfigAttributeDefinition(new MockConfigAttribute());
public void setup() throws Exception {
fcp = new FilterChainProxy();
filter = mock(Filter.class);
doAnswer(new Answer() {
public Object answer(InvocationOnMock inv) throws Throwable {
Object[] args = inv.getArguments();
FilterChain fc = (FilterChain) args[2];
fc.doFilter((HttpServletRequest) args[0], (HttpServletResponse) args[1]);
return null;
}
}).when(filter).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class), any(FilterChain.class));
LinkedHashMap map = new LinkedHashMap();
map.put(new RequestKey("/**"), cad);
DefaultFilterInvocationDefinitionSource fids =
new DefaultFilterInvocationDefinitionSource(new AntUrlPathMatcher(), map);
filterChainProxy.setFilterInvocationDefinitionSource(fids);
filterChainProxy.afterPropertiesSet();
filterChainProxy.init(new MockFilterConfig());
}
@Test(expected = IllegalArgumentException.class)
public void testDetectsMissingFilterInvocationDefinitionSource() throws Exception {
FilterChainProxy filterChainProxy = new FilterChainProxy();
filterChainProxy.setApplicationContext(new StaticApplicationContext());
filterChainProxy.afterPropertiesSet();
map.put("/match", Arrays.asList(filter));
fcp.setFilterChainMap(map);
request = new MockHttpServletRequest();
request.setServletPath("/match");
response = new MockHttpServletResponse();
chain = mock(FilterChain.class);
}
@Test
public void testDoNotFilter() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("filterChain", FilterChainProxy.class);
MockFilter filter = (MockFilter) appCtx.getBean("mockFilter", MockFilter.class);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/do/not/filter/somefile.html");
MockHttpServletResponse response = new MockHttpServletResponse();
MockFilterChain chain = new MockFilterChain(true);
filterChainProxy.doFilter(request, response, chain);
assertFalse(filter.isWasInitialized());
assertFalse(filter.isWasDoFiltered());
assertFalse(filter.isWasDestroyed());
public void toStringCallSucceeds() throws Exception {
fcp.afterPropertiesSet();
fcp.toString();
}
@Test
public void misplacedUniversalPathShouldBeDetected() throws Exception {
try {
appCtx.getBean("newFilterChainProxyWrongPathOrder", FilterChainProxy.class);
fail("Expected BeanCreationException");
} catch (BeanCreationException expected) {
}
public void securityFilterChainIsNotInvokedIfMatchFails() throws Exception {
request.setServletPath("/nomatch");
fcp.doFilter(request, response, chain);
assertEquals(1, fcp.getFilterChainMap().size());
verifyZeroInteractions(filter);
// The actual filter chain should be invoked though
verify(chain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
}
@Test
public void normalOperation() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("filterChain", FilterChainProxy.class);
doNormalOperation(filterChainProxy);
public void originalChainIsInvokedAfterSecurityChainIfMatchSucceeds() throws Exception {
fcp.doFilter(request, response, chain);
verify(filter).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class), any(FilterChain.class));
verify(chain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
}
@Test
public void proxyPathWithoutLowerCaseConversionShouldntMatchDifferentCasePath() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("filterChainNonLowerCase", FilterChainProxy.class);
assertNull(filterChainProxy.getFilters("/some/other/path/blah"));
public void originalFilterChainIsInvokedIfMatchingSecurityChainIsEmpty() throws Exception {
LinkedHashMap map = new LinkedHashMap();
map.put("/match", Collections.emptyList());
fcp.setFilterChainMap(map);
fcp.doFilter(request, response, chain);
verify(chain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
}
@Test
public void normalOperationWithNewConfig() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("newFilterChainProxy", FilterChainProxy.class);
checkPathAndFilterOrder(filterChainProxy);
doNormalOperation(filterChainProxy);
public void requestIsWrappedForFilteringWhenMatchIsFound() throws Exception {
fcp.doFilter(request, response, chain);
verify(filter).doFilter(any(FirewalledRequest.class), any(HttpServletResponse.class), any(FilterChain.class));
verify(chain).doFilter(any(FirewalledRequest.class), any(HttpServletResponse.class));
}
@Test
public void normalOperationWithNewConfigRegex() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("newFilterChainProxyRegex", FilterChainProxy.class);
checkPathAndFilterOrder(filterChainProxy);
doNormalOperation(filterChainProxy);
public void requestIsWrappedForFilteringWhenMatchIsNotFound() throws Exception {
request.setServletPath("/nomatch");
fcp.doFilter(request, response, chain);
verifyZeroInteractions(filter);
verify(chain).doFilter(any(FirewalledRequest.class), any(HttpServletResponse.class));
}
@Test
public void normalOperationWithNewConfigNonNamespace() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("newFilterChainProxyNonNamespace", FilterChainProxy.class);
checkPathAndFilterOrder(filterChainProxy);
doNormalOperation(filterChainProxy);
}
@Test
public void pathWithNoMatchHasNoFilters() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("newFilterChainProxyNoDefaultPath", FilterChainProxy.class);
assertEquals(null, filterChainProxy.getFilters("/nomatch"));
}
@Test
public void urlStrippingPropertyIsRespected() throws Exception {
FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("newFilterChainProxyNoDefaultPath", FilterChainProxy.class);
// Should only match if we are stripping the query string
String url = "/blah.bar?x=something";
assertNotNull(filterChainProxy.getFilters(url));
assertEquals(2, filterChainProxy.getFilters(url).size());
filterChainProxy.setStripQueryStringFromUrls(false);
assertNull(filterChainProxy.getFilters(url));
}
private void checkPathAndFilterOrder(FilterChainProxy filterChainProxy) throws Exception {
List filters = filterChainProxy.getFilters("/foo/blah");
assertEquals(1, filters.size());
assertTrue(filters.get(0) instanceof MockFilter);
filters = filterChainProxy.getFilters("/some/other/path/blah");
assertNotNull(filters);
assertEquals(3, filters.size());
assertTrue(filters.get(0) instanceof HttpSessionContextIntegrationFilter);
assertTrue(filters.get(1) instanceof MockFilter);
assertTrue(filters.get(2) instanceof MockFilter);
filters = filterChainProxy.getFilters("/do/not/filter");
assertEquals(0, filters.size());
filters = filterChainProxy.getFilters("/another/nonspecificmatch");
assertEquals(3, filters.size());
assertTrue(filters.get(0) instanceof HttpSessionContextIntegrationFilter);
assertTrue(filters.get(1) instanceof AuthenticationProcessingFilter);
assertTrue(filters.get(2) instanceof MockFilter);
}
private void doNormalOperation(FilterChainProxy filterChainProxy) throws Exception {
MockFilter filter = (MockFilter) appCtx.getBean("mockFilter", MockFilter.class);
assertFalse(filter.isWasInitialized());
assertFalse(filter.isWasDoFiltered());
assertFalse(filter.isWasDestroyed());
filterChainProxy.init(new MockFilterConfig());
assertTrue(filter.isWasInitialized());
assertFalse(filter.isWasDoFiltered());
assertFalse(filter.isWasDestroyed());
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/foo/secure/super/somefile.html");
MockHttpServletResponse response = new MockHttpServletResponse();
MockFilterChain chain = new MockFilterChain(true);
filterChainProxy.doFilter(request, response, chain);
assertTrue(filter.isWasInitialized());
assertTrue(filter.isWasDoFiltered());
assertFalse(filter.isWasDestroyed());
request.setServletPath("/a/path/which/doesnt/match/any/filter.html");
filterChainProxy.doFilter(request, response, chain);
filterChainProxy.destroy();
assertTrue(filter.isWasInitialized());
assertTrue(filter.isWasDoFiltered());
assertTrue(filter.isWasDestroyed());
}
//~ Inner Classes ==================================================================================================
private class MockConfigAttribute implements ConfigAttribute {
public String getAttribute() {
return null;
}
}
}
@@ -35,15 +35,6 @@ import java.util.Vector;
* @version $Id$
*/
public class AffirmativeBasedTests extends TestCase {
//~ Constructors ===================================================================================================
public AffirmativeBasedTests() {
super();
}
public AffirmativeBasedTests(String arg0) {
super(arg0);
}
//~ Methods ========================================================================================================
@@ -53,25 +44,24 @@ public class AffirmativeBasedTests extends TestCase {
private AffirmativeBased makeDecisionManager() {
AffirmativeBased decisionManager = new AffirmativeBased();
RoleVoter roleVoter = new RoleVoter();
DenyVoter denyForSureVoter = new DenyVoter();
DenyAgainVoter denyAgainForSureVoter = new DenyAgainVoter();
List voters = new Vector();
voters.add(roleVoter);
voters.add(denyForSureVoter);
voters.add(denyAgainForSureVoter);
voters.add(new RoleVoter());
voters.add(new DenyVoter());
voters.add(new DenyAgainVoter());
decisionManager.setDecisionVoters(voters);
return decisionManager;
}
private TestingAuthenticationToken makeTestToken() {
return new TestingAuthenticationToken("somebody", "password",
new GrantedAuthority[] {new GrantedAuthorityImpl("ROLE_1"), new GrantedAuthorityImpl("ROLE_2")});
return new TestingAuthenticationToken("somebody", "password", "ROLE_1","ROLE_2");
}
public final void setUp() throws Exception {
super.setUp();
public void testOneAffirmativeGrantsAccess(){
AffirmativeBased mgr = makeDecisionManager();
ConfigAttributeDefinition config = new ConfigAttributeDefinition(new String[]{"ROLE_1", "ROLE_2"});
mgr.decide(new TestingAuthenticationToken("somebody", "password", "ROLE_1"), new Object(), config);
}
public void testOneAffirmativeVoteOneDenyVoteOneAbstainVoteGrantsAccess()
@@ -82,7 +72,6 @@ public class AffirmativeBasedTests extends TestCase {
ConfigAttributeDefinition config = new ConfigAttributeDefinition(new String[]{"ROLE_1", "DENY_FOR_SURE"});
mgr.decide(auth, new Object(), config);
assertTrue(true);
}
public void testOneAffirmativeVoteTwoAbstainVotesGrantsAccess()
@@ -93,7 +82,6 @@ public class AffirmativeBasedTests extends TestCase {
ConfigAttributeDefinition config = new ConfigAttributeDefinition("ROLE_2");
mgr.decide(auth, new Object(), config);
assertTrue(true);
}
public void testOneDenyVoteTwoAbstainVotesDeniesAccess()
@@ -107,7 +95,6 @@ public class AffirmativeBasedTests extends TestCase {
mgr.decide(auth, new Object(), config);
fail("Should have thrown AccessDeniedException");
} catch (AccessDeniedException expected) {
assertTrue(true);
}
}
@@ -124,7 +111,6 @@ public class AffirmativeBasedTests extends TestCase {
mgr.decide(auth, new Object(), config);
fail("Should have thrown AccessDeniedException");
} catch (AccessDeniedException expected) {
assertTrue(true);
}
}
@@ -138,10 +124,9 @@ public class AffirmativeBasedTests extends TestCase {
ConfigAttributeDefinition config = new ConfigAttributeDefinition("IGNORED_BY_ALL");
mgr.decide(auth, new Object(), config);
assertTrue(true);
}
public void testTwoAffirmativeVotesTwoAbstainVotesGrantsAccess()
public void testOneAffirmativeVotesTwoAbstainVotesGrantsAccess()
throws Exception {
TestingAuthenticationToken auth = makeTestToken();
AffirmativeBased mgr = makeDecisionManager();
@@ -149,6 +134,5 @@ public class AffirmativeBasedTests extends TestCase {
ConfigAttributeDefinition config = new ConfigAttributeDefinition(new String[]{"ROLE_1", "ROLE_2"});
mgr.decide(auth, new Object(), config);
assertTrue(true);
}
}
+10
View File
@@ -58,6 +58,16 @@ sn: Mouse
uid: jerry
userPassword: jerryspassword
dn: cn=slash/guy,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: slash/guy
sn: Slash
uid: slashguy
userPassword: slashguyspassword
dn: cn=developers,ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: groupOfNames
+41
View File
@@ -0,0 +1,41 @@
Bundle-SymbolicName: org.springframework.security.core
Bundle-Name: Spring Security Core
Bundle-Vendor: SpringSource
Bundle-Version: ${version}
Bundle-ManifestVersion: 2
Ignored-Existing-Headers:
Import-Package,
Export-Package
Import-Template:
org.aopalliance.*;version="[1.0.0, 2.0.0)",
org.aspectj.*;version="[1.5.2, 1.7.0)";resolution:=optional,
org.apache.commons.codec.*;version="[1.3, 2.0)";resolution:=optional,
org.apache.commons.logging.*;version="[1.0.4, 2.0.0)",
org.apache.commons.collections.*;version="[3.2.0, 4.0.0)",
org.jaxen.*;version="[1.1.1, 1.2.0)";resolution:=optional,
org.springframework.aop.*;version="[2.0.8, 3.1.0)";resolution:=optional,
org.springframework.beans.*;version="[2.0.8, 3.1.0)",
org.springframework.context.*;version="[2.0.8, 3.1.0)",
org.springframework.core.*;version="[2.0.8, 3.1.0)",
org.springframework.metadata.*;version="[2.0.8, 3.1.0)";resolution:=optional,
org.springframework.expression.*;version="[2.0.8, 3.1.0)";resolution:=optional,
org.springframework.remoting.*;version="[2.0.8, 3.1.0)";resolution:=optional,
org.springframework.dao.*;version="[2.0.8, 3.1.0)";resolution:=optional,
org.springframework.jdbc.*;version="[2.0.8, 3.1.0)";resolution:=optional,
org.springframework.transaction.*;version="[2.0.8, 3.1.0)";resolution:=optional,
org.springframework.web.context.*;version="[2.0.8, 3.1.0)";resolution:=optional,
org.springframework.util;version="[2.0.8, 3.1.0)",
org.springframework.mock.web;version="[2.0.8, 3.1.0)";resolution:=optional,
org.springframework.util.xml;version="[2.0.8, 3.1.0)";resolution:=optional,
org.springframework.ldap.*;version="[1.2.1.A, 1.3.0)";resolution:=optional,
org.apache.directory.server.*;version="[1.0.2, 1.5)";resolution:=optional,
net.sf.ehcache.*;version="[1.4.1, 2.0.0)";resolution:=optional,
javax.crypto.*;version="0";resolution:=optional,
javax.security.auth.*;version="0";resolution:=optional,
javax.servlet.*;version="[2.4.0, 3.0.0)";resolution:=optional,
javax.naming.*;version="0";resolution:=optional,
javax.rmi.*;version="0";resolution:=optional,
javax.sql.*;version="0";resolution:=optional,
javax.xml.parsers;version="0";resolution:=optional,
org.w3c.dom.*;version="0";resolution:=optional,
org.xml.sax.*;version="0";resolution:=optional
+6 -1
View File
@@ -5,13 +5,18 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-itest</artifactId>
<version>2.0.4-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<artifactId>spring-security-itest-context</artifactId>
<name>Spring Security - Miscellaneous Application Context Integration Tests</name>
<packaging>jar</packaging>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
@@ -0,0 +1,67 @@
package org.springframework.security.integration;
import static org.junit.Assert.assertEquals;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.context.HttpSessionContextIntegrationFilter;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.util.AuthorityUtils;
import org.springframework.security.util.FilterChainProxy;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import javax.servlet.http.HttpSession;
@ContextConfiguration(locations={"/http-path-param-stripping-app-context.xml"})
@RunWith(SpringJUnit4ClassRunner.class)
public class HttpPathParameterStrippingTests {
@Autowired
private FilterChainProxy fcp;
@Test
public void securedFilterChainCannotBeBypassedByAddingPathParameters() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setPathInfo("/secured;x=y/admin.html");
request.setSession(createAuthenticatedSession("ROLE_USER"));
MockHttpServletResponse response = new MockHttpServletResponse();
fcp.doFilter(request, response, new MockFilterChain());
assertEquals(403, response.getStatus());
}
@Test
public void adminFilePatternCannotBeBypassedByAddingPathParameters() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/secured/admin.html;x=user.html");
request.setSession(createAuthenticatedSession("ROLE_USER"));
MockHttpServletResponse response = new MockHttpServletResponse();
fcp.doFilter(request, response, new MockFilterChain());
assertEquals(403, response.getStatus());
// Try with pathInfo
request = new MockHttpServletRequest();
request.setServletPath("/secured");
request.setPathInfo("/admin.html;x=user.html");
request.setSession(createAuthenticatedSession("ROLE_USER"));
response = new MockHttpServletResponse();
fcp.doFilter(request, response, new MockFilterChain());
assertEquals(403, response.getStatus());
}
public HttpSession createAuthenticatedSession(String... roles) {
MockHttpSession session = new MockHttpSession();
SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("bob", "bobspassword",
AuthorityUtils.stringArrayToAuthorityArray(roles)));
session.setAttribute(HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
SecurityContextHolder.clearContext();
return session;
}
}
@@ -0,0 +1,28 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
-
-->
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
<http>
<intercept-url pattern="/secured/*user.html" access="ROLE_USER" />
<intercept-url pattern="/secured/admin.html" access="ROLE_ADMIN" />
<intercept-url pattern="/secured/user/**" access="ROLE_USER" />
<intercept-url pattern="/secured/admin/*" access="ROLE_ADMIN" />
<intercept-url pattern="/**" filters="none" />
<form-login />
</http>
<authentication-provider>
<user-service id="userService">
<user name="notused" password="notused" authorities="ROLE_0,ROLE_1"/>
</user-service>
</authentication-provider>
</b:beans>
+24 -24
View File
@@ -1,20 +1,20 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-itest</artifactId>
<name>Spring Security - Integration Tests</name>
<packaging>pom</packaging>
<version>2.0.4-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
<modules>
<module>web</module>
<!-- module>webflow</module-->
<module>context</module>
</modules>
<dependencies>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring</artifactId>
<version>2.5.5</version>
<version>2.5.6.SEC02</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
@@ -25,14 +25,14 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<version>2.5.5</version>
<version>2.5.6.SEC02</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
@@ -58,7 +58,7 @@
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
@@ -69,18 +69,18 @@
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</exclusions>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjrt</artifactId>
<version>1.6.1</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.6.1</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjrt</artifactId>
<version>1.6.1</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.6.1</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
@@ -97,7 +97,7 @@
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.directory.server</groupId>
@@ -128,9 +128,9 @@
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
@@ -195,10 +195,10 @@
</property>
</systemProperties>
</configuration>
</plugin>
</plugin>
</plugins>
</build>
<properties>
<jetty.version>6.1.11</jetty.version>
</properties>
</properties>
</project>
+8 -8
View File
@@ -5,7 +5,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-itest</artifactId>
<version>2.0.4-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<artifactId>spring-security-itest-web</artifactId>
<name>Spring Security - Web Integration Tests</name>
@@ -36,7 +36,7 @@
<artifactId>jetty-naming</artifactId>
<version>${jetty.version}</version>
<scope>test</scope>
</dependency>
</dependency>
<dependency>
<groupId>org.mortbay.jetty</groupId>
<artifactId>jetty-plus</artifactId>
@@ -53,8 +53,8 @@
<groupId>org.mortbay.jetty</groupId>
<artifactId>jsp-api-2.1</artifactId>
<version>${jetty.version}</version>
</dependency>
<!--
</dependency>
<!--
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
@@ -67,10 +67,10 @@
<scope>runtime</scope>
<version>1.1.2</version>
</dependency>
-->
-->
</dependencies>
<!--
<!--
<build>
<plugins>
<plugin>
@@ -88,7 +88,7 @@
</execution>
</executions>
</plugin>
</plugins>
</build>
</plugins>
</build>
-->
</project>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-parent</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<packaging>jar</packaging>
<artifactId>spring-security-ntlm</artifactId>
+12 -24
View File
@@ -3,13 +3,13 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-parent</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<artifactId>spring-security-openid</artifactId>
<name>Spring Security - OpenID support</name>
<description>Spring Security - Support for OpenID</description>
<version>2.0.5-SNAPSHOT</version>
<packaging>bundle</packaging>
<version>2.0.6.RELEASE</version>
<packaging>jar</packaging>
<dependencies>
<dependency>
@@ -45,26 +45,14 @@
<version>0.9.3</version>
</dependency>
</dependencies>
<properties>
<spring.osgi.export>
org.springframework.security.*;version=${pom.version.osgi}
</spring.osgi.export>
<spring.osgi.import>
javax.servlet.*;version="[2.4.0, 3.0.0)",
org.apache.commons.logging.*;version="[1.1.1, 2.0.0)",
org.openid4java.*;version="[0.9.3, 1.0.0)",
org.springframework.security.*;version="[${pom.version.osgi},${pom.version.osgi}]",
org.springframework.beans.*;version="${spring.version.osgi}",
org.springframework.util.*;version="${spring.version.osgi}"
</spring.osgi.import>
<spring.osgi.private.pkg>
!org.springframework.security.*
</spring.osgi.private.pkg>
<spring.osgi.symbolic.name>org.springframework.security.openid</spring.osgi.symbolic.name>
</properties>
<build>
<plugins>
<plugin>
<groupId>com.springsource.bundlor</groupId>
<artifactId>com.springsource.bundlor.maven</artifactId>
</plugin>
</plugins>
</build>
</project>
+15
View File
@@ -0,0 +1,15 @@
Bundle-SymbolicName: org.springframework.security.openid
Bundle-Name: Spring Security OpenID Support
Bundle-Vendor: SpringSource
Bundle-Version: ${version}
Bundle-ManifestVersion: 2
Ignored-Existing-Headers:
Import-Package,
Export-Package
Import-Template:
javax.servlet.*;version="[2.4.0, 3.0.0)",
org.apache.commons.logging.*;version="[1.0.4, 2.0.0)",
org.openid4java.*;version="[0.9.3, 1.0.0)",
org.springframework.security.*;version="[${version},${version}]",
org.springframework.beans.*;version="[2.0.8, 3.1.0)",
org.springframework.util.*;version="[2.0.8, 3.1.0)"
+58 -113
View File
@@ -3,18 +3,17 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-parent</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
<name>Spring Security</name>
<packaging>pom</packaging>
<modules>
<module>core</module>
<module>core-tiger</module>
<module>adapters</module>
<module>core</module>
<module>core-tiger</module>
<module>portlet</module>
<module>ntlm</module>
<module>openid</module>
<module>samples</module>
<!--module>samples</module-->
<module>cas</module>
<module>acl</module>
<module>taglibs</module>
@@ -36,13 +35,6 @@
</license>
</licenses>
<!-- Note when doing releases: tagBase is set in release plugin configuration below -->
<scm>
<connection>scm:svn:https://acegisecurity.svn.sourceforge.net/svnroot/acegisecurity/spring-security/trunk</connection>
<developerConnection>scm:svn:https://acegisecurity.svn.sourceforge.net/svnroot/acegisecurity/spring-security/trunk</developerConnection>
<url>http://acegisecurity.svn.sourceforge.net/viewcvs.cgi/acegisecurity/spring-security/trunk/</url>
</scm>
<issueManagement>
<system>jira</system>
<url>http://jira.springframework.org/browse/SEC</url>
@@ -50,13 +42,13 @@
<ciManagement>
<system>bamboo</system>
<url>https://build.springframework.org/browse/SEC</url>
</ciManagement>
</ciManagement>
<distributionManagement>
<distributionManagement>
<repository>
<id>spring-milestone</id>
<name>Spring Milestone Repository</name>
<url>s3://maven.springframework.org/milestone</url>
<id>spring-release</id>
<name>Spring Release Repository</name>
<url>s3://maven.springframework.org/release</url>
</repository>
<snapshotRepository>
@@ -64,49 +56,15 @@
<name>Spring Snapshot Repository</name>
<url>s3://maven.springframework.org/snapshot</url>
</snapshotRepository>
<site>
<id>local</id>
<name>Local Site Directory</name>
<!--
This variable is set by the build release script. You can also set it on the command line if
you are running maven directly. e.g. mvn site -DsiteDirectory=file:///home/joe/mysite
-->
<url>${siteDirectory}</url>
</site>
</distributionManagement>
<repositories>
<repository>
<id>spring-external</id>
<name>Spring Portfolio Release Repository</name>
<url>http://s3.amazonaws.com/maven.springframework.org/external</url>
</repository>
</repositories>
<mailingLists>
<mailingList>
<name>Acegi Developer List</name>
<subscribe>
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
</subscribe>
<!--
<unsubscribe>https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer</unsubscribe>
<post>acegisecurity-developer@lists.sourceforge.net</post>
-->
<archive>
http://sourceforge.net/mailarchive/forum.php?forum_id=40659
</archive>
<otherArchives>
<otherArchive>
http://news.gmane.org/gmane.comp.java.springframework.acegisecurity.devel/
</otherArchive>
<otherArchive>
http://www.mail-archive.com/acegisecurity-developer@lists.sourceforge.net/
</otherArchive>
</otherArchives>
</mailingList>
</mailingLists>
<pluginRepositories>
<pluginRepository>
<id>com.springsource.repository.maven.milestone</id>
<name>SpringSource Enterprise Bundle Repository - SpringSource Milestone Releases</name>
<url>http://repository.springsource.com/maven/bundles/milestone</url>
</pluginRepository>
</pluginRepositories>
<developers>
<developer>
@@ -218,10 +176,10 @@
</contributor>
<contributor>
<name>Ruud Senden</name>
</contributor>
</contributor>
<contributor>
<name>Michael Mayr</name>
</contributor>
</contributor>
</contributors>
<dependencies>
@@ -236,12 +194,30 @@
<build>
<extensions>
<extension>
<groupId>org.springframework.aws</groupId>
<artifactId>spring-aws-maven</artifactId>
<version>1.2.2</version>
<groupId>org.springframework.build.aws</groupId>
<artifactId>org.springframework.build.aws.maven</artifactId>
<version>2.0.0.RELEASE</version>
</extension>
</extensions>
<plugins>
<pluginManagement>
<plugins>
<plugin>
<groupId>com.springsource.bundlor</groupId>
<artifactId>com.springsource.bundlor.maven</artifactId>
<version>1.0.0.M6</version>
<executions>
<execution>
<id>bundlor</id>
<phase>package</phase>
<goals>
<goal>transform</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-help-plugin</artifactId>
@@ -361,10 +337,10 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId>
<version>2.0-beta-7</version>
<version>2.0-beta-9</version>
<configuration>
<tagBase>
https://acegisecurity.svn.sourceforge.net/svnroot/acegisecurity/spring-security/tags
https://src.springframework.org/svn/spring-security/tags
</tagBase>
</configuration>
</plugin>
@@ -449,35 +425,6 @@
</postProcess>
</configuration>
</plugin>
<!-- OSGi Felix bundle plugin -->
<plugin>
<groupId>org.apache.felix</groupId>
<artifactId>maven-bundle-plugin</artifactId>
<version>1.4.0</version>
<extensions>true</extensions>
<configuration>
<obrRepository>NONE</obrRepository>
<instructions>
<!-- bundle specific conf -->
<Bundle-Name>${artifactId}</Bundle-Name>
<Bundle-SymbolicName>${spring.osgi.symbolic.name}</Bundle-SymbolicName>
<Bundle-Vendor>SpringSource</Bundle-Vendor>
<Export-Package>${spring.osgi.export}</Export-Package>
<Import-Package>${spring.osgi.import}</Import-Package>
<Private-Package>${spring.osgi.private.pkg}</Private-Package>
<!--Include-Resource>${spring.osgi.include.res}</Include-Resource-->
<!-- jar entries -->
<Implementation-Title>Spring Security</Implementation-Title>
<Implementation-Version>${pom.version}</Implementation-Version>
<Implementation-Vendor>SpringSource</Implementation-Vendor>
<Implementation-Vendor-Id>org.springframework.security</Implementation-Vendor-Id>
<!-- Spring specific entries -->
<!--Spring-Version>${spring.maven.artifact.version}</Spring-Version-->
</instructions>
<excludeDependencies>true</excludeDependencies>
</configuration>
</plugin>
</plugins>
</build>
@@ -487,11 +434,11 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.4.2</version>
<!--
<!--
<configuration>
<aggregate>true</aggregate>
</configuration>
-->
</configuration>
-->
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@@ -501,7 +448,7 @@
<excludes>
<exclude>bigbank/**</exclude>
</excludes>
</configuration>
</configuration>
</plugin>
<!--
<plugin>
@@ -521,14 +468,14 @@
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.4</version>
<configuration>
<aggregate>true</aggregate>
<header>Spring Security Framework</header>
<quiet>true</quiet>
<excludePackageNames>sample,bigbank,zzz</excludePackageNames>
<excludePackageNames>sample,bigbank,zzz</excludePackageNames>
<links>
<link>
http://java.sun.com/j2se/1.5.0/docs/api
@@ -572,7 +519,7 @@
<!--<report>test-javadoc</report> -->
</reports>
</reportSet>
</reportSets>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
@@ -582,7 +529,7 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.0.1</version>
<!--
<!--
<reportSets>
<reportSet>
<reports>
@@ -594,8 +541,8 @@
</reports>
</reportSet>
</reportSets>
-->
</plugin>
-->
</plugin>
</plugins>
</reporting>
@@ -656,7 +603,7 @@
<artifactId>aspectjweaver</artifactId>
<optional>true</optional>
<version>1.5.4</version>
</dependency>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjrt</artifactId>
@@ -665,15 +612,15 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
</dependency>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>cglib</groupId>
<artifactId>cglib-nodep</artifactId>
<scope>test</scope>
<optional>true</optional>
<version>2.1_3</version>
</dependency>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
@@ -723,17 +670,15 @@
<artifactId>standard</artifactId>
<version>${jstl.version}</version>
<scope>runtime</scope>
</dependency>
</dependency>
</dependencies>
</dependencyManagement>
<properties>
<pom.version.osgi>2.0.3.RELEASE</pom.version.osgi>
<spring.version>2.0.8</spring.version>
<spring.version.osgi>[2.0.8, 3.0.0)</spring.version.osgi>
<jstl.version>1.1.2</jstl.version>
<docbook.source>${basedir}/src/docbkx</docbook.source>
<docbook.target>${basedir}/target/site/guide</docbook.target>
<docbook.target>${basedir}/target/site/guide</docbook.target>
</properties>
</project>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-parent</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<artifactId>spring-security-portlet</artifactId>
<name>Spring Security - Portlet support</name>
+2 -9
View File
@@ -44,7 +44,7 @@ Release jars for the project are available from the central maven repository
http://repo1.maven.org/maven2/org/springframework/security/
Note that milestone releases and snapshots are not uploaded to the central
repository, but can be obtained from te Spring milestone repository.
repository, but can be obtained from the Spring milestone repository.
This blog article has full details on how to download milestone or snapshot
jars or use them in a Maven-based project build:
@@ -64,14 +64,7 @@ people who wrote Spring Security, and lead the development of the project:
For peer help and assistance, please use the Spring Security forum
located at the Spring Community's forum site:
http://forum.springframework.org
If you start using Spring Security in your project, please consider joining
the acegisecurity-developer mailing list. This is currently the best way to
keep informed about the project's status and provide feedback in design
discussions. You can join at:
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer.
http://forum.springsource.org
Links to mailing list archives, the forums, and other useful resources are
available from the web site.
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-cas</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-cas-client</artifactId>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-cas</artifactId>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-cas</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-cas-server</artifactId>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<artifactId>spring-security-samples-contacts</artifactId>
<name>Spring Security - Contacts sample</name>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<artifactId>spring-security-samples-dms</artifactId>
<name>Spring Security - DMS sample</name>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-ldap</artifactId>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-openid</artifactId>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-parent</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples</artifactId>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-portlet</artifactId>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-preauth</artifactId>
+1 -1
View File
@@ -3,7 +3,7 @@
<parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples</artifactId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-tutorial</artifactId>
+4 -4
View File
@@ -10,23 +10,23 @@
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-webflow</artifactId>
<name>Spring Security - Webflow sample</name>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.5.CI-SNAPSHOT</version>
<packaging>war</packaging>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>2.0.4</version>
<version>2.0.5.CI-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core-tiger</artifactId>
<version>2.0.4</version>
<version>2.0.5.CI-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>2.0.4</version>
<version>2.0.5.CI-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.springframework.webflow</groupId>
+8 -2
View File
@@ -3,13 +3,13 @@
<parent>
<artifactId>spring-security-parent</artifactId>
<groupId>org.springframework.security</groupId>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<name>Spring Security - JSP taglibs</name>
<version>2.0.5-SNAPSHOT</version>
<version>2.0.6.RELEASE</version>
<packaging>jar</packaging>
<dependencies>
@@ -64,5 +64,11 @@
<filtering>false</filtering>
</resource>
</resources>
<plugins>
<plugin>
<groupId>com.springsource.bundlor</groupId>
<artifactId>com.springsource.bundlor.maven</artifactId>
</plugin>
</plugins>
</build>
</project>
+18
View File
@@ -0,0 +1,18 @@
Bundle-SymbolicName: org.springframework.security.taglibs
Bundle-Name: Spring Security Taglibs
Bundle-Vendor: SpringSource
Bundle-Version: ${version}
Bundle-ManifestVersion: 2
Ignored-Existing-Headers:
Import-Package,
Export-Package
Import-Template:
org.apache.commons.logging.*;version="[1.0.4, 2.0.0)",
org.springframework.security.*;version="[${version}, ${version}]",
org.springframework.beans.*;version="[2.0.8, 3.1.0)",
org.springframework.context.*;version="[2.0.8, 3.1.0)",
org.springframework.web.*;version="[2.0.8, 3.1.0)",
org.springframework.util;version="[2.0.8, 3.1.0)",
net.sf.ehcache.*;version="[1.4.1, 2.0.0)";resolution:=optional,
javax.servlet.*;version="0"