From 04d42211b12dcba52f34752f2852af00ca9eb995 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Thu, 31 Mar 2011 21:04:32 +0100
Subject: [PATCH] SEC-1705: Make sure a single OpenIDAuthenticationFilter bean is created by the namespace. Likewise for UsernamePasswordAuthenticationFilter.
---
 .../http/AuthenticationConfigBuilder.java | 24 +++++++++----------
 samples/openid/openid.gradle | 15 ++++++++----
 2 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java b/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java
index 354102774a..aa754fff46 100644
--- a/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java
@@ -81,10 +81,8 @@ final class AuthenticationConfigBuilder {
 private String rememberMeServicesId;
 private BeanReference rememberMeProviderRef;
 private BeanDefinition basicFilter;
- private BeanReference basicEntryPoint;
- private RootBeanDefinition formFilter;
+ private RuntimeBeanReference basicEntryPoint;
 private BeanDefinition formEntryPoint;
- private RootBeanDefinition openIDFilter;
 private BeanDefinition openIDEntryPoint;
 private BeanReference openIDProviderRef;
 private String openIDProviderId;
@@ -141,6 +139,7 @@ final class AuthenticationConfigBuilder {
 void createFormLoginFilter(BeanReference sessionStrategy, BeanReference authManager) {
 Element formLoginElt = DomUtils.getChildElementByTagName(httpElt, Elements.FORM_LOGIN);
+ RootBeanDefinition formFilter = null;
 if (formLoginElt != null || autoConfig) {
 FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/j_spring_security_check",
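Review bot: The `basicEntryPoint` field is narrowed from `BeanReference` to the concrete `RuntimeBeanReference`, while the neighbouring reference fields (`rememberMeProviderRef`, `openIDProviderRef`) keep the interface type. Nothing visible in this patch needs the concrete type, and the change is unrelated to the single-filter-bean fix named in the subject. If no code outside these hunks depends on it, keep `private BeanReference basicEntryPoint;`.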
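Review bot: With the `formFilter` field gone, `formFilterId != null` becomes the only signal that a form-login filter exists, but the assignment of `formFilterId` lies outside this hunk and nothing documents the rule. The later hunks in `createLoginPageFilterIfNeeded`, the entry-point selection and the filter list all depend on it, and the same holds for `openIDFilter`/`openIDFilterId` in `createOpenIDLoginFilter`. I would put a comment on the new local, e.g. `// Registered under formFilterId; other methods must refer to the filter by that id so only one bean instance is created`, and confirm that the id is set only once the definition has actually been registered. The body of `createFormLoginFilter` continues past the end of the hunk.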
@@ -165,6 +164,7 @@ final class AuthenticationConfigBuilder {
 void createOpenIDLoginFilter(BeanReference sessionStrategy, BeanReference authManager) {
 Element openIDLoginElt = DomUtils.getChildElementByTagName(httpElt, Elements.OPENID_LOGIN);
+ RootBeanDefinition openIDFilter = null;
 if (openIDLoginElt != null) {
 FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/j_spring_openid_security_check",
@@ -318,7 +318,7 @@ final class AuthenticationConfigBuilder {
 void createLoginPageFilterIfNeeded() {
- boolean needLoginPage = formFilter != null || openIDFilter != null;
+ boolean needLoginPage = formFilterId != null || openIDFilterId != null;
 String formLoginPage = getLoginFormUrl(formEntryPoint);
 String openIDLoginPage = getLoginFormUrl(openIDEntryPoint);
@@ -329,11 +329,11 @@ final class AuthenticationConfigBuilder {
 BeanDefinitionBuilder loginPageFilter = BeanDefinitionBuilder.rootBeanDefinition(DefaultLoginPageGeneratingFilter.class);
- if (formFilter != null) {
+ if (formFilterId != null) {
 loginPageFilter.addConstructorArgReference(formFilterId);
 }
- if (openIDFilter != null) {
+ if (openIDFilterId != null) {
 loginPageFilter.addConstructorArgReference(openIDFilterId);
 }
@@ -497,12 +497,12 @@ final class AuthenticationConfigBuilder {
 "but not both.", pc.extractSource(openIDLoginElt));
 }
- if (formFilter != null && openIDLoginPage == null) {
+ if (formFilterId != null && openIDLoginPage == null) {
 return formEntryPoint;
 }
 // Otherwise use OpenID if enabled
- if (openIDFilter != null) {
+ if (openIDFilterId != null) {
 return openIDEntryPoint;
 }
@@ -566,12 +566,12 @@ final class AuthenticationConfigBuilder {
 filters.add(new OrderDecorator(x509Filter, X509_FILTER));
 }
- if (formFilter != null) {
- filters.add(new OrderDecorator(formFilter, FORM_LOGIN_FILTER));
+ if (formFilterId != null) {
+ filters.add(new OrderDecorator(new RuntimeBeanReference(formFilterId), FORM_LOGIN_FILTER));
 }
- if (openIDFilter != null) {
- filters.add(new OrderDecorator(openIDFilter, OPENID_FILTER));
+ if (openIDFilterId != null) {
+ filters.add(new OrderDecorator(new RuntimeBeanReference(openIDFilterId), OPENID_FILTER));
 }
 if (loginPageGenerationFilter != null) {
diff --git a/samples/openid/openid.gradle b/samples/openid/openid.gradle
index e22ef503f5..b5e017cf76 100644
--- a/samples/openid/openid.gradle
+++ b/samples/openid/openid.gradle
@@ -6,8 +6,13 @@ apply plugin: 'jetty'
 dependencies {
 providedCompile 'javax.servlet:servlet-api:2.5@jar'
- runtime project(':spring-security-web'),
- project(':spring-security-config'),
- project(':spring-security-openid'),
- 'log4j:log4j:1.2.15@jar'
-}
\ No newline at end of file
+ runtime project(':spring-security-config'),
+ project(':spring-security-taglibs'),
+// 'xerces:xercesImpl:2.9.1',
+// 'net.sourceforge.nekohtml:nekohtml:1.9.7',
+ "javax.servlet:jstl:$jstlVersion",
+ "org.slf4j:jcl-over-slf4j:$slf4jVersion",
+ "ch.qos.logback:logback-classic:$logbackVersion"
+}
+
+[jettyRun, jettyRunWar]*.contextPath = "/openid"
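Review bot: No test accompanies the switch to `new RuntimeBeanReference(formFilterId)` and `new RuntimeBeanReference(openIDFilterId)` in the filter list; the diffstat names only this file and the sample's `openid.gradle`. A duplicate authentication filter is a security-relevant misconfiguration, since settings applied to the bean registered under the id would presumably not reach a second copy sitting in the filter chain. I would add a namespace test that loads a configuration with form login and OpenID login enabled and asserts that the context holds exactly one bean of each filter type. The enclosing method starts and ends outside the hunk.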
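Review bot: Two dependencies are added as commented-out lines, `// 'xerces:xercesImpl:2.9.1',` and `// 'net.sourceforge.nekohtml:nekohtml:1.9.7',`, with nothing to say why they are disabled; drop them or add a line stating when they are needed. The runtime list also no longer names `project(':spring-security-openid')` or `project(':spring-security-web')`, so unless they are declared in a configuration outside this hunk the sample depends on them arriving transitively, which is worth stating in the build file. None of these build changes is mentioned in the commit subject, so one sentence in the description would help anyone tracing the sample's dependency set later.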