SEC-1998: Provide integration with WebAsyncManager#startCallableProcessing

Support integration of the Spring SecurityContext on Callable's used with
WebAsyncManager by registering SecurityContextCallableProcessingInterceptor.
This commit is contained in:
Rob Winch 2012-11-28 17:56:03 -06:00
parent 1a7aaa85c4
commit 1ed643ca1f
29 changed files with 583 additions and 35 deletions

View File

@ -8,5 +8,5 @@ dependencies {
"org.jasig.cas.client:cas-client-core:3.1.12", "org.jasig.cas.client:cas-client-core:3.1.12",
"net.sf.ehcache:ehcache:$ehcacheVersion" "net.sf.ehcache:ehcache:$ehcacheVersion"
provided 'javax.servlet:servlet-api:2.5' provided "org.apache.tomcat:tomcat-servlet-api:$servletApiVersion"
} }

View File

@ -21,7 +21,7 @@ dependencies {
"org.springframework:spring-web:$springVersion", "org.springframework:spring-web:$springVersion",
"org.springframework:spring-beans:$springVersion" "org.springframework:spring-beans:$springVersion"
provided "javax.servlet:servlet-api:2.5" provided "org.apache.tomcat:tomcat-servlet-api:$servletApiVersion"
groovy 'org.codehaus.groovy:groovy:1.8.7' groovy 'org.codehaus.groovy:groovy:1.8.7'

View File

@ -21,6 +21,8 @@ import static org.springframework.security.config.http.SecurityFilters.*;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import javax.servlet.ServletRequest;
import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.BeanReference; import org.springframework.beans.factory.config.BeanReference;
import org.springframework.beans.factory.config.RuntimeBeanReference; import org.springframework.beans.factory.config.RuntimeBeanReference;
@ -53,6 +55,7 @@ import org.springframework.security.web.authentication.session.SessionFixationPr
import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.NullSecurityContextRepository; import org.springframework.security.web.context.NullSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextPersistenceFilter; import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter; import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache; import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.NullRequestCache; import org.springframework.security.web.savedrequest.NullRequestCache;
@ -61,6 +64,7 @@ import org.springframework.security.web.servletapi.SecurityContextHolderAwareReq
import org.springframework.security.web.session.ConcurrentSessionFilter; import org.springframework.security.web.session.ConcurrentSessionFilter;
import org.springframework.security.web.session.SessionManagementFilter; import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy; import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;
import org.springframework.util.ClassUtils;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
import org.springframework.util.xml.DomUtils; import org.springframework.util.xml.DomUtils;
import org.w3c.dom.Element; import org.w3c.dom.Element;
@ -102,6 +106,7 @@ class HttpConfigurationBuilder {
private BeanReference contextRepoRef; private BeanReference contextRepoRef;
private BeanReference sessionRegistryRef; private BeanReference sessionRegistryRef;
private BeanDefinition concurrentSessionFilter; private BeanDefinition concurrentSessionFilter;
private BeanDefinition webAsyncManagerFilter;
private BeanDefinition requestCacheAwareFilter; private BeanDefinition requestCacheAwareFilter;
private BeanReference sessionStrategyRef; private BeanReference sessionStrategyRef;
private RootBeanDefinition sfpf; private RootBeanDefinition sfpf;
@ -114,7 +119,6 @@ class HttpConfigurationBuilder {
public HttpConfigurationBuilder(Element element, ParserContext pc, public HttpConfigurationBuilder(Element element, ParserContext pc,
BeanReference portMapper, BeanReference portResolver, BeanReference authenticationManager) { BeanReference portMapper, BeanReference portResolver, BeanReference authenticationManager) {
this.httpElt = element; this.httpElt = element;
this.pc = pc; this.pc = pc;
this.portMapper = portMapper; this.portMapper = portMapper;
@ -140,6 +144,7 @@ class HttpConfigurationBuilder {
createSecurityContextPersistenceFilter(); createSecurityContextPersistenceFilter();
createSessionManagementFilters(); createSessionManagementFilters();
createWebAsyncManagerFilter();
createRequestCacheFilter(); createRequestCacheFilter();
createServletApiFilter(); createServletApiFilter();
createJaasApiFilter(); createJaasApiFilter();
@ -350,6 +355,13 @@ class HttpConfigurationBuilder {
sessionRegistryRef = new RuntimeBeanReference(sessionRegistryId); sessionRegistryRef = new RuntimeBeanReference(sessionRegistryId);
} }
private void createWebAsyncManagerFilter() {
boolean asyncSupported = ClassUtils.hasMethod(ServletRequest.class, "startAsync");
if(asyncSupported) {
webAsyncManagerFilter = new RootBeanDefinition(WebAsyncManagerIntegrationFilter.class);
}
}
// Adds the servlet-api integration filter if required // Adds the servlet-api integration filter if required
private void createServletApiFilter() { private void createServletApiFilter() {
final String ATT_SERVLET_API_PROVISION = "servlet-api-provision"; final String ATT_SERVLET_API_PROVISION = "servlet-api-provision";
@ -552,6 +564,10 @@ class HttpConfigurationBuilder {
filters.add(new OrderDecorator(concurrentSessionFilter, CONCURRENT_SESSION_FILTER)); filters.add(new OrderDecorator(concurrentSessionFilter, CONCURRENT_SESSION_FILTER));
} }
if (webAsyncManagerFilter != null) {
filters.add(new OrderDecorator(webAsyncManagerFilter, WEB_ASYNC_MANAGER_FILTER));
}
filters.add(new OrderDecorator(securityContextPersistenceFilter, SECURITY_CONTEXT_FILTER)); filters.add(new OrderDecorator(securityContextPersistenceFilter, SECURITY_CONTEXT_FILTER));
if (servApiFilter != null) { if (servApiFilter != null) {

View File

@ -1,10 +1,25 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.config.http; package org.springframework.security.config.http;
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
/** /**
* Stores the default order numbers of all Spring Security filters for use in configuration. * Stores the default order numbers of all Spring Security filters for use in configuration.
* *
* @author Luke Taylor * @author Luke Taylor
* @author Rob Winch
*/ */
enum SecurityFilters { enum SecurityFilters {
@ -12,6 +27,8 @@ enum SecurityFilters {
CHANNEL_FILTER, CHANNEL_FILTER,
SECURITY_CONTEXT_FILTER, SECURITY_CONTEXT_FILTER,
CONCURRENT_SESSION_FILTER, CONCURRENT_SESSION_FILTER,
/** {@link WebAsyncManagerIntegrationFilter} */
WEB_ASYNC_MANAGER_FILTER,
LOGOUT_FILTER, LOGOUT_FILTER,
X509_FILTER, X509_FILTER,
PRE_AUTH_FILTER, PRE_AUTH_FILTER,

View File

@ -1,3 +1,15 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.config.http package org.springframework.security.config.http
import javax.servlet.Filter import javax.servlet.Filter
@ -8,8 +20,13 @@ import org.springframework.security.config.AbstractXmlConfigTests
import org.springframework.security.config.BeanIds import org.springframework.security.config.BeanIds
import org.springframework.security.web.FilterInvocation import org.springframework.security.web.FilterInvocation
/**
*
* @author Rob Winch
*
*/
abstract class AbstractHttpConfigTests extends AbstractXmlConfigTests { abstract class AbstractHttpConfigTests extends AbstractXmlConfigTests {
final int AUTO_CONFIG_FILTERS = 11; final int AUTO_CONFIG_FILTERS = 12;
def httpAutoConfig(Closure c) { def httpAutoConfig(Closure c) {
xml.http('auto-config': 'true', c) xml.http('auto-config': 'true', c)

View File

@ -54,6 +54,7 @@ import org.springframework.security.web.authentication.www.BasicAuthenticationEn
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter import org.springframework.security.web.authentication.www.BasicAuthenticationFilter
import org.springframework.security.web.context.HttpSessionSecurityContextRepository import org.springframework.security.web.context.HttpSessionSecurityContextRepository
import org.springframework.security.web.context.SecurityContextPersistenceFilter import org.springframework.security.web.context.SecurityContextPersistenceFilter
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter
import org.springframework.security.web.savedrequest.HttpSessionRequestCache import org.springframework.security.web.savedrequest.HttpSessionRequestCache
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter import org.springframework.security.web.savedrequest.RequestCacheAwareFilter
@ -79,6 +80,7 @@ import org.springframework.security.authentication.AuthenticationManager
* @author Rob Winch * @author Rob Winch
*/ */
class MiscHttpConfigTests extends AbstractHttpConfigTests { class MiscHttpConfigTests extends AbstractHttpConfigTests {
def 'Minimal configuration parses'() { def 'Minimal configuration parses'() {
setup: setup:
xml.http { xml.http {
@ -101,6 +103,7 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
Iterator<Filter> filters = filterList.iterator(); Iterator<Filter> filters = filterList.iterator();
assert filters.next() instanceof SecurityContextPersistenceFilter assert filters.next() instanceof SecurityContextPersistenceFilter
assert filters.next() instanceof WebAsyncManagerIntegrationFilter
assert filters.next() instanceof LogoutFilter assert filters.next() instanceof LogoutFilter
Object authProcFilter = filters.next(); Object authProcFilter = filters.next();
assert authProcFilter instanceof UsernamePasswordAuthenticationFilter assert authProcFilter instanceof UsernamePasswordAuthenticationFilter
@ -181,7 +184,7 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
createAppContext() createAppContext()
expect: expect:
getFilters("/anything")[5] instanceof AnonymousAuthenticationFilter getFilters("/anything")[6] instanceof AnonymousAuthenticationFilter
} }
def anonymousFilterIsRemovedIfDisabledFlagSet() { def anonymousFilterIsRemovedIfDisabledFlagSet() {
@ -354,7 +357,7 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
AUTO_CONFIG_FILTERS + 3 == filters.size(); AUTO_CONFIG_FILTERS + 3 == filters.size();
filters[0] instanceof SecurityContextHolderAwareRequestFilter filters[0] instanceof SecurityContextHolderAwareRequestFilter
filters[1] instanceof SecurityContextPersistenceFilter filters[1] instanceof SecurityContextPersistenceFilter
filters[4] instanceof SecurityContextHolderAwareRequestFilter filters[5] instanceof SecurityContextHolderAwareRequestFilter
filters[1] instanceof SecurityContextPersistenceFilter filters[1] instanceof SecurityContextPersistenceFilter
} }
@ -377,7 +380,7 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
createAppContext() createAppContext()
expect: expect:
getFilters("/someurl")[2] instanceof X509AuthenticationFilter getFilters("/someurl")[3] instanceof X509AuthenticationFilter
} }
def x509SubjectPrincipalRegexCanBeSetUsingPropertyPlaceholder() { def x509SubjectPrincipalRegexCanBeSetUsingPropertyPlaceholder() {

View File

@ -305,7 +305,7 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
'session-management'('session-fixation-protection': 'none', 'invalid-session-url': '/timeoutUrl') 'session-management'('session-fixation-protection': 'none', 'invalid-session-url': '/timeoutUrl')
} }
createAppContext() createAppContext()
def filter = getFilters("/someurl")[8] def filter = getFilters("/someurl")[9]
expect: expect:
filter instanceof SessionManagementFilter filter instanceof SessionManagementFilter

View File

@ -0,0 +1,49 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.core;
import static org.fest.assertions.Assertions.assertThat;
import java.io.DataInputStream;
import java.io.InputStream;
import org.junit.Test;
/**
*
* @author Rob Winch
*
*/
public class JavaVersionTests {
private static final int JDK5_CLASS_VERSION = 49;
@Test
public void authenticationCorrectJdkCompatibility() throws Exception {
assertClassVersion(Authentication.class);
}
private void assertClassVersion(Class<?> clazz) throws Exception {
String classResourceName = clazz.getName().replaceAll("\\.", "/") + ".class";
InputStream input = Thread.currentThread().getContextClassLoader().getResourceAsStream(classResourceName);
try {
DataInputStream data = new DataInputStream(input);
data.readInt();
data.readShort(); // minor
int major = data.readShort();
assertThat(major).isEqualTo(JDK5_CLASS_VERSION);
} finally {
try { input.close(); } catch(Exception e) {}
}
}
}

View File

@ -39,8 +39,8 @@ configure(javaProjects) {
} }
} }
// STS-2723 // STS-3057
project(':spring-security-samples-aspectj') { configure(allprojects) {
task afterEclipseImport { task afterEclipseImport {
ext.srcFile = file('.classpath') ext.srcFile = file('.classpath')
inputs.file srcFile inputs.file srcFile
@ -48,6 +48,25 @@ project(':spring-security-samples-aspectj') {
onlyIf { srcFile.exists() } onlyIf { srcFile.exists() }
doLast {
def classpath = new XmlParser().parse(srcFile)
classpath.classpathentry.findAll{ it.@path == 'GROOVY_SUPPORT' }.each { classpath.remove(it) }
def writer = new FileWriter(srcFile)
new XmlNodePrinter(new PrintWriter(writer)).print(classpath)
}
}
}
// STS-2723
project(':spring-security-samples-aspectj') {
task afterEclipseImportAjdtFix {
ext.srcFile = afterEclipseImport.srcFile
inputs.file srcFile
outputs.dir srcFile
onlyIf { srcFile.exists() }
doLast { doLast {
def classpath = new XmlParser().parse(srcFile) def classpath = new XmlParser().parse(srcFile)
@ -63,4 +82,6 @@ project(':spring-security-samples-aspectj') {
new XmlNodePrinter(new PrintWriter(writer)).print(classpath) new XmlNodePrinter(new PrintWriter(writer)).print(classpath)
} }
} }
afterEclipseImport.dependsOn afterEclipseImportAjdtFix
} }

View File

@ -16,6 +16,7 @@ ext.slf4jVersion = '1.6.1'
ext.logbackVersion = '0.9.29' ext.logbackVersion = '0.9.29'
ext.cglibVersion = '2.2' ext.cglibVersion = '2.2'
ext.powerMockVersion = '1.4.12' ext.powerMockVersion = '1.4.12'
ext.servletApiVersion = '7.0.33'
ext.powerMockDependencies = [ ext.powerMockDependencies = [
"org.powermock:powermock-core:$powerMockVersion", "org.powermock:powermock-core:$powerMockVersion",

View File

@ -10,7 +10,7 @@ dependencies {
"org.springframework:spring-beans:$springVersion" "org.springframework:spring-beans:$springVersion"
testCompile project(':spring-security-web'), testCompile project(':spring-security-web'),
'javax.servlet:servlet-api:2.5', "org.apache.tomcat:tomcat-servlet-api:$servletApiVersion",
"org.springframework:spring-web:$springVersion" "org.springframework:spring-web:$springVersion"
testRuntime project(':spring-security-config') testRuntime project(':spring-security-config')

View File

@ -3,7 +3,7 @@ dependencies {
compile "org.springframework:spring-context:$springVersion", compile "org.springframework:spring-context:$springVersion",
"org.springframework:spring-web:$springVersion" "org.springframework:spring-web:$springVersion"
provided 'javax.servlet:servlet-api:2.5' provided "org.apache.tomcat:tomcat-servlet-api:$servletApiVersion"
testCompile project(':spring-security-core'), testCompile project(':spring-security-core'),
project(':spring-security-web'), project(':spring-security-web'),

View File

@ -16,7 +16,7 @@ dependencies {
} }
compile 'com.google.inject:guice:2.0' compile 'com.google.inject:guice:2.0'
provided 'javax.servlet:servlet-api:2.5' provided "org.apache.tomcat:tomcat-servlet-api:$servletApiVersion"
runtime 'org.apache.httpcomponents:httpclient:4.1.1' runtime 'org.apache.httpcomponents:httpclient:4.1.1'
} }

View File

@ -30,7 +30,7 @@ eclipse.classpath.plusConfigurations += configurations.integrationTestRuntime
dependencies { dependencies {
groovy 'org.codehaus.groovy:groovy:1.8.7' groovy 'org.codehaus.groovy:groovy:1.8.7'
providedCompile 'javax.servlet:servlet-api:2.5@jar' providedCompile "org.apache.tomcat:tomcat-servlet-api:$servletApiVersion"
compile project(':spring-security-core'), compile project(':spring-security-core'),
project(':spring-security-cas'), project(':spring-security-cas'),

View File

@ -9,7 +9,7 @@ configurations {
} }
dependencies { dependencies {
providedCompile 'javax.servlet:servlet-api:2.5@jar' providedCompile "org.apache.tomcat:tomcat-servlet-api:$servletApiVersion"
compile project(':spring-security-core'), compile project(':spring-security-core'),
project(':spring-security-acl'), project(':spring-security-acl'),

View File

@ -21,7 +21,7 @@ repositories {
configurations.runtime.exclude(group: 'ch.qos.logback') configurations.runtime.exclude(group: 'ch.qos.logback')
dependencies { dependencies {
providedCompile 'javax.servlet:servlet-api:2.5@jar' providedCompile "org.apache.tomcat:tomcat-servlet-api:$servletApiVersion"
compile project(':spring-security-core'), compile project(':spring-security-core'),
project(':spring-security-web'), project(':spring-security-web'),

View File

@ -14,7 +14,7 @@ configurations {
} }
dependencies { dependencies {
providedCompile 'javax.servlet:servlet-api:2.5@jar' providedCompile "org.apache.tomcat:tomcat-servlet-api:$servletApiVersion"
compile project(':spring-security-core'), compile project(':spring-security-core'),
"org.springframework:spring-beans:$springVersion", "org.springframework:spring-beans:$springVersion",

View File

@ -7,7 +7,7 @@ dependencies {
compile project(':spring-security-core'), compile project(':spring-security-core'),
project(':spring-security-openid') project(':spring-security-openid')
providedCompile 'javax.servlet:servlet-api:2.5@jar' providedCompile "org.apache.tomcat:tomcat-servlet-api:$servletApiVersion"
runtime project(':spring-security-config'), runtime project(':spring-security-config'),
project(':spring-security-taglibs'), project(':spring-security-taglibs'),

View File

@ -14,7 +14,7 @@ configurations {
} }
dependencies { dependencies {
providedCompile 'javax.servlet:servlet-api:2.5@jar' providedCompile "org.apache.tomcat:tomcat-servlet-api:$servletApiVersion"
compile project(':spring-security-core'), compile project(':spring-security-core'),
"org.springframework:spring-beans:$springVersion", "org.springframework:spring-beans:$springVersion",

View File

@ -24,9 +24,9 @@ dependencies {
'org.aspectj:aspectjrt:1.6.8', 'org.aspectj:aspectjrt:1.6.8',
'org.hibernate:ejb3-persistence:1.0.2.GA', 'org.hibernate:ejb3-persistence:1.0.2.GA',
'javax.persistence:persistence-api:1.0', 'javax.persistence:persistence-api:1.0',
'org.slf4j:jcl-over-slf4j:1.5.11' 'org.slf4j:jcl-over-slf4j:1.5.11'
providedCompile 'javax.servlet:servlet-api:2.5' providedCompile "org.apache.tomcat:tomcat-servlet-api:$servletApiVersion"
runtime 'org.hibernate:hibernate-entitymanager:3.4.0.GA', runtime 'org.hibernate:hibernate-entitymanager:3.4.0.GA',
"org.springframework:spring-context-support:$springVersion", "org.springframework:spring-context-support:$springVersion",

View File

@ -10,7 +10,8 @@ dependencies {
"org.springframework:spring-expression:$springVersion", "org.springframework:spring-expression:$springVersion",
"org.springframework:spring-web:$springVersion" "org.springframework:spring-web:$springVersion"
provided 'javax.servlet:jsp-api:2.0', 'javax.servlet:servlet-api:2.5' provided 'javax.servlet:jsp-api:2.0',
"org.apache.tomcat:tomcat-servlet-api:$servletApiVersion"
testRuntime "javax.servlet:jstl:$jstlVersion" testRuntime "javax.servlet:jstl:$jstlVersion"
} }

View File

@ -1,4 +1,5 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited /* Copyright 2002-2012 the original author or authors.
* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -20,12 +21,16 @@ import java.io.IOException;
import java.io.PrintWriter; import java.io.PrintWriter;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.security.Principal; import java.security.Principal;
import java.util.Collection;
import java.util.Enumeration; import java.util.Enumeration;
import java.util.Locale; import java.util.Locale;
import java.util.Map; import java.util.Map;
import javax.servlet.AsyncContext;
import javax.servlet.DispatcherType;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.RequestDispatcher; import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import javax.servlet.ServletInputStream; import javax.servlet.ServletInputStream;
import javax.servlet.ServletOutputStream; import javax.servlet.ServletOutputStream;
@ -35,6 +40,7 @@ import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import javax.servlet.http.Part;
import org.springframework.security.web.util.UrlUtils; import org.springframework.security.web.util.UrlUtils;
@ -50,6 +56,7 @@ import org.springframework.security.web.util.UrlUtils;
* @author Ben Alex * @author Ben Alex
* @author colin sampaleanu * @author colin sampaleanu
* @author Luke Taylor * @author Luke Taylor
* @author Rob Winch
*/ */
public class FilterInvocation { public class FilterInvocation {
//~ Static fields ================================================================================================== //~ Static fields ==================================================================================================
@ -147,7 +154,7 @@ public class FilterInvocation {
} }
} }
@SuppressWarnings({"unchecked", "deprecation"}) @SuppressWarnings({"unchecked"})
class DummyRequest implements HttpServletRequest { class DummyRequest implements HttpServletRequest {
private String requestURI; private String requestURI;
private String contextPath = ""; private String contextPath = "";
@ -221,10 +228,12 @@ class DummyRequest implements HttpServletRequest {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
@SuppressWarnings("rawtypes")
public Enumeration getHeaderNames() { public Enumeration getHeaderNames() {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
@SuppressWarnings("rawtypes")
public Enumeration getHeaders(String name) { public Enumeration getHeaders(String name) {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
@ -285,6 +294,7 @@ class DummyRequest implements HttpServletRequest {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
@SuppressWarnings("rawtypes")
public Enumeration getAttributeNames() { public Enumeration getAttributeNames() {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
@ -322,6 +332,7 @@ class DummyRequest implements HttpServletRequest {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
@SuppressWarnings("rawtypes")
public Enumeration getLocales() { public Enumeration getLocales() {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
@ -330,10 +341,12 @@ class DummyRequest implements HttpServletRequest {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
@SuppressWarnings("rawtypes")
public Map getParameterMap() { public Map getParameterMap() {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
@SuppressWarnings("rawtypes")
public Enumeration getParameterNames() { public Enumeration getParameterNames() {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
@ -397,9 +410,56 @@ class DummyRequest implements HttpServletRequest {
public void setCharacterEncoding(String env) throws UnsupportedEncodingException { public void setCharacterEncoding(String env) throws UnsupportedEncodingException {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
public ServletContext getServletContext() {
throw new UnsupportedOperationException();
}
public AsyncContext startAsync() {
throw new UnsupportedOperationException();
}
public AsyncContext startAsync(ServletRequest servletRequest, ServletResponse servletResponse) {
throw new UnsupportedOperationException();
}
public boolean isAsyncStarted() {
throw new UnsupportedOperationException();
}
public boolean isAsyncSupported() {
throw new UnsupportedOperationException();
}
public AsyncContext getAsyncContext() {
throw new UnsupportedOperationException();
}
public DispatcherType getDispatcherType() {
throw new UnsupportedOperationException();
}
public boolean authenticate(HttpServletResponse response) throws IOException, ServletException {
throw new UnsupportedOperationException();
}
public void login(String username, String password) throws ServletException {
throw new UnsupportedOperationException();
}
public void logout() throws ServletException {
throw new UnsupportedOperationException();
}
public Collection<Part> getParts() throws IOException, IllegalStateException, ServletException {
throw new UnsupportedOperationException();
}
public Part getPart(String name) throws IOException, IllegalStateException, ServletException {
throw new UnsupportedOperationException();
}
} }
@SuppressWarnings({"deprecation"})
class DummyResponse implements HttpServletResponse { class DummyResponse implements HttpServletResponse {
public void addCookie(Cookie cookie) { public void addCookie(Cookie cookie) {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
@ -529,4 +589,20 @@ class DummyResponse implements HttpServletResponse {
public void setLocale(Locale loc) { public void setLocale(Locale loc) {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
public int getStatus() {
throw new UnsupportedOperationException();
}
public String getHeader(String name) {
throw new UnsupportedOperationException();
}
public Collection<String> getHeaders(String name) {
throw new UnsupportedOperationException();
}
public Collection<String> getHeaderNames() {
throw new UnsupportedOperationException();
}
} }

View File

@ -0,0 +1,79 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.web.context.request.async;
import java.util.concurrent.Callable;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.context.request.async.CallableProcessingInterceptor;
import org.springframework.web.context.request.async.CallableProcessingInterceptorAdapter;
/**
* <p>
* Allows for integration with Spring MVC's {@link Callable} support.
* </p>
* <p>
* A {@link CallableProcessingInterceptor} that establishes the injected {@link SecurityContext} on the
* {@link SecurityContextHolder} when {@link #preProcess(NativeWebRequest, Callable)} is invoked. It also clear out the
* {@link SecurityContextHolder} by invoking {@link SecurityContextHolder#clearContext()} in the
* {@link #afterCompletion(NativeWebRequest, Callable)} method.
* </p>
*
* @author Rob Winch
* @since 3.2
*/
public final class SecurityContextCallableProcessingInterceptor extends CallableProcessingInterceptorAdapter {
private SecurityContext securityContext;
/**
* Create a new {@link SecurityContextCallableProcessingInterceptor} that uses the {@link SecurityContext} from the
* {@link SecurityContextHolder} at the time {@link #beforeConcurrentHandling(NativeWebRequest, Callable)} is invoked.
*/
public SecurityContextCallableProcessingInterceptor() {
}
/**
* Creates a new {@link SecurityContextCallableProcessingInterceptor} with the specified {@link SecurityContext}.
* @param securityContext the {@link SecurityContext} to set on the {@link SecurityContextHolder} in
* {@link #preProcess(NativeWebRequest, Callable)}. Cannot be null.
* @throws IllegalArgumentException if {@link SecurityContext} is null.
*/
public SecurityContextCallableProcessingInterceptor(SecurityContext securityContext) {
Assert.notNull(securityContext, "securityContext cannot be null");
setSecurityContext(securityContext);
}
@Override
public <T> void beforeConcurrentHandling(NativeWebRequest request, Callable<T> task) throws Exception {
if(securityContext == null) {
setSecurityContext(SecurityContextHolder.getContext());
}
}
@Override
public <T> void afterCompletion(NativeWebRequest request, Callable<T> task) throws Exception {
SecurityContextHolder.clearContext();
}
@Override
public <T> void preProcess(NativeWebRequest request, Callable<T> task) throws Exception {
SecurityContextHolder.setContext(securityContext);
}
private void setSecurityContext(SecurityContext securityContext) {
this.securityContext = securityContext;
}
}

View File

@ -0,0 +1,52 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.web.context.request.async;
import java.io.IOException;
import java.util.concurrent.Callable;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.web.context.request.async.WebAsyncManager;
import org.springframework.web.context.request.async.WebAsyncUtils;
import org.springframework.web.filter.OncePerRequestFilter;
/**
* Provides integration between the {@link SecurityContext} and Spring Web's {@link WebAsyncManager} by using the
* {@link SecurityContextCallableProcessingInterceptor#beforeConcurrentHandling(org.springframework.web.context.request.NativeWebRequest, Callable)}
* to populate the {@link SecurityContext} on the {@link Callable}.
*
* @author Rob Winch
* @see SecurityContextCallableProcessingInterceptor
*/
public final class WebAsyncManagerIntegrationFilter extends OncePerRequestFilter {
private static final Object CALLABLE_INTERCEPTOR_KEY = new Object();
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
WebAsyncManager asyncManager = WebAsyncUtils.getAsyncManager(request);
SecurityContextCallableProcessingInterceptor securityProcessingInterceptor = (SecurityContextCallableProcessingInterceptor) asyncManager.getCallableInterceptor(CALLABLE_INTERCEPTOR_KEY);
if (securityProcessingInterceptor == null) {
asyncManager.registerCallableInterceptor(CALLABLE_INTERCEPTOR_KEY,
new SecurityContextCallableProcessingInterceptor());
}
filterChain.doFilter(request, response);
}
}

View File

@ -110,7 +110,7 @@ public class DefaultSavedRequest implements SavedRequest {
} }
// Parameters // Parameters
Map<String,Object> parameters = request.getParameterMap(); Map<String,String[]> parameters = request.getParameterMap();
for(String paramName : parameters.keySet()) { for(String paramName : parameters.keySet()) {
Object paramValues = parameters.get(paramName); Object paramValues = parameters.get(paramName);

View File

@ -1,13 +1,23 @@
package org.springframework.security.web.authentication.rememberme; package org.springframework.security.web.authentication.rememberme;
import static org.junit.Assert.*; import static org.powermock.api.mockito.PowerMockito.*;
import static org.mockito.Mockito.*; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertSame;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.mock;
import javax.servlet.http.Cookie; import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.junit.Test; import org.junit.Test;
import org.junit.runner.RunWith;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.core.classloader.annotations.PrepareOnlyThisForTest;
import org.powermock.modules.junit4.PowerMockRunner;
import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker; import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
@ -19,17 +29,16 @@ import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.security.web.authentication.rememberme.CookieTheftException;
import org.springframework.security.web.authentication.rememberme.InvalidCookieException;
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationException;
import org.springframework.test.util.ReflectionTestUtils; import org.springframework.test.util.ReflectionTestUtils;
import org.springframework.util.ReflectionUtils;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
/** /**
* @author Luke Taylor * @author Luke Taylor
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
@RunWith(PowerMockRunner.class)
@PrepareOnlyThisForTest(ReflectionUtils.class)
public class AbstractRememberMeServicesTests { public class AbstractRememberMeServicesTests {
static User joe = new User("joe", "password", true, true,true,true, AuthorityUtils.createAuthorityList("ROLE_A")); static User joe = new User("joe", "password", true, true,true,true, AuthorityUtils.createAuthorityList("ROLE_A"));
@ -333,6 +342,9 @@ public class AbstractRememberMeServicesTests {
@Test @Test
public void setHttpOnlyIgnoredForServlet25() throws Exception { public void setHttpOnlyIgnoredForServlet25() throws Exception {
spy(ReflectionUtils.class);
when(ReflectionUtils.findMethod(Cookie.class,"setHttpOnly", boolean.class)).thenReturn(null);
MockRememberMeServices services = new MockRememberMeServices(); MockRememberMeServices services = new MockRememberMeServices();
assertNull(ReflectionTestUtils.getField(services, "setHttpOnlyMethod")); assertNull(ReflectionTestUtils.getField(services, "setHttpOnlyMethod"));

View File

@ -0,0 +1,77 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.web.context.request.async;
import static org.fest.assertions.Assertions.assertThat;
import java.util.concurrent.Callable;
import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.request.NativeWebRequest;
/**
*
* @author Rob Winch
*
*/
@RunWith(MockitoJUnitRunner.class)
public class SecurityContextCallableProcessingInterceptorTests {
@Mock
private SecurityContext securityContext;
@Mock
private Callable<?> callable;
@Mock
private NativeWebRequest webRequest;
@After
public void clearSecurityContext() {
SecurityContextHolder.clearContext();
}
@Test(expected = IllegalArgumentException.class)
public void constructorNull() {
new SecurityContextCallableProcessingInterceptor(null);
}
@Test
public void currentSecurityContext() throws Exception {
SecurityContextCallableProcessingInterceptor interceptor = new SecurityContextCallableProcessingInterceptor();
SecurityContextHolder.setContext(securityContext);
interceptor.beforeConcurrentHandling(webRequest, callable);
SecurityContextHolder.clearContext();
interceptor.preProcess(webRequest, callable);
assertThat(SecurityContextHolder.getContext()).isSameAs(securityContext);
interceptor.afterCompletion(webRequest, callable);
assertThat(SecurityContextHolder.getContext()).isNotSameAs(securityContext);
}
@Test
public void specificSecurityContext() throws Exception {
SecurityContextCallableProcessingInterceptor interceptor = new SecurityContextCallableProcessingInterceptor(
securityContext);
interceptor.preProcess(webRequest, callable);
assertThat(SecurityContextHolder.getContext()).isSameAs(securityContext);
interceptor.afterCompletion(webRequest, callable);
assertThat(SecurityContextHolder.getContext()).isNotSameAs(securityContext);
}
}

View File

@ -0,0 +1,127 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.web.context.request.async;
import static org.fest.assertions.Assertions.assertThat;
import static org.mockito.Mockito.when;
import java.util.concurrent.Callable;
import java.util.concurrent.ThreadFactory;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.core.task.SimpleAsyncTaskExecutor;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.request.async.AsyncWebRequest;
import org.springframework.web.context.request.async.WebAsyncManager;
import org.springframework.web.context.request.async.WebAsyncUtils;
/**
*
* @author Rob Winch
*
*/
@RunWith(MockitoJUnitRunner.class)
public class WebAsyncManagerIntegrationFilterTests {
@Mock
private SecurityContext securityContext;
@Mock
private HttpServletRequest request;
@Mock
private HttpServletResponse response;
@Mock
private AsyncWebRequest asyncWebRequest;
private WebAsyncManager asyncManager;
private JoinableThreadFactory threadFactory;
private MockFilterChain filterChain;
private WebAsyncManagerIntegrationFilter filter;
@Before
public void setUp() {
when(asyncWebRequest.getNativeRequest(HttpServletRequest.class)).thenReturn(request);
when(request.getRequestURI()).thenReturn("/");
filterChain = new MockFilterChain();
threadFactory = new JoinableThreadFactory();
SimpleAsyncTaskExecutor executor = new SimpleAsyncTaskExecutor();
executor.setThreadFactory(threadFactory);
asyncManager = WebAsyncUtils.getAsyncManager(request);
asyncManager.setAsyncWebRequest(asyncWebRequest);
asyncManager.setTaskExecutor(executor);
when(request.getAttribute(WebAsyncUtils.WEB_ASYNC_MANAGER_ATTRIBUTE)).thenReturn(asyncManager);
filter = new WebAsyncManagerIntegrationFilter();
}
@After
public void clearSecurityContext() {
SecurityContextHolder.clearContext();
}
@Test
public void doFilterInternalRegistersSecurityContextCallableProcessor() throws Exception {
SecurityContextHolder.setContext(securityContext);
filter.doFilterInternal(request, response, filterChain);
VerifyingCallable verifyingCallable = new VerifyingCallable();
asyncManager.startCallableProcessing(verifyingCallable);
threadFactory.join();
assertThat(asyncManager.getConcurrentResult()).isSameAs(securityContext);
}
@Test
public void doFilterInternalRegistersSecurityContextCallableProcessorContextUpdated() throws Exception {
SecurityContextHolder.setContext(SecurityContextHolder.createEmptyContext());
filter.doFilterInternal(request, response, filterChain);
SecurityContextHolder.setContext(securityContext);
VerifyingCallable verifyingCallable = new VerifyingCallable();
asyncManager.startCallableProcessing(verifyingCallable);
threadFactory.join();
assertThat(asyncManager.getConcurrentResult()).isSameAs(securityContext);
}
private static final class JoinableThreadFactory implements ThreadFactory {
private Thread t;
public Thread newThread(Runnable r) {
t = new Thread(r);
return t;
}
public void join() throws InterruptedException {
t.join();
}
}
private class VerifyingCallable implements Callable<SecurityContext> {
public SecurityContext call() throws Exception {
return SecurityContextHolder.getContext();
}
}
}

View File

@ -9,7 +9,7 @@ dependencies {
"org.springframework:spring-tx:$springVersion", "org.springframework:spring-tx:$springVersion",
"org.springframework:spring-web:$springVersion" "org.springframework:spring-web:$springVersion"
provided 'javax.servlet:servlet-api:2.5' provided "org.apache.tomcat:tomcat-servlet-api:$servletApiVersion"
testCompile project(':spring-security-core').sourceSets.test.output, testCompile project(':spring-security-core').sourceSets.test.output,
'commons-codec:commons-codec:1.3', 'commons-codec:commons-codec:1.3',