From 35c6aea8e8c19be4e2e56d10a792a26bb4dd6fdc Mon Sep 17 00:00:00 2001
From: Vishal Puri
Date: Thu, 5 Jul 2007 02:15:31 +0000
Subject: [PATCH] SEC-271: added AuthorizationManagerBeanDefinitionParser
---
 .../BasicProcessingFilterEntryPoint.java | 71 +++++++++++--------
 ...curityInterceptorBeanDefinitionParser.java | 21 +-----
 .../config/SecurityNamespaceHandler.java | 1 +
 .../config/spring-security-2.0.xsd | 28 +++++++-
 .../config/security-namespaces.xml | 2 +-
 5 files changed, 74 insertions(+), 49 deletions(-)
diff --git a/sandbox/spring-security-config/basicauth/BasicProcessingFilterEntryPoint.java b/sandbox/spring-security-config/basicauth/BasicProcessingFilterEntryPoint.java
index 83f14c5fb3..ad02d21362 100644
--- a/sandbox/spring-security-config/basicauth/BasicProcessingFilterEntryPoint.java
+++ b/sandbox/spring-security-config/basicauth/BasicProcessingFilterEntryPoint.java
@@ -32,28 +32,41 @@ import org.springframework.context.ApplicationContextAware; import org.springframework.core.Ordered; import org.springframework.util.Assert; - /** - * Used by the SecurityEnforcementFilter to commence authentication via the {@link - * BasicProcessingFilter}.

Once a user agent is authenticated using BASIC authentication, logout requires that - * the browser be closed or an unauthorized (401) header be sent. The simplest way of achieving the latter is to call - * the {@link #commence(ServletRequest, ServletResponse, AuthenticationException)} method below. This will indicate to - * the browser its credentials are no longer authorized, causing it to prompt the user to login again.

- * + * Used by the SecurityEnforcementFilter to commence + * authentication via the {@link BasicProcessingFilter}. + *

+ * Once a user agent is authenticated using BASIC authentication, logout + * requires that the browser be closed or an unauthorized (401) header be sent. + * The simplest way of achieving the latter is to call the + * {@link #commence(ServletRequest, ServletResponse, AuthenticationException)} + * method below. This will indicate to the browser its credentials are no longer + * authorized, causing it to prompt the user to login again. + *

+ * * @author Ben Alex - * @version $Id: BasicProcessingFilterEntryPoint.java 1822 2007-05-17 12:20:16Z vishalpuri $ + * @version $Id: BasicProcessingFilterEntryPoint.java 1822 2007-05-17 12:20:16Z + * vishalpuri $ */ -public class BasicProcessingFilterEntryPoint implements AuthenticationEntryPoint, InitializingBean, Ordered, ApplicationContextAware { - //~ Instance fields ================================================================================================ - +public class BasicProcessingFilterEntryPoint implements AuthenticationEntryPoint, InitializingBean, Ordered, + ApplicationContextAware { + // ~ Static fields/initializers + // ===================================================================================== private static final int DEFAULT_ORDER = Integer.MAX_VALUE; - private String realmName; - private int order = DEFAULT_ORDER; - private ApplicationContext applicationContext; - //~ Methods ======================================================================================================== + // ~ Instance fields + // ================================================================================================ - public int getOrder() { + private String realmName; + + private int order = DEFAULT_ORDER; + + private ApplicationContext applicationContext; + + // ~ Methods + // ======================================================================================================== + + public int getOrder() { return order; } 
@@ -66,22 +79,22 @@ public class BasicProcessingFilterEntryPoint implements AuthenticationEntryPoint
 if (order == DEFAULT_ORDER) {
 OrderedUtils.copyOrderFromOtherClass(BasicProcessingFilter.class, applicationContext, this, true);
 }
- }
+ }
- public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException)
- throws IOException, ServletException {
- HttpServletResponse httpResponse = (HttpServletResponse) response;
- httpResponse.addHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");
- httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
- }
+ public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException)
+ throws IOException, ServletException {
+ HttpServletResponse httpResponse = (HttpServletResponse) response;
+ httpResponse.addHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");
+ httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
+ }
- public String getRealmName() {
- return realmName;
- }
+ public String getRealmName() {
+ return realmName;
+ }
- public void setRealmName(String realmName) {
- this.realmName = realmName;
- }
+ public void setRealmName(String realmName) {
+ this.realmName = realmName;
+ }
 public void setApplicationContext(ApplicationContext applicationContext) {
 this.applicationContext = applicationContext;
diff --git a/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/FilterSecurityInterceptorBeanDefinitionParser.java b/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/FilterSecurityInterceptorBeanDefinitionParser.java
index 577ac2eafb..4e6bc5041b 100644
--- a/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/FilterSecurityInterceptorBeanDefinitionParser.java
+++ b/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/FilterSecurityInterceptorBeanDefinitionParser.java
@@ -1,22 +1,17 @@
 package org.acegisecurity.config;
 import java.util.ArrayList;
-import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
-import java.util.Map;
+import org.acegisecurity.AccessDecisionManager;
 import org.acegisecurity.intercept.web.FilterInvocationDefinitionDecorator;
 import org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceMapping;
 import org.acegisecurity.intercept.web.FilterSecurityInterceptor;
 import org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap;
 import org.acegisecurity.intercept.web.RegExpBasedFilterInvocationDefinitionMap;
 import org.acegisecurity.util.BeanDefinitionParserUtils;
-import org.acegisecurity.vote.AffirmativeBased;
-import org.acegisecurity.vote.AuthenticatedVoter;
-import org.acegisecurity.vote.RoleVoter;
 import org.springframework.beans.factory.support.AbstractBeanDefinition;
-import org.springframework.beans.factory.support.ManagedList;
 import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.beans.factory.xml.AbstractBeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;
@@ -50,7 +45,7 @@ public class FilterSecurityInterceptorBeanDefinitionParser extends AbstractBeanD
 ParserContext parserContext) {
 RootBeanDefinition filterInvocationInterceptor = new RootBeanDefinition(FilterSecurityInterceptor.class);
- RootBeanDefinition accessDecisionManager = createAccessDecisionManagerAffirmativeBased();
+ RootBeanDefinition accessDecisionManager = AuthorizationManagerBeanDefinitionParser.createAccessDecisionManagerAffirmativeBased();
 filterInvocationInterceptor.getPropertyValues()
 .addPropertyValue("accessDecisionManager", accessDecisionManager);
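Review bot: The call to `AuthorizationManagerBeanDefinitionParser.createAccessDecisionManagerAffirmativeBased()` in the second hunk depends on a class that this patch does not contain (the diffstat lists five files, none of them the new parser), so the bean definition that now decides URL access cannot be checked here; the `authorization-manager` registration in SecurityNamespaceHandler depends on the same class. The helper removed from this file set `allowIfAllAbstainDecisions` to `Boolean.FALSE` and registered `AuthenticatedVoter` and `RoleVoter`; the relocated method should keep exactly that, because flipping the abstain default would grant access whenever no voter has an opinion. I would state that contract in the Javadoc of the relocated method and pin it with a parser test asserting that the `allowIfAllAbstainDecisions` property value is `Boolean.FALSE`. The enclosing parse method starts and ends outside the hunk.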
@@ -155,16 +150,6 @@ public class FilterSecurityInterceptorBeanDefinitionParser extends AbstractBeanD
 return filterInvocationInterceptor;
 }
- protected static RootBeanDefinition createAccessDecisionManagerAffirmativeBased() {
- ManagedList decisionVoters = new ManagedList();
- RootBeanDefinition accessDecisionManager = new RootBeanDefinition(AffirmativeBased.class);
- accessDecisionManager.getPropertyValues().addPropertyValue("allowIfAllAbstainDecisions", Boolean.FALSE);
- RootBeanDefinition authenticatedVoter = new RootBeanDefinition(AuthenticatedVoter.class);
- RootBeanDefinition roleVoter = new RootBeanDefinition(RoleVoter.class);
- decisionVoters.add(authenticatedVoter);
- decisionVoters.add(roleVoter);
- accessDecisionManager.getPropertyValues().addPropertyValue("decisionVoters", decisionVoters);
- return accessDecisionManager;
- }
+ }
diff --git a/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/SecurityNamespaceHandler.java b/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/SecurityNamespaceHandler.java
index a7bd459ce7..d56ea98b29 100644
--- a/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/SecurityNamespaceHandler.java
+++ b/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/SecurityNamespaceHandler.java
@@ -28,6 +28,7 @@ public class SecurityNamespaceHandler extends NamespaceHandlerSupport { registerBeanDefinitionParser("logout-support", new LogoutFilterBeanDefinitionParser()); registerBeanDefinitionParser("exception-translation", new ExceptionTranslationFilterBeanDefinitionParser()); registerBeanDefinitionParser("authentication-form", new AuthenticationProcessingFilterBeanDefinitionParser()); + registerBeanDefinitionParser("authorization-manager", new AuthorizationManagerBeanDefinitionParser()); registerBeanDefinitionParser("authorization-http-url", new FilterSecurityInterceptorBeanDefinitionParser()); registerBeanDefinitionParser("autoconfig", new AutoConfigBeanDefinitionParser()); } diff --git a/sandbox/spring-security-config/src/main/resources/org/acegisecurity/config/spring-security-2.0.xsd b/sandbox/spring-security-config/src/main/resources/org/acegisecurity/config/spring-security-2.0.xsd index 25a8848d40..1dd2273768 100644 --- a/sandbox/spring-security-config/src/main/resources/org/acegisecurity/config/spring-security-2.0.xsd +++ b/sandbox/spring-security-config/src/main/resources/org/acegisecurity/config/spring-security-2.0.xsd @@ -560,7 +560,33 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/security-namespaces.xml b/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/security-namespaces.xml index 65f23cb40c..29bae5ab6f 100644 --- a/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/security-namespaces.xml +++ b/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/security-namespaces.xml @@ -37,7 +37,7 @@ and uses their Ordered interface to apply them; if one doesn't implement Ordered, assume it is Integer.MAX_VALUE --> - t +