SEC-271: added AuthorizationManagerBeanDefinitionParser
parent
97a568c078
commit
35c6aea8e8
|
@ -32,28 +32,41 @@ import org.springframework.context.ApplicationContextAware;
|
|||
import org.springframework.core.Ordered;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
|
||||
/**
|
||||
* Used by the <code>SecurityEnforcementFilter</code> to commence authentication via the {@link
|
||||
* BasicProcessingFilter}.<P>Once a user agent is authenticated using BASIC authentication, logout requires that
|
||||
* the browser be closed or an unauthorized (401) header be sent. The simplest way of achieving the latter is to call
|
||||
* the {@link #commence(ServletRequest, ServletResponse, AuthenticationException)} method below. This will indicate to
|
||||
* the browser its credentials are no longer authorized, causing it to prompt the user to login again.</p>
|
||||
* Used by the <code>SecurityEnforcementFilter</code> to commence
|
||||
* authentication via the {@link BasicProcessingFilter}.
|
||||
* <P>
|
||||
* Once a user agent is authenticated using BASIC authentication, logout
|
||||
* requires that the browser be closed or an unauthorized (401) header be sent.
|
||||
* The simplest way of achieving the latter is to call the
|
||||
* {@link #commence(ServletRequest, ServletResponse, AuthenticationException)}
|
||||
* method below. This will indicate to the browser its credentials are no longer
|
||||
* authorized, causing it to prompt the user to login again.
|
||||
* </p>
|
||||
*
|
||||
* @author Ben Alex
|
||||
* @version $Id: BasicProcessingFilterEntryPoint.java 1822 2007-05-17 12:20:16Z vishalpuri $
|
||||
* @version $Id: BasicProcessingFilterEntryPoint.java 1822 2007-05-17 12:20:16Z
|
||||
* vishalpuri $
|
||||
*/
|
||||
public class BasicProcessingFilterEntryPoint implements AuthenticationEntryPoint, InitializingBean, Ordered, ApplicationContextAware {
|
||||
//~ Instance fields ================================================================================================
|
||||
|
||||
public class BasicProcessingFilterEntryPoint implements AuthenticationEntryPoint, InitializingBean, Ordered,
|
||||
ApplicationContextAware {
|
||||
// ~ Static fields/initializers
|
||||
// =====================================================================================
|
||||
private static final int DEFAULT_ORDER = Integer.MAX_VALUE;
|
||||
private String realmName;
|
||||
private int order = DEFAULT_ORDER;
|
||||
private ApplicationContext applicationContext;
|
||||
|
||||
//~ Methods ========================================================================================================
|
||||
// ~ Instance fields
|
||||
// ================================================================================================
|
||||
|
||||
public int getOrder() {
|
||||
private String realmName;
|
||||
|
||||
private int order = DEFAULT_ORDER;
|
||||
|
||||
private ApplicationContext applicationContext;
|
||||
|
||||
// ~ Methods
|
||||
// ========================================================================================================
|
||||
|
||||
public int getOrder() {
|
||||
return order;
|
||||
}
|
||||
|
||||
|
@ -66,22 +79,22 @@ public class BasicProcessingFilterEntryPoint implements AuthenticationEntryPoint
|
|||
if (order == DEFAULT_ORDER) {
|
||||
OrderedUtils.copyOrderFromOtherClass(BasicProcessingFilter.class, applicationContext, this, true);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException)
|
||||
throws IOException, ServletException {
|
||||
HttpServletResponse httpResponse = (HttpServletResponse) response;
|
||||
httpResponse.addHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");
|
||||
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
|
||||
}
|
||||
public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException)
|
||||
throws IOException, ServletException {
|
||||
HttpServletResponse httpResponse = (HttpServletResponse) response;
|
||||
httpResponse.addHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");
|
||||
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
|
||||
}
|
||||
|
||||
public String getRealmName() {
|
||||
return realmName;
|
||||
}
|
||||
public String getRealmName() {
|
||||
return realmName;
|
||||
}
|
||||
|
||||
public void setRealmName(String realmName) {
|
||||
this.realmName = realmName;
|
||||
}
|
||||
public void setRealmName(String realmName) {
|
||||
this.realmName = realmName;
|
||||
}
|
||||
|
||||
public void setApplicationContext(ApplicationContext applicationContext) {
|
||||
this.applicationContext = applicationContext;
|
||||
|
|
|
@ -1,22 +1,17 @@
|
|||
package org.acegisecurity.config;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashMap;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import org.acegisecurity.AccessDecisionManager;
|
||||
import org.acegisecurity.intercept.web.FilterInvocationDefinitionDecorator;
|
||||
import org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceMapping;
|
||||
import org.acegisecurity.intercept.web.FilterSecurityInterceptor;
|
||||
import org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap;
|
||||
import org.acegisecurity.intercept.web.RegExpBasedFilterInvocationDefinitionMap;
|
||||
import org.acegisecurity.util.BeanDefinitionParserUtils;
|
||||
import org.acegisecurity.vote.AffirmativeBased;
|
||||
import org.acegisecurity.vote.AuthenticatedVoter;
|
||||
import org.acegisecurity.vote.RoleVoter;
|
||||
import org.springframework.beans.factory.support.AbstractBeanDefinition;
|
||||
import org.springframework.beans.factory.support.ManagedList;
|
||||
import org.springframework.beans.factory.support.RootBeanDefinition;
|
||||
import org.springframework.beans.factory.xml.AbstractBeanDefinitionParser;
|
||||
import org.springframework.beans.factory.xml.ParserContext;
|
||||
|
@ -50,7 +45,7 @@ public class FilterSecurityInterceptorBeanDefinitionParser extends AbstractBeanD
|
|||
ParserContext parserContext) {
|
||||
RootBeanDefinition filterInvocationInterceptor = new RootBeanDefinition(FilterSecurityInterceptor.class);
|
||||
|
||||
RootBeanDefinition accessDecisionManager = createAccessDecisionManagerAffirmativeBased();
|
||||
RootBeanDefinition accessDecisionManager = AuthorizationManagerBeanDefinitionParser.createAccessDecisionManagerAffirmativeBased();
|
||||
filterInvocationInterceptor.getPropertyValues()
|
||||
.addPropertyValue("accessDecisionManager", accessDecisionManager);
|
||||
|
||||
|
@ -155,16 +150,6 @@ public class FilterSecurityInterceptorBeanDefinitionParser extends AbstractBeanD
|
|||
return filterInvocationInterceptor;
|
||||
}
|
||||
|
||||
protected static RootBeanDefinition createAccessDecisionManagerAffirmativeBased() {
|
||||
ManagedList decisionVoters = new ManagedList();
|
||||
RootBeanDefinition accessDecisionManager = new RootBeanDefinition(AffirmativeBased.class);
|
||||
accessDecisionManager.getPropertyValues().addPropertyValue("allowIfAllAbstainDecisions", Boolean.FALSE);
|
||||
RootBeanDefinition authenticatedVoter = new RootBeanDefinition(AuthenticatedVoter.class);
|
||||
RootBeanDefinition roleVoter = new RootBeanDefinition(RoleVoter.class);
|
||||
decisionVoters.add(authenticatedVoter);
|
||||
decisionVoters.add(roleVoter);
|
||||
accessDecisionManager.getPropertyValues().addPropertyValue("decisionVoters", decisionVoters);
|
||||
return accessDecisionManager;
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
|
|
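Review bot: Deleting `createAccessDecisionManagerAffirmativeBased()` from this class removes a `protected static` member, so any subclass or same-package caller that used it stops compiling; a one-line delegating method carrying a `@deprecated` Javadoc tag would keep them working. The replacement call in the `@ -50,7 +45,7` hunk goes to `AuthorizationManagerBeanDefinitionParser`, whose source is not on this page, so it is worth confirming that the moved helper still sets `allowIfAllAbstainDecisions` to `Boolean.FALSE` and still registers both `AuthenticatedVoter` and `RoleVoter`, since that setting is what makes the interceptor deny when every voter abstains. A comment at the call site such as `// default manager: affirmative, denies when all voters abstain` would record the intent. The method containing the call begins and ends outside these hunks.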
@ -28,6 +28,7 @@ public class SecurityNamespaceHandler extends NamespaceHandlerSupport {
|
|||
registerBeanDefinitionParser("logout-support", new LogoutFilterBeanDefinitionParser());
|
||||
registerBeanDefinitionParser("exception-translation", new ExceptionTranslationFilterBeanDefinitionParser());
|
||||
registerBeanDefinitionParser("authentication-form", new AuthenticationProcessingFilterBeanDefinitionParser());
|
||||
registerBeanDefinitionParser("authorization-manager", new AuthorizationManagerBeanDefinitionParser());
|
||||
registerBeanDefinitionParser("authorization-http-url", new FilterSecurityInterceptorBeanDefinitionParser());
|
||||
registerBeanDefinitionParser("autoconfig", new AutoConfigBeanDefinitionParser());
|
||||
}
|
||||
|
|
|
@ -561,6 +561,32 @@
|
|||
<xsd:attribute name="attribute" type="xsd:string" />
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:element name="authorization-manager" type="AuthorizationManagerType"/>
|
||||
|
||||
<xsd:complexType name="AuthorizationManagerType">
|
||||
<xsd:sequence>
|
||||
<xsd:element name="role-voter" type="xsd:string" minOccurs="0" maxOccurs="1"/>
|
||||
<xsd:element name="authenticated-voter" type="xsd:string" minOccurs="0" maxOccurs="1"/>
|
||||
</xsd:sequence>
|
||||
<xsd:attribute name="id" type="xsd:ID">
|
||||
<xsd:annotation>
|
||||
<xsd:documentation>
|
||||
<![CDATA[
|
||||
The unique identifier for a bean.
|
||||
]]>
|
||||
</xsd:documentation>
|
||||
</xsd:annotation>
|
||||
</xsd:attribute>
|
||||
<xsd:attribute name="strategy" type="response" default="affirmative"/>
|
||||
</xsd:complexType>
|
||||
|
||||
<xsd:simpleType name="response">
|
||||
<xsd:restriction base="xsd:NMTOKEN">
|
||||
<xsd:enumeration value="consensus" />
|
||||
<xsd:enumeration value="unanimous" />
|
||||
<xsd:enumeration value="affirmative" />
|
||||
</xsd:restriction>
|
||||
</xsd:simpleType>
|
||||
|
||||
<!-- simple internal types -->
|
||||
<xsd:simpleType name="defaultable-boolean">
|
||||
|
|
|
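Review bot: The new `strategy` attribute has no `xsd:documentation`, unlike `id` next to it, although the value chosen (presumably mapping to the affirmative, consensus and unanimous decision managers) decides how many voters must agree before access is granted; one sentence per enumeration value and a statement of the `affirmative` default would make that choice explicit for whoever writes the config. Both `role-voter` and `authenticated-voter` carry `minOccurs="0"`, so an `authorization-manager` with no voters validates against the schema; unless the parser, which is not shown here, supplies defaults or rejects that case, the outcome is left to the runtime. The simple type name `response` says nothing about voting, and a name like `decision-strategy` would read better.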
@ -37,7 +37,7 @@
|
|||
and uses their Ordered interface to apply them; if one doesn't implement Ordered, assume it is Integer.MAX_VALUE -->
|
||||
<security:authorization-manager id="id"
|
||||
strategy="consensus|unanimous|affirmative" />
|
||||
t
|
||||
|
||||
|
||||
<!-- ======================== AUTHENTICATION ======================= -->
|
||||
|
||||
|
|
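Review bot: A lone `t` sits on its own line after the `security:authorization-manager` element; the page no longer shows which side of the diff it is on, but if it is on the new side it looks like a stray keystroke and would add character content between elements. The `strategy="consensus|unanimous|affirmative"` value lists the alternatives rather than one of the enumerated values, so a short comment such as `<!-- pick one strategy; the schema default is affirmative -->` would keep a reader from copying it verbatim.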