SEC-271: added AuthorizationManagerBeanDefinitionParser

Vishal Puri 2007-07-05 02:15:31 +00:00
parent 97a568c078
commit 35c6aea8e8
5 changed files with 74 additions and 49 deletions


@ -32,28 +32,41 @@ import org.springframework.context.ApplicationContextAware;
import org.springframework.core.Ordered;
import org.springframework.util.Assert;
/**
* Used by the <code>SecurityEnforcementFilter</code> to commence authentication via the {@link
* BasicProcessingFilter}.<P>Once a user agent is authenticated using BASIC authentication, logout requires that
* the browser be closed or an unauthorized (401) header be sent. The simplest way of achieving the latter is to call
* the {@link #commence(ServletRequest, ServletResponse, AuthenticationException)} method below. This will indicate to
* the browser its credentials are no longer authorized, causing it to prompt the user to login again.</p>
* Used by the <code>SecurityEnforcementFilter</code> to commence
* authentication via the {@link BasicProcessingFilter}.
* <P>
* Once a user agent is authenticated using BASIC authentication, logout
* requires that the browser be closed or an unauthorized (401) header be sent.
* The simplest way of achieving the latter is to call the
* {@link #commence(ServletRequest, ServletResponse, AuthenticationException)}
* method below. This will indicate to the browser its credentials are no longer
* authorized, causing it to prompt the user to login again.
* </p>
*
* @author Ben Alex
* @version $Id: BasicProcessingFilterEntryPoint.java 1822 2007-05-17 12:20:16Z vishalpuri $
* @version $Id: BasicProcessingFilterEntryPoint.java 1822 2007-05-17 12:20:16Z
* vishalpuri $
*/
public class BasicProcessingFilterEntryPoint implements AuthenticationEntryPoint, InitializingBean, Ordered, ApplicationContextAware {
//~ Instance fields ================================================================================================
public class BasicProcessingFilterEntryPoint implements AuthenticationEntryPoint, InitializingBean, Ordered,
ApplicationContextAware {
// ~ Static fields/initializers
// =====================================================================================
private static final int DEFAULT_ORDER = Integer.MAX_VALUE;
private String realmName;
private int order = DEFAULT_ORDER;
private ApplicationContext applicationContext;
//~ Methods ========================================================================================================
// ~ Instance fields
// ================================================================================================
public int getOrder() {
private String realmName;
private int order = DEFAULT_ORDER;
private ApplicationContext applicationContext;
// ~ Methods
// ========================================================================================================
public int getOrder() {
return order;
}
@ -66,22 +79,22 @@ public class BasicProcessingFilterEntryPoint implements AuthenticationEntryPoint
if (order == DEFAULT_ORDER) {
OrderedUtils.copyOrderFromOtherClass(BasicProcessingFilter.class, applicationContext, this, true);
}
}
}
public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException)
throws IOException, ServletException {
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.addHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
}
public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException)
throws IOException, ServletException {
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.addHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
}
public String getRealmName() {
return realmName;
}
public String getRealmName() {
return realmName;
}
public void setRealmName(String realmName) {
this.realmName = realmName;
}
public void setRealmName(String realmName) {
this.realmName = realmName;
}
public void setApplicationContext(ApplicationContext applicationContext) {
this.applicationContext = applicationContext;


@ -1,22 +1,17 @@
package org.acegisecurity.config;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.acegisecurity.AccessDecisionManager;
import org.acegisecurity.intercept.web.FilterInvocationDefinitionDecorator;
import org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceMapping;
import org.acegisecurity.intercept.web.FilterSecurityInterceptor;
import org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap;
import org.acegisecurity.intercept.web.RegExpBasedFilterInvocationDefinitionMap;
import org.acegisecurity.util.BeanDefinitionParserUtils;
import org.acegisecurity.vote.AffirmativeBased;
import org.acegisecurity.vote.AuthenticatedVoter;
import org.acegisecurity.vote.RoleVoter;
import org.springframework.beans.factory.support.AbstractBeanDefinition;
import org.springframework.beans.factory.support.ManagedList;
import org.springframework.beans.factory.support.RootBeanDefinition;
import org.springframework.beans.factory.xml.AbstractBeanDefinitionParser;
import org.springframework.beans.factory.xml.ParserContext;
@ -50,7 +45,7 @@ public class FilterSecurityInterceptorBeanDefinitionParser extends AbstractBeanD
ParserContext parserContext) {
RootBeanDefinition filterInvocationInterceptor = new RootBeanDefinition(FilterSecurityInterceptor.class);
RootBeanDefinition accessDecisionManager = createAccessDecisionManagerAffirmativeBased();
RootBeanDefinition accessDecisionManager = AuthorizationManagerBeanDefinitionParser.createAccessDecisionManagerAffirmativeBased();
filterInvocationInterceptor.getPropertyValues()
.addPropertyValue("accessDecisionManager", accessDecisionManager);
@ -155,16 +150,6 @@ public class FilterSecurityInterceptorBeanDefinitionParser extends AbstractBeanD
return filterInvocationInterceptor;
}
protected static RootBeanDefinition createAccessDecisionManagerAffirmativeBased() {
ManagedList decisionVoters = new ManagedList();
RootBeanDefinition accessDecisionManager = new RootBeanDefinition(AffirmativeBased.class);
accessDecisionManager.getPropertyValues().addPropertyValue("allowIfAllAbstainDecisions", Boolean.FALSE);
RootBeanDefinition authenticatedVoter = new RootBeanDefinition(AuthenticatedVoter.class);
RootBeanDefinition roleVoter = new RootBeanDefinition(RoleVoter.class);
decisionVoters.add(authenticatedVoter);
decisionVoters.add(roleVoter);
accessDecisionManager.getPropertyValues().addPropertyValue("decisionVoters", decisionVoters);
return accessDecisionManager;
}
}
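Review bot: The interceptor's `accessDecisionManager` is still taken unconditionally from `AuthorizationManagerBeanDefinitionParser.createAccessDecisionManagerAffirmativeBased()`, so a `<security:authorization-manager strategy="unanimous">` declared in the same context does not appear to reach URL authorization, and the filter would keep deciding affirmatively. If this is meant as a fallback only, say so at the call site, e.g. `// default manager; a declared authorization-manager element is not consulted here`, and consider preferring a configured `AccessDecisionManager` bean when one exists. The removed helper pinned `allowIfAllAbstainDecisions` to `Boolean.FALSE`; the relocated version is not shown on this page, so it is worth confirming that deny-on-abstain survived the move. The enclosing parse method starts before the second hunk, and the class body is only partly visible.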


@ -28,6 +28,7 @@ public class SecurityNamespaceHandler extends NamespaceHandlerSupport {
registerBeanDefinitionParser("logout-support", new LogoutFilterBeanDefinitionParser());
registerBeanDefinitionParser("exception-translation", new ExceptionTranslationFilterBeanDefinitionParser());
registerBeanDefinitionParser("authentication-form", new AuthenticationProcessingFilterBeanDefinitionParser());
registerBeanDefinitionParser("authorization-manager", new AuthorizationManagerBeanDefinitionParser());
registerBeanDefinitionParser("authorization-http-url", new FilterSecurityInterceptorBeanDefinitionParser());
registerBeanDefinitionParser("autoconfig", new AutoConfigBeanDefinitionParser());
}


@ -561,6 +561,32 @@
<xsd:attribute name="attribute" type="xsd:string" />
</xsd:complexType>
<xsd:element name="authorization-manager" type="AuthorizationManagerType"/>
<xsd:complexType name="AuthorizationManagerType">
<xsd:sequence>
<xsd:element name="role-voter" type="xsd:string" minOccurs="0" maxOccurs="1"/>
<xsd:element name="authenticated-voter" type="xsd:string" minOccurs="0" maxOccurs="1"/>
</xsd:sequence>
<xsd:attribute name="id" type="xsd:ID">
<xsd:annotation>
<xsd:documentation>
<![CDATA[
The unique identifier for a bean.
]]>
</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<xsd:attribute name="strategy" type="response" default="affirmative"/>
</xsd:complexType>
<xsd:simpleType name="response">
<xsd:restriction base="xsd:NMTOKEN">
<xsd:enumeration value="consensus" />
<xsd:enumeration value="unanimous" />
<xsd:enumeration value="affirmative" />
</xsd:restriction>
</xsd:simpleType>
<!-- simple internal types -->
<xsd:simpleType name="defaultable-boolean">
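Review bot: The `strategy` attribute carries no `xsd:documentation`, and its enumeration type is named `response`, which says nothing about how votes are combined. The three values change the authorization outcome, and the default `affirmative` is the most permissive of them (one granting voter is enough), so the schema should state that, for example `<xsd:documentation>How voter decisions are combined; affirmative grants access when any voter grants.</xsd:documentation>`, and the type would read better as `decision-strategy`. Both `role-voter` and `authenticated-voter` are optional, so an element with no voters validates. Whether the parser then falls back to default voters or builds a manager without any cannot be seen from this hunk and deserves a check.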


@ -37,7 +37,7 @@
and uses their Ordered interface to apply them; if one doesn't implement Ordered, assume it is Integer.MAX_VALUE -->
<security:authorization-manager id="id"
strategy="consensus|unanimous|affirmative" />
t
<!-- ======================== AUTHENTICATION ======================= -->
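Review bot: The lone `t` on the line after the `<security:authorization-manager … />` element looks like a stray keystroke. The rendering has lost the `+`/`-` markers, but if it is on the new side of this one-line change, it becomes character data between bean definitions, and the file will no longer validate against a schema that allows only elements there; it should be removed so the line is blank again. Separately, `id="id"` and `strategy="consensus|unanimous|affirmative"` are placeholders rather than values the new `response` enumeration accepts, so a short comment marking the element as a syntax sketch would keep it from being copied verbatim.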