SEC-271: Added more security elements

core/src/main/java/org/acegisecurity/config/AuthenticationMechanismBeanDefinitionParser.java

@@ -44,7 +44,7 @@ public class AuthenticationMechanismBeanDefinitionParser extends AbstractBeanDef
 
 			if (node.getNodeType() == Node.ELEMENT_NODE) {
 				Element childElement = (Element) node;
-				providerExists = true;
+				this.providerExists = true;
 
 				if (AUTHENTICATION_JDBC.equals(node.getLocalName())) {
 					String attribute = childElement.getAttribute(REF);
@@ -60,7 +60,7 @@ public class AuthenticationMechanismBeanDefinitionParser extends AbstractBeanDef
 
 		}
 
-		if (!providerExists) {
+		if (!this.providerExists) {
 			RootBeanDefinition rootBeanDefinition = new RootBeanDefinition(AuthenticationProviderOrderResolver.class);
 			BeanDefinitionHolder beanDefinitionHolder = new BeanDefinitionHolder(rootBeanDefinition,
 					"providerOrderResolver");

core/src/main/java/org/acegisecurity/config/LogoutFilterBeanDefinitionParser.java

@@ -4,9 +4,6 @@
 package org.acegisecurity.config;
 
 import org.acegisecurity.ui.logout.LogoutFilter;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.springframework.beans.factory.config.BeanDefinitionHolder;
 import org.springframework.beans.factory.support.AbstractBeanDefinition;
 import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.beans.factory.xml.AbstractBeanDefinitionParser;
@@ -34,9 +31,7 @@ public class LogoutFilterBeanDefinitionParser extends AbstractBeanDefinitionPars
 		// add the properties
 		RootBeanDefinition definition = new RootBeanDefinition(LogoutFilter.class);
 		setConstructorArgumentIfAvailable(0, element, REDIRECT_AFTER_LOGOUT_URL, "logoutSuccessUrl", definition);
-		// setPropertyIfAvailable(element,
-		// element.getAttribute(REDIRECT_AFTER_LOGOUT_URL), "logoutSuccessUrl",
-		// definition);
+		
 		setPropertyIfAvailable(element, LOGOUT_URL, "filterProcessesUrl", definition);
 
 		// register BFPP to check if LogoutFilter does not have setHandlers

core/src/main/java/org/acegisecurity/config/SecurityNamespaceHandler.java

@@ -26,6 +26,8 @@ public class SecurityNamespaceHandler extends NamespaceHandlerSupport {
 		registerBeanDefinitionParser("authentication-remember-me-services", new RememberMeServicesBeanDefinitionParser());
 		registerBeanDefinitionParser("authentication-remember-me-filter", new RememberMeFilterBeanDefinitionParser());
 		registerBeanDefinitionParser("logout-support", new LogoutFilterBeanDefinitionParser());
+		registerBeanDefinitionParser("exception-translation", new ExceptionTranslationFilterBeanDefinitionParser());
+		registerBeanDefinitionParser("authentication-form", new AuthenticationProcessingFilterBeanDefinitionParser());
 	}
 
 }

core/src/main/resources/org/acegisecurity/config/spring-security-2.0.xsd

@@ -124,6 +124,103 @@
 			type="xsd:string" use="optional" />
 	</xsd:complexType>
 
+	<!-- Logout Filter -->
+	<xsd:element name="logout-support" type="LogoutFilter" />
+
+	<xsd:complexType name="LogoutFilter">
+		<!-- Write other attributes -->
+		<xsd:attribute name="id" type="xsd:ID" />
+		<xsd:attribute name="redirectAfterLogoutUrl" type="xsd:string"
+			default="/" />
+		<xsd:attribute name="logoutUrl" type="xsd:string"
+			default="/logout" />
+	</xsd:complexType>
+
+	<!-- Exception Translation Filter -->
+	<xsd:element name="exception-translation"
+		type="ExceptionTranslation" />
+
+	<xsd:complexType name="ExceptionTranslation">
+		<xsd:all>
+			<xsd:element ref="entry-point" maxOccurs="1" />
+			<xsd:element ref="access-denied" maxOccurs="1"
+				minOccurs="0" />
+		</xsd:all>
+		<xsd:attribute name="id" type="xsd:ID">
+			<xsd:annotation>
+				<xsd:documentation>
+					<![CDATA[
+	The unique identifier for a bean.
+				]]>
+				</xsd:documentation>
+			</xsd:annotation>
+		</xsd:attribute>
+	</xsd:complexType>
+
+	<xsd:element name="entry-point">
+		<xsd:complexType>
+			<xsd:attribute name="entryPointBeanRef" type="xsd:string" />
+		</xsd:complexType>
+	</xsd:element>
+
+	<xsd:element name="access-denied">
+		<xsd:complexType>
+			<xsd:attribute name="accessDeniedUrl" type="xsd:string"
+				use="optional" />
+			<xsd:attribute name="accessDeniedBeanRef" type="xsd:string"
+				use="optional" />
+		</xsd:complexType>
+	</xsd:element>
+
+	<!-- AuthenticationProcessigFilter -->
+	<xsd:element name="authentication-form"
+		type="AuthenticationProcessingFilter" />
+
+	<xsd:complexType name="AuthenticationProcessingFilter">
+		<xsd:attribute name="id" type="xsd:ID">
+			<xsd:annotation>
+				<xsd:documentation>
+					<![CDATA[
+	The unique identifier for a bean.
+				]]>
+				</xsd:documentation>
+			</xsd:annotation>
+		</xsd:attribute>
+		<xsd:attribute name="authenticationUrl" type="xsd:string"
+			use="required">
+			<xsd:annotation>
+				<xsd:documentation>
+					<![CDATA[
+	The URL destination that this filter intercepts and processes (usually something like
+     /login) 
+				]]>
+				</xsd:documentation>
+			</xsd:annotation>
+		</xsd:attribute>
+		<xsd:attribute name="defaultTargetUrl" type="xsd:string"
+			use="required">
+			<xsd:annotation>
+				<xsd:documentation>
+					<![CDATA[
+	Where to redirect the browser to if authentication is successful but ACEGI_SAVED_REQUEST_KEY is
+     null
+				]]>
+				</xsd:documentation>
+			</xsd:annotation>
+		</xsd:attribute>
+		<xsd:attribute name="errorFormUrl" type="xsd:string"
+			use="required">
+			<xsd:annotation>
+				<xsd:documentation>
+					<![CDATA[
+	Where to redirect the browser to if authentication fails.
+				]]>
+				</xsd:documentation>
+			</xsd:annotation>
+		</xsd:attribute>
+	</xsd:complexType>
+
+
 
 	<xsd:element name="authentication-mechanism"
 		type="AuthenticationManager" />
@@ -158,30 +255,10 @@
 		</xsd:complexType>
 	</xsd:element>
 
-	<xsd:element name="logout-support" type="LogoutFilter" />
 
-	<xsd:complexType name="LogoutFilter">
-		<!-- <xsd:all>
-			<xsd:element name="clear-context" minOccurs="0" maxOccurs="1">
-			<xsd:complexType>
-			<xsd:attribute name="invalidateHttpSession"
-			type="xsd:boolean" default="true" use="optional" />
-			</xsd:complexType>
-			</xsd:element>
-			<xsd:element name="clear-remember-me" minOccurs="0" maxOccurs="1">>
-			<xsd:complexType>
-			<xsd:attribute name="rememberMeServicesBeanRef"
-			type="xsd:string" use="optional" />
-			</xsd:complexType>
-			</xsd:element>
-			</xsd:all> -->
-		<!-- Write other attributes -->
-		<xsd:attribute name="id" type="xsd:ID" />
-		<xsd:attribute name="redirectAfterLogoutUrl" type="xsd:string"
-			default="/" />
-		<xsd:attribute name="logoutUrl" type="xsd:string"
-			default="/logout" />
-	</xsd:complexType>
+
+
+
 
 	<xsd:element name="principal-repository" type="PrincipalRepository" />
 
@@ -339,6 +416,8 @@
 		</xsd:restriction>
 	</xsd:simpleType>
 
+
+
 	<xsd:simpleType name="encoders">
 		<xsd:restriction base="xsd:NMTOKEN">
 			<xsd:enumeration value="md5" />

core/src/test/java/org/acegisecurity/config/LogoutFilterBeanDefinitionParserTests.java

@@ -14,7 +14,7 @@ import junit.framework.TestCase;
  */
 public class LogoutFilterBeanDefinitionParserTests extends TestCase {
 	
-	public void testXX(){
+	public void testLogoutFilter(){
 		ApplicationContext context = new ClassPathXmlApplicationContext("org/acegisecurity/config/logout-filter-with-handlers.xml");
 	}
 

core/src/test/java/org/acegisecurity/config/RememberMeBeanDefinitionParserTest.java

@@ -7,7 +7,7 @@ import org.springframework.context.support.ClassPathXmlApplicationContext;
 
 public class RememberMeBeanDefinitionParserTest extends TestCase {
 	
-	public void testRememberMeDefaults() {
+	public void testParserDefaults() {
 		ApplicationContext context = new ClassPathXmlApplicationContext("org/acegisecurity/config/principal-repository-properties.xml");
 		
 		

core/src/test/resources/org/acegisecurity/config/authentication-dao-defaults.xml

@@ -15,14 +15,8 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
 	<!--  autocreate userDetailsService with dataSource(search in ctx) injected -->
 
 	<security:authentication-repository id="authenticationRepository">
-		<!--<security:salt-source>
-			<security:system-wide systemWideSalt="12345" />
-		</security:salt-source>
-		--><security:password-encoder encoderBeanRef="passwordEncoder"/>
-		<!-- OR <security:password-encoder>
-				<security:encoder method="md5"/>
-		</security:password-encoder>
-	--></security:authentication-repository>
+		<security:password-encoder encoderBeanRef="passwordEncoder" />
+	</security:authentication-repository>
 
 	<bean id="userDetailsService"
 		class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">

core/src/test/resources/org/acegisecurity/config/security-namespaces.xml

@@ -12,7 +12,10 @@
 	<!-- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd" -->
 
 	<!-- introspect all bean definitions for an explicit object of a "required" type, and if not found, add it. You can turn OFF ones you dont want added via attributes -->
-	<security:security-autoconfig exceptionTranslation="disable" sessionContextIntegration="disable" logoutSupport="disable" filterChain="disable"  servletRequestEmulation="disabled" anonyomousRoleGranter="disabled"/>
+	<security:security-autoconfig exceptionTranslation="disable"
+		sessionContextIntegration="disable" logoutSupport="disable"
+		filterChain="disable" servletRequestEmulation="disabled"
+		anonyomousRoleGranter="disabled" />
 
 	<!-- autodetect attribute is the default, and an exception is thrown if false, as the expectation is they will write their own legacy <beans> format
 		FilterChainProxy bean definition is dissatisfied with the auto approach. The auto approach simply creates a bean definition similar to that shown
@@ -32,12 +35,15 @@
 	<!-- creates a bean definition for an AccessDecisionManager; strategy defaults to AffirmativeBased; 
 		superclass AbstractAccessDecisionManager requires refactoring so if no setProvider(List) given, it introspects app ctx for all AccessDecisionVoters
 		and uses their Ordered interface to apply them; if one doesn't implement Ordered, assume it is Integer.MAX_VALUE -->
-	<security:authorization-manager id="id" strategy="consensus|unanimous|affirmative"/>
+	<security:authorization-manager id="id"
+		strategy="consensus|unanimous|affirmative" />
 
 	<!-- ======================== AUTHENTICATION ======================= -->
 
 	<!-- sessionCreation defaults to ifRequired. -->
-	<security:session-context-integration id="httpSessionContextIntegrationFilter" sessionCreation="never|ifRequired|always" />
+	<security:session-context-integration
+		id="httpSessionContextIntegrationFilter"
+		sessionCreation="never|ifRequired|always" />
 
 	<!-- The rules are:
 		AuthenticationManager interface is implemented by ProviderManager
@@ -46,9 +52,15 @@
 		Every authentication mechanism OR provider must start with security:authentication-something
 		Use appropriate attrs and elements depending on provider or mechanism
 	-->
-	<security:authentication-repository id="id" repositoryBeanRef="beanIdOfRepositoryIfUnspecifiedAutoDetectTheirUserDetailsInstance">
-		<security:salt-source saltSourceBeanRef="beanRefOfAnExternalEncoder"/> <!--  or allow it to be written inline as an inner bean -->
-		<security:password-encoder encoder="md5|md5Hex|sha|shaHex|custom" encoderBeanRef="beanRefOfAnExternalEncoder"/> <!-- same story here, inner beans allowed -->
+	<security:authentication-repository id="id"
+		repositoryBeanRef="beanIdOfRepositoryIfUnspecifiedAutoDetectTheirUserDetailsInstance">
+		<security:salt-source
+			saltSourceBeanRef="beanRefOfAnExternalEncoder" />
+		<!--  or allow it to be written inline as an inner bean -->
+		<security:password-encoder
+			encoder="md5|md5Hex|sha|shaHex|custom"
+			encoderBeanRef="beanRefOfAnExternalEncoder" />
+		<!-- same story here, inner beans allowed -->
 	</security:authentication-repository>
 
 	<security:salt-source>
@@ -58,22 +70,30 @@
 
 
 	<!--  the URLs are all mandatory and have no defaults (well, except authenticationUrl) -->
-	<security:authentication-form id="id" authenticationUrl="/login" loginFormUrl="/login.html" errorFormUrl="error.html"/>
+	<security:authentication-form id="id" authenticationUrl="/login"
+		loginFormUrl="/login.html" errorFormUrl="error.html" />
 
 	<!-- AuthenticationEntryPoints handled across the system via Ordered interface; every Acegi entry point has an order; the highest order wins and
 		is used as the entry point by ExceptionTranslationFilter; for things like BasicAuthenticationfilter, they're smart enough to know they need a
 		BasicAuthenticationProcessingFilterEntryPoint, so they use that one; here we have an entryPointOrder to say when we make the BasicEntryPoint,
 		we will call setOrder(2) such that this app effectively will use somehing with a higher order as the app-wide default -->
-	<security:authentication-basic id="id" realmName="Spring Security Application" entryPointOrder="2"/>
+	<security:authentication-basic id="id"
+		realmName="Spring Security Application" entryPointOrder="2" />
 
 	<!-- This is used if they want an out-of-the-bx UserDetailsService; if they write their own, this goes away and they wire a legacy bean definition and then the various
 		beans depending on a UserDetailsService will auto-detect it at runtime OR provide a way of setUserDetailsService(UserDetailsService) if to specified explicitly.
 		If they fail to provide a repository, the security-autodetect will set one up for them with a few basic in-memory users and pwds -->
 	<security:principal-repository id="id">
-		<security:ldap x="you can do the attributes and suitable nested elements"/>
-		<security:jdbc x="you can do the attributes and suitable nested elements"/>
-		<security:properties location="resourceStringToPropertiesFile"> <!-- if they specify a resource attrib, that means throw exception if they nest some user-definition data) -->
-			<security:user-definition username="ben" password="nottellingYou" enabled="true" it="more stuff if you want">
+		<security:ldap
+			x="you can do the attributes and suitable nested elements" />
+		<security:jdbc
+			x="you can do the attributes and suitable nested elements" />
+		<security:properties
+			location="resourceStringToPropertiesFile">
+<!-- if they specify a resource attrib, that means throw exception if they nest some user-definition data) -->
+			<security:user-definition username="ben"
+				password="nottellingYou" enabled="true"
+				it="more stuff if you want">
 				<security:granted-authority authority="ROLE_ANONYMOUS" />
 				<ref bean="fooBarAuthority" />
 			</security:user-definition>
@@ -81,22 +101,26 @@
 	</security:principal-repository>
 
 	<!-- makes the filter, but does little else, as it auto-detects everything -->
-	<security:authentication-remember-me-filter id="id" rememberMeServicesBeanRef="theId" />
+	<security:authentication-remember-me-filter id="id"
+		rememberMeServicesBeanRef="theId" />
 
 	<!-- services should auto-detect UserDetails from app ctx if principalRepository was not specified; key is handled in same way as discussed earlier -->
-	<security:authentication-remember-me-services id="id" key="someValue" principalRepositoryBeanRef="jdbcDaoImpl" />
+	<security:authentication-remember-me-services id="id"
+		key="someValue" principalRepositoryBeanRef="jdbcDaoImpl" />
 
 	<!-- key is optional; if unspecified, in the NamespaceHandler pick a rnd int and use for all unspecified key properties for acegi beans -->
-	<security:anonymous-role-granter " id="id" key="someValue" >
+	<security:anonymous-role-granter id="id" key="someValue">
 		<security:granted-authority authority="ROLE_ANONYMOUS" />
 		<ref bean="fooBarAuthority" />
 	</security:anonymous-role-granter>
 
-	<security:granted-authority id="fooBarAuthority" authority="ROLE_FOOBAR"/>
+	<security:granted-authority id="fooBarAuthority"
+		authority="ROLE_FOOBAR" />
 
 	<!-- If LogoutFilter does not have setHandlers populated, introspect app ctx for LogoutHandlers, using Ordered (if present, otherwise assume Integer.MAX_VALUE) -->
 	<!-- The logoutUrl and redirectAfterLogout are both optional and default to that shown -->
-	<security:logout-support id="logoutFilter" redirectAfterLogoutUrl="/" logoutUrl="/logout"/>
+	<security:logout-support id="logoutFilter"
+		redirectAfterLogoutUrl="/" logoutUrl="/logout" />
 
 
 	<!-- ===================== HTTP CHANNEL REQUIREMENTS ==================== -->
@@ -107,16 +131,22 @@
 
 	<!-- ensure element name is not overlapping with portlet or spring web flow or tapestry URI patterns, as this filter is incompatible with them -->
 	<security:authorization-http-url>
-		<security:url-mapping source="xml - the default and no other options" sourceBeanId="referenceToTheirObjectDefinitionSource">
+		<security:url-mapping
+			source="xml - the default and no other options"
+			sourceBeanId="referenceToTheirObjectDefinitionSource">
 			<!-- Specify security:uri-patterns in order of processing; each pattern must specify EITHER a regularExpression OR a path, but not both
 				and ALL patterns in the url-mapping MUST be of the SAME type (ie cannot mix a regular expression and Ant Path) - give exception if tried -->
-			<security:uri-pattern path ="/index.jsp" regularExpression="whatever">
+			<security:uri-pattern path="/index.jsp"
+				regularExpression="whatever">
 				<security:configuration-attribute attribute="ROLE_A" />
-				<ref bean="someExternalConfigurationAttributeThatIsATopLevelBean"/>
+				<ref
+					bean="someExternalConfigurationAttributeThatIsATopLevelBean" />
 			</security:uri-pattern>
-			<security:uri-pattern path ="/**" regularExperssion="whatever">
+			<security:uri-pattern path="/**"
+				regularExperssion="whatever">
 				<security:configuration-attribute attribute="ROLE_A" />
-				<ref bean="someExternalConfigurationAttributeThatIsATopLevelBean"/>
+				<ref
+					bean="someExternalConfigurationAttributeThatIsATopLevelBean" />
 			</security:uri-pattern>
 		</security:url-mapping>
 	</security:authorization-http-url>
@@ -126,11 +156,15 @@
 		security:method-pattern element, and you will therefore create it via the MethodDefinitionSourceEditor (that is what the default source=xml means, too)
 		For aspectj and springAop, that means create a MethodSecurityInterceptor and AspectJSecurityInterceptor bean definition respectively (in the case of
 		springAop, also create a MethodDefinitionSourceAdvisor); defaults to springAop=true, aspectJ=false -->
-	<security:authorization-joinpoint aspectj="false|true" springAop="true|false" >
-		<security:url-mapping source="custom|xml|attributes|annotations" sourceBeanId="referenceToTheirObjectDefinitionSource">
-			<security:method-pattern type="com.foo.Bar.whateverMethodNamePattern">
+	<security:authorization-joinpoint aspectj="false|true"
+		springAop="true|false">
+		<security:url-mapping source="custom|xml|attributes|annotations"
+			sourceBeanId="referenceToTheirObjectDefinitionSource">
+			<security:method-pattern
+				type="com.foo.Bar.whateverMethodNamePattern">
 				<security:configuration-attribute attribute="ROLE_A" />
-				<ref bean="someExternalConfigurationAttributeThatIsATopLevelBean"/>
+				<ref
+					bean="someExternalConfigurationAttributeThatIsATopLevelBean" />
 			</security:method-pattern>
 		</security:url-mapping>
 		<!-- if get time, do a new security:pointcut-pattern -->
@@ -140,7 +174,9 @@
 	<!-- Basically accessDeniedUrl is optional, we if unspecified impl will auto-detect any AccessDeniedHandler in ctx and use it; 
 		alternately if there are > 1 such handlers, we can nominate the one to use via accessDeniedBeanRef; provide nested elements for
 		other props; i do not mind if you move the access denied stuff to a sub-element -->
-	<security:exception-translation id="id" accessDeniedUrl="/accessDenied.jsp" accessDeniedBeanRef="theBeanToUse">
+	<security:exception-translation id="id"
+		accessDeniedUrl="/accessDenied.jsp"
+		accessDeniedBeanRef="theBeanToUse">
 		<security:entry-point path="/acegilogin.jsp" https="boolean" />
 	</security:exception-translation>