From 533a5f0905ca7c39406bb9baaa046176718d0d50 Mon Sep 17 00:00:00 2001
From: Rob Winch <rwinch@gopivotal.com>
Date: Mon, 21 Mar 2016 22:48:49 -0500
Subject: [PATCH] Fix <password-encoder> when authentication-manager@id
 specified

When <authentication-manager> specifies an id, the <password-encoder> is
not used because the parser changes the bean id without aliasing it to
BeanIds.AUTHENTICATION_MANAGER which is used by
AuthenticationManagerBeanDefinitionParser to look up the
AuthenticationManager bean.

This commit updates AuthenticationManagerBeanDefinitionParser to ensure
there is an alias to BeanIds.AUTHENTICATION_MANAGER when the id is
specified.

Fixes gh-3296
---
 ...enticationManagerBeanDefinitionParser.java |   5 +
 .../config/http/NamespaceHttpBasicTests.java  | 102 ++++++++++++++++++
 2 files changed, 107 insertions(+)
 create mode 100644 config/src/test/java/org/springframework/security/config/http/NamespaceHttpBasicTests.java

diff --git a/config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java
index d8dabf47d5..24967fde76 100644
--- a/config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java
@@ -139,6 +139,11 @@ public class AuthenticationManagerBeanDefinitionParser implements BeanDefinition
 			pc.getReaderContext().fireAliasRegistered(id, alias,
 					pc.extractSource(element));
 		}
+		if (!BeanIds.AUTHENTICATION_MANAGER.equals(id)) {
+			pc.getRegistry().registerAlias(id, BeanIds.AUTHENTICATION_MANAGER);
+			pc.getReaderContext().fireAliasRegistered(id, BeanIds.AUTHENTICATION_MANAGER,
+					pc.extractSource(element));
+		}
 
 		pc.popAndRegisterContainingComponent();
 
diff --git a/config/src/test/java/org/springframework/security/config/http/NamespaceHttpBasicTests.java b/config/src/test/java/org/springframework/security/config/http/NamespaceHttpBasicTests.java
new file mode 100644
index 0000000000..5f5d186d8e
--- /dev/null
+++ b/config/src/test/java/org/springframework/security/config/http/NamespaceHttpBasicTests.java
@@ -0,0 +1,102 @@
+/*
+ * Copyright 2012-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.http;
+
+import java.lang.reflect.Method;
+
+import javax.servlet.Filter;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mock;
+
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.mock.web.MockFilterChain;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.config.util.InMemoryXmlApplicationContext;
+import org.springframework.security.crypto.codec.Base64;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * @author Rob Winch
+ */
+public class NamespaceHttpBasicTests {
+	@Mock
+	Method method;
+
+	MockHttpServletRequest request;
+	MockHttpServletResponse response;
+	MockFilterChain chain;
+
+	ConfigurableApplicationContext context;
+
+	Filter springSecurityFilterChain;
+
+	@Before
+	public void setup() {
+		this.request = new MockHttpServletRequest();
+		this.request.setMethod("GET");
+		this.response = new MockHttpServletResponse();
+		this.chain = new MockFilterChain();
+	}
+
+	@After
+	public void teardown() {
+		if (this.context != null) {
+			this.context.close();
+		}
+	}
+
+	// gh-3296
+	@Test
+	public void httpBasicWithPasswordEncoder() throws Exception {
+		// @formatter:off
+		loadContext("<http>\n" +
+			"		<intercept-url pattern=\"/**\" access=\"hasRole('USER')\" />\n" +
+			"		<http-basic />\n" +
+			"	</http>\n" +
+			"\n" +
+			"	<authentication-manager id=\"authenticationManager\">\n" +
+			"		<authentication-provider>\n" +
+			"			<password-encoder ref=\"passwordEncoder\" />\n" +
+			"			<user-service>\n" +
+			"				<user name=\"user\" password=\"$2a$10$Zk1MxFEt7YYji4Ccy9xlfuewWzUMsmHZfy4UcCmNKVV6z5i/JNGJW\" authorities=\"ROLE_USER\"/>\n" +
+			"			</user-service>\n" +
+			"		</authentication-provider>\n" +
+			"	</authentication-manager>\n" +
+			"	<b:bean id=\"passwordEncoder\"\n" +
+			"		class=\"org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder\" />");
+			// @formatter:on
+
+		this.request.addHeader("Authorization",
+				"Basic " + new String(Base64.encode("user:test".getBytes("UTF-8"))));
+
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
+	}
+
+	private void loadContext(String context) {
+		this.context = new InMemoryXmlApplicationContext(context);
+		this.springSecurityFilterChain = this.context.getBean("springSecurityFilterChain",
+				Filter.class);
+	}
+}