mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-03-03 20:09:18 +00:00
SEC-2371: Remove ObjectPostProcessor.QUIESENT_POSTPROCESSOR
This commit is contained in:
Rob Winch
parent
a3009e303b
commit
5f290ba10f
@ -66,13 +66,6 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
|
||||
|
||||
private ObjectPostProcessor<Object> objectPostProcessor;
|
||||
|
||||
/**
|
||||
* Creates a new instance without post processing
|
||||
*/
|
||||
protected AbstractConfiguredSecurityBuilder() {
|
||||
this(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR);
|
||||
}
|
||||
|
||||
/***
|
||||
* Creates a new instance with the provided {@link ObjectPostProcessor}.
|
||||
* This post processor must support Object since there are many types of
|
||||
|
||||
@ -39,13 +39,4 @@ public interface ObjectPostProcessor<T> {
|
||||
* @return the initialized version of the object
|
||||
*/
|
||||
<O extends T> O postProcess(O object);
|
||||
|
||||
/**
|
||||
* A do nothing implementation of the {@link ObjectPostProcessor}
|
||||
*/
|
||||
ObjectPostProcessor<Object> QUIESCENT_POSTPROCESSOR = new ObjectPostProcessor<Object>() {
|
||||
public <T> T postProcess(T object) {
|
||||
return object;
|
||||
}
|
||||
};
|
||||
}
|
||||
@ -89,7 +89,7 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
|
||||
};
|
||||
private DefaultMethodSecurityExpressionHandler defaultMethodExpressionHandler = new DefaultMethodSecurityExpressionHandler();
|
||||
private AuthenticationManager authenticationManager;
|
||||
private AuthenticationManagerBuilder auth = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR);
|
||||
private AuthenticationManagerBuilder auth;
|
||||
private boolean disableAuthenticationRegistry;
|
||||
private AnnotationAttributes enableMethodSecurity;
|
||||
private MethodSecurityExpressionHandler expressionHandler;
|
||||
@ -245,8 +245,8 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
|
||||
protected AuthenticationManager authenticationManager() throws Exception {
|
||||
if(authenticationManager == null) {
|
||||
DefaultAuthenticationEventPublisher eventPublisher = objectPostProcessor.postProcess(new DefaultAuthenticationEventPublisher());
|
||||
auth = new AuthenticationManagerBuilder(objectPostProcessor);
|
||||
auth.authenticationEventPublisher(eventPublisher);
|
||||
auth.objectPostProcessor(objectPostProcessor);
|
||||
configure(auth);
|
||||
if(!disableAuthenticationRegistry) {
|
||||
authenticationManager = auth.build();
|
||||
|
||||
@ -28,6 +28,7 @@ import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.context.ApplicationContextAware;
|
||||
import org.springframework.security.access.expression.SecurityExpressionHandler;
|
||||
import org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder;
|
||||
import org.springframework.security.config.annotation.ObjectPostProcessor;
|
||||
import org.springframework.security.config.annotation.SecurityBuilder;
|
||||
import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
|
||||
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
|
||||
@ -101,9 +102,11 @@ public final class WebSecurity extends
|
||||
|
||||
/**
|
||||
* Creates a new instance
|
||||
* @param objectPostProcessor the {@link ObjectPostProcessor} to use
|
||||
* @see WebSecurityConfiguration
|
||||
*/
|
||||
public WebSecurity() {
|
||||
public WebSecurity(ObjectPostProcessor<Object> objectPostProcessor) {
|
||||
super(objectPostProcessor);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@ -62,7 +62,9 @@ import org.springframework.util.ClassUtils;
|
||||
*/
|
||||
@Configuration
|
||||
public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {
|
||||
private final WebSecurity webSecurity = new WebSecurity();
|
||||
private WebSecurity webSecurity;
|
||||
|
||||
private Boolean debugEnabled;
|
||||
|
||||
private List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers;
|
||||
|
||||
@ -102,12 +104,18 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
|
||||
/**
|
||||
* Sets the {@code <SecurityConfigurer<FilterChainProxy, WebSecurityBuilder>} instances used to create the web configuration.
|
||||
*
|
||||
* @param objectPostProcessor the {@link ObjectPostProcessor} used to create a {@link WebSecurity} instance
|
||||
* @param webSecurityConfigurers the {@code <SecurityConfigurer<FilterChainProxy, WebSecurityBuilder>} instances used to create the web configuration
|
||||
* @throws Exception
|
||||
*/
|
||||
@Autowired(required = false)
|
||||
public void setFilterChainProxySecurityConfigurer(
|
||||
public void setFilterChainProxySecurityConfigurer(ObjectPostProcessor<Object> objectPostProcessor,
|
||||
List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers) throws Exception {
|
||||
webSecurity = objectPostProcessor.postProcess(new WebSecurity(objectPostProcessor));
|
||||
if(debugEnabled != null) {
|
||||
webSecurity.debug(debugEnabled);
|
||||
}
|
||||
|
||||
Collections.sort(webSecurityConfigurers, AnnotationAwareOrderComparator.INSTANCE);
|
||||
|
||||
Integer previousOrder = null;
|
||||
@ -175,8 +183,10 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
|
||||
enableWebSecurityAttrs = AnnotationAttributes.fromMap(enableWebSecurityAttrMap);
|
||||
}
|
||||
}
|
||||
boolean debugEnabled = enableWebSecurityAttrs.getBoolean("debug");
|
||||
this.webSecurity.debug(debugEnabled);
|
||||
debugEnabled = enableWebSecurityAttrs.getBoolean("debug");
|
||||
if(webSecurity != null) {
|
||||
webSecurity.debug(debugEnabled);
|
||||
}
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
@ -185,9 +195,4 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
|
||||
public void setBeanClassLoader(ClassLoader classLoader) {
|
||||
this.beanClassLoader = classLoader;
|
||||
}
|
||||
|
||||
@Autowired
|
||||
public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor) {
|
||||
objectPostProcessor.postProcess(webSecurity);
|
||||
}
|
||||
}
|
||||
|
||||
@ -45,6 +45,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
|
||||
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.web.accept.ContentNegotiationStrategy;
|
||||
import org.springframework.web.accept.HeaderContentNegotiationStrategy;
|
||||
|
||||
@ -69,15 +70,8 @@ public abstract class WebSecurityConfigurerAdapter implements SecurityConfigurer
|
||||
}
|
||||
};
|
||||
|
||||
private final AuthenticationManagerBuilder authenticationBuilder = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR);
|
||||
private final AuthenticationManagerBuilder parentAuthenticationBuilder = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR) {
|
||||
@Override
|
||||
public AuthenticationManagerBuilder eraseCredentials(boolean eraseCredentials) {
|
||||
authenticationBuilder.eraseCredentials(eraseCredentials);
|
||||
return super.eraseCredentials(eraseCredentials);
|
||||
}
|
||||
|
||||
};
|
||||
private AuthenticationManagerBuilder authenticationBuilder;
|
||||
private AuthenticationManagerBuilder parentAuthenticationBuilder;
|
||||
private boolean disableAuthenticationRegistration;
|
||||
private boolean authenticationManagerInitialized;
|
||||
private AuthenticationManager authenticationManager;
|
||||
@ -168,9 +162,6 @@ public abstract class WebSecurityConfigurerAdapter implements SecurityConfigurer
|
||||
return http;
|
||||
}
|
||||
|
||||
authenticationBuilder.objectPostProcessor(objectPostProcessor);
|
||||
parentAuthenticationBuilder.objectPostProcessor(objectPostProcessor);
|
||||
|
||||
DefaultAuthenticationEventPublisher eventPublisher = objectPostProcessor.postProcess(new DefaultAuthenticationEventPublisher());
|
||||
parentAuthenticationBuilder.authenticationEventPublisher(eventPublisher);
|
||||
|
||||
@ -355,6 +346,16 @@ public abstract class WebSecurityConfigurerAdapter implements SecurityConfigurer
|
||||
@Autowired(required=false)
|
||||
public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor) {
|
||||
this.objectPostProcessor = objectPostProcessor;
|
||||
|
||||
authenticationBuilder = new AuthenticationManagerBuilder(objectPostProcessor);
|
||||
parentAuthenticationBuilder = new AuthenticationManagerBuilder(objectPostProcessor) {
|
||||
@Override
|
||||
public AuthenticationManagerBuilder eraseCredentials(boolean eraseCredentials) {
|
||||
authenticationBuilder.eraseCredentials(eraseCredentials);
|
||||
return super.eraseCredentials(eraseCredentials);
|
||||
}
|
||||
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
@ -372,6 +373,9 @@ public abstract class WebSecurityConfigurerAdapter implements SecurityConfigurer
|
||||
private final Object delegateMonitor = new Object();
|
||||
|
||||
UserDetailsServiceDelegator(List<AuthenticationManagerBuilder> delegateBuilders) {
|
||||
if(delegateBuilders.contains(null)) {
|
||||
throw new IllegalArgumentException("delegateBuilders cannot contain null values. Got " + delegateBuilders);
|
||||
}
|
||||
this.delegateBuilders = delegateBuilders;
|
||||
}
|
||||
|
||||
|
||||
@ -20,6 +20,7 @@ import javax.servlet.Filter
|
||||
import org.springframework.beans.factory.NoSuchBeanDefinitionException
|
||||
import org.springframework.context.ConfigurableApplicationContext
|
||||
import org.springframework.context.annotation.AnnotationConfigApplicationContext
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.mock.web.MockFilterChain
|
||||
import org.springframework.mock.web.MockHttpServletRequest
|
||||
import org.springframework.mock.web.MockHttpServletResponse
|
||||
@ -27,6 +28,9 @@ import org.springframework.security.authentication.AuthenticationManager
|
||||
import org.springframework.security.authentication.AuthenticationProvider
|
||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
|
||||
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
|
||||
import org.springframework.security.config.annotation.configuration.AutowireBeanFactoryObjectPostProcessor;
|
||||
import org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration;
|
||||
import org.springframework.security.core.Authentication
|
||||
import org.springframework.security.core.authority.AuthorityUtils
|
||||
import org.springframework.security.core.context.SecurityContextHolder
|
||||
@ -49,13 +53,17 @@ import spock.lang.Specification
|
||||
abstract class BaseSpringSpec extends Specification {
|
||||
@AutoCleanup
|
||||
ConfigurableApplicationContext context
|
||||
@AutoCleanup
|
||||
ConfigurableApplicationContext oppContext
|
||||
|
||||
MockHttpServletRequest request
|
||||
MockHttpServletResponse response
|
||||
MockFilterChain chain
|
||||
CsrfToken csrfToken
|
||||
AuthenticationManagerBuilder authenticationBldr
|
||||
|
||||
def setup() {
|
||||
authenticationBldr = createAuthenticationManagerBuilder()
|
||||
setupWeb(null)
|
||||
}
|
||||
|
||||
@ -75,8 +83,6 @@ abstract class BaseSpringSpec extends Specification {
|
||||
req.setParameter(csrfToken.parameterName, csrfToken.token)
|
||||
}
|
||||
|
||||
AuthenticationManagerBuilder authenticationBldr = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR).inMemoryAuthentication().and()
|
||||
|
||||
def cleanup() {
|
||||
SecurityContextHolder.clearContext()
|
||||
}
|
||||
@ -149,4 +155,14 @@ abstract class BaseSpringSpec extends Specification {
|
||||
repo.loadContext(requestResponseHolder)
|
||||
repo.saveContext(new SecurityContextImpl(authentication:auth), requestResponseHolder.request, requestResponseHolder.response)
|
||||
}
|
||||
|
||||
def createAuthenticationManagerBuilder() {
|
||||
oppContext = new AnnotationConfigApplicationContext(ObjectPostProcessorConfiguration, AuthenticationConfiguration)
|
||||
AuthenticationManagerBuilder auth = new AuthenticationManagerBuilder(objectPostProcessor)
|
||||
auth.inMemoryAuthentication().and()
|
||||
}
|
||||
|
||||
def getObjectPostProcessor() {
|
||||
oppContext.getBean(ObjectPostProcessor)
|
||||
}
|
||||
}
|
||||
@ -38,7 +38,7 @@ class AuthenticationManagerBuilderTests extends BaseSpringSpec {
|
||||
setup:
|
||||
ObjectPostProcessor opp = Mock()
|
||||
AuthenticationProvider provider = Mock()
|
||||
AuthenticationManagerBuilder builder = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR).objectPostProcessor(opp)
|
||||
AuthenticationManagerBuilder builder = new AuthenticationManagerBuilder(objectPostProcessor).objectPostProcessor(opp)
|
||||
when: "Adding an AuthenticationProvider"
|
||||
builder.authenticationProvider(provider)
|
||||
builder.build()
|
||||
@ -51,7 +51,7 @@ class AuthenticationManagerBuilderTests extends BaseSpringSpec {
|
||||
setup:
|
||||
AuthenticationEventPublisher aep = Mock()
|
||||
when:
|
||||
AuthenticationManager am = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR)
|
||||
AuthenticationManager am = new AuthenticationManagerBuilder(objectPostProcessor)
|
||||
.authenticationEventPublisher(aep)
|
||||
.inMemoryAuthentication()
|
||||
.and()
|
||||
|
||||
@ -16,6 +16,7 @@
|
||||
package org.springframework.security.config.annotation.web
|
||||
|
||||
import org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder
|
||||
import org.springframework.security.config.annotation.BaseSpringSpec
|
||||
import org.springframework.security.config.annotation.ObjectPostProcessor;
|
||||
import org.springframework.security.config.annotation.SecurityConfigurer
|
||||
import org.springframework.security.config.annotation.SecurityConfigurerAdapter
|
||||
@ -27,9 +28,13 @@ import spock.lang.Specification
|
||||
* @author Rob Winch
|
||||
*
|
||||
*/
|
||||
class AbstractConfiguredSecurityBuilderTests extends Specification {
|
||||
class AbstractConfiguredSecurityBuilderTests extends BaseSpringSpec {
|
||||
|
||||
ConcreteAbstractConfiguredBuilder builder = new ConcreteAbstractConfiguredBuilder()
|
||||
ConcreteAbstractConfiguredBuilder builder
|
||||
|
||||
def setup() {
|
||||
builder = new ConcreteAbstractConfiguredBuilder(objectPostProcessor)
|
||||
}
|
||||
|
||||
def "Null ObjectPostProcessor rejected"() {
|
||||
when:
|
||||
@ -86,7 +91,7 @@ class AbstractConfiguredSecurityBuilderTests extends Specification {
|
||||
|
||||
def "getConfigurer with multi fails"() {
|
||||
setup:
|
||||
ConcreteAbstractConfiguredBuilder builder = new ConcreteAbstractConfiguredBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR, true)
|
||||
ConcreteAbstractConfiguredBuilder builder = new ConcreteAbstractConfiguredBuilder(objectPostProcessor, true)
|
||||
builder.apply(new DelegateConfigurer())
|
||||
builder.apply(new DelegateConfigurer())
|
||||
when:
|
||||
@ -97,7 +102,7 @@ class AbstractConfiguredSecurityBuilderTests extends Specification {
|
||||
|
||||
def "removeConfigurer with multi fails"() {
|
||||
setup:
|
||||
ConcreteAbstractConfiguredBuilder builder = new ConcreteAbstractConfiguredBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR, true)
|
||||
ConcreteAbstractConfiguredBuilder builder = new ConcreteAbstractConfiguredBuilder(objectPostProcessor, true)
|
||||
builder.apply(new DelegateConfigurer())
|
||||
builder.apply(new DelegateConfigurer())
|
||||
when:
|
||||
@ -110,7 +115,7 @@ class AbstractConfiguredSecurityBuilderTests extends Specification {
|
||||
setup:
|
||||
DelegateConfigurer c1 = new DelegateConfigurer()
|
||||
DelegateConfigurer c2 = new DelegateConfigurer()
|
||||
ConcreteAbstractConfiguredBuilder builder = new ConcreteAbstractConfiguredBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR, true)
|
||||
ConcreteAbstractConfiguredBuilder builder = new ConcreteAbstractConfiguredBuilder(objectPostProcessor, true)
|
||||
builder.apply(c1)
|
||||
builder.apply(c2)
|
||||
when:
|
||||
@ -126,7 +131,7 @@ class AbstractConfiguredSecurityBuilderTests extends Specification {
|
||||
setup:
|
||||
DelegateConfigurer c1 = new DelegateConfigurer()
|
||||
DelegateConfigurer c2 = new DelegateConfigurer()
|
||||
ConcreteAbstractConfiguredBuilder builder = new ConcreteAbstractConfiguredBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR, true)
|
||||
ConcreteAbstractConfiguredBuilder builder = new ConcreteAbstractConfiguredBuilder(objectPostProcessor, true)
|
||||
builder.apply(c1)
|
||||
builder.apply(c2)
|
||||
when:
|
||||
@ -150,10 +155,7 @@ class AbstractConfiguredSecurityBuilderTests extends Specification {
|
||||
|
||||
private static class ConcreteConfigurer extends SecurityConfigurerAdapter<Object, ConcreteAbstractConfiguredBuilder> { }
|
||||
|
||||
private static class ConcreteAbstractConfiguredBuilder extends AbstractConfiguredSecurityBuilder<Object, ConcreteAbstractConfiguredBuilder> {
|
||||
|
||||
public ConcreteAbstractConfiguredBuilder() {
|
||||
}
|
||||
private class ConcreteAbstractConfiguredBuilder extends AbstractConfiguredSecurityBuilder<Object, ConcreteAbstractConfiguredBuilder> {
|
||||
|
||||
public ConcreteAbstractConfiguredBuilder(ObjectPostProcessor<Object> objectPostProcessor) {
|
||||
super(objectPostProcessor);
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user