Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-2758: Make ROLE_ consistent

This commit is contained in:
Rob Winch 2015-01-29 16:57:56 -06:00
parent 753fdcaef0
commit 6627f76df7
17 changed files with 479 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java
View File

@ -88,6 +88,7 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
private AnnotationAttributes enableMethodSecurity;
private ApplicationContext context;
private MethodSecurityExpressionHandler expressionHandler;
private Jsr250MethodSecurityMetadataSource jsr250MethodSecurityMetadataSource;
/**
* Creates the default MethodInterceptor which is a MethodSecurityInterceptor using the following methods to
@ -172,7 +173,6 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
*
* @return
*/
@SuppressWarnings("rawtypes")
protected AccessDecisionManager accessDecisionManager() {
List<AccessDecisionVoter<? extends Object>> decisionVoters = new ArrayList<AccessDecisionVoter<? extends Object>>();
ExpressionBasedPreInvocationAdvice expressionAdvice = new ExpressionBasedPreInvocationAdvice();
@ -282,14 +282,13 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
sources.add(customMethodSecurityMetadataSource);
}
if (prePostEnabled()) {
sources.add(new PrePostAnnotationSecurityMetadataSource(
attributeFactory));
sources.add(new PrePostAnnotationSecurityMetadataSource(attributeFactory));
}
if (securedEnabled()) {
sources.add(new SecuredAnnotationSecurityMetadataSource());
}
if (jsr250Enabled()) {
sources.add(new Jsr250MethodSecurityMetadataSource());
sources.add(jsr250MethodSecurityMetadataSource);
}
return new DelegatingMethodSecurityMetadataSource(sources);
}
@ -344,6 +343,12 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
this.defaultMethodExpressionHandler = objectPostProcessor.postProcess(defaultMethodExpressionHandler);
}
@Autowired(required = false)
public void setJsr250MethodSecurityMetadataSource(
Jsr250MethodSecurityMetadataSource jsr250MethodSecurityMetadataSource) {
this.jsr250MethodSecurityMetadataSource = jsr250MethodSecurityMetadataSource;
}
@Autowired(required = false)
public void setPermissionEvaluator(List<PermissionEvaluator> permissionEvaluators) {
if(permissionEvaluators.size() != 1) {
@ -352,6 +357,15 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
this.defaultMethodExpressionHandler.setPermissionEvaluator(permissionEvaluators.get(0));
}
@Autowired(required = false)
public void setMethodSecurityExpressionHandler(List<MethodSecurityExpressionHandler> handlers) {
if(handlers.size() != 1) {
logger.debug("Not autwiring PermissionEvaluator since size != 1. Got " + handlers);
return;
}
this.expressionHandler = handlers.get(0);
}
@Autowired
public void setApplicationContext(ApplicationContext context) {
this.context = context;

20
config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecuritySelector.java
View File

@ -15,6 +15,8 @@
*/
package org.springframework.security.config.annotation.method.configuration;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.springframework.context.annotation.AdviceMode;
@ -49,10 +51,20 @@ final class GlobalMethodSecuritySelector implements ImportSelector {
AdviceMode mode = attributes.getEnum("mode");
String autoProxyClassName = AdviceMode.PROXY == mode ? AutoProxyRegistrar.class.getName()
: GlobalMethodSecurityAspectJAutoProxyRegistrar.class.getName();
if(skipMethodSecurityConfiguration) {
return new String[] { autoProxyClassName };
boolean jsr250Enabled = attributes.getBoolean("jsr250Enabled");
List<String> classNames = new ArrayList<String>(4);
classNames.add(autoProxyClassName);
if(!skipMethodSecurityConfiguration) {
classNames.add(GlobalMethodSecurityConfiguration.class.getName());
}
return new String[] { autoProxyClassName,
GlobalMethodSecurityConfiguration.class.getName()};
if(jsr250Enabled) {
classNames.add(Jsr250MetadataSourceConfiguration.class.getName());
}
return classNames.toArray(new String[0]);
}
}

14
config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MetadataSourceConfiguration.java Normal file
View File

@ -0,0 +1,14 @@
package org.springframework.security.config.annotation.method.configuration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource;
@Configuration
class Jsr250MetadataSourceConfiguration {
@Bean
public Jsr250MethodSecurityMetadataSource jsr250MethodSecurityMetadataSource() {
return new Jsr250MethodSecurityMetadataSource();
}
}

143
config/src/test/groovy/org/springframework/security/config/annotation/sec2758/Sec2758Tests.groovy Normal file
View File

@ -0,0 +1,143 @@
/*
* Copyright 2002-2013 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.annotation.sec2758;
import javax.annotation.security.RolesAllowed;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.annotation.Bean;
import org.springframework.core.PriorityOrdered;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken
import org.springframework.security.config.annotation.BaseSpringSpec
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configuration.sec2377.a.*
import org.springframework.security.config.annotation.web.configuration.sec2377.b.*
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext
public class Sec2758Tests extends BaseSpringSpec {
def cleanup() {
SecurityContextHolder.clearContext()
}
def "SEC-2758: Verify Passivity Restored with Advice from JIRA"() {
setup:
SecurityContextHolder.context.authentication = new TestingAuthenticationToken("user", "pass", "USER")
loadConfig(SecurityConfig)
Service service = context.getBean(Service)
when:
findFilter(FilterSecurityInterceptor).doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain())
then:
noExceptionThrown()
when:
service.doPreAuthorize()
then:
noExceptionThrown()
when:
service.doJsr250()
then:
noExceptionThrown()
}
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
static class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().hasAnyAuthority("USER");
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
auth
.inMemoryAuthentication()
.withUser("user").password("password").authorities("USER")
}
@Bean
Service service() {
return new ServiceImpl()
}
@Bean
static DefaultRolesPrefixPostProcessor defaultRolesPrefixPostProcessor() {
new DefaultRolesPrefixPostProcessor()
}
}
interface Service {
void doPreAuthorize()
void doJsr250()
}
static class ServiceImpl implements Service {
@PreAuthorize("hasRole('USER')")
void doPreAuthorize() {}
@RolesAllowed("USER")
void doJsr250() {}
}
static class DefaultRolesPrefixPostProcessor implements BeanPostProcessor, PriorityOrdered {
@Override
public Object postProcessAfterInitialization(Object bean, String beanName)
throws BeansException {
if(bean instanceof Jsr250MethodSecurityMetadataSource) {
((Jsr250MethodSecurityMetadataSource) bean).setDefaultRolePrefix(null);
}
if(bean instanceof DefaultMethodSecurityExpressionHandler) {
((DefaultMethodSecurityExpressionHandler) bean).setDefaultRolePrefix(null);
}
if(bean instanceof DefaultWebSecurityExpressionHandler) {
((DefaultWebSecurityExpressionHandler) bean).setDefaultRolePrefix(null);
}
return bean;
}
@Override
public Object postProcessBeforeInitialization(Object bean, String beanName)
throws BeansException {
return bean;
}
@Override
public int getOrder() {
return PriorityOrdered.HIGHEST_PRECEDENCE;
}
}
}

10
config/src/test/java/org/springframework/security/config/method/Jsr250AnnotationDrivenBeanDefinitionParserTests.java
View File

@ -68,4 +68,14 @@ public class Jsr250AnnotationDrivenBeanDefinitionParserTests {
target.someAdminMethod();
}
@Test
public void hasAnyRoleAddsDefaultPrefix() {
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password",
AuthorityUtils.createAuthorityList("ROLE_USER"));
SecurityContextHolder.getContext().setAuthentication(token);
target.rolesAllowedUser();
}
}

34
core/src/main/java/org/springframework/security/access/annotation/Jsr250MethodSecurityMetadataSource.java
View File

@ -38,6 +38,24 @@ import org.springframework.security.access.method.AbstractFallbackMethodSecurity
*/
public class Jsr250MethodSecurityMetadataSource extends AbstractFallbackMethodSecurityMetadataSource {
private String defaultRolePrefix = "ROLE_";
/**
* <p>
* Sets the default prefix to be added to {@link RolesAllowed}. For example, if {@code @RolesAllowed("ADMIN")} or {@code @RolesAllowed("ADMIN")} is used,
* then the role ROLE_ADMIN will be used when the defaultRolePrefix is "ROLE_" (default).
* </p>
*
* <p>
* If null or empty, then no default role prefix is used.
* </p>
*
* @param defaultRolePrefix the default prefix to add to roles. Default "ROLE_".
*/
public void setDefaultRolePrefix(String defaultRolePrefix) {
this.defaultRolePrefix = defaultRolePrefix;
}
protected Collection<ConfigAttribute> findAttributes(Class<?> clazz) {
return processAnnotations(clazz.getAnnotations());
}
@ -69,11 +87,25 @@ public class Jsr250MethodSecurityMetadataSource extends AbstractFallbackMethodSe
RolesAllowed ra = (RolesAllowed) a;
for (String allowed : ra.value()) {
attributes.add(new Jsr250SecurityConfig(allowed));
String defaultedAllowed = getRoleWithDefaultPrefix(allowed);
attributes.add(new Jsr250SecurityConfig(defaultedAllowed));
}
return attributes;
}
}
return null;
}
private String getRoleWithDefaultPrefix(String role) {
if(role == null) {
return role;
}
if(defaultRolePrefix == null || defaultRolePrefix.length() == 0) {
return role;
}
if(role.startsWith(defaultRolePrefix)) {
return role;
}
return defaultRolePrefix + role;
}
}

52
core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java
View File

@ -24,6 +24,7 @@ public abstract class SecurityExpressionRoot implements SecurityExpressionOperat
private AuthenticationTrustResolver trustResolver;
private RoleHierarchy roleHierarchy;
private Set<String> roles;
private String defaultRolePrefix = "ROLE_";
/** Allows "permitAll" expression */
public final boolean permitAll = true;
@ -49,22 +50,27 @@ public abstract class SecurityExpressionRoot implements SecurityExpressionOperat
}
public final boolean hasAuthority(String authority) {
return hasRole(authority);
return hasAnyAuthority(authority);
}
public final boolean hasAnyAuthority(String... authorities) {
return hasAnyRole(authorities);
return hasAnyAuthorityName(null, authorities);
}
public final boolean hasRole(String role) {
return getAuthoritySet().contains(role);
return hasAnyRole(role);
}
public final boolean hasAnyRole(String... roles) {
return hasAnyAuthorityName(defaultRolePrefix, roles);
}
private boolean hasAnyAuthorityName(String prefix, String... roles) {
Set<String> roleSet = getAuthoritySet();
for (String role : roles) {
if (roleSet.contains(role)) {
String defaultedRole = getRoleWithDefaultPrefix(prefix, role);
if (roleSet.contains(defaultedRole)) {
return true;
}
}
@ -116,6 +122,23 @@ public abstract class SecurityExpressionRoot implements SecurityExpressionOperat
this.roleHierarchy = roleHierarchy;
}
/**
* <p>
* Sets the default prefix to be added to {@link #hasAnyRole(String...)} or
* {@link #hasRole(String)}. For example, if hasRole("ADMIN") or hasRole("ROLE_ADMIN") is passed in,
* then the role ROLE_ADMIN will be used when the defaultRolePrefix is "ROLE_" (default).
* </p>
*
* <p>
* If null or empty, then no default role prefix is used.
* </p>
*
* @param defaultRolePrefix the default prefix to add to roles. Default "ROLE_".
*/
public void setDefaultRolePrefix(String defaultRolePrefix) {
this.defaultRolePrefix = defaultRolePrefix;
}
private Set<String> getAuthoritySet() {
if (roles == null) {
roles = new HashSet<String>();
@ -143,4 +166,25 @@ public abstract class SecurityExpressionRoot implements SecurityExpressionOperat
public void setPermissionEvaluator(PermissionEvaluator permissionEvaluator) {
this.permissionEvaluator = permissionEvaluator;
}
/**
* Prefixes role with defaultRolePrefix if defaultRolePrefix is non-null and
* if role does not already start with defaultRolePrefix.
*
* @param defaultRolePrefix
* @param role
* @return
*/
private static String getRoleWithDefaultPrefix(String defaultRolePrefix, String role) {
if(role == null) {
return role;
}
if(defaultRolePrefix == null || defaultRolePrefix.length() == 0) {
return role;
}
if(role.startsWith(defaultRolePrefix)) {
return role;
}
return defaultRolePrefix + role;
}
}

19
core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandler.java
View File

@ -37,6 +37,7 @@ public class DefaultMethodSecurityExpressionHandler extends AbstractSecurityExpr
private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
private ParameterNameDiscoverer parameterNameDiscoverer = new DefaultSecurityParameterNameDiscoverer();
private PermissionCacheOptimizer permissionCacheOptimizer = null;
private String defaultRolePrefix = "ROLE_";
public DefaultMethodSecurityExpressionHandler() {
}
@ -57,6 +58,7 @@ public class DefaultMethodSecurityExpressionHandler extends AbstractSecurityExpr
root.setPermissionEvaluator(getPermissionEvaluator());
root.setTrustResolver(trustResolver);
root.setRoleHierarchy(getRoleHierarchy());
root.setDefaultRolePrefix(defaultRolePrefix);
return root;
}
@ -172,4 +174,21 @@ public class DefaultMethodSecurityExpressionHandler extends AbstractSecurityExpr
public void setReturnObject(Object returnObject, EvaluationContext ctx) {
((MethodSecurityExpressionOperations)ctx.getRootObject().getValue()).setReturnObject(returnObject);
}
/**
* <p>
* Sets the default prefix to be added to {@link #hasAnyRole(String...)} or
* {@link #hasRole(String)}. For example, if hasRole("ADMIN") or hasRole("ROLE_ADMIN") is passed in,
* then the role ROLE_ADMIN will be used when the defaultRolePrefix is "ROLE_" (default).
* </p>
*
* <p>
* If null or empty, then no default role prefix is used.
* </p>
*
* @param defaultRolePrefix the default prefix to add to roles. Default "ROLE_".
*/
public void setDefaultRolePrefix(String defaultRolePrefix) {
this.defaultRolePrefix = defaultRolePrefix;
}
}

3
core/src/test/java/org/springframework/security/access/annotation/BusinessService.java
View File

@ -47,6 +47,9 @@ public interface BusinessService extends Serializable {
@RolesAllowed({"ROLE_USER"})
public void someUserMethod2();
@RolesAllowed({"USER"})
public void rolesAllowedUser();
public int someOther(String s);
public int someOther(int input);

3
core/src/test/java/org/springframework/security/access/annotation/BusinessServiceImpl.java
View File

@ -49,4 +49,7 @@ public class BusinessServiceImpl<E extends Entity> implements BusinessService {
return null;
}
public void rolesAllowedUser() {
}
}

4
core/src/test/java/org/springframework/security/access/annotation/ExpressionProtectedBusinessServiceImpl.java
View File

@ -49,4 +49,8 @@ public class ExpressionProtectedBusinessServiceImpl implements BusinessService {
public void methodWithBeanNamePropertyAccessExpression(String x) {
}
public void rolesAllowedUser() {
}
}

4
core/src/test/java/org/springframework/security/access/annotation/Jsr250BusinessServiceImpl.java
View File

@ -50,4 +50,8 @@ public class Jsr250BusinessServiceImpl implements BusinessService {
return null;
}
@RolesAllowed({"USER"})
public void rolesAllowedUser() {
}
}

65
core/src/test/java/org/springframework/security/access/annotation/Jsr250MethodDefinitionSourceTests.java → core/src/test/java/org/springframework/security/access/annotation/Jsr250MethodSecurityMetadataSourceTests.java
View File

@ -24,6 +24,7 @@ import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.intercept.method.MockMethodInvocation;
@ -32,10 +33,17 @@ import org.springframework.security.access.intercept.method.MockMethodInvocation
* @author Luke Taylor
* @author Ben Alex
*/
public class Jsr250MethodDefinitionSourceTests {
Jsr250MethodSecurityMetadataSource mds = new Jsr250MethodSecurityMetadataSource();
A a = new A();
UserAllowedClass userAllowed = new UserAllowedClass();
public class Jsr250MethodSecurityMetadataSourceTests {
Jsr250MethodSecurityMetadataSource mds;
A a;
UserAllowedClass userAllowed;
@Before
public void setup() {
mds = new Jsr250MethodSecurityMetadataSource();
a = new A();
userAllowed = new UserAllowedClass();
}
private ConfigAttribute[] findAttributes(String methodName) throws Exception {
return mds.findAttributes(a.getClass().getMethod(methodName), null).toArray(new ConfigAttribute[0]);
@ -45,7 +53,7 @@ public class Jsr250MethodDefinitionSourceTests {
public void methodWithRolesAllowedHasCorrectAttribute() throws Exception {
ConfigAttribute[] accessAttributes = findAttributes("adminMethod");
assertEquals(1, accessAttributes.length);
assertEquals("ADMIN", accessAttributes[0].toString());
assertEquals("ROLE_ADMIN", accessAttributes[0].toString());
}
@Test
@ -71,7 +79,41 @@ public class Jsr250MethodDefinitionSourceTests {
public void methodRoleOverridesClassRole() throws Exception {
Collection<ConfigAttribute> accessAttributes = mds.findAttributes(userAllowed.getClass().getMethod("adminMethod"), null);
assertEquals(1, accessAttributes.size());
assertEquals("ADMIN", accessAttributes.toArray()[0].toString());
assertEquals("ROLE_ADMIN", accessAttributes.toArray()[0].toString());
}
@Test
public void customDefaultRolePrefix() throws Exception {
mds.setDefaultRolePrefix("CUSTOMPREFIX_");
ConfigAttribute[] accessAttributes = findAttributes("adminMethod");
assertEquals(1, accessAttributes.length);
assertEquals("CUSTOMPREFIX_ADMIN", accessAttributes[0].toString());
}
@Test
public void emptyDefaultRolePrefix() throws Exception {
mds.setDefaultRolePrefix("");
ConfigAttribute[] accessAttributes = findAttributes("adminMethod");
assertEquals(1, accessAttributes.length);
assertEquals("ADMIN", accessAttributes[0].toString());
}
@Test
public void nullDefaultRolePrefix() throws Exception {
mds.setDefaultRolePrefix(null);
ConfigAttribute[] accessAttributes = findAttributes("adminMethod");
assertEquals(1, accessAttributes.length);
assertEquals("ADMIN", accessAttributes[0].toString());
}
@Test
public void alreadyHasDefaultPrefix() throws Exception {
ConfigAttribute[] accessAttributes = findAttributes("roleAdminMethod");
assertEquals(1, accessAttributes.length);
assertEquals("ROLE_ADMIN", accessAttributes[0].toString());
}
// JSR-250 Spec Tests
@ -98,7 +140,7 @@ public class Jsr250MethodDefinitionSourceTests {
Collection<ConfigAttribute> accessAttributes = mds.getAttributes(mi);
assertEquals(1, accessAttributes.size());
assertEquals("DERIVED", accessAttributes.toArray()[0].toString());
assertEquals("ROLE_DERIVED", accessAttributes.toArray()[0].toString());
}
@Test
@ -108,7 +150,7 @@ public class Jsr250MethodDefinitionSourceTests {
Collection<ConfigAttribute> accessAttributes = mds.getAttributes(mi);
assertEquals(1, accessAttributes.size());
assertEquals("DERIVED", accessAttributes.toArray()[0].toString());
assertEquals("ROLE_DERIVED", accessAttributes.toArray()[0].toString());
}
@Test
@ -118,7 +160,7 @@ public class Jsr250MethodDefinitionSourceTests {
Collection<ConfigAttribute> accessAttributes = mds.getAttributes(mi);
assertEquals(1, accessAttributes.size());
assertEquals("EXPLICIT", accessAttributes.toArray()[0].toString());
assertEquals("ROLE_EXPLICIT", accessAttributes.toArray()[0].toString());
}
/**
@ -151,7 +193,7 @@ public class Jsr250MethodDefinitionSourceTests {
Collection<ConfigAttribute> accessAttributes = mds.getAttributes(mi);
assertEquals(1, accessAttributes.size());
assertEquals("DERIVED", accessAttributes.toArray()[0].toString());
assertEquals("ROLE_DERIVED", accessAttributes.toArray()[0].toString());
}
//~ Inner Classes ======================================================================================================
@ -163,6 +205,9 @@ public class Jsr250MethodDefinitionSourceTests {
@RolesAllowed("ADMIN")
public void adminMethod() {}
@RolesAllowed("ROLE_ADMIN")
public void roleAdminMethod() {}
@PermitAll
public void permitAllMethod() {}
}

82
core/src/test/java/org/springframework/security/access/expression/SecurityExpressionRootTests.java
View File

@ -3,9 +3,11 @@ package org.springframework.security.access.expression;
import static org.junit.Assert.*;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import static org.fest.assertions.Assertions.*;
import java.util.Collection;
import org.junit.Before;
import org.junit.Test;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.authentication.AuthenticationTrustResolver;
@ -20,11 +22,17 @@ import org.springframework.security.core.authority.AuthorityUtils;
* @since 3.0
*/
public class SecurityExpressionRootTests {
final static Authentication JOE = new TestingAuthenticationToken("joe", "pass", "A", "B");
final static Authentication JOE = new TestingAuthenticationToken("joe", "pass", "ROLE_A", "ROLE_B");
SecurityExpressionRoot root;
@Before
public void setup() {
root = new SecurityExpressionRoot(JOE) {};
}
@Test
public void denyAllIsFalsePermitAllTrue() throws Exception {
SecurityExpressionRoot root = new SecurityExpressionRoot(JOE) {};
assertFalse(root.denyAll());
assertFalse(root.denyAll);
assertTrue(root.permitAll());
@ -33,7 +41,6 @@ public class SecurityExpressionRootTests {
@Test
public void rememberMeIsCorrectlyDetected() throws Exception {
SecurityExpressionRoot root = new SecurityExpressionRoot(JOE) {};
AuthenticationTrustResolver atr = mock(AuthenticationTrustResolver.class);
root.setTrustResolver(atr);
when(atr.isRememberMe(JOE)).thenReturn(true);
@ -43,20 +50,79 @@ public class SecurityExpressionRootTests {
@Test
public void roleHierarchySupportIsCorrectlyUsedInEvaluatingRoles() throws Exception {
SecurityExpressionRoot root = new SecurityExpressionRoot(JOE) {};
root.setRoleHierarchy(new RoleHierarchy() {
public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<? extends GrantedAuthority> authorities) {
return AuthorityUtils.createAuthorityList("C");
return AuthorityUtils.createAuthorityList("ROLE_C");
}
});
assertTrue(root.hasRole("C"));
assertTrue(root.hasAuthority("C"));
assertTrue(root.hasAuthority("ROLE_C"));
assertFalse(root.hasRole("A"));
assertFalse(root.hasRole("B"));
assertTrue(root.hasAnyRole("C", "A", "B"));
assertTrue(root.hasAnyAuthority("C", "A", "B"));
assertTrue(root.hasAnyAuthority("ROLE_C", "ROLE_A", "ROLE_B"));
assertFalse(root.hasAnyRole("A", "B"));
}
@Test
public void hasRoleAddsDefaultPrefix() throws Exception {
assertThat(root.hasRole("A")).isTrue();
assertThat(root.hasRole("NO")).isFalse();
}
@Test
public void hasRoleEmptyPrefixDoesNotAddsDefaultPrefix() throws Exception {
root.setDefaultRolePrefix("");
assertThat(root.hasRole("A")).isFalse();
assertThat(root.hasRole("ROLE_A")).isTrue();
}
@Test
public void hasRoleNullPrefixDoesNotAddsDefaultPrefix() throws Exception {
root.setDefaultRolePrefix(null);
assertThat(root.hasRole("A")).isFalse();
assertThat(root.hasRole("ROLE_A")).isTrue();
}
@Test
public void hasRoleDoesNotAddDefaultPrefixForAlreadyPrefixedRoles() throws Exception {
SecurityExpressionRoot root = new SecurityExpressionRoot(JOE) {};
assertThat(root.hasRole("ROLE_A")).isTrue();
assertThat(root.hasRole("ROLE_NO")).isFalse();
}
@Test
public void hasAnyRoleAddsDefaultPrefix() throws Exception {
assertThat(root.hasAnyRole("NO","A")).isTrue();
assertThat(root.hasAnyRole("NO","NOT")).isFalse();
}
@Test
public void hasAnyRoleDoesNotAddDefaultPrefixForAlreadyPrefixedRoles() throws Exception {
assertThat(root.hasAnyRole("ROLE_NO","ROLE_A")).isTrue();
assertThat(root.hasAnyRole("ROLE_NO","ROLE_NOT")).isFalse();
}
@Test
public void hasAnyRoleEmptyPrefixDoesNotAddsDefaultPrefix() throws Exception {
root.setDefaultRolePrefix("");
assertThat(root.hasRole("A")).isFalse();
assertThat(root.hasRole("ROLE_A")).isTrue();
}
@Test
public void hasAnyRoleNullPrefixDoesNotAddsDefaultPrefix() throws Exception {
root.setDefaultRolePrefix(null);
assertThat(root.hasAnyRole("A")).isFalse();
assertThat(root.hasAnyRole("ROLE_A")).isTrue();
}
@Test
public void hasAuthorityDoesNotAddDefaultPrefix() throws Exception {
assertThat(root.hasAuthority("A")).isFalse();
assertThat(root.hasAnyAuthority("NO","A")).isFalse();
assertThat(root.hasAnyAuthority("ROLE_A","NOT")).isTrue();
}
}

2
core/src/test/java/org/springframework/security/access/expression/method/MethodExpressionVoterTests.java
View File

@ -19,7 +19,7 @@ import org.springframework.security.util.SimpleMethodInvocation;
@SuppressWarnings("unchecked")
public class MethodExpressionVoterTests {
private TestingAuthenticationToken joe = new TestingAuthenticationToken("joe", "joespass", "blah");
private TestingAuthenticationToken joe = new TestingAuthenticationToken("joe", "joespass", "ROLE_blah");
private PreInvocationAuthorizationAdviceVoter am =
new PreInvocationAuthorizationAdviceVoter(new ExpressionBasedPreInvocationAdvice());

28
docs/manual/src/docs/asciidoc/index.adoc
View File

@ -628,7 +628,7 @@ protected void configure(HttpSecurity http) throws Exception {
.authorizeRequests() <1>
.antMatchers("/resources/**", "/signup", "/about").permitAll() <2>
.antMatchers("/admin/**").hasRole("ADMIN") <3>
.antMatchers("/db/**").access("hasRole('ROLE_ADMIN') and hasRole('ROLE_DBA')") <4>
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") <4>
.anyRequest().authenticated() <5>
.and()
// ...
@ -639,7 +639,7 @@ protected void configure(HttpSecurity http) throws Exception {
<1> There are multiple children to the `http.authorizeRequests()` method each matcher is considered in the order they were declared.
<2> We specified multiple URL patterns that any user can access. Specifically, any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about".
<3> Any URL that starts with "/admin/" will be resticted to users who have the role "ROLE_ADMIN". You will notice that since we are invoking the `hasRole` method we do not need to specify the "ROLE_" prefix.
<4> Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA"
<4> Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA". You will notice that since we are using the `hasRole` expression we do not need to specify the "ROLE_" prefix.
<5> Any URL that has not already been matched on only requires that the user be authenticated
[[jc-authentication]]
@ -817,7 +817,7 @@ public class MethodSecurityConfig {
}
----
Adding an annotation to a method (on an class or interface) would then limit the access to that method accordingly. Spring Security<EFBFBD><EFBFBD><EFBFBD>s native annotation support defines a set of attributes for the method. These will be passed to the AccessDecisionManager for it to make the actual decision:
Adding an annotation to a method (on an class or interface) would then limit the access to that method accordingly. Spring Security's native annotation support defines a set of attributes for the method. These will be passed to the AccessDecisionManager for it to make the actual decision:
[source,java]
----
@ -844,7 +844,7 @@ public class MethodSecurityConfig {
}
----
These are standards-based and allow simple role-based constraints to be applied but do not have the power Spring Security<EFBFBD><EFBFBD><EFBFBD>s native annotations. To use the new expression-based syntax, you would use
These are standards-based and allow simple role-based constraints to be applied but do not have the power Spring Security's native annotations. To use the new expression-based syntax, you would use
[source,java]
----
@ -1017,7 +1017,7 @@ All you need to enable web security to begin with is
[source,xml]
----
<http>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/**" access="hasRole('USER')" />
<form-login />
<logout />
</http>
@ -2388,7 +2388,7 @@ As we saw earlier in the namespace chapter, it's possible to use multiple `http`
----
<!-- Stateless RESTful service using Basic authentication -->
<http pattern="/restful/**" create-session="stateless">
<intercept-url pattern='/**' access="hasRole('ROLE_REMOTE')" />
<intercept-url pattern='/**' access="hasRole('REMOTE')" />
<http-basic />
</http>
@ -2397,7 +2397,7 @@ As we saw earlier in the namespace chapter, it's possible to use multiple `http`
<!-- Additional filter chain for normal users, matching all other requests -->
<http>
<intercept-url pattern='/**' access="hasRole('ROLE_USER')" />
<intercept-url pattern='/**' access="hasRole('USER')" />
<form-login login-page='/login.htm' default-target-url="/home.htm"/>
<logout />
</http>
@ -4270,16 +4270,16 @@ The base class for expression root objects is `SecurityExpressionRoot`. This pro
| Expression | Description
| `hasRole([role])`
| Returns `true` if the current principal has the specified role. This is a synonym for `hasAuthority([authority])`
| Returns `true` if the current principal has the specified role. By default if the supplied role does not start with 'ROLE_' it will be added. This can be customized by modifying the `defaultRolePrefix` on `DefaultWebSecurityExpressionHandler`.
| `hasAnyRole([role1,role2])`
| Returns `true` if the current principal has any of the supplied roles (given as a comma-separated list of strings) This is a synonym for `hasAnyAuthority([authority1,authority2])`
| Returns `true` if the current principal has any of the supplied roles (given as a comma-separated list of strings). By default if the supplied role does not start with 'ROLE_' it will be added. This can be customized by modifying the `defaultRolePrefix` on `DefaultWebSecurityExpressionHandler`.
| `hasAuthority([authority])`
| Returns `true` if the current principal has the specified authority. This is a synonym for `hasRole([role])`
| Returns `true` if the current principal has the specified authority.
| `hasAnyAuthority([authority1,authority2])`
| Returns `true` if the current principal has any of the supplied roles (given as a comma-separated list of strings) `hasAnyRole([role1,role2])``hasAnyRole([role1,role2])`
| Returns `true` if the current principal has any of the supplied roles (given as a comma-separated list of strings)
| `principal`
| Allows direct access to the principal object representing the current user
@ -4351,7 +4351,7 @@ The most obviously useful annotation is `@PreAuthorize` which decides whether a
[source,java]
----
@PreAuthorize("hasRole('ROLE_USER')")
@PreAuthorize("hasRole('USER')")
public void create(Contact contact);
----
@ -4430,7 +4430,7 @@ As you may already be aware, Spring Security supports filtering of collections a
[source,java]
----
@PreAuthorize("hasRole('ROLE_USER')")
@PreAuthorize("hasRole('USER')")
@PostFilter("hasPermission(filterObject, 'read') or hasPermission(filterObject, 'admin')")
public List<Contact> getAll();
----
@ -7694,7 +7694,7 @@ Defines an authorization rule for a message.
* **pattern** An ant based pattern that matches on the Message destination. For example, "/**" matches any Message with a destination; "/admin/**" matches any Message that has a destination that starts with "/admin/**".
[[nsa-message-interceptor-access]]
* **access** The expression used to secure the Message. For example, "denyAll" will deny access to all of the matching Messages; "permitAll" will grant access to all of the matching Messages; "hasRole('ROLE_ADMIN') requires the current user to have the role 'ROLE_ADMIN' for the matching Messages.
* **access** The expression used to secure the Message. For example, "denyAll" will deny access to all of the matching Messages; "permitAll" will grant access to all of the matching Messages; "hasRole('ADMIN') requires the current user to have the role 'ROLE_ADMIN' for the matching Messages.
[[nsa-authentication]]
=== Authentication Services

21
web/src/main/java/org/springframework/security/web/access/expression/DefaultWebSecurityExpressionHandler.java
View File

@ -17,6 +17,7 @@ import org.springframework.util.Assert;
public class DefaultWebSecurityExpressionHandler extends AbstractSecurityExpressionHandler<FilterInvocation> implements SecurityExpressionHandler<FilterInvocation> {
private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
private String defaultRolePrefix = "ROLE_";
@Override
protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, FilterInvocation fi) {
@ -24,6 +25,7 @@ public class DefaultWebSecurityExpressionHandler extends AbstractSecurityExpress
root.setPermissionEvaluator(getPermissionEvaluator());
root.setTrustResolver(trustResolver);
root.setRoleHierarchy(getRoleHierarchy());
root.setDefaultRolePrefix(defaultRolePrefix);
return root;
}
@ -39,4 +41,21 @@ public class DefaultWebSecurityExpressionHandler extends AbstractSecurityExpress
Assert.notNull(trustResolver, "trustResolver cannot be null");
this.trustResolver = trustResolver;
}
}
/**
* <p>
* Sets the default prefix to be added to {@link #hasAnyRole(String...)} or
* {@link #hasRole(String)}. For example, if hasRole("ADMIN") or hasRole("ROLE_ADMIN") is passed in,
* then the role ROLE_ADMIN will be used when the defaultRolePrefix is "ROLE_" (default).
* </p>
*
* <p>
* If null or empty, then no default role prefix is used.
* </p>
*
* @param defaultRolePrefix the default prefix to add to roles. Default "ROLE_".
*/
public void setDefaultRolePrefix(String defaultRolePrefix) {
this.defaultRolePrefix = defaultRolePrefix;
}
}