SEC-1383: Added namespace support for method-security-metadata-source

config/src/main/java/org/springframework/security/config/Elements.java

@@ -47,6 +47,7 @@ public abstract class Elements {
     public static final String REQUEST_CACHE = "request-cache";
     public static final String X509 = "x509";
     public static final String FILTER_SECURITY_METADATA_SOURCE = "filter-security-metadata-source";
+    public static final String METHOD_SECURITY_METADATA_SOURCE = "method-security-metadata-source";
     @Deprecated
     public static final String FILTER_INVOCATION_DEFINITION_SOURCE = "filter-invocation-definition-source";
     public static final String LDAP_PASSWORD_COMPARE = "password-compare";

config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java

@@ -21,6 +21,7 @@ import org.springframework.security.config.ldap.LdapServerBeanDefinitionParser;
 import org.springframework.security.config.ldap.LdapUserServiceBeanDefinitionParser;
 import org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser;
 import org.springframework.security.config.method.InterceptMethodsBeanDefinitionDecorator;
+import org.springframework.security.config.method.MethodSecurityMetadataSourceBeanDefinitionParser;
 import org.springframework.util.ClassUtils;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
@@ -102,6 +103,7 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
         parsers.put(Elements.AUTHENTICATION_PROVIDER, new AuthenticationProviderBeanDefinitionParser());
         parsers.put(Elements.GLOBAL_METHOD_SECURITY, new GlobalMethodSecurityBeanDefinitionParser());
         parsers.put(Elements.AUTHENTICATION_MANAGER, new AuthenticationManagerBeanDefinitionParser());
+        parsers.put(Elements.METHOD_SECURITY_METADATA_SOURCE, new MethodSecurityMetadataSourceBeanDefinitionParser());
  //       registerBeanDefinitionDecorator(Elements.INTERCEPT_METHODS, new InterceptMethodsBeanDefinitionDecorator());
 
         // Only load the web-namespace parsers if the web classes are available

config/src/main/java/org/springframework/security/config/method/MethodSecurityMetadataSourceBeanDefinitionParser.java

@@ -0,0 +1,41 @@
+package org.springframework.security.config.method;
+
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.support.RootBeanDefinition;
+import org.springframework.beans.factory.xml.BeanDefinitionParser;
+import org.springframework.beans.factory.xml.ParserContext;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.access.SecurityConfig;
+import org.springframework.security.access.method.MapBasedMethodSecurityMetadataSource;
+import org.springframework.security.config.Elements;
+import org.springframework.util.StringUtils;
+import org.springframework.util.xml.DomUtils;
+import org.w3c.dom.Element;
+
+public class MethodSecurityMetadataSourceBeanDefinitionParser implements BeanDefinitionParser {
+    static final String ATT_METHOD = "method";
+    static final String ATT_ACCESS = "access";
+
+    public BeanDefinition parse(Element elt, ParserContext pc) {
+        // Parse the included methods
+        List<Element> methods = DomUtils.getChildElementsByTagName(elt, Elements.PROTECT);
+        Map<String, List<ConfigAttribute>> mappings = new LinkedHashMap<String, List<ConfigAttribute>>();
+
+        for (Element protectmethodElt : methods) {
+            String[] tokens = StringUtils.commaDelimitedListToStringArray(protectmethodElt.getAttribute(ATT_ACCESS));
+            String methodName = protectmethodElt.getAttribute(ATT_METHOD);
+
+            mappings.put(methodName, SecurityConfig.createList(tokens));
+        }
+
+        BeanDefinition metadataSource = new RootBeanDefinition(MapBasedMethodSecurityMetadataSource.class);
+        metadataSource.getConstructorArgumentValues().addGenericArgumentValue(mappings);
+
+        return metadataSource;
+    }
+
+}

config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc

@@ -184,6 +184,12 @@ protect.attlist &=
     ## Access configuration attributes list that applies to the method, e.g. "ROLE_A,ROLE_B".
     attribute access {xsd:token}
 
+method-security-metadata-source =
+    ## Creates a MethodSecurityMetadataSource instance
+    element method-security-metadata-source {msmds.attlist, protect+}
+msmds.attlist &= id?
+
+msmds.attlist &= use-expressions?
 
 global-method-security =
     ## Provides method security for all beans registered in the Spring application context. Specifically, beans will be scanned for matches with the ordered list of "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match, the beans will automatically be proxied and security authorization applied to the methods accordingly. If you use and enable all four sources of method security metadata (ie "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security annotations), the metadata sources will be queried in that order. In practical terms, this enables you to use XML to override method security metadata expressed in annotations. If using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and finally JSR-250.
@@ -619,5 +625,3 @@ position =
 
 
 named-security-filter = "FIRST" | "CHANNEL_FILTER" | "CONCURRENT_SESSION_FILTER" | "SECURITY_CONTEXT_FILTER" | "LOGOUT_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_FILTER" | "FORM_LOGIN_FILTER" | "OPENID_FILTER" |"BASIC_AUTH_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "SESSION_MANAGEMENT_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER" | "LAST"
-    
-    

config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd

@@ -448,6 +448,30 @@
       </xs:annotation>
     </xs:attribute>
   </xs:attributeGroup>
+  <xs:element name="method-security-metadata-source"><xs:annotation>
+      <xs:documentation>Creates a MethodSecurityMetadataSource instance</xs:documentation>
+    </xs:annotation><xs:complexType>
+      <xs:sequence>
+        <xs:element maxOccurs="unbounded" name="protect"><xs:annotation>
+      <xs:documentation>Defines a protected method and the access control configuration attributes that apply to it. We strongly advise you NOT to mix "protect" declarations with any services provided "global-method-security".</xs:documentation>
+    </xs:annotation><xs:complexType>
+      <xs:attributeGroup ref="security:protect.attlist"/>
+    </xs:complexType></xs:element>
+      </xs:sequence>
+      <xs:attributeGroup ref="security:msmds.attlist"/>
+    </xs:complexType></xs:element>
+  <xs:attributeGroup name="msmds.attlist">
+    <xs:attribute name="id" type="xs:ID">
+      <xs:annotation>
+        <xs:documentation>A bean identifier, used for referring to the bean elsewhere in the context.</xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+    <xs:attribute name="use-expressions" type="security:boolean">
+      <xs:annotation>
+        <xs:documentation>Enables the use of expressions in the 'access' attributes in &lt;intercept-url&gt; elements rather than the traditional list of configuration attributes. Defaults to 'false'. If enabled, each attribute should contain a single boolean expression. If the expression evaluates to 'true', access will be granted.</xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+  </xs:attributeGroup>
   <xs:element name="global-method-security"><xs:annotation>
       <xs:documentation>Provides method security for all beans registered in the Spring application context. Specifically, beans will be scanned for matches with the ordered list of "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match, the beans will automatically be proxied and security authorization applied to the methods accordingly. If you use and enable all four sources of method security metadata (ie "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security annotations), the metadata sources will be queried in that order. In practical terms, this enables you to use XML to override method security metadata expressed in annotations. If using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and finally JSR-250.</xs:documentation>
     </xs:annotation><xs:complexType>