diff --git a/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java b/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java
new file mode 100644
index 0000000000..d85a351a5b
--- /dev/null
+++ b/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java
@@ -0,0 +1,336 @@
+/*
+ * Copyright 2004-2010 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.taglibs.authz;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.context.ApplicationContext;
+import org.springframework.core.GenericTypeResolver;
+import org.springframework.expression.Expression;
+import org.springframework.expression.ParseException;
+import org.springframework.security.access.expression.ExpressionUtils;
+import org.springframework.security.access.expression.SecurityExpressionHandler;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
+import org.springframework.util.StringUtils;
+import org.springframework.web.context.support.WebApplicationContextUtils;
+
+/**
+ * A base class for an <authorize> tag that is independent of the tag rendering technology (JSP, Facelets).
+ * It treats tag attributes as simple strings rather than strings that may contain expressions with the
+ * exception of the "access" attribute, which is always expected to contain a Spring EL expression.
+ *
+ * Subclasses are expected to extract tag attribute values from the specific rendering technology, evaluate
+ * them as expressions if necessary, and set the String-based attributes of this class.
+ *
+ * @author Francois Beausoleil
+ * @author Luke Taylor
+ * @author Rossen Stoyanchev
+ *
+ * @since 3.1.0
+ */
+public abstract class AbstractAuthorizeTag {
+
+ private String access;
+ private String url;
+ private String method;
+ private String ifAllGranted;
+ private String ifAnyGranted;
+ private String ifNotGranted;
+
+ /**
+ * This method allows subclasses to provide a way to access the ServletRequest according to the rendering
+ * technology.
+ */
+ protected abstract ServletRequest getRequest();
+
+ /**
+ * This method allows subclasses to provide a way to access the ServletResponse according to the rendering
+ * technology.
+ */
+ protected abstract ServletResponse getResponse();
+
+ /**
+ * This method allows subclasses to provide a way to access the ServletContext according to the rendering
+ * technology.
+ */
+ protected abstract ServletContext getServletContext();
+
+ /**
+ * Make an authorization decision by considering all <authorize> tag attributes. The following are valid
+ * combinations of attributes:
+ *
+ * The above combinations are mutually exclusive and evaluated in the given order.
+ *
+ * @return the result of the authorization decision
+ *
+ * @throws IOException
+ */
+ public boolean authorize() throws IOException {
+ boolean isAuthorized = false;
+
+ if (StringUtils.hasText(getAccess())) {
+ isAuthorized = authorizeUsingAccessExpression();
+
+ } else if (StringUtils.hasText(getUrl())) {
+ isAuthorized = authorizeUsingUrlCheck();
+
+ } else {
+ isAuthorized = authorizeUsingGrantedAuthorities();
+
+ }
+
+ return isAuthorized;
+ }
+
+ /**
+ * Make an authorization decision by considering ifAllGranted, ifAnyGranted, and ifNotGranted. All 3 or any
+ * combination can be provided. All provided attributes must evaluate to true.
+ *
+ * @return the result of the authorization decision
+ */
+ public boolean authorizeUsingGrantedAuthorities() {
+ boolean hasTextAllGranted = StringUtils.hasText(getIfAllGranted());
+ boolean hasTextAnyGranted = StringUtils.hasText(getIfAnyGranted());
+ boolean hasTextNotGranted = StringUtils.hasText(getIfNotGranted());
+
+ if ((!hasTextAllGranted) && (!hasTextAnyGranted) && (!hasTextNotGranted)) {
+ return false;
+ }
+
+ final Collection granted = getPrincipalAuthorities();
+
+ if (hasTextAllGranted) {
+ if (!granted.containsAll(toAuthorities(getIfAllGranted()))) {
+ return false;
+ }
+ }
+
+ if (hasTextAnyGranted) {
+ Set grantedCopy = retainAll(granted, toAuthorities(getIfAnyGranted()));
+ if (grantedCopy.isEmpty()) {
+ return false;
+ }
+ }
+
+ if (hasTextNotGranted) {
+ Set grantedCopy = retainAll(granted, toAuthorities(getIfNotGranted()));
+ if (!grantedCopy.isEmpty()) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+ /**
+ * Make an authorization decision based on a Spring EL expression. See the "Expression-Based Access Control" chapter
+ * in Spring Security for details on what expressions can be used.
+ *
+ * @return the result of the authorization decision
+ *
+ * @throws IOException
+ */
+ public boolean authorizeUsingAccessExpression() throws IOException {
+ Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
+ if (currentUser == null) {
+ return false;
+ }
+
+ SecurityExpressionHandler handler = getExpressionHandler();
+
+ Expression accessExpression;
+ try {
+ accessExpression = handler.getExpressionParser().parseExpression(getAccess());
+
+ } catch (ParseException e) {
+ IOException ioException = new IOException();
+ ioException.initCause(e);
+ throw ioException;
+ }
+
+ FilterInvocation f = new FilterInvocation(getRequest(), getResponse(), new FilterChain() {
+ public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
+ throw new UnsupportedOperationException();
+ }
+ });
+
+ return ExpressionUtils.evaluateAsBoolean(accessExpression, handler.createEvaluationContext(currentUser, f));
+ }
+
+ /**
+ * Make an authorization decision based on the URL and HTTP method attributes. True is returned if the user is
+ * allowed to access the given URL as defined.
+ *
+ * @return the result of the authorization decision
+ *
+ * @throws IOException
+ */
+ public boolean authorizeUsingUrlCheck() throws IOException {
+ String contextPath = ((HttpServletRequest) getRequest()).getContextPath();
+ Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
+ return getPrivilegeEvaluator().isAllowed(contextPath, getUrl(), getMethod(), currentUser);
+ }
+
+ public String getAccess() {
+ return access;
+ }
+
+ public void setAccess(String access) {
+ this.access = access;
+ }
+
+ public String getUrl() {
+ return url;
+ }
+
+ public void setUrl(String url) {
+ this.url = url;
+ }
+
+ public String getMethod() {
+ return method;
+ }
+
+ public void setMethod(String method) {
+ this.method = (method != null) ? method.toUpperCase() : null;
+ }
+
+ public String getIfAllGranted() {
+ return ifAllGranted;
+ }
+
+ public void setIfAllGranted(String ifAllGranted) {
+ this.ifAllGranted = ifAllGranted;
+ }
+
+ public String getIfAnyGranted() {
+ return ifAnyGranted;
+ }
+
+ public void setIfAnyGranted(String ifAnyGranted) {
+ this.ifAnyGranted = ifAnyGranted;
+ }
+
+ public String getIfNotGranted() {
+ return ifNotGranted;
+ }
+
+ public void setIfNotGranted(String ifNotGranted) {
+ this.ifNotGranted = ifNotGranted;
+ }
+
+ /*------------- Private helper methods -----------------*/
+
+ private Collection getPrincipalAuthorities() {
+ Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
+ if (null == currentUser) {
+ return Collections.emptyList();
+ }
+ return currentUser.getAuthorities();
+ }
+
+ private Set toAuthorities(String authorizations) {
+ final Set requiredAuthorities = new HashSet();
+ requiredAuthorities.addAll(AuthorityUtils.commaSeparatedStringToAuthorityList(authorizations));
+ return requiredAuthorities;
+ }
+
+ private Set retainAll(final Collection granted,
+ final Set required) {
+ Set grantedRoles = authoritiesToRoles(granted);
+ Set requiredRoles = authoritiesToRoles(required);
+ grantedRoles.retainAll(requiredRoles);
+
+ return rolesToAuthorities(grantedRoles, granted);
+ }
+
+ private Set authoritiesToRoles(Collection c) {
+ Set target = new HashSet();
+ for (GrantedAuthority authority : c) {
+ if (null == authority.getAuthority()) {
+ throw new IllegalArgumentException(
+ "Cannot process GrantedAuthority objects which return null from getAuthority() - attempting to process "
+ + authority.toString());
+ }
+ target.add(authority.getAuthority());
+ }
+ return target;
+ }
+
+ private Set rolesToAuthorities(Set grantedRoles, Collection granted) {
+ Set target = new HashSet();
+ for (String role : grantedRoles) {
+ for (GrantedAuthority authority : granted) {
+ if (authority.getAuthority().equals(role)) {
+ target.add(authority);
+ break;
+ }
+ }
+ }
+ return target;
+ }
+
+ private SecurityExpressionHandler getExpressionHandler() throws IOException {
+ ApplicationContext appContext = WebApplicationContextUtils
+ .getRequiredWebApplicationContext(getServletContext());
+ Map handlers = appContext
+ .getBeansOfType(SecurityExpressionHandler.class);
+
+ for (SecurityExpressionHandler h : handlers.values()) {
+ if (FilterInvocation.class.equals(GenericTypeResolver.resolveTypeArgument(h.getClass(),
+ SecurityExpressionHandler.class))) {
+ return h;
+ }
+ }
+
+ throw new IOException("No visible WebSecurityExpressionHandler instance could be found in the application "
+ + "context. There must be at least one in order to support expressions in JSP 'authorize' tags.");
+ }
+
+ private WebInvocationPrivilegeEvaluator getPrivilegeEvaluator() throws IOException {
+ ApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServletContext());
+ Map wipes = ctx.getBeansOfType(WebInvocationPrivilegeEvaluator.class);
+
+ if (wipes.size() == 0) {
+ throw new IOException(
+ "No visible WebInvocationPrivilegeEvaluator instance could be found in the application "
+ + "context. There must be at least one in order to support the use of URL access checks in 'authorize' tags.");
+ }
+
+ return (WebInvocationPrivilegeEvaluator) wipes.values().toArray()[0];
+ }
+}
diff --git a/taglibs/src/main/java/org/springframework/security/taglibs/authz/AuthorizeTag.java b/taglibs/src/main/java/org/springframework/security/taglibs/authz/AuthorizeTag.java
deleted file mode 100644
index d9afe4b6ae..0000000000
--- a/taglibs/src/main/java/org/springframework/security/taglibs/authz/AuthorizeTag.java
+++ /dev/null
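Review bot: authorizeUsingUrlCheck() hands a null Authentication straight to WebInvocationPrivilegeEvaluator.isAllowed() when no security context is present, while authorizeUsingAccessExpression() in the same file returns false for that case and the removed AuthorizeTag.doStartTag() returned SKIP_BODY before either check ran. Whether the URL path still fails closed therefore depends on the evaluator bean found in the application context rather than on the tag; keeping the guard in the tag is cheap and consistent: `if (currentUser == null) { return false; }` ahead of the isAllowed() call. Two smaller points: setMethod() should use `method.toUpperCase(Locale.ROOT)` so the stored HTTP method does not depend on the default locale (needs a java.util.Locale import), and the authorize() Javadoc announces "The following are valid combinations of attributes:" but nothing follows — if a list was lost on the way in, restore it, otherwise drop the sentence. getPrivilegeEvaluator() and getExpressionHandler() also silently use whichever matching bean the map yields first when several are registered, which deserves a comment such as `// NOTE: with several candidate beans the first one returned by the context wins; register exactly one` since that choice decides the access outcome.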
@@ -1,141 +0,0 @@ -package org.springframework.security.taglibs.authz; - -import java.io.IOException; -import java.util.*; -import javax.servlet.FilterChain; -import javax.servlet.ServletContext; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.jsp.JspException; -import javax.servlet.jsp.PageContext; - -import org.springframework.context.ApplicationContext; -import org.springframework.core.GenericTypeResolver; -import org.springframework.expression.Expression; -import org.springframework.expression.ParseException; -import org.springframework.security.access.expression.ExpressionUtils; -import org.springframework.security.access.expression.SecurityExpressionHandler; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.web.FilterInvocation; -import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator; -import org.springframework.web.context.support.WebApplicationContextUtils; - -/** - * Access control tag which evaluates its body based either on - *
    - *
  • an access expression (the "access" attribute), or
  • - *
  • by evaluating the current user's right to access a particular URL (set using the "url" attribute).
  • - *
- * @author Luke Taylor - * @since 3.0 - */ -public class AuthorizeTag extends LegacyAuthorizeTag { - private String access; - private String url; - private String method; - private String var; - - // If access expression evaluates to "true" return - public int doStartTag() throws JspException { - Authentication currentUser = SecurityContextHolder.getContext().getAuthentication(); - - if (currentUser == null) { - return SKIP_BODY; - } - - int result; - - if (access != null && access.length() > 0) { - result = authorizeUsingAccessExpression(currentUser); - } else if (url != null && url.length() > 0) { - result = authorizeUsingUrlCheck(currentUser); - } else { - result = super.doStartTag(); - } - - if (var != null) { - pageContext.setAttribute(var, Boolean.valueOf(result == EVAL_BODY_INCLUDE), PageContext.PAGE_SCOPE); - } - - return result; - } - - private int authorizeUsingAccessExpression(Authentication currentUser) throws JspException { - SecurityExpressionHandler handler = getExpressionHandler(); - - Expression accessExpression; - try { - accessExpression = handler.getExpressionParser().parseExpression(access); - - } catch (ParseException e) { - throw new JspException(e); - } - - FilterInvocation f = new FilterInvocation(pageContext.getRequest(), pageContext.getResponse(), DUMMY_CHAIN); - - if (ExpressionUtils.evaluateAsBoolean(accessExpression, handler.createEvaluationContext(currentUser, f))) { - return EVAL_BODY_INCLUDE; - } - - return SKIP_BODY; - } - - private int authorizeUsingUrlCheck(Authentication currentUser) throws JspException { - return getPrivilegeEvaluator().isAllowed(((HttpServletRequest)pageContext.getRequest()).getContextPath(), - url, method, currentUser) ? 
EVAL_BODY_INCLUDE : SKIP_BODY; - } - - public void setAccess(String access) { - this.access = access; - } - - public void setUrl(String url) { - this.url = url; - } - - public void setMethod(String method) { - this.method = method; - } - - public void setVar(String var) { - this.var = var; - } - - SecurityExpressionHandler getExpressionHandler() throws JspException { - ServletContext servletContext = pageContext.getServletContext(); - ApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext); - Map expressionHdlrs = ctx.getBeansOfType(SecurityExpressionHandler.class); - - - for (SecurityExpressionHandler h : expressionHdlrs.values()) { - if (FilterInvocation.class.equals(GenericTypeResolver.resolveTypeArgument(h.getClass(), SecurityExpressionHandler.class))) { - return h; - } - } - - throw new JspException("No visible SecurityExpressionHandler instance could be found in the " + - "application context. There must be at least one in order to support expressions in JSP 'authorize' tags."); - } - - WebInvocationPrivilegeEvaluator getPrivilegeEvaluator() throws JspException { - ServletContext servletContext = pageContext.getServletContext(); - ApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext); - Map wipes = ctx.getBeansOfType(WebInvocationPrivilegeEvaluator.class); - - if (wipes.size() == 0) { - throw new JspException("No visible WebInvocationPrivilegeEvaluator instance could be found in the application " + - "context. There must be at least one in order to support the use of URL access checks in 'authorize' tags."); - } - - return (WebInvocationPrivilegeEvaluator) wipes.values().toArray()[0]; - } - - private static final FilterChain DUMMY_CHAIN = new FilterChain() { - public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException { - throw new UnsupportedOperationException(); - } - }; -} 
diff --git a/taglibs/src/main/java/org/springframework/security/taglibs/authz/JspAuthorizeTag.java b/taglibs/src/main/java/org/springframework/security/taglibs/authz/JspAuthorizeTag.java
new file mode 100644
index 0000000000..fe4870780e
--- /dev/null
+++ b/taglibs/src/main/java/org/springframework/security/taglibs/authz/JspAuthorizeTag.java
@@ -0,0 +1,101 @@
+package org.springframework.security.taglibs.authz;
+
+import java.io.IOException;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.jsp.JspException;
+import javax.servlet.jsp.PageContext;
+import javax.servlet.jsp.tagext.Tag;
+
+import org.springframework.web.util.ExpressionEvaluationUtils;
+
+/**
+ * A JSP {@link Tag} implementation of {@link AbstractAuthorizeTag}.
+ *
+ * @since 3.1.0
+ *
+ * @author Rossen Stoyanchev
+ *
+ * @see AbstractAuthorizeTag
+ */
+public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {
+
+ private Tag parent;
+
+ protected String id;
+
+ protected PageContext pageContext;
+
+ /**
+ * Invokes the base class {@link AbstractAuthorizeTag#authorize()} method to
+ * decide if the body of the tag should be skipped or not.
+ *
+ * @return {@link Tag#SKIP_BODY} or {@link Tag#EVAL_BODY_INCLUDE}
+ */
+ public int doStartTag() throws JspException {
+ try {
+ setIfNotGranted(ExpressionEvaluationUtils.evaluateString("ifNotGranted", getIfNotGranted(), pageContext));
+ setIfAllGranted(ExpressionEvaluationUtils.evaluateString("ifAllGranted", getIfAllGranted(), pageContext));
+ setIfAnyGranted(ExpressionEvaluationUtils.evaluateString("ifAnyGranted", getIfAnyGranted(), pageContext));
+
+ return super.authorize() ? Tag.EVAL_BODY_INCLUDE : Tag.SKIP_BODY;
+
+ } catch (IOException e) {
+ throw new JspException(e);
+ }
+ }
+
+ /**
+ * Default processing of the end tag returning EVAL_PAGE.
+ *
+ * @return EVAL_PAGE
+ *
+ * @see Tag#doEndTag()
+ */
+ public int doEndTag() {
+ return EVAL_PAGE;
+ }
+
+ public String getId() {
+ return id;
+ }
+
+ public void setId(String id) {
+ this.id = id;
+ }
+
+ public Tag getParent() {
+ return parent;
+ }
+
+ public void setParent(Tag parent) {
+ this.parent = parent;
+ }
+
+ public void release() {
+ parent = null;
+ id = null;
+ }
+
+ public void setPageContext(PageContext pageContext) {
+ this.pageContext = pageContext;
+ }
+
+ @Override
+ protected ServletRequest getRequest() {
+ return pageContext.getRequest();
+ }
+
+ @Override
+ protected ServletResponse getResponse() {
+ return pageContext.getResponse();
+ }
+
+ @Override
+ protected ServletContext getServletContext() {
+ return pageContext.getServletContext();
+ }
+
+}
diff --git a/taglibs/src/main/java/org/springframework/security/taglibs/authz/LegacyAuthorizeTag.java b/taglibs/src/main/java/org/springframework/security/taglibs/authz/LegacyAuthorizeTag.java
deleted file mode 100644
index 4f120c9bc0..0000000000
--- a/taglibs/src/main/java/org/springframework/security/taglibs/authz/LegacyAuthorizeTag.java
+++ /dev/null
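Review bot: JspAuthorizeTag drops the `var` attribute that the removed AuthorizeTag supported (`setVar` plus `pageContext.setAttribute(var, Boolean.valueOf(result == EVAL_BODY_INCLUDE), PageContext.PAGE_SCOPE)` in its doStartTag), so pages that export the decision into a page-scope variable — and a `var` entry in security.tld, if one is still declared there — stop working once the tld points at this class. Restoring it is a field, a setter and a few lines in doStartTag(); release() should clear it as well, because this class implements Tag directly rather than extending TagSupport and so must reset its own state. doStartTag() also runs only the three granted-authority attributes through ExpressionEvaluationUtils and leaves access, url and method as raw strings; that matches the base-class Javadoc for access, but a one-line comment on url and method (`// url/method are plain strings: JSP EL is not evaluated here`) would stop readers from expecting `${...}` to work there.
```java
private String var;

public void setVar(String var) {
    this.var = var;
}

public int doStartTag() throws JspException {
    try {
        // … unchanged: ifNotGranted / ifAllGranted / ifAnyGranted evaluation …
        boolean authorized = super.authorize();
        if (var != null) {
            pageContext.setAttribute(var, Boolean.valueOf(authorized), PageContext.PAGE_SCOPE);
        }
        return authorized ? Tag.EVAL_BODY_INCLUDE : Tag.SKIP_BODY;
    } catch (IOException e) {
        throw new JspException(e);
    }
}

public void release() {
    parent = null;
    id = null;
    var = null;
}
```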
@@ -1,192 +0,0 @@ -/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.springframework.security.taglibs.authz; - -import java.util.Collection; -import java.util.Collections; -import java.util.HashSet; -import java.util.Set; - -import javax.servlet.jsp.JspException; -import javax.servlet.jsp.tagext.Tag; -import javax.servlet.jsp.tagext.TagSupport; - -import org.springframework.security.core.Authentication; -import org.springframework.security.core.GrantedAuthority; -import org.springframework.security.core.authority.AuthorityUtils; -import org.springframework.security.core.authority.GrantedAuthorityImpl; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.web.util.ExpressionEvaluationUtils; - - -/** - * An implementation of {@link javax.servlet.jsp.tagext.Tag} that allows it's body through if some authorizations - * are granted to the request's principal. 
- * - * @author Francois Beausoleil - */ -public class LegacyAuthorizeTag extends TagSupport { - //~ Instance fields ================================================================================================ - - private String ifAllGranted = ""; - private String ifAnyGranted = ""; - private String ifNotGranted = ""; - - //~ Methods ======================================================================================================== - - private Set authoritiesToRoles(Collection c) { - Set target = new HashSet(); - - for (GrantedAuthority authority : c) { - if (null == authority.getAuthority()) { - throw new IllegalArgumentException( - "Cannot process GrantedAuthority objects which return null from getAuthority() - attempting to process " - + authority.toString()); - } - - target.add(authority.getAuthority()); - } - - return target; - } - - public int doStartTag() throws JspException { - if (((null == ifAllGranted) || "".equals(ifAllGranted)) && ((null == ifAnyGranted) || "".equals(ifAnyGranted)) - && ((null == ifNotGranted) || "".equals(ifNotGranted))) { - return Tag.SKIP_BODY; - } - - final Collection granted = getPrincipalAuthorities(); - - final String evaledIfNotGranted = ExpressionEvaluationUtils.evaluateString("ifNotGranted", ifNotGranted, - pageContext); - - if ((null != evaledIfNotGranted) && !"".equals(evaledIfNotGranted)) { - Set grantedCopy = retainAll(granted, parseAuthoritiesString(evaledIfNotGranted)); - - if (!grantedCopy.isEmpty()) { - return Tag.SKIP_BODY; - } - } - - final String evaledIfAllGranted = ExpressionEvaluationUtils.evaluateString("ifAllGranted", ifAllGranted, - pageContext); - - if ((null != evaledIfAllGranted) && !"".equals(evaledIfAllGranted)) { - if (!granted.containsAll(parseAuthoritiesString(evaledIfAllGranted))) { - return Tag.SKIP_BODY; - } - } - - final String evaledIfAnyGranted = ExpressionEvaluationUtils.evaluateString("ifAnyGranted", ifAnyGranted, - pageContext); - - if ((null != evaledIfAnyGranted) && 
!"".equals(evaledIfAnyGranted)) { - Set grantedCopy = retainAll(granted, parseAuthoritiesString(evaledIfAnyGranted)); - - if (grantedCopy.isEmpty()) { - return Tag.SKIP_BODY; - } - } - - return Tag.EVAL_BODY_INCLUDE; - } - - public String getIfAllGranted() { - return ifAllGranted; - } - - public String getIfAnyGranted() { - return ifAnyGranted; - } - - public String getIfNotGranted() { - return ifNotGranted; - } - - private Collection getPrincipalAuthorities() { - Authentication currentUser = SecurityContextHolder.getContext().getAuthentication(); - - if (null == currentUser) { - return Collections.emptyList(); - } - - return currentUser.getAuthorities(); - } - - private Set parseAuthoritiesString(String authorizationsString) { - final Set requiredAuthorities = new HashSet(); - requiredAuthorities.addAll(AuthorityUtils.commaSeparatedStringToAuthorityList(authorizationsString)); - - return requiredAuthorities; - } - - /** - * Find the common authorities between the current authentication's {@link GrantedAuthority} and the ones - * that have been specified in the tag's ifAny, ifNot or ifAllGranted attributes.

We need to manually - * iterate over both collections, because the granted authorities might not implement {@link - * Object#equals(Object)} and {@link Object#hashCode()} in the same way as {@link GrantedAuthorityImpl}, thereby - * invalidating {@link Collection#retainAll(java.util.Collection)} results.

- *

- * CAVEAT: This method will not work if the granted authorities - * returns a null string as the return value of {@link GrantedAuthority#getAuthority()}. - *

- * - * @param granted The authorities granted by the authentication. May be any implementation of {@link - * GrantedAuthority} that does not return null from {@link - * GrantedAuthority#getAuthority()}. - * @param required A {@link Set} of {@link GrantedAuthorityImpl}s that have been built using ifAny, ifAll or - * ifNotGranted. - * - * @return A set containing only the common authorities between granted and required. - * - */ - private Set retainAll(final Collection granted, final Set required) { - Set grantedRoles = authoritiesToRoles(granted); - Set requiredRoles = authoritiesToRoles(required); - grantedRoles.retainAll(requiredRoles); - - return rolesToAuthorities(grantedRoles, granted); - } - - private Set rolesToAuthorities(Set grantedRoles, Collection granted) { - Set target = new HashSet(); - - for (String role : grantedRoles) { - for (GrantedAuthority authority : granted) { - if (authority.getAuthority().equals(role)) { - target.add(authority); - - break; - } - } - } - - return target; - } - - public void setIfAllGranted(String ifAllGranted) throws JspException { - this.ifAllGranted = ifAllGranted; - } - - public void setIfAnyGranted(String ifAnyGranted) throws JspException { - this.ifAnyGranted = ifAnyGranted; - } - - public void setIfNotGranted(String ifNotGranted) throws JspException { - this.ifNotGranted = ifNotGranted; - } -} diff --git a/taglibs/src/main/java/org/springframework/security/taglibs/velocity/AuthzImpl.java b/taglibs/src/main/java/org/springframework/security/taglibs/velocity/AuthzImpl.java index c809f52882..56fa3b1847 100644 --- a/taglibs/src/main/java/org/springframework/security/taglibs/velocity/AuthzImpl.java +++ b/taglibs/src/main/java/org/springframework/security/taglibs/velocity/AuthzImpl.java 
@@ -20,7 +20,7 @@ import javax.servlet.jsp.tagext.Tag; import org.springframework.context.ApplicationContext; import org.springframework.security.taglibs.authz.AuthenticationTag; -import org.springframework.security.taglibs.authz.LegacyAuthorizeTag; +import org.springframework.security.taglibs.authz.JspAuthorizeTag; /** @@ -72,10 +72,10 @@ public class AuthzImpl implements Authz { } /** - * implementation of LegacyAuthorizeTag + * implementation of JspAuthorizeTag */ private boolean ifGranted(String roles, int grantType) { - LegacyAuthorizeTag authorizeTag = new LegacyAuthorizeTag(); + JspAuthorizeTag authorizeTag = new JspAuthorizeTag(); int result; diff --git a/taglibs/src/main/resources/META-INF/security.tld b/taglibs/src/main/resources/META-INF/security.tld index b14383f498..87b0368cb7 100644 --- a/taglibs/src/main/resources/META-INF/security.tld +++ b/taglibs/src/main/resources/META-INF/security.tld @@ -13,7 +13,7 @@ authorize - org.springframework.security.taglibs.authz.AuthorizeTag + org.springframework.security.taglibs.authz.JspAuthorizeTag A tag which outputs the body of the tag if the configured access expression evaluates to true for the currently authenticated principal. diff --git a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagAttributeTests.java b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagAttributeTests.java index 22c02f8b3b..03f854a709 100644 --- a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagAttributeTests.java +++ b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagAttributeTests.java 
@@ -36,7 +36,7 @@ import javax.servlet.jsp.tagext.Tag; public class AuthorizeTagAttributeTests extends TestCase { //~ Instance fields ================================================================================================ - private final LegacyAuthorizeTag authorizeTag = new LegacyAuthorizeTag(); + private final JspAuthorizeTag authorizeTag = new JspAuthorizeTag(); private TestingAuthenticationToken currentUser; //~ Methods ======================================================================================================== diff --git a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java index 13c2950ebb..233daf8a31 100644 --- a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java +++ b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java @@ -34,7 +34,7 @@ import javax.servlet.jsp.tagext.Tag; public class AuthorizeTagCustomGrantedAuthorityTests extends TestCase { //~ Instance fields ================================================================================================ - private final LegacyAuthorizeTag authorizeTag = new LegacyAuthorizeTag(); + private final JspAuthorizeTag authorizeTag = new JspAuthorizeTag(); private TestingAuthenticationToken currentUser; //~ Methods ======================================================================================================== diff --git a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagExpressionLanguageTests.java b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagExpressionLanguageTests.java index 3cc352b969..df34d51b9a 100644 --- a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagExpressionLanguageTests.java 
+++ b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagExpressionLanguageTests.java @@ -33,7 +33,7 @@ import org.springframework.security.core.context.SecurityContextHolder; public class AuthorizeTagExpressionLanguageTests extends TestCase { //~ Instance fields ================================================================================================ - private final LegacyAuthorizeTag authorizeTag = new LegacyAuthorizeTag(); + private final JspAuthorizeTag authorizeTag = new JspAuthorizeTag(); private MockPageContext pageContext; private TestingAuthenticationToken currentUser; diff --git a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagTests.java b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagTests.java index 226c023fb5..77455dc9dc 100644 --- a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagTests.java +++ b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagTests.java @@ -43,7 +43,7 @@ import org.springframework.web.context.support.StaticWebApplicationContext; public class AuthorizeTagTests { //~ Instance fields ================================================================================================ - private AuthorizeTag authorizeTag; + private JspAuthorizeTag authorizeTag; private final TestingAuthenticationToken currentUser = new TestingAuthenticationToken("abc", "123", "ROLE SUPERVISOR", "ROLE_TELLER"); //~ Methods ======================================================================================================== 
@@ -56,7 +56,7 @@ public class AuthorizeTagTests { ctx.registerSingleton("wipe", MockWebInvocationPrivilegeEvaluator.class); MockServletContext servletCtx = new MockServletContext(); servletCtx.setAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE, ctx); - authorizeTag = new AuthorizeTag(); + authorizeTag = new JspAuthorizeTag(); authorizeTag.setPageContext(new MockPageContext(servletCtx, new MockHttpServletRequest(), new MockHttpServletResponse())); } @@ -125,9 +125,18 @@ public class AuthorizeTagTests { @Test public void testDefaultsToNotOutputtingBodyWhenNoRequiredAuthorities() throws JspException { - assertEquals("", authorizeTag.getIfAllGranted()); - assertEquals("", authorizeTag.getIfAnyGranted()); - assertEquals("", authorizeTag.getIfNotGranted()); + assertEquals(null, authorizeTag.getIfAllGranted()); + assertEquals(null, authorizeTag.getIfAnyGranted()); + assertEquals(null, authorizeTag.getIfNotGranted()); + + assertEquals(Tag.SKIP_BODY, authorizeTag.doStartTag()); + } + + @Test + public void testDefaultsToNotOutputtingBodyWhenNoAuthoritiesProvided() throws JspException { + authorizeTag.setIfAllGranted(""); + authorizeTag.setIfAnyGranted(""); + authorizeTag.setIfNotGranted(""); assertEquals(Tag.SKIP_BODY, authorizeTag.doStartTag()); } diff --git a/web/src/test/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilterTest.java b/web/src/test/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilterTest.java index 22178b4182..cf60ee94b8 100644 --- a/web/src/test/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilterTest.java +++ b/web/src/test/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilterTest.java 
@@ -83,7 +83,6 @@ public class JaasApiIntegrationFilterTest {
 authenticatedSubject.getPrivateCredentials().add("password");
 authenticatedSubject.getPublicCredentials().add("username");
 callbackHandler = new CallbackHandler() {
- @Override
 public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
 for (Callback callback : callbacks) {
 if (callback instanceof NameCallback) {