
OPEN - issue SEC-775: CLONE -impossible to specify "observeOncePerRequest" property in the namespace based configuration.
http://jira.springframework.org/browse/SEC-775. Corrected check for value of observe-once-per-request attribute. Should be a check for "false" as it is true by default.

Luke Taylor 17 年之前
父节点
当前提交
7238097310

+ 2 - 2
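--- a/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
+++ b/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
@@ -169,8 +169,8 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
         filterSecurityInterceptorBuilder.addPropertyValue("authenticationManager",
                 ConfigUtils.registerProviderManagerIfNecessary(parserContext));
         
-        if ("true".equals(element.getAttribute(ATT_ONCE_PER_REQUEST))) {
-        	filterSecurityInterceptorBuilder.addPropertyValue("observeOncePerRequest", Boolean.TRUE);
+        if ("false".equals(element.getAttribute(ATT_ONCE_PER_REQUEST))) {
+        	filterSecurityInterceptorBuilder.addPropertyValue("observeOncePerRequest", Boolean.FALSE);
         }
 
         // SEC-501 - should paths stored in request maps be converted to lower case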
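Review bot: The new condition `"false".equals(element.getAttribute(ATT_ONCE_PER_REQUEST))` is an exact, case-sensitive match, so any other spelling of the value (for example `FALSE`, or a value with surrounding whitespace) is silently treated like an absent attribute and `observeOncePerRequest` keeps its default of `true`. That default is the less strict setting, since the interceptor is then applied only once per request, so a mistyped value fails open unless schema validation rejects it first, which this hunk does not show. I would at least document the assumption above the `if`, e.g. `// Only an exact "false" overrides the default (true); other values are assumed to be rejected by schema validation`. The enclosing method starts and ends outside the hunk.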

+ 1 - 1
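--- a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc
+++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc
@@ -214,7 +214,7 @@ http.attlist &=
     ## Allows a customized AuthenticationEntryPoint to be used.
     attribute entry-point-ref {xsd:string}?
 http.attlist &=
-    ## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "false"
+    ## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "true"
     attribute once-per-request {boolean}?
 http.attlist &=
     ## Allows the access denied page to be set (the user will be redirected here if an AccessDeniedException is raised).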

+ 1 - 1
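--- a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd
+++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd
@@ -700,7 +700,7 @@
     <xs:attribute name="once-per-request" type="security:boolean">
       <xs:annotation>
         <xs:documentation>Corresponds to the observeOncePerRequest property of
-          FilterSecurityInterceptor. Defaults to "false"</xs:documentation>
+          FilterSecurityInterceptor. Defaults to "true"</xs:documentation>
       </xs:annotation>
     </xs:attribute>
     <xs:attribute name="access-denied-page" type="xs:string">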

+ 6 - 3
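--- a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
+++ b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
@@ -97,7 +97,10 @@ public class HttpSecurityBeanDefinitionParserTests {
         assertTrue(filters.next() instanceof RememberMeProcessingFilter);
         assertTrue(filters.next() instanceof AnonymousProcessingFilter);
         assertTrue(filters.next() instanceof ExceptionTranslationFilter);
-        assertTrue(filters.next() instanceof FilterSecurityInterceptor);
+        Object fsiObj = filters.next();
+        assertTrue(fsiObj instanceof FilterSecurityInterceptor);
+        FilterSecurityInterceptor fsi = (FilterSecurityInterceptor) fsiObj;
+        assertTrue(fsi.isObserveOncePerRequest());
     }
 
     @Test
@@ -202,12 +205,12 @@ public class HttpSecurityBeanDefinitionParserTests {
 
     @Test
     public void oncePerRequestAttributeIsSupported() throws Exception {
-        setContext("<http once-per-request='true'><http-basic /></http>" + AUTH_PROVIDER_XML);
+        setContext("<http once-per-request='false'><http-basic /></http>" + AUTH_PROVIDER_XML);
         List filters = getFilters("/someurl");
         
         FilterSecurityInterceptor fsi = (FilterSecurityInterceptor) filters.get(filters.size() - 1);
         
-        assertFalse(fsi.isObserveOncePerRequest());
+        assertFalse(fsi.isObserveOncePerRequest());
     }
     
     @Test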
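Review bot: With `oncePerRequestAttributeIsSupported` switched to `once-per-request='false'`, the visible hunks no longer exercise an explicit `once-per-request='true'`; the first hunk covers only the absent-attribute default. Since the parser now matches only the literal `"false"`, a companion test that sets `once-per-request='true'` and ends with `assertTrue(fsi.isObserveOncePerRequest());` would pin both attribute values and catch a future inversion of the check. The test class continues outside these hunks, so such a case may already exist elsewhere.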