SEC-1775: Removed internal use of UserAttribute class in AnonymousAuthenticationFilter.

This commit is contained in:
Luke Taylor 2011-07-04 21:09:23 +01:00
parent 5d20f57fa8
commit 73442125de
4 changed files with 67 additions and 44 deletions


@ -137,8 +137,8 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
}
// Simulate an anonymous access with the supplied attributes.
AnonymousAuthenticationToken token = new AnonymousAuthenticationToken("key", anonPF.getUserAttribute().getPassword(),
anonPF.getUserAttribute().getAuthorities());
AnonymousAuthenticationToken token = new AnonymousAuthenticationToken("key", anonPF.getPrincipal(),
anonPF.getAuthorities());
try {
fsi.getAccessDecisionManager().decide(token, loginRequest, attributes);
} catch (AccessDeniedException e) {


@ -170,9 +170,9 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
AnonymousAuthenticationFilter filter = getFilter(AnonymousAuthenticationFilter);
expect:
'customKey' == filter.getKey()
'joe' == filter.userAttribute.password
'anonymity' == filter.userAttribute.authorities[0].authority
'customKey' == filter.key
'joe' == filter.principal
'anonymity' == filter.authorities[0].authority
}
def httpMethodMatchIsSupported() {


@ -17,6 +17,7 @@ package org.springframework.security.web.authentication;
import java.io.IOException;
import java.util.*;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
@ -28,6 +29,8 @@ import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.memory.UserAttribute;
import org.springframework.util.Assert;
@ -39,6 +42,7 @@ import org.springframework.web.filter.GenericFilterBean;
* populates it with one if needed.
*
* @author Ben Alex
* @author Luke Taylor
*/
public class AnonymousAuthenticationFilter extends GenericFilterBean implements InitializingBean {
@ -47,14 +51,44 @@ public class AnonymousAuthenticationFilter extends GenericFilterBean implements
private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource
= new WebAuthenticationDetailsSource();
private String key;
private UserAttribute userAttribute;
private Object principal;
private List<GrantedAuthority> authorities;
/**
* @deprecated Use constructor injection version
*/
@Deprecated
public AnonymousAuthenticationFilter() {
}
/**
* Creates a filter with a principal named "anonymousUser" and the single authority "ROLE_ANONYMOUS".
*
* @param key the key to identify tokens created by this filter
*/
public AnonymousAuthenticationFilter(String key) {
this(key, "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
}
/**
*
* @param key key the key to identify tokens created by this filter
* @param principal the principal which will be used to represent anonymous users
* @param authorities the authority list for anonymous users
*/
public AnonymousAuthenticationFilter(String key, Object principal, List<GrantedAuthority> authorities) {
this.key = key;
this.principal = principal;
this.authorities = authorities;
}
//~ Methods ========================================================================================================
@Override
public void afterPropertiesSet() {
Assert.notNull(userAttribute);
Assert.hasLength(key);
Assert.notNull(principal, "Anonymous authentication principal must be set");
Assert.notNull(authorities, "Anonymous authorities must be set");
}
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
@ -89,37 +123,49 @@ public class AnonymousAuthenticationFilter extends GenericFilterBean implements
* @return <code>true</code> if the anonymous token should be setup for this request (provided that the request
* doesn't already have some other <code>Authentication</code> inside it), or <code>false</code> if no
* anonymous token should be setup for this request
* @deprecated no obvious use case and can easily be achieved by other means
*/
@Deprecated
protected boolean applyAnonymousForThisRequest(HttpServletRequest request) {
return true;
}
protected Authentication createAuthentication(HttpServletRequest request) {
AnonymousAuthenticationToken auth = new AnonymousAuthenticationToken(key, userAttribute.getPassword(),
userAttribute.getAuthorities());
AnonymousAuthenticationToken auth = new AnonymousAuthenticationToken(key, principal, authorities);
auth.setDetails(authenticationDetailsSource.buildDetails(request));
return auth;
}
public String getKey() {
return key;
}
public UserAttribute getUserAttribute() {
return userAttribute;
}
public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
this.authenticationDetailsSource = authenticationDetailsSource;
}
public Object getPrincipal() {
return principal;
}
public List<GrantedAuthority> getAuthorities() {
return authorities;
}
/**
*
* @deprecated use constructor injection instead
*/
@Deprecated
public void setKey(String key) {
this.key = key;
}
/**
*
* @deprecated use constructor injection instead
*/
@Deprecated
public void setUserAttribute(UserAttribute userAttributeDefinition) {
this.userAttribute = userAttributeDefinition;
this.principal = userAttributeDefinition.getPassword();
this.authorities = userAttributeDefinition.getAuthorities();
}
}
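Review bot: The new three-argument constructor (the `this.key = key; … this.authorities = authorities;` body in the `@ -47,14 +51,44` hunk) stores the caller's `List<GrantedAuthority>` by reference and performs none of the checks that `afterPropertiesSet()` does, so a filter built directly in code rather than as a Spring bean can carry a null key or principal until `createAuthentication` is reached, and `getAuthorities()` hands back a list the caller can still mutate after construction. Since this list decides what every anonymous request is permitted to do, it is worth validating the arguments up front and copying the list into an unmodifiable one; whether `AnonymousAuthenticationToken` copies the list itself is not visible in this hunk. The Javadoc on that constructor also begins with an empty line and doubles a word in `@param key key the key …`; a summary sentence such as `Creates a filter with the supplied key, principal and authority list.` would fix both. `java.util.*` is already imported, so `Collections` and `ArrayList` need no new import.
```java
public AnonymousAuthenticationFilter(String key, Object principal, List<GrantedAuthority> authorities) {
    Assert.hasLength(key, "key cannot be null or empty");
    Assert.notNull(principal, "Anonymous authentication principal must be set");
    Assert.notNull(authorities, "Anonymous authorities must be set");
    this.key = key;
    this.principal = principal;
    // Defensive copy: callers must not be able to change the anonymous authorities after construction.
    this.authorities = Collections.unmodifiableList(new ArrayList<GrantedAuthority>(authorities));
}
// … unchanged: afterPropertiesSet, doFilter, createAuthentication, getters and deprecated setters …
```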


@ -76,36 +76,13 @@ public class AnonymousAuthenticationFilterTests {
}
@Test
public void testGettersSetters() throws Exception {
UserAttribute user = new UserAttribute();
user.setPassword("anonymousUsername");
user.addAuthority(new SimpleGrantedAuthority("ROLE_ANONYMOUS"));
AnonymousAuthenticationFilter filter = new AnonymousAuthenticationFilter();
filter.setKey("qwerty");
filter.setUserAttribute(user);
filter.afterPropertiesSet();
assertEquals("qwerty", filter.getKey());
assertEquals(user, filter.getUserAttribute());
}
@Test
public void testOperationWhenAuthenticationExistsInContextHolder()
throws Exception {
public void testOperationWhenAuthenticationExistsInContextHolder() throws Exception {
// Put an Authentication object into the SecurityContextHolder
Authentication originalAuth = new TestingAuthenticationToken("user", "password", "ROLE_A");
SecurityContextHolder.getContext().setAuthentication(originalAuth);
// Setup our filter correctly
UserAttribute user = new UserAttribute();
user.setPassword("anonymousUsername");
user.addAuthority(new SimpleGrantedAuthority("ROLE_ANONYMOUS"));
AnonymousAuthenticationFilter filter = new AnonymousAuthenticationFilter();
filter.setKey("qwerty");
filter.setUserAttribute(user);
filter.afterPropertiesSet();
AnonymousAuthenticationFilter filter =
new AnonymousAuthenticationFilter("qwerty", "anonymousUsername", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
// Test
MockHttpServletRequest request = new MockHttpServletRequest();