SEC-1131: Applied patch for portlet upgrade

core/src/main/java/org/springframework/security/authoritymapping/SimpleMappableAttributesRetriever.java

@@ -1,6 +1,5 @@
 package org.springframework.security.authoritymapping;
 
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
@@ -25,9 +24,10 @@ public class SimpleMappableAttributesRetriever implements MappableAttributesRetr
         return mappableAttributes;
     }
 
-    public void setMappableAttributes(String[] aMappableRoles) {
+    @SuppressWarnings("unchecked")
-        mappableAttributes = new HashSet<String>(aMappableRoles.length);
+    public void setMappableAttributes(Set aMappableRoles) {
-        mappableAttributes.addAll(Arrays.asList(aMappableRoles));
+        mappableAttributes = new HashSet<String>();
+        mappableAttributes.addAll(aMappableRoles);
         mappableAttributes = Collections.unmodifiableSet(mappableAttributes);
     }
 

core/src/test/java/org/springframework/security/authoritymapping/SimpleMappableRolesRetrieverTests.java

@@ -3,8 +3,10 @@ package org.springframework.security.authoritymapping;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Set;
+import java.util.HashSet;
 
 import junit.framework.TestCase;
+import org.springframework.util.StringUtils;
 
 /**
  *
@@ -14,13 +16,12 @@ import junit.framework.TestCase;
 public class SimpleMappableRolesRetrieverTests extends TestCase {
 
     public final void testGetSetMappableRoles() {
-        String[] roles = new String[] { "Role1", "Role2" };
+        Set<String> roles = StringUtils.commaDelimitedListToSet("Role1,Role2");
         SimpleMappableAttributesRetriever r = new SimpleMappableAttributesRetriever();
         r.setMappableAttributes(roles);
         Set<String> result = r.getMappableAttributes();
-        Collection<String> rolesColl = Arrays.asList(roles);
+        assertTrue("Role collections do not match; result: " + result + ", expected: " + roles, roles.containsAll(result)
-        assertTrue("Role collections do not match; result: " + result + ", expected: " + rolesColl, rolesColl.containsAll(result)
+                && result.containsAll(roles));
-                && result.containsAll(rolesColl));
     }
 
 }

pom.xml

@@ -19,7 +19,7 @@
         <module>samples</module>
         <module>taglibs</module>
         <module>itest</module>
-        <!-- module>portlet</module -->
+        <module>portlet</module>
   </modules>
 
     <description>Spring Security</description>

portlet/pom.xml

@@ -12,7 +12,7 @@
     <dependencies>
         <dependency>
             <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-core</artifactId>
+            <artifactId>spring-security-web</artifactId>
             <version>${project.version}</version>
         </dependency>
         <dependency>
@@ -22,13 +22,13 @@
         <dependency>
           <groupId>javax.portlet</groupId>
           <artifactId>portlet-api</artifactId>
-          <version>1.0</version>
+          <version>2.0</version>
           <scope>provided</scope>
         </dependency>
         <dependency>
           <groupId>org.springframework</groupId>
-          <artifactId>spring-portlet</artifactId>
+          <artifactId>org.springframework.web.portlet</artifactId>
-          <version>2.0.8</version>
+          <version>${spring.version}</version>
         </dependency>
         <dependency>
           <groupId>org.springframework</groupId>

portlet/src/main/java/org/springframework/security/context/PortletSessionContextIntegrationInterceptor.java

@@ -18,14 +18,7 @@ package org.springframework.security.context;
 
 import java.lang.reflect.Method;
 
-import javax.portlet.ActionRequest;
+import javax.portlet.*;
-import javax.portlet.ActionResponse;
-import javax.portlet.PortletException;
-import javax.portlet.PortletRequest;
-import javax.portlet.PortletResponse;
-import javax.portlet.PortletSession;
-import javax.portlet.RenderRequest;
-import javax.portlet.RenderResponse;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -34,6 +27,8 @@ import org.springframework.util.Assert;
 import org.springframework.util.ReflectionUtils;
 import org.springframework.web.portlet.HandlerInterceptor;
 import org.springframework.web.portlet.ModelAndView;
+import org.springframework.security.web.context.SecurityContextPersistenceFilter;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 
 /**
  * <p>This interceptor populates the {@link SecurityContextHolder} with information obtained from the
@@ -75,10 +70,10 @@ import org.springframework.web.portlet.ModelAndView;
  * sharing it with all the other portlets in your webapp (which is generally a good idea).  It also means that (if
  * you have done all the other appropriate magic), you will share this <code>SecurityContext</code> with servlets in
  * your webapp.  This is very useful if you have servlets serving images or processing AJAX calls from your portlets
- * since they can now use the {@link HttpSessionContextIntegrationFilter} to access the same <code>SecurityContext<code>
+ * since they can now use the {@link SecurityContextPersistenceFilter} to access the same <code>SecurityContext<code>
  * object from the session.  This allows these calls to be secured as well as the portlet calls.</p>
  *
- * Much of the logic of this interceptor comes from the {@link HttpSessionContextIntegrationFilter} class which
+ * Much of the logic of this interceptor comes from the {@link SecurityContextPersistenceFilter} class which
  * fills the same purpose on the servlet side.  Ben Alex and Patrick Burlson are listed as authors here because they
  * are the authors of that class and there are blocks of code that essentially identical between the two. (Making this
  * a good candidate for refactoring someday.)
@@ -101,7 +96,7 @@ public class PortletSessionContextIntegrationInterceptor
 
     protected static final Log logger = LogFactory.getLog(PortletSessionContextIntegrationInterceptor.class);
 
-    public static final String SPRING_SECURITY_CONTEXT_KEY = HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY;
+    public static final String SPRING_SECURITY_CONTEXT_KEY = HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY;
 
     private static final String SESSION_EXISTED = PortletSessionContextIntegrationInterceptor.class.getName() + ".SESSION_EXISTED";
     private static final String CONTEXT_HASHCODE = PortletSessionContextIntegrationInterceptor.class.getName() + ".CONTEXT_HASHCODE";
@@ -219,6 +214,42 @@ public class PortletSessionContextIntegrationInterceptor
         afterCompletion(request, response, handler, ex);
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    public boolean preHandleResource(ResourceRequest request, ResourceResponse response, Object handler) throws Exception {
+        return preHandle(request, response, handler);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public void postHandleResource(ResourceRequest request, ResourceResponse response, Object handler, ModelAndView modelAndView) throws Exception {
+        // no-op
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public void afterResourceCompletion(ResourceRequest request, ResourceResponse response, Object handler, Exception ex) throws Exception {
+        // call to common afterCompletion method
+        afterCompletion(request, response, handler, ex);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public boolean preHandleEvent(EventRequest request, EventResponse response, Object handler) throws Exception {
+        return preHandle(request, response, handler);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public void afterEventCompletion(EventRequest request, EventResponse response, Object handler, Exception ex) throws Exception {
+        // call to common afterCompletion method
+        afterCompletion(request, response, handler, ex);
+    }
 
     private boolean preHandle(PortletRequest request, PortletResponse response,
             Object handler) throws Exception {

portlet/src/main/java/org/springframework/security/ui/portlet/PortletPreAuthenticatedAuthenticationDetailsSource.java

@@ -6,7 +6,7 @@ import java.util.Set;
 
 import javax.portlet.PortletRequest;
 
-import org.springframework.security.ui.preauth.j2ee.AbstractPreAuthenticatedAuthenticationDetailsSource;
+import org.springframework.security.web.authentication.preauth.j2ee.AbstractPreAuthenticatedAuthenticationDetailsSource;
 
 public class PortletPreAuthenticatedAuthenticationDetailsSource extends AbstractPreAuthenticatedAuthenticationDetailsSource {
 

portlet/src/main/java/org/springframework/security/ui/portlet/PortletProcessingInterceptor.java

@@ -22,23 +22,18 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 
-import javax.portlet.ActionRequest;
+import javax.portlet.*;
-import javax.portlet.ActionResponse;
-import javax.portlet.PortletRequest;
-import javax.portlet.PortletResponse;
-import javax.portlet.PortletSession;
-import javax.portlet.RenderRequest;
-import javax.portlet.RenderResponse;
 
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationDetailsSource;
 import org.springframework.security.AuthenticationDetailsSourceImpl;
 import org.springframework.security.AuthenticationException;
 import org.springframework.security.AuthenticationManager;
+import org.springframework.security.web.authentication.AbstractProcessingFilter;
 import org.springframework.security.context.SecurityContext;
 import org.springframework.security.context.SecurityContextHolder;
 import org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken;
-import org.springframework.security.ui.AbstractProcessingFilter;
+import org.springframework.security.web.authentication.AbstractProcessingFilter;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.InitializingBean;
@@ -69,14 +64,10 @@ import org.springframework.web.portlet.ModelAndView;
  *
  * <p>This interceptor will put the <code>PortletRequest</code> object into the
  * <code>details<code> property of the <code>Authentication</code> object that is sent
- * as a request to the <code>AuthenticationManager</code>.  This is done so that the request
+ * as a request to the <code>AuthenticationManager</code>.
- * is available to classes like {@link ContainerPortletAuthoritiesPopulator} that need
- * access to information from the portlet container.  The {@link PortletAuthenticationProvider}
- * will replace this with the <code>USER_INFO</code> map in the resulting <code>Authentication</code>
- * object.</p>
  *
- * @see org.springframework.security.ui.AbstractProcessingFilter
+ * @see org.springframework.security.web.authentication.AbstractProcessingFilter
- * @see org.springframework.security.ui.webapp.AuthenticationProcessingFilter
+ * @see org.springframework.security.web.authentication.AuthenticationProcessingFilter
  * @author John A. Lewis
  * @since 2.0
  * @version $Id$
@@ -130,6 +121,35 @@ public class PortletProcessingInterceptor implements HandlerInterceptor, Initial
             Object handler, Exception ex) throws Exception {
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    public boolean preHandleResource(ResourceRequest request, ResourceResponse response, Object handler) throws Exception {
+        return preHandle(request, response, handler);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public void postHandleResource(ResourceRequest request, ResourceResponse response, Object handler, ModelAndView modelAndView) throws Exception {
+    }
+
+    public void afterResourceCompletion(ResourceRequest request, ResourceResponse response, Object handler, Exception ex) throws Exception {
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public boolean preHandleEvent(EventRequest request, EventResponse response, Object handler) throws Exception {
+        return preHandle(request, response, handler);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public void afterEventCompletion(EventRequest request, EventResponse response, Object handler, Exception ex) throws Exception {
+    }
+
     /**
      * Common preHandle method for both the action and render phases of the interceptor.
      */

portlet/src/test/java/org/springframework/security/ui/portlet/PortletProcessingInterceptorTests.java

@@ -34,6 +34,7 @@ import org.springframework.mock.web.portlet.MockRenderResponse;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationManager;
 import org.springframework.security.BadCredentialsException;
+import org.springframework.security.web.authentication.AbstractProcessingFilter;
 import org.springframework.security.context.SecurityContextHolder;
 import org.springframework.security.providers.TestingAuthenticationToken;
 import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

samples/pom.xml

@@ -16,7 +16,7 @@
         <module>preauth</module>
         <module>openid</module>
         <module>ldap</module>
-        <!-- module>portlet</module -->
+        <module>portlet</module>
         <module>cas</module>        
     </modules>
     <dependencies>

samples/portlet/src/main/java/org/springframework/web/portlet/sample/SecurityContextPortlet.java

@@ -11,11 +11,11 @@ import javax.portlet.RenderRequest;
 import javax.portlet.RenderResponse;
 
 import org.springframework.security.context.SecurityContextHolder;
-import org.springframework.security.ui.AbstractProcessingFilter;
+import org.springframework.security.web.authentication.AbstractProcessingFilter;
 
 
 /**
- * A simple portlet which prints out the contents of the current {@link SecurityContext} 
+ * A simple portlet which prints out the contents of the current {@link org.springframework.security.context.SecurityContext} 
  *  
  * @author Luke Taylor
  */

samples/portlet/src/main/resources/portlet/securityContextPortlet.xml

@@ -38,7 +38,7 @@
                 <property name="mappableRolesRetriever">
                     <bean class="org.springframework.security.authoritymapping.SimpleMappableAttributesRetriever">
                         <property name="mappableAttributes">
-                            <list>
+                            <set>
                                 <value>tomcat</value>
                                 <value>admin</value>
                                 <value>manager</value>
@@ -47,7 +47,7 @@
                                 <value>Guest</value>
                                 <value>User</value>
                                 <value>Power User</value>
-                            </list>
+                            </set>
                         </property>                        
                     </bean>
                 </property>

web/src/test/java/org/springframework/security/web/authentication/preauth/j2ee/J2eeBasedPreAuthenticatedWebAuthenticationDetailsSourceTests.java

@@ -19,6 +19,7 @@ import org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPre
 import org.springframework.security.GrantedAuthority;
 
 import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.util.StringUtils;
 
 /**
  *
@@ -123,7 +124,7 @@ public class J2eeBasedPreAuthenticatedWebAuthenticationDetailsSourceTests extend
 
     private MappableAttributesRetriever getMappableRolesRetriever(String[] mappedRoles) {
         SimpleMappableAttributesRetriever result = new SimpleMappableAttributesRetriever();
-        result.setMappableAttributes(mappedRoles);
+        result.setMappableAttributes(new HashSet<String>(Arrays.asList(mappedRoles)));
         return result;
     }