From 8d681b3b8035a6b7b0d708d9a3a711e04acf2449 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Thu, 23 Jun 2022 15:43:55 -0600 Subject: [PATCH] Polish SecurityContextHolderStrategy XML Configuration for Defaults Issue gh-11061 --- .../http/AuthenticationConfigBuilder.java | 12 ++++++------ .../config/http/HttpConfigurationBuilder.java | 17 ++++++++--------- .../config/http/LogoutBeanDefinitionParser.java | 7 +++---- 3 files changed, 17 insertions(+), 19 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java b/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java index 1508cb46b4..05270cfd2f 100644 --- a/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java +++ b/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java @@ -236,7 +236,7 @@ final class AuthenticationConfigBuilder { AuthenticationConfigBuilder(Element element, boolean forceAutoConfig, ParserContext pc, SessionCreationPolicy sessionPolicy, BeanReference requestCache, BeanReference authenticationManager, - BeanReference authenticationFilterSecurityContextHolderStrategyRef, + BeanMetadataElement authenticationFilterSecurityContextHolderStrategyRef, BeanReference authenticationFilterSecurityContextRepositoryRef, BeanReference sessionStrategy, BeanReference portMapper, BeanReference portResolver, BeanMetadataElement csrfLogoutHandler) { this.httpElt = element; 
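Review bot: The constructor parameter `authenticationFilterSecurityContextHolderStrategyRef` keeps its `Ref` suffix after being widened to `BeanMetadataElement`, so the name still promises a bean reference where the value may now be an inline bean definition. Consider dropping the suffix (`authenticationFilterSecurityContextHolderStrategy`) or adding a comment at the declaration such as `// bean reference when the http element names a strategy, otherwise an inline default definition`. The same applies to the widened parameters of `createFormLoginFilter`, `createBasicFilter`, `createLogoutFilter`, `createAnonymousFilter` and `createExceptionTranslationFilter`, to the `holderStrategyRef` field and its getter in HttpConfigurationBuilder, and to the field and constructor parameter in LogoutBeanDefinitionParser. The constructor body continues outside the hunk.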
@@ -295,7 +295,7 @@ final class AuthenticationConfigBuilder { } void createFormLoginFilter(BeanReference sessionStrategy, BeanReference authManager, - BeanReference authenticationFilterSecurityContextHolderStrategyRef, + BeanMetadataElement authenticationFilterSecurityContextHolderStrategyRef, BeanReference authenticationFilterSecurityContextRepositoryRef) { Element formLoginElt = DomUtils.getChildElementByTagName(this.httpElt, Elements.FORM_LOGIN); RootBeanDefinition formFilter = null; @@ -570,7 +570,7 @@ final class AuthenticationConfigBuilder { } void createBasicFilter(BeanReference authManager, - BeanReference authenticationFilterSecurityContextHolderStrategyRef) { + BeanMetadataElement authenticationFilterSecurityContextHolderStrategyRef) { Element basicAuthElt = DomUtils.getChildElementByTagName(this.httpElt, Elements.BASIC_AUTH); if (basicAuthElt == null && !this.autoConfig) { // No basic auth, do nothing @@ -747,7 +747,7 @@ final class AuthenticationConfigBuilder { } } - void createLogoutFilter(BeanReference authenticationFilterSecurityContextHolderStrategyRef) { + void createLogoutFilter(BeanMetadataElement authenticationFilterSecurityContextHolderStrategyRef) { Element logoutElt = DomUtils.getChildElementByTagName(this.httpElt, Elements.LOGOUT); if (logoutElt != null || this.autoConfig) { String formLoginPage = this.formLoginPage; @@ -812,7 +812,7 @@ final class AuthenticationConfigBuilder { return this.csrfIgnoreRequestMatchers; } - void createAnonymousFilter(BeanReference authenticationFilterSecurityContextHolderStrategyRef) { + void createAnonymousFilter(BeanMetadataElement authenticationFilterSecurityContextHolderStrategyRef) { Element anonymousElt = DomUtils.getChildElementByTagName(this.httpElt, Elements.ANONYMOUS); if (anonymousElt != null && "false".equals(anonymousElt.getAttribute("enabled"))) { return; 
@@ -858,7 +858,7 @@ final class AuthenticationConfigBuilder { return Long.toString(random.nextLong()); } - void createExceptionTranslationFilter(BeanReference authenticationFilterSecurityContextHolderStrategyRef) { + void createExceptionTranslationFilter(BeanMetadataElement authenticationFilterSecurityContextHolderStrategyRef) { BeanDefinitionBuilder etfBuilder = BeanDefinitionBuilder.rootBeanDefinition(ExceptionTranslationFilter.class); this.accessDeniedHandler = createAccessDeniedHandler(this.httpElt, this.pc); etfBuilder.addPropertyValue("accessDeniedHandler", this.accessDeniedHandler); diff --git a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java index ca4ee8d828..e7c4eda627 100644 --- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java +++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -161,7 +161,7 @@ class HttpConfigurationBuilder { private BeanDefinition forceEagerSessionCreationFilter; - private BeanReference holderStrategyRef; + private BeanMetadataElement holderStrategyRef; private BeanReference contextRepoRef; @@ -302,7 +302,7 @@ class HttpConfigurationBuilder { return lowerCase ? path.toLowerCase() : path; } - BeanReference getSecurityContextHolderStrategyForAuthenticationFilters() { + BeanMetadataElement getSecurityContextHolderStrategyForAuthenticationFilters() { return this.holderStrategyRef; } 
@@ -351,13 +351,12 @@ class HttpConfigurationBuilder { private void createSecurityContextHolderStrategy() { String holderStrategyRef = this.httpElt.getAttribute(ATT_SECURITY_CONTEXT_HOLDER_STRATEGY); - if (!StringUtils.hasText(holderStrategyRef)) { - BeanDefinition holderStrategyBean = BeanDefinitionBuilder - .rootBeanDefinition(SecurityContextHolderStrategyFactory.class).getBeanDefinition(); - holderStrategyRef = this.pc.getReaderContext().generateBeanName(holderStrategyBean); - this.pc.registerBeanComponent(new BeanComponentDefinition(holderStrategyBean, holderStrategyRef)); + if (StringUtils.hasText(holderStrategyRef)) { + this.holderStrategyRef = new RuntimeBeanReference(holderStrategyRef); + return; } - this.holderStrategyRef = new RuntimeBeanReference(holderStrategyRef); + this.holderStrategyRef = BeanDefinitionBuilder.rootBeanDefinition(SecurityContextHolderStrategyFactory.class) + .getBeanDefinition(); } private void createSecurityContextRepository() { diff --git a/config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java index f7f4a4ec0d..f1072cce83 100644 --- a/config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
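Review bot: The default branch of `createSecurityContextHolderStrategy` now hands out one unregistered `BeanDefinition` instead of a reference to a registered bean, and nothing in the method records that every consumer must still end up with the same strategy. If this value is set as a property on several filter definitions, the container would presumably resolve it as a separate inner bean per filter, so correctness depends on `SecurityContextHolderStrategyFactory` (not shown here) returning the same strategy each time; filters that disagreed would read and write the authentication in different holders. A comment on the default branch would capture that, e.g. `// inline default: resolved per consuming filter, every instance must yield the same strategy`. Separately, the local `String holderStrategyRef` shadows the field of the same name, which now has a different type; naming the local `holderStrategyBeanName` would make the two assignments easier to tell apart.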
@@ -20,7 +20,6 @@ import org.w3c.dom.Element; import org.springframework.beans.BeanMetadataElement; import org.springframework.beans.factory.config.BeanDefinition; -import org.springframework.beans.factory.config.BeanReference; import org.springframework.beans.factory.config.RuntimeBeanReference; import org.springframework.beans.factory.support.BeanDefinitionBuilder; import org.springframework.beans.factory.support.ManagedList; @@ -62,10 +61,10 @@ class LogoutBeanDefinitionParser implements BeanDefinitionParser { private BeanMetadataElement logoutSuccessHandler; - private BeanReference authenticationFilterSecurityContextHolderStrategyRef; + private BeanMetadataElement authenticationFilterSecurityContextHolderStrategyRef; LogoutBeanDefinitionParser(String loginPageUrl, String rememberMeServices, BeanMetadataElement csrfLogoutHandler, - BeanReference authenticationFilterSecurityContextHolderStrategyRef) { + BeanMetadataElement authenticationFilterSecurityContextHolderStrategyRef) { this.defaultLogoutUrl = loginPageUrl + "?logout"; this.rememberMeServices = rememberMeServices; this.csrfEnabled = csrfLogoutHandler != null;