SEC-1491: Add support for an external priority SecurityMetadataSource to be referenced from global-method-security.

2011-04-04 19:49:36 +01:00 · 2011-04-04 19:49:36 +01:00 · 8d99918798
parent 3084ad878f
commit 8d99918798
5 changed files with 38 additions and 6 deletions
--- a/config/src/main/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParser.java
@ -79,6 +79,7 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
    private static final String ATT_REF = "ref";
    private static final String ATT_MODE = "mode";
    private static final String ATT_ADVICE_ORDER = "order";
    private static final String ATT_META_DATA_SOURCE_REF = "metadata-source-ref";
    public BeanDefinition parse(Element element, ParserContext pc) {
        CompositeComponentDefinition compositeDef =
@ -97,6 +98,13 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
        BeanDefinition preInvocationVoter = null;
        ManagedList<BeanMetadataElement> afterInvocationProviders = new ManagedList<BeanMetadataElement>();
        // Check for an external SecurityMetadataSource, which takes priority over other sources
        String metaDataSourceId = element.getAttribute(ATT_META_DATA_SOURCE_REF);
        if (StringUtils.hasText(metaDataSourceId)) {
            delegates.add(new RuntimeBeanReference(metaDataSourceId));
        }
        if (prePostAnnotationsEnabled) {
            Element prePostElt = DomUtils.getChildElementByTagName(element, INVOCATION_HANDLING);
            Element expressionHandlerElt = DomUtils.getChildElementByTagName(element, EXPRESSION_HANDLER);
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc
@ -226,6 +226,8 @@ global-method-security.attlist &=
 global-method-security.attlist &=
    ## Can be used to specify that AspectJ should be used instead of the default Spring AOP. If set, secured classes must be woven with the AnnotationSecurityAspect from the spring-security-aspects module.
    attribute mode {"aspectj"}?
 global-method-security.attlist &=
    attribute metadata-source-ref {xsd:token}?
 after-invocation-provider =
    ## Allows addition of extra AfterInvocationProvider beans which should be called by the MethodSecurityInterceptor created by global-method-security.
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd
@ -576,6 +576,7 @@
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
    <xs:attribute name="metadata-source-ref" type="xs:token"/>
  </xs:attributeGroup>
--- a/config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java
@ -346,6 +346,28 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
        assertSame(ram, FieldUtils.getFieldValue(msi.getAdvice(), "runAsManager"));
    }
    @Test
    @SuppressWarnings("unchecked")
    public void supportsExternalMetadataSource() throws Exception {
        setContext(
                "<b:bean id='target' class='" + ConcreteFoo.class.getName()  + "'/>" +
                "<method-security-metadata-source id='mds'>" +
                "      <protect method='"+ Foo.class.getName() + ".foo' access='ROLE_ADMIN'/>" +
                "</method-security-metadata-source>" +
                "<global-method-security pre-post-annotations='enabled' metadata-source-ref='mds'/>" + AUTH_PROVIDER_XML
        );
        // External MDS should take precedence over PreAuthorize
        SecurityContextHolder.getContext().setAuthentication(bob);
        Foo foo = (Foo) appContext.getBean("target");
        try {
            foo.foo(new SecurityConfig("A"));
            fail("Bob can't invoke admin methods");
        } catch (AccessDeniedException expected) {
        }
        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("admin", "password"));
        foo.foo(new SecurityConfig("A"));
    }
    private void setContext(String context) {
        appContext = new InMemoryXmlApplicationContext(context);
    }
--- a/core/src/test/java/org/springframework/security/access/annotation/SecuredAnnotationSecurityMetadataDefinitionSourceTests.java
+++ b/core/src/test/java/org/springframework/security/access/annotation/SecuredAnnotationSecurityMetadataDefinitionSourceTests.java
@ -16,19 +16,18 @@ package org.springframework.security.access.annotation;
 import static org.junit.Assert.*;
 import org.junit.*;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.SecurityConfig;
 import org.springframework.security.core.GrantedAuthority;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Inherited;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 import java.lang.reflect.Method;
 import java.util.*;
 import org.junit.*;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.SecurityConfig;
 import org.springframework.security.core.GrantedAuthority;
 /**
 * Tests for {@link org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource}