SEC-586: Implemented secure channel support in namespace configuration.

2007-11-11 22:07:46 +00:00 · 2007-11-11 22:07:46 +00:00 · 910e63f83c
parent c214f4a9bc
commit 910e63f83c
6 changed files with 106 additions and 73 deletions
--- a/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
+++ b/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
@ -1,27 +1,39 @@
 package org.springframework.security.config;
 import org.springframework.security.ConfigAttributeDefinition;
 import org.springframework.security.ConfigAttributeEditor;
 import org.springframework.security.context.HttpSessionContextIntegrationFilter;
 import org.springframework.security.intercept.web.AbstractFilterInvocationDefinitionSource;
 import org.springframework.security.intercept.web.FilterInvocationDefinitionMap;
 import org.springframework.security.intercept.web.FilterSecurityInterceptor;
 import org.springframework.security.intercept.web.PathBasedFilterInvocationDefinitionMap;
 import org.springframework.security.intercept.web.RegExpBasedFilterInvocationDefinitionMap;
 import org.springframework.security.securechannel.ChannelDecisionManagerImpl;
 import org.springframework.security.securechannel.ChannelProcessingFilter;
 import org.springframework.security.securechannel.InsecureChannelProcessor;
 import org.springframework.security.securechannel.SecureChannelProcessor;
 import org.springframework.security.ui.ExceptionTranslationFilter;
 import org.springframework.security.util.FilterChainProxy;
 import org.springframework.security.util.RegexUrlPathMatcher;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.RuntimeBeanReference;
 import org.springframework.beans.factory.support.BeanDefinitionBuilder;
 import org.springframework.beans.factory.support.BeanDefinitionRegistry;
 import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.security.ConfigAttributeDefinition;
 import org.springframework.security.ConfigAttributeEditor;
 import org.springframework.security.context.HttpSessionContextIntegrationFilter;
 import org.springframework.security.intercept.web.FilterInvocationDefinitionMap;
 import org.springframework.security.intercept.web.FilterSecurityInterceptor;
 import org.springframework.security.intercept.web.PathBasedFilterInvocationDefinitionMap;
 import org.springframework.security.intercept.web.RegExpBasedFilterInvocationDefinitionMap;
 import org.springframework.security.ui.ExceptionTranslationFilter;
 import org.springframework.security.util.FilterChainProxy;
 import org.springframework.security.util.RegexUrlPathMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
 import org.w3c.dom.Element;
-import java.util.*;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Iterator;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 /**
 * Sets up HTTP security: filter stack and protected URLs.
@ -38,6 +50,8 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
    public static final String DEFAULT_LOGOUT_FILTER_ID = "_logoutFilter";
    public static final String DEFAULT_EXCEPTION_TRANSLATION_FILTER_ID = "_exceptionTranslationFilter";
    public static final String DEFAULT_FILTER_SECURITY_INTERCEPTOR_ID = "_filterSecurityInterceptor";
    public static final String DEFAULT_CHANNEL_PROCESSING_FILTER_ID = "_channelProcessingFilter";
    public static final String DEFAULT_CHANNEL_DECISION_MANAGER_ID = "_channelDecisionManager";
    public static final String CONCURRENT_SESSIONS_ELEMENT = "concurrent-session-control";
    public static final String LOGOUT_ELEMENT = "logout";
@ -53,6 +67,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
    static final String NO_FILTERS_VALUE = "none";
    private static final String ACCESS_CONFIG_ATTRIBUTE = "access";
    private static final String REQUIRES_CHANNEL_ATTRIBUTE = "requiresChannel";
    public BeanDefinition parse(Element element, ParserContext parserContext) {
        RootBeanDefinition filterChainProxy = new RootBeanDefinition(FilterChainProxy.class);
@ -78,10 +93,12 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
        String patternType = element.getAttribute(PATTERN_TYPE_ATTRIBUTE);
        FilterInvocationDefinitionMap interceptorFilterInvDefSource = new PathBasedFilterInvocationDefinitionMap();
        FilterInvocationDefinitionMap channelFilterInvDefSource = new PathBasedFilterInvocationDefinitionMap();
        if (patternType.equals(PATTERN_TYPE_REGEX)) {
            filterChainProxy.getPropertyValues().addPropertyValue("matcher", new RegexUrlPathMatcher());
            interceptorFilterInvDefSource = new RegExpBasedFilterInvocationDefinitionMap();
            channelFilterInvDefSource = new RegExpBasedFilterInvocationDefinitionMap();
        }
        filterChainProxy.getPropertyValues().addPropertyValue("filterChainMap", filterChainMap);
@ -92,7 +109,28 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
        //filterSecurityInterceptorBuilder.setAutowireMode(RootBeanDefinition.AUTOWIRE_BY_TYPE);
        parseInterceptUrls(DomUtils.getChildElementsByTagName(element, "intercept-url"),
-                filterChainMap, interceptorFilterInvDefSource);
+                filterChainMap, interceptorFilterInvDefSource, channelFilterInvDefSource, parserContext);
        BeanDefinitionRegistry registry = parserContext.getRegistry();
        // Check if we need to register the channel processing beans
        if (((AbstractFilterInvocationDefinitionSource)channelFilterInvDefSource).getMapSize() > 0) {
            // At least one channel requirement has been specified
            RootBeanDefinition channelFilter = new RootBeanDefinition(ChannelProcessingFilter.class);
            channelFilter.getPropertyValues().addPropertyValue("channelDecisionManager",
                    new RuntimeBeanReference(DEFAULT_CHANNEL_DECISION_MANAGER_ID));
            channelFilter.getPropertyValues().addPropertyValue("filterInvocationDefinitionSource",
                    channelFilterInvDefSource);
            RootBeanDefinition channelDecisionManager = new RootBeanDefinition(ChannelDecisionManagerImpl.class);
            List channelProcessors = new ArrayList(2);
            channelProcessors.add(new SecureChannelProcessor());
            channelProcessors.add(new InsecureChannelProcessor());
            channelDecisionManager.getPropertyValues().addPropertyValue("channelProcessors", channelProcessors);
            registry.registerBeanDefinition(DEFAULT_CHANNEL_PROCESSING_FILTER_ID, channelFilter);
            registry.registerBeanDefinition(DEFAULT_CHANNEL_DECISION_MANAGER_ID, channelDecisionManager);
        }
        Element sessionControlElt = DomUtils.getChildElementByTagName(element, CONCURRENT_SESSIONS_ELEMENT);
@ -100,8 +138,8 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
            new ConcurrentSessionsBeanDefinitionParser().parse(sessionControlElt, parserContext);
        }
-        // Parse remember me before logout as RememberMeServices is also a LogoutHandler implementation. 
+        // Parse remember me before logout as RememberMeServices is also a LogoutHandler implementation.
-        BeanDefinitionRegistry registry = parserContext.getRegistry();
+
        Element rememberMeElt = DomUtils.getChildElementByTagName(element, REMEMBER_ME_ELEMENT);
@ -149,11 +187,12 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
     * FilterInvocationDefinitionSource used in FilterSecurityInterceptor.
     */
    private void parseInterceptUrls(List urlElts, Map filterChainMap,
-            FilterInvocationDefinitionMap interceptorFilterInvDefSource) {
+            FilterInvocationDefinitionMap interceptorFilterInvDefSource,
            FilterInvocationDefinitionMap channelFilterInvDefSource, ParserContext parserContext) {
        Iterator urlEltsIterator = urlElts.iterator();
-        ConfigAttributeEditor attributeEditor = new ConfigAttributeEditor();
+        ConfigAttributeEditor editor = new ConfigAttributeEditor();
        while (urlEltsIterator.hasNext()) {
            Element urlElt = (Element) urlEltsIterator.next();
@ -166,18 +205,33 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
            // Convert the comma-separated list of access attributes to a ConfigAttributeDefinition
            if (StringUtils.hasText(access)) {
-                attributeEditor.setAsText(access);
+                editor.setAsText(access);
                interceptorFilterInvDefSource.addSecureUrl(path, (ConfigAttributeDefinition) editor.getValue());
            }
-                ConfigAttributeDefinition attributeDef = (ConfigAttributeDefinition) attributeEditor.getValue();
+            String requiredChannel = urlElt.getAttribute(REQUIRES_CHANNEL_ATTRIBUTE);
-                interceptorFilterInvDefSource.addSecureUrl(path, attributeDef);
+            if (StringUtils.hasText(requiredChannel)) {
                String channelConfigAttribute = null;
                if (requiredChannel.equals("https")) {
                    channelConfigAttribute = "REQUIRES_SECURE_CHANNEL";
                } else if (requiredChannel.equals("http")) {
                    channelConfigAttribute = "REQUIRES_INSECURE_CHANNEL";
                } else {
                    parserContext.getReaderContext().error("Unsupported channel " + requiredChannel, urlElt);
                }
                editor.setAsText(channelConfigAttribute);
                channelFilterInvDefSource.addSecureUrl(path, (ConfigAttributeDefinition) editor.getValue());
            }
            String filters = urlElt.getAttribute(FILTERS_ATTRIBUTE);
            if (StringUtils.hasText(filters)) {
                if (!filters.equals(NO_FILTERS_VALUE)) {
-                    throw new IllegalStateException("Currently only 'none' is supported as the custom filters attribute");
+                    parserContext.getReaderContext().error("Currently only 'none' is supported as the custom " +
                            "filters attribute", urlElt);
                }
                filterChainMap.put(path, Collections.EMPTY_LIST);
--- a/core/src/main/java/org/springframework/security/config/HttpSecurityConfigPostProcessor.java
+++ b/core/src/main/java/org/springframework/security/config/HttpSecurityConfigPostProcessor.java
@ -163,7 +163,7 @@ public class HttpSecurityConfigPostProcessor implements BeanFactoryPostProcessor
            if (!(filter instanceof Ordered)) {
                // TODO: Possibly log this as a warning and skip this filter.
-                throw new IllegalArgumentException("Filter " + id + " must implement the Ordered interface");
+                throw new SecurityConfigurationException("Filter " + id + " must implement the Ordered interface");
            }
            orderedFilters.add(filter);
--- a/core/src/main/java/org/springframework/security/securechannel/ChannelProcessingFilter.java
+++ b/core/src/main/java/org/springframework/security/securechannel/ChannelProcessingFilter.java
@ -17,47 +17,40 @@ package org.springframework.security.securechannel;
 import org.springframework.security.ConfigAttribute;
 import org.springframework.security.ConfigAttributeDefinition;
 import org.springframework.security.intercept.web.FilterInvocation;
 import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;
 import org.springframework.security.ui.SpringSecurityFilter;
 import org.springframework.security.ui.FilterChainOrderUtils;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.util.Assert;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.springframework.beans.factory.InitializingBean;
+import javax.servlet.FilterChain;
-
+import javax.servlet.ServletException;
-import org.springframework.util.Assert;
+import javax.servlet.http.HttpServletRequest;
-
+import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.Set;
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 /**
- * Ensures a web request is delivered over the required channel.<p>Internally uses a {@link FilterInvocation} to
+ * Ensures a web request is delivered over the required channel.
- * represent the request, so that the <code>FilterInvocation</code>-related property editors and lookup classes can be
+ * <p>Internally uses a {@link FilterInvocation} to represent the request, so that the
- * used.</p>
+ * <code>FilterInvocation</code>-related property editors and lookup classes can be used.</p>
- *  <P>Delegates the actual channel security decisions and necessary actions to the configured {@link
+ * <p>Delegates the actual channel security decisions and necessary actions to the configured
- * ChannelDecisionManager}. If a response is committed by the <code>ChannelDecisionManager</code>, the filter chain
+ * {@link ChannelDecisionManager}. If a response is committed by the <code>ChannelDecisionManager</code>,
- * will not proceed.</p>
+ * the filter chain will not proceed.</p>
- *  <P><B>Do not use this class directly.</B> Instead configure <code>web.xml</code> to use the {@link
+ *  <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
 * org.springframework.security.util.FilterToBeanProxy}.</p>
 *
 * @author Ben Alex
 * @version $Id$
 */
-public class ChannelProcessingFilter implements InitializingBean, Filter {
+public class ChannelProcessingFilter extends SpringSecurityFilter implements InitializingBean {
    //~ Static fields/initializers =====================================================================================
    private static final Log logger = LogFactory.getLog(ChannelProcessingFilter.class);
@ -108,17 +101,8 @@ public class ChannelProcessingFilter implements InitializingBean, Filter {
        }
    }
-    public void destroy() {}
+    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            throw new ServletException("HttpServletRequest required");
        }
        if (!(response instanceof HttpServletResponse)) {
            throw new ServletException("HttpServletResponse required");
        }
        FilterInvocation fi = new FilterInvocation(request, response, chain);
        ConfigAttributeDefinition attr = this.filterInvocationDefinitionSource.getAttributes(fi);
@ -146,8 +130,6 @@ public class ChannelProcessingFilter implements InitializingBean, Filter {
        return filterInvocationDefinitionSource;
    }
    public void init(FilterConfig filterConfig) throws ServletException {}
    public void setChannelDecisionManager(ChannelDecisionManager channelDecisionManager) {
        this.channelDecisionManager = channelDecisionManager;
    }
@ -155,4 +137,8 @@ public class ChannelProcessingFilter implements InitializingBean, Filter {
    public void setFilterInvocationDefinitionSource(FilterInvocationDefinitionSource filterInvocationDefinitionSource) {
        this.filterInvocationDefinitionSource = filterInvocationDefinitionSource;
    }
    public int getOrder() {
        return FilterChainOrderUtils.CHANNEL_PROCESSING_FILTER_ORDER;
    }
 }
--- a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
+++ b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
@ -1,19 +1,21 @@
 package org.springframework.security.config;
 import org.springframework.context.support.ClassPathXmlApplicationContext;
 import org.springframework.security.concurrent.ConcurrentSessionFilter;
 import org.springframework.security.context.HttpSessionContextIntegrationFilter;
 import org.springframework.security.intercept.web.FilterSecurityInterceptor;
 import org.springframework.security.securechannel.ChannelProcessingFilter;
 import org.springframework.security.ui.ExceptionTranslationFilter;
 import org.springframework.security.ui.rememberme.RememberMeProcessingFilter;
 import org.springframework.security.ui.basicauth.BasicProcessingFilter;
 import org.springframework.security.ui.logout.LogoutFilter;
 import org.springframework.security.ui.rememberme.RememberMeProcessingFilter;
 import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;
 import org.springframework.security.ui.webapp.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.util.FilterChainProxy;
 import org.springframework.context.support.ClassPathXmlApplicationContext;
 import org.junit.AfterClass;
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import org.junit.BeforeClass;
 import org.junit.Test;
@ -56,17 +58,18 @@ public class HttpSecurityBeanDefinitionParserTests {
        List filterList = filterChainProxy.getFilters("/someurl");
-        assertEquals("Expected 9 filters in chain", 9, filterList.size());
+        assertEquals("Expected 10 filters in chain", 10, filterList.size());
        Iterator filters = filterList.iterator();
        assertTrue(filters.next() instanceof ChannelProcessingFilter);
        assertTrue(filters.next() instanceof ConcurrentSessionFilter);
        assertTrue(filters.next() instanceof HttpSessionContextIntegrationFilter);
        assertTrue(filters.next() instanceof LogoutFilter);
        assertTrue(filters.next() instanceof AuthenticationProcessingFilter);
        assertTrue(filters.next() instanceof DefaultLoginPageGeneratingFilter);
        assertTrue(filters.next() instanceof BasicProcessingFilter);
-        assertTrue(filters.next() instanceof RememberMeProcessingFilter);        
+        assertTrue(filters.next() instanceof RememberMeProcessingFilter);
        assertTrue(filters.next() instanceof ExceptionTranslationFilter);
        assertTrue(filters.next() instanceof FilterSecurityInterceptor);
    }
--- a/core/src/test/java/org/springframework/security/securechannel/ChannelProcessingFilterTests.java
+++ b/core/src/test/java/org/springframework/security/securechannel/ChannelProcessingFilterTests.java
@ -48,14 +48,6 @@ import javax.servlet.ServletResponse;
 public class ChannelProcessingFilterTests extends TestCase {
    //~ Methods ========================================================================================================
    public static void main(String[] args) {
        junit.textui.TestRunner.run(ChannelProcessingFilterTests.class);
    }
    public final void setUp() throws Exception {
        super.setUp();
    }
    public void testDetectsMissingChannelDecisionManager()
        throws Exception {
        ChannelProcessingFilter filter = new ChannelProcessingFilter();
@ -200,7 +192,6 @@ public class ChannelProcessingFilterTests extends TestCase {
            filter.doFilter(null, new MockHttpServletResponse(), new MockFilterChain());
            fail("Should have thrown ServletException");
        } catch (ServletException expected) {
            assertEquals("HttpServletRequest required", expected.getMessage());
        }
    }
@ -212,7 +203,6 @@ public class ChannelProcessingFilterTests extends TestCase {
            filter.doFilter(new MockHttpServletRequest(null, null), null, new MockFilterChain());
            fail("Should have thrown ServletException");
        } catch (ServletException expected) {
            assertEquals("HttpServletResponse required", expected.getMessage());
        }
    }
--- a/core/src/test/resources/org/springframework/security/config/http-security.xml
+++ b/core/src/test/resources/org/springframework/security/config/http-security.xml
@ -8,7 +8,7 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
    <security:http createSession="ifRequired" pathType="ant" lowerCaseComparisons="true">
        <security:intercept-url pattern="/unprotected" filters="none" />
-        <security:intercept-url pattern="/somepath" access="ROLE_SPECIAL,ROLE_USER" />
+        <security:intercept-url pattern="/somepath" access="ROLE_SPECIAL,ROLE_USER" requiresChannel="http" />
        <security:intercept-url pattern="/**" access="ROLE_USER" />
        <!-- Default form login configuration. Will create filter and entry point -->
@ -18,7 +18,7 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
        <security:http-basic realm="NamespaceTestRealm" />
        <!-- Default logout configuration -->
-        <security:logout logoutUrl="/j_spring_security_logout" logoutSuccessUrl="/" invalidateSession="true" />        
+        <security:logout logoutUrl="/j_spring_security_logout" logoutSuccessUrl="/" invalidateSession="true" />
        <security:concurrent-session-control maxSessions="1"/>