SEC-271: Fixed IllegalStateException being thrown by LogoutHandlerOrdereResolver and add an assert statement in the unit test

core/src/main/java/org/acegisecurity/config/LogoutHandlerOrderResolver.java

@@ -67,10 +67,14 @@ public class LogoutHandlerOrderResolver implements BeanFactoryPostProcessor {
 		for (int i = 0, n = names.length; i < n; i++) {
 			RootBeanDefinition definition = (RootBeanDefinition) beanFactory.getBeanDefinition(names[i]);
 
-			if (Ordered.class.isAssignableFrom(definition.getBeanClass())) {
+			if (definition.hasBeanClass()) {
-				definition.getPropertyValues().addPropertyValue("order", new Integer(getOrder(definition.getBeanClass())));
+				if (Ordered.class.isAssignableFrom(definition.getBeanClass())) {
-			} else {
+					definition.getPropertyValues().addPropertyValue("order",
-				definition.getPropertyValues().addPropertyValue("order", new Integer(Integer.MAX_VALUE));
+							new Integer(getOrder(definition.getBeanClass())));
+				}
+				else {
+					definition.getPropertyValues().addPropertyValue("order", new Integer(Integer.MAX_VALUE));
+				}
 			}
 			list.add(definition);
 		}

core/src/test/java/org/acegisecurity/config/LogoutFilterBeanDefinitionParserTests.java

@@ -3,19 +3,27 @@
  */
 package org.acegisecurity.config;
 
-import org.springframework.context.ApplicationContext;
+import java.util.Map;
-import org.springframework.context.support.ClassPathXmlApplicationContext;
 
 import junit.framework.TestCase;
 
+import org.acegisecurity.ui.logout.LogoutHandler;
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.support.ClassPathXmlApplicationContext;
+
 /**
  * @author vpuri
  * 
  */
 public class LogoutFilterBeanDefinitionParserTests extends TestCase {
 
-	public void testLogoutFilter(){
+	public void testLogoutFilter() {
-		ApplicationContext context = new ClassPathXmlApplicationContext("org/acegisecurity/config/logout-filter-with-handlers.xml");
+		ApplicationContext context = new ClassPathXmlApplicationContext(
+				"org/acegisecurity/config/logout-filter-with-handlers.xml");
+		ConfigurableListableBeanFactory bf = (ConfigurableListableBeanFactory) context.getAutowireCapableBeanFactory();
+		Map m = bf.getBeansOfType(LogoutHandler.class);
+		assertEquals(2, m.size());
 	}
 
 }

core/src/test/resources/org/acegisecurity/config/logout-filter-with-handlers.xml

@@ -14,11 +14,14 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
 	<!-- If LogoutFilter does not have setHandlers populated, introspect app ctx for LogoutHandlers, using Ordered (if present, otherwise assume Integer.MAX_VALUE) -->
 	<!-- The logoutUrl and redirectAfterLogout are both optional and default to that shown -->
 	<security:logout-support id="logoutFilter"
-		redirectAfterLogoutUrl="/" logoutUrl="/logout"/>
+		redirectAfterLogoutUrl="/" logoutUrl="/logout" />
 
 	<security:authentication-remember-me-services
 		id="rememberMeServices" key="someValue" />
 
+	<bean id="SecurityContextLogoutHandler"
+		class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler" />
+
 	<security:principal-repository id="userDetailsService">
 		<security:user-definition username="vishal"
 			password="nottellingya" enabled="true">

samples/tutorial/src/webapp/WEB-INF/applicationContext-acegi-security.xml

@@ -1,24 +1,32 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
 
-<!--
+<beans xmlns="http://www.springframework.org/schema/beans"
-  - A simple "base bones" Acegi Security configuration.
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  -
+	xmlns:security="http://www.springframework.org/schema/security"
-  - The sample includes the "popular" features that people tend to use.
+	xmlns:util="http://www.springframework.org/schema/util"
-  - Specifically, form authentication, remember-me, and anonymous processing.
+	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd 
-  - Other features aren't setup, as these can be added later by inserting
+	http://www.springframework.org/schema/util http://www.springframework.org/schema/beans/spring-util-2.0.xsd
-  - the relevant XML fragments as specified in the Reference Guide.
+	http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
-  -
-  - To assist new users, the filters specified in the FilterChainProxy are
-  - declared in the application context in the same order. Collaborators
-  - required by those filters are placed at the end of the file.
-  -
-  - $Id$
-  -->
 
-<beans>
+	<!--
+		- A simple "base bones" Acegi Security configuration.
+		-
+		- The sample includes the "popular" features that people tend to use.
+		- Specifically, form authentication, remember-me, and anonymous processing.
+		- Other features aren't setup, as these can be added later by inserting
+		- the relevant XML fragments as specified in the Reference Guide.
+		-
+		- To assist new users, the filters specified in the FilterChainProxy are
+		- declared in the application context in the same order. Collaborators
+		- required by those filters are placed at the end of the file.
+		-
+		- $Id$
+	-->
 
-	<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
+
+
+	<bean id="filterChainProxy"
+		class="org.acegisecurity.util.FilterChainProxy">
 		<property name="filterInvocationDefinitionSource">
 			<value>
 				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
@@ -28,61 +36,82 @@
 		</property>
 	</bean>
 
-	<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>
+	<!-- sessionCreation defaults to ifRequired(true) always(true) never(false) . -->
+	<security:session-context-integration
+		id="httpSessionContextIntegrationFilter" sessionCreation="ifRequired" />
 
-	<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
+
-		<constructor-arg value="/index.jsp"/> <!-- URL redirected to after logout -->
+	<!-- If LogoutFilter does not have setHandlers populated, introspect app ctx for LogoutHandlers, using Ordered (if present, otherwise assume Integer.MAX_VALUE) -->
-		<constructor-arg>
+	<!-- The logoutUrl and redirectAfterLogout are both optional and default to that shown -->
-			<list>
+	<security:logout-support id="logoutFilter"
-				<ref bean="rememberMeServices"/>
+		redirectAfterLogoutUrl="/index.jsp" />
-				<bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
+
-			</list>
+	<security:authentication-remember-me-services
-		</constructor-arg>
+		id="rememberMeServices" key="someValue" />
+
+
+	<bean id="securityContextLogoutHandler"
+		class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler" />
+
+	<!--  the URLs are all mandatory and have no defaults (well, except authenticationUrl) -->
+	<security:authentication-form id="authenticationProcessinFilter"
+		authenticationUrl="/j_acegi_security_check" defaultTargetUrl="/"
+		errorFormUrl="/acegilogin.jsp?login_error=1" />
+
+	<!-- make it optional, if not supplied autodetect all auth-providers from app ctx, using Ordered to resolve their order  -->
+	<security:authentication-mechanism id="authenticationManager" />
+
+	<!-- dao authentication provider "authenticationRepository" -->
+	<security:authentication-repository id="daoAuthenticationProvider" />
+
+	<bean id="securityContextHolderAwareRequestFilter"
+		class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter" />
+
+	<!-- makes the filter, but does little else, as it auto-detects everything -->
+	<security:authentication-remember-me-filter id="rememberMeFilter" />
+
+	<bean id="anonymousProcessingFilter"
+		class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
+		<property name="key" value="changeThis" />
+		<property name="userAttribute"
+			value="anonymousUser,ROLE_ANONYMOUS" />
 	</bean>
 
-	<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
+	<!-- Basically accessDeniedUrl is optional, we if unspecified impl will auto-detect any AccessDeniedHandler in ctx and use it; 
-		<property name="authenticationManager" ref="authenticationManager"/>
+		alternately if there are > 1 such handlers, we can nominate the one to use via accessDeniedBeanRef; provide nested elements for
-		<property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1"/>
+		other props; i do not mind if you move the access denied stuff to a sub-element -->
-		<property name="defaultTargetUrl" value="/"/>
+	<security:exception-translation id="exceptionTranslationFilter">
-		<property name="filterProcessesUrl" value="/j_acegi_security_check"/>
+		<security:entry-point
-		<property name="rememberMeServices" ref="rememberMeServices"/>
+			entryPointBeanRef="authenticationEntryPoint" />
+	</security:exception-translation>
+
+
+	<bean id="authenticationEntryPoint"
+		class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
+		<property name="loginFormUrl" value="/acegilogin.jsp" />
+		<property name="forceHttps" value="false" />
 	</bean>
 
-	<bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>
 
-	<bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
+	<bean id="accessDeniedHandler"
-		<property name="authenticationManager" ref="authenticationManager"/>
+		class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
-		<property name="rememberMeServices" ref="rememberMeServices"/>
+		<property name="errorPage" value="/accessDenied.jsp" />
 	</bean>
 
-	<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
-		<property name="key" value="changeThis"/>
-		<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
-	</bean>
 
-	<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
+	<bean id="filterInvocationInterceptor"
-		<property name="authenticationEntryPoint">
+		class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
-			<bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
+		<property name="authenticationManager"
-				<property name="loginFormUrl" value="/acegilogin.jsp"/>
+			ref="authenticationManager" />
-				<property name="forceHttps" value="false"/>
-			</bean>
-		</property>
-		<property name="accessDeniedHandler">
-			<bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
-				<property name="errorPage" value="/accessDenied.jsp"/>
-			</bean>
-		</property>
-	</bean>
-
-	<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
-		<property name="authenticationManager" ref="authenticationManager"/>
 		<property name="accessDecisionManager">
 			<bean class="org.acegisecurity.vote.AffirmativeBased">
-				<property name="allowIfAllAbstainDecisions" value="false"/>
+				<property name="allowIfAllAbstainDecisions"
+					value="false" />
 				<property name="decisionVoters">
 					<list>
-						<bean class="org.acegisecurity.vote.RoleVoter"/>
+						<bean class="org.acegisecurity.vote.RoleVoter" />
-						<bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
+						<bean
+							class="org.acegisecurity.vote.AuthenticatedVoter" />
 					</list>
 				</property>
 			</bean>
@@ -98,51 +127,48 @@
 		</property>
 	</bean>
 
-	<bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
-		<property name="userDetailsService" ref="userDetailsService"/>
-		<property name="key" value="changeThis"/>
-	</bean>
 
-	<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
+	<!--<bean id="authenticationManager"
+		class="org.acegisecurity.providers.ProviderManager">
 		<property name="providers">
-			<list>
+		<list>
-				<ref local="daoAuthenticationProvider"/>
+		<ref local="daoAuthenticationProvider" />
-				<bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
+		<bean
-					<property name="key" value="changeThis"/>
+		class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
-				</bean>
+		<property name="key" value="changeThis" />
-				<bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
+		</bean>
-					<property name="key" value="changeThis"/>
+		<bean
-				</bean>
+		class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
-			</list>
+		<property name="key" value="changeThis" />
+		</bean>
+		</list>
 		</property>
-	</bean>
+		</bean>-->
 
-	<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
+	<bean id="userCache"
-		<property name="userDetailsService" ref="userDetailsService"/>
+		class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
-		<property name="userCache">
+		<property name="cache">
-			<bean class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
+			<bean
-				<property name="cache">
+				class="org.springframework.cache.ehcache.EhCacheFactoryBean">
-					<bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
+				<property name="cacheManager">
-						<property name="cacheManager">
+					<bean
-							<bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
+						class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
-						</property>
-						<property name="cacheName" value="userCache"/>
-					</bean>
 				</property>
+				<property name="cacheName" value="userCache" />
 			</bean>
 		</property>
 	</bean>
 
+
 	<!-- UserDetailsService is the most commonly frequently Acegi Security interface implemented by end users -->
-	<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
+
-		<property name="userProperties">
+	<security:principal-repository id="userDetailsService">
-			<bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+		<security:properties resource="/WEB-INF/users.properties" />
-				<property name="location" value="/WEB-INF/users.properties"/>
+	</security:principal-repository>
-			</bean>
+
-		</property>
-	</bean>
 
 	<!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
-	<bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>
+	<bean id="loggerListener"
+		class="org.acegisecurity.event.authentication.LoggerListener" />
 
 </beans>