From aaa7cec32e0a6dd39c70704b0c7178e44634b4ce Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Thu, 12 Dec 2013 08:07:22 -0600 Subject: [PATCH] SEC-2326: CsrfRequestDataValueProcessor implements RequestDataValueProcessor Previously there was unecessary complexity in CsrfRequestDataValueProcessor due to the non-passive changes in RequestDataValueProcessor. Now it simply implements the interface with the methods for both versions of the interface. This works since linking happens at runtime. --- .../WebMvcSecurityConfiguration.java | 2 +- .../config/http/CsrfBeanDefinitionParser.java | 1 - .../csrf/CsrfRequestDataValueProcessor.java | 58 +------------------ .../CsrfRequestDataValueProcessorTests.java | 2 +- 4 files changed, 4 insertions(+), 59 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java index c845bdc953..f6aa886575 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java @@ -48,6 +48,6 @@ class WebMvcSecurityConfiguration extends WebMvcConfigurerAdapter { @Bean public RequestDataValueProcessor requestDataValueProcessor() { - return CsrfRequestDataValueProcessor.create(); + return new CsrfRequestDataValueProcessor(); } } diff --git a/config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java index 2b5aa6282b..45fbf99a4e 100644 --- a/config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java 
@@ -59,7 +59,6 @@ public class CsrfBeanDefinitionParser implements BeanDefinitionParser { boolean webmvcPresent = ClassUtils.isPresent(DISPATCHER_SERVLET_CLASS_NAME, getClass().getClassLoader()); if(webmvcPresent) { RootBeanDefinition beanDefinition = new RootBeanDefinition(CsrfRequestDataValueProcessor.class); - beanDefinition.setFactoryMethodName("create"); BeanComponentDefinition componentDefinition = new BeanComponentDefinition(beanDefinition, REQUEST_DATA_VALUE_PROCESSOR); pc.registerBeanComponent(componentDefinition); diff --git a/web/src/main/java/org/springframework/security/web/servlet/support/csrf/CsrfRequestDataValueProcessor.java b/web/src/main/java/org/springframework/security/web/servlet/support/csrf/CsrfRequestDataValueProcessor.java index f25b6b613d..367f02319c 100644 --- a/web/src/main/java/org/springframework/security/web/servlet/support/csrf/CsrfRequestDataValueProcessor.java +++ b/web/src/main/java/org/springframework/security/web/servlet/support/csrf/CsrfRequestDataValueProcessor.java @@ -15,9 +15,6 @@ */ package org.springframework.security.web.servlet.support.csrf; -import java.lang.reflect.InvocationHandler; -import java.lang.reflect.Method; -import java.lang.reflect.Proxy; import java.util.Collections; import java.util.HashMap; import java.util.Map; @@ -26,7 +23,6 @@ import java.util.regex.Pattern; import javax.servlet.http.HttpServletRequest; import org.springframework.security.web.csrf.CsrfToken; -import org.springframework.util.ReflectionUtils; import org.springframework.web.servlet.support.RequestDataValueProcessor; /** 
@@ -36,7 +32,7 @@ import org.springframework.web.servlet.support.RequestDataValueProcessor; * @author Rob Winch * @since 3.2 */ -public final class CsrfRequestDataValueProcessor { +public final class CsrfRequestDataValueProcessor implements RequestDataValueProcessor { private Pattern DISABLE_CSRF_TOKEN_PATTERN = Pattern.compile("(?i)^(GET|HEAD|TRACE|OPTIONS)$"); private String DISABLE_CSRF_TOKEN_ATTR = "DISABLE_CSRF_TOKEN_ATTR"; 
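Review bot: The class Javadoc above the new `implements RequestDataValueProcessor` declaration should state that the class deliberately carries the methods of both the Spring 3 and Spring 4 forms of the interface. With direct implementation the compiler only checks the variant on the compile classpath, and the other is resolved at run time, as the commit message notes. Without that comment a later cleanup could delete the method that looks unused, and the gap would presumably show up only when a form is rendered on the other Spring version, where this class supplies the CSRF hidden field. A sentence such as `Implements the methods of both the Spring 3 and Spring 4 RequestDataValueProcessor; do not remove the variant unused on the compile classpath.` would cover it, ideally backed by a test run against each supported Spring version. The class body continues outside the hunk.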
@@ -78,54 +74,4 @@ public final class CsrfRequestDataValueProcessor { public String processUrl(HttpServletRequest request, String url) { return url; } - - CsrfRequestDataValueProcessor() {} - - /** - * Creates an instance of {@link CsrfRequestDataValueProcessor} that - * implements {@link RequestDataValueProcessor}. This is necessary to ensure - * compatibility between Spring 3 and Spring 4. - * - * @return an instance of {@link CsrfRequestDataValueProcessor} that - * implements {@link RequestDataValueProcessor} - */ - public static RequestDataValueProcessor create() { - CsrfRequestDataValueProcessor target= new CsrfRequestDataValueProcessor(); - ClassLoader classLoader = CsrfRequestDataValueProcessor.class.getClassLoader(); - Class[] interfaces = new Class[] { RequestDataValueProcessor.class}; - TypeConversionInterceptor interceptor = new TypeConversionInterceptor(target); - return (RequestDataValueProcessor) Proxy.newProxyInstance(classLoader, interfaces, interceptor); - } - - /** - * An {@link InvocationHandler} that assumes the target has all the method - * defined on it, but the target does not implement the interface. This is - * necessary to deal with the fact that Spring 3 and Spring 4 have different - * definitions for the {@link RequestDataValueProcessor} interface. 
- * - * @author Rob Winch - */ - private static class TypeConversionInterceptor implements InvocationHandler { - - private final Object target; - - public TypeConversionInterceptor(Object target) { - this.target = target; - } - - /* (non-Javadoc) - * @see java.lang.reflect.InvocationHandler#invoke(java.lang.Object, java.lang.reflect.Method, java.lang.Object[]) - */ - public Object invoke(Object proxy, Method method, Object[] args) - throws Throwable { - Method methodToInvoke = ReflectionUtils.findMethod(target.getClass(), method.getName(), method.getParameterTypes()); - return methodToInvoke.invoke(target, args); - } - - @Override - public String toString() { - return "RequestDataValueProcessorInterceptor [target=" + target - + "]"; - } - } -} +} \ No newline at end of file diff --git a/web/src/test/java/org/springframework/security/web/servlet/support/csrf/CsrfRequestDataValueProcessorTests.java b/web/src/test/java/org/springframework/security/web/servlet/support/csrf/CsrfRequestDataValueProcessorTests.java index f5fa28bf93..98062e5998 100644 --- a/web/src/test/java/org/springframework/security/web/servlet/support/csrf/CsrfRequestDataValueProcessorTests.java +++ b/web/src/test/java/org/springframework/security/web/servlet/support/csrf/CsrfRequestDataValueProcessorTests.java @@ -126,7 +126,7 @@ public class CsrfRequestDataValueProcessorTests { Map expected = new HashMap(); expected.put(token.getParameterName(),token.getToken()); - RequestDataValueProcessor processor = CsrfRequestDataValueProcessor.create(); + RequestDataValueProcessor processor = new CsrfRequestDataValueProcessor(); assertThat(processor.getExtraHiddenFields(request)).isEqualTo(expected); } }
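Review bot: Removing the public static `create()` at the end of CsrfRequestDataValueProcessor.java breaks any caller outside this commit; the two call sites updated here are in-tree, but the method was public on a public class. If it has already shipped in a release, which this patch does not show, keep a thin shim: `@Deprecated public static RequestDataValueProcessor create() { return new CsrfRequestDataValueProcessor(); }`. Dropping the package-private constructor leaves only the implicit public no-arg constructor, and the new `new CsrfRequestDataValueProcessor()` call sites in other packages depend on it, so declaring `public CsrfRequestDataValueProcessor() {}` explicitly would record that intent. The new side of the file also ends without a trailing newline.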