Polish GrantedAuthorityDefaults
* Move GrantedAuthorityDefaults to config module * Move setting of default role into config module vs ApplicationContextAware Issue gh-3701
This commit is contained in:
parent
eabeaf35d6
commit
b443baef04
|
@ -23,11 +23,11 @@ import org.springframework.security.authentication.AuthenticationManager;
|
||||||
import org.springframework.security.authentication.AuthenticationProvider;
|
import org.springframework.security.authentication.AuthenticationProvider;
|
||||||
import org.springframework.security.authentication.encoding.PasswordEncoder;
|
import org.springframework.security.authentication.encoding.PasswordEncoder;
|
||||||
import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
|
import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
|
||||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
|
||||||
import org.springframework.security.config.annotation.ObjectPostProcessor;
|
import org.springframework.security.config.annotation.ObjectPostProcessor;
|
||||||
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
|
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
|
||||||
import org.springframework.security.config.annotation.authentication.ProviderManagerBuilder;
|
import org.springframework.security.config.annotation.authentication.ProviderManagerBuilder;
|
||||||
import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer;
|
import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer;
|
||||||
|
import org.springframework.security.config.core.GrantedAuthorityDefaults;
|
||||||
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
|
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
|
||||||
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
|
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
|
||||||
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
|
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
|
||||||
|
@ -61,7 +61,7 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
|
||||||
private String groupRoleAttribute = "cn";
|
private String groupRoleAttribute = "cn";
|
||||||
private String groupSearchBase = "";
|
private String groupSearchBase = "";
|
||||||
private String groupSearchFilter = "(uniqueMember={0})";
|
private String groupSearchFilter = "(uniqueMember={0})";
|
||||||
private GrantedAuthorityDefaults rolePrefix = new GrantedAuthorityDefaults("ROLE_");
|
private String rolePrefix = "ROLE_";
|
||||||
private String userSearchBase = ""; // only for search
|
private String userSearchBase = ""; // only for search
|
||||||
private String userSearchFilter = null;// "uid={0}"; // only for search
|
private String userSearchFilter = null;// "uid={0}"; // only for search
|
||||||
private String[] userDnPatterns;
|
private String[] userDnPatterns;
|
||||||
|
@ -129,7 +129,7 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
|
||||||
contextSource, groupSearchBase);
|
contextSource, groupSearchBase);
|
||||||
defaultAuthoritiesPopulator.setGroupRoleAttribute(groupRoleAttribute);
|
defaultAuthoritiesPopulator.setGroupRoleAttribute(groupRoleAttribute);
|
||||||
defaultAuthoritiesPopulator.setGroupSearchFilter(groupSearchFilter);
|
defaultAuthoritiesPopulator.setGroupSearchFilter(groupSearchFilter);
|
||||||
defaultAuthoritiesPopulator.setRolePrefix(this.rolePrefix.getRolePrefix());
|
defaultAuthoritiesPopulator.setRolePrefix(this.rolePrefix);
|
||||||
|
|
||||||
this.ldapAuthoritiesPopulator = defaultAuthoritiesPopulator;
|
this.ldapAuthoritiesPopulator = defaultAuthoritiesPopulator;
|
||||||
return defaultAuthoritiesPopulator;
|
return defaultAuthoritiesPopulator;
|
||||||
|
@ -162,7 +162,7 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
|
||||||
}
|
}
|
||||||
|
|
||||||
SimpleAuthorityMapper simpleAuthorityMapper = new SimpleAuthorityMapper();
|
SimpleAuthorityMapper simpleAuthorityMapper = new SimpleAuthorityMapper();
|
||||||
simpleAuthorityMapper.setPrefix(this.rolePrefix.getRolePrefix());
|
simpleAuthorityMapper.setPrefix(this.rolePrefix);
|
||||||
simpleAuthorityMapper.afterPropertiesSet();
|
simpleAuthorityMapper.afterPropertiesSet();
|
||||||
this.authoritiesMapper = simpleAuthorityMapper;
|
this.authoritiesMapper = simpleAuthorityMapper;
|
||||||
return simpleAuthorityMapper;
|
return simpleAuthorityMapper;
|
||||||
|
@ -357,7 +357,7 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
|
||||||
* @see SimpleAuthorityMapper#setPrefix(String)
|
* @see SimpleAuthorityMapper#setPrefix(String)
|
||||||
*/
|
*/
|
||||||
public LdapAuthenticationProviderConfigurer<B> rolePrefix(String rolePrefix) {
|
public LdapAuthenticationProviderConfigurer<B> rolePrefix(String rolePrefix) {
|
||||||
this.rolePrefix = new GrantedAuthorityDefaults(rolePrefix);
|
this.rolePrefix = rolePrefix;
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -64,11 +64,10 @@ import org.springframework.security.access.vote.RoleVoter;
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
import org.springframework.security.authentication.AuthenticationTrustResolver;
|
import org.springframework.security.authentication.AuthenticationTrustResolver;
|
||||||
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
|
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
|
||||||
|
|
||||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
|
||||||
import org.springframework.security.config.annotation.ObjectPostProcessor;
|
import org.springframework.security.config.annotation.ObjectPostProcessor;
|
||||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||||
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
|
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
|
||||||
|
import org.springframework.security.config.core.GrantedAuthorityDefaults;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -134,14 +133,6 @@ public class GlobalMethodSecurityConfiguration
|
||||||
.setSecurityMetadataSource(methodSecurityMetadataSource());
|
.setSecurityMetadataSource(methodSecurityMetadataSource());
|
||||||
RunAsManager runAsManager = runAsManager();
|
RunAsManager runAsManager = runAsManager();
|
||||||
if (runAsManager != null) {
|
if (runAsManager != null) {
|
||||||
if (runAsManager instanceof RunAsManagerImpl) {
|
|
||||||
GrantedAuthorityDefaults grantedAuthorityDefaults =
|
|
||||||
getSingleBeanOrNull(GrantedAuthorityDefaults.class);
|
|
||||||
if (grantedAuthorityDefaults != null) {
|
|
||||||
((RunAsManagerImpl) runAsManager).setRolePrefix(
|
|
||||||
grantedAuthorityDefaults.getRolePrefix());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
methodSecurityInterceptor.setRunAsManager(runAsManager);
|
methodSecurityInterceptor.setRunAsManager(runAsManager);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -31,6 +31,7 @@ import org.springframework.security.authentication.AuthenticationTrustResolver;
|
||||||
import org.springframework.security.config.annotation.ObjectPostProcessor;
|
import org.springframework.security.config.annotation.ObjectPostProcessor;
|
||||||
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
|
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
|
import org.springframework.security.config.core.GrantedAuthorityDefaults;
|
||||||
import org.springframework.security.web.FilterInvocation;
|
import org.springframework.security.web.FilterInvocation;
|
||||||
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
|
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
|
||||||
import org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource;
|
import org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource;
|
||||||
|
@ -216,6 +217,11 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
|
||||||
if(roleHiearchyBeanNames.length == 1) {
|
if(roleHiearchyBeanNames.length == 1) {
|
||||||
defaultHandler.setRoleHierarchy(context.getBean(roleHiearchyBeanNames[0], RoleHierarchy.class));
|
defaultHandler.setRoleHierarchy(context.getBean(roleHiearchyBeanNames[0], RoleHierarchy.class));
|
||||||
}
|
}
|
||||||
|
String[] grantedAuthorityDefaultsBeanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);
|
||||||
|
if(grantedAuthorityDefaultsBeanNames.length == 1) {
|
||||||
|
GrantedAuthorityDefaults grantedAuthorityDefaults = context.getBean(grantedAuthorityDefaultsBeanNames[0], GrantedAuthorityDefaults.class);
|
||||||
|
defaultHandler.setDefaultRolePrefix(grantedAuthorityDefaults.getRolePrefix());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
expressionHandler = postProcess(defaultHandler);
|
expressionHandler = postProcess(defaultHandler);
|
||||||
|
|
|
@ -19,10 +19,12 @@ import java.util.List;
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
|
||||||
|
import org.springframework.context.ApplicationContext;
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
import org.springframework.security.authentication.AuthenticationTrustResolver;
|
import org.springframework.security.authentication.AuthenticationTrustResolver;
|
||||||
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
|
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
|
import org.springframework.security.config.core.GrantedAuthorityDefaults;
|
||||||
import org.springframework.security.core.context.SecurityContext;
|
import org.springframework.security.core.context.SecurityContext;
|
||||||
import org.springframework.security.core.context.SecurityContextHolder;
|
import org.springframework.security.core.context.SecurityContextHolder;
|
||||||
import org.springframework.security.web.AuthenticationEntryPoint;
|
import org.springframework.security.web.AuthenticationEntryPoint;
|
||||||
|
@ -91,6 +93,14 @@ public final class ServletApiConfigurer<H extends HttpSecurityBuilder<H>> extend
|
||||||
if (trustResolver != null) {
|
if (trustResolver != null) {
|
||||||
securityContextRequestFilter.setTrustResolver(trustResolver);
|
securityContextRequestFilter.setTrustResolver(trustResolver);
|
||||||
}
|
}
|
||||||
|
ApplicationContext context = http.getSharedObject(ApplicationContext.class);
|
||||||
|
if(context != null) {
|
||||||
|
String[] grantedAuthorityDefaultsBeanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);
|
||||||
|
if(grantedAuthorityDefaultsBeanNames.length == 1) {
|
||||||
|
GrantedAuthorityDefaults grantedAuthorityDefaults = context.getBean(grantedAuthorityDefaultsBeanNames[0], GrantedAuthorityDefaults.class);
|
||||||
|
securityContextRequestFilter.setRolePrefix(grantedAuthorityDefaults.getRolePrefix());
|
||||||
|
}
|
||||||
|
}
|
||||||
securityContextRequestFilter = postProcess(securityContextRequestFilter);
|
securityContextRequestFilter = postProcess(securityContextRequestFilter);
|
||||||
http.addFilter(securityContextRequestFilter);
|
http.addFilter(securityContextRequestFilter);
|
||||||
}
|
}
|
||||||
|
|
|
@ -13,26 +13,30 @@
|
||||||
* See the License for the specific language governing permissions and
|
* See the License for the specific language governing permissions and
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
package org.springframework.security.config;
|
package org.springframework.security.config.core;
|
||||||
|
|
||||||
|
import org.springframework.security.core.GrantedAuthority;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
* Allows providing defaults for {@link GrantedAuthority}
|
||||||
|
*
|
||||||
* @author Eddú Meléndez
|
* @author Eddú Meléndez
|
||||||
* @since 4.2.0
|
* @since 4.2.0
|
||||||
*/
|
*/
|
||||||
public class GrantedAuthorityDefaults {
|
public final class GrantedAuthorityDefaults {
|
||||||
|
|
||||||
private String rolePrefix = "ROLE_";
|
private final String rolePrefix;
|
||||||
|
|
||||||
public GrantedAuthorityDefaults(String rolePrefix) {
|
public GrantedAuthorityDefaults(String rolePrefix) {
|
||||||
this.rolePrefix = rolePrefix;
|
this.rolePrefix = rolePrefix;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The default prefix used with role based authorization. Default is "ROLE_".
|
||||||
|
*
|
||||||
|
* @return the default role prefix
|
||||||
|
*/
|
||||||
public String getRolePrefix() {
|
public String getRolePrefix() {
|
||||||
return this.rolePrefix;
|
return this.rolePrefix;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void setRolePrefix(String rolePrefix) {
|
|
||||||
this.rolePrefix = rolePrefix;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
|
@ -15,8 +15,12 @@
|
||||||
*/
|
*/
|
||||||
package org.springframework.security.config.http;
|
package org.springframework.security.config.http;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
import org.apache.commons.logging.Log;
|
import org.apache.commons.logging.Log;
|
||||||
import org.apache.commons.logging.LogFactory;
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
import org.w3c.dom.Element;
|
||||||
|
|
||||||
import org.springframework.beans.factory.config.BeanDefinition;
|
import org.springframework.beans.factory.config.BeanDefinition;
|
||||||
import org.springframework.beans.factory.parsing.BeanComponentDefinition;
|
import org.springframework.beans.factory.parsing.BeanComponentDefinition;
|
||||||
import org.springframework.beans.factory.support.BeanDefinitionBuilder;
|
import org.springframework.beans.factory.support.BeanDefinitionBuilder;
|
||||||
|
@ -33,9 +37,6 @@ import org.springframework.security.web.access.intercept.DefaultFilterInvocation
|
||||||
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
|
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
|
||||||
import org.springframework.util.StringUtils;
|
import org.springframework.util.StringUtils;
|
||||||
import org.springframework.util.xml.DomUtils;
|
import org.springframework.util.xml.DomUtils;
|
||||||
import org.w3c.dom.Element;
|
|
||||||
|
|
||||||
import java.util.List;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Allows for convenient creation of a {@link FilterInvocationSecurityMetadataSource} bean
|
* Allows for convenient creation of a {@link FilterInvocationSecurityMetadataSource} bean
|
||||||
|
@ -133,8 +134,7 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
|
||||||
}
|
}
|
||||||
|
|
||||||
static String registerDefaultExpressionHandler(ParserContext pc) {
|
static String registerDefaultExpressionHandler(ParserContext pc) {
|
||||||
BeanDefinition expressionHandler = BeanDefinitionBuilder.rootBeanDefinition(
|
BeanDefinition expressionHandler = GrantedAuthorityDefaultsParserUtils.registerWithDefaultRolePrefix(pc, DefaultWebSecurityExpressionHandlerBeanFactory.class);
|
||||||
DefaultWebSecurityExpressionHandler.class).getBeanDefinition();
|
|
||||||
String expressionHandlerRef = pc.getReaderContext().generateBeanName(
|
String expressionHandlerRef = pc.getReaderContext().generateBeanName(
|
||||||
expressionHandler);
|
expressionHandler);
|
||||||
pc.registerBeanComponent(new BeanComponentDefinition(expressionHandler,
|
pc.registerBeanComponent(new BeanComponentDefinition(expressionHandler,
|
||||||
|
@ -223,4 +223,12 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
|
||||||
return filterInvocationDefinitionMap;
|
return filterInvocationDefinitionMap;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static class DefaultWebSecurityExpressionHandlerBeanFactory extends GrantedAuthorityDefaultsParserUtils.AbstractGrantedAuthorityDefaultsBeanFactory {
|
||||||
|
private DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
|
||||||
|
|
||||||
|
public DefaultWebSecurityExpressionHandler getBean() {
|
||||||
|
handler.setDefaultRolePrefix(this.rolePrefix);
|
||||||
|
return handler;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,61 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2012-2016 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.springframework.security.config.http;
|
||||||
|
|
||||||
|
import org.springframework.beans.BeansException;
|
||||||
|
import org.springframework.beans.factory.support.RootBeanDefinition;
|
||||||
|
import org.springframework.beans.factory.xml.ParserContext;
|
||||||
|
import org.springframework.context.ApplicationContext;
|
||||||
|
import org.springframework.context.ApplicationContextAware;
|
||||||
|
import org.springframework.security.config.core.GrantedAuthorityDefaults;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author Rob Winch
|
||||||
|
* @since 4.2
|
||||||
|
*/
|
||||||
|
class GrantedAuthorityDefaultsParserUtils {
|
||||||
|
|
||||||
|
|
||||||
|
static RootBeanDefinition registerWithDefaultRolePrefix(ParserContext pc, Class<? extends AbstractGrantedAuthorityDefaultsBeanFactory> beanFactoryClass) {
|
||||||
|
RootBeanDefinition beanFactoryDefinition = new RootBeanDefinition(beanFactoryClass);
|
||||||
|
String beanFactoryRef = pc.getReaderContext().generateBeanName(beanFactoryDefinition);
|
||||||
|
pc.getRegistry().registerBeanDefinition(beanFactoryRef, beanFactoryDefinition);
|
||||||
|
|
||||||
|
RootBeanDefinition bean = new RootBeanDefinition();
|
||||||
|
bean.setFactoryBeanName(beanFactoryRef);
|
||||||
|
bean.setFactoryMethodName("getBean");
|
||||||
|
return bean;
|
||||||
|
}
|
||||||
|
|
||||||
|
static abstract class AbstractGrantedAuthorityDefaultsBeanFactory implements ApplicationContextAware {
|
||||||
|
protected String rolePrefix = "ROLE_";
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public final void setApplicationContext(ApplicationContext applicationContext)
|
||||||
|
throws BeansException {
|
||||||
|
String[] grantedAuthorityDefaultsBeanNames = applicationContext.getBeanNamesForType(GrantedAuthorityDefaults.class);
|
||||||
|
if(grantedAuthorityDefaultsBeanNames.length == 1) {
|
||||||
|
GrantedAuthorityDefaults grantedAuthorityDefaults = applicationContext.getBean(grantedAuthorityDefaultsBeanNames[0], GrantedAuthorityDefaults.class);
|
||||||
|
this.rolePrefix = grantedAuthorityDefaults.getRolePrefix();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
abstract Object getBean();
|
||||||
|
}
|
||||||
|
|
||||||
|
private GrantedAuthorityDefaultsParserUtils() {}
|
||||||
|
}
|
|
@ -18,9 +18,12 @@ package org.springframework.security.config.http;
|
||||||
import java.lang.reflect.Method;
|
import java.lang.reflect.Method;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import javax.servlet.ServletRequest;
|
import javax.servlet.ServletRequest;
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
|
||||||
|
import org.w3c.dom.Element;
|
||||||
|
|
||||||
import org.springframework.beans.BeanMetadataElement;
|
import org.springframework.beans.BeanMetadataElement;
|
||||||
import org.springframework.beans.factory.config.BeanDefinition;
|
import org.springframework.beans.factory.config.BeanDefinition;
|
||||||
import org.springframework.beans.factory.config.BeanReference;
|
import org.springframework.beans.factory.config.BeanReference;
|
||||||
|
@ -37,6 +40,7 @@ import org.springframework.security.access.vote.AffirmativeBased;
|
||||||
import org.springframework.security.access.vote.AuthenticatedVoter;
|
import org.springframework.security.access.vote.AuthenticatedVoter;
|
||||||
import org.springframework.security.access.vote.RoleVoter;
|
import org.springframework.security.access.vote.RoleVoter;
|
||||||
import org.springframework.security.config.Elements;
|
import org.springframework.security.config.Elements;
|
||||||
|
import org.springframework.security.config.http.GrantedAuthorityDefaultsParserUtils.AbstractGrantedAuthorityDefaultsBeanFactory;
|
||||||
import org.springframework.security.core.session.SessionRegistryImpl;
|
import org.springframework.security.core.session.SessionRegistryImpl;
|
||||||
import org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator;
|
import org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator;
|
||||||
import org.springframework.security.web.access.channel.ChannelDecisionManagerImpl;
|
import org.springframework.security.web.access.channel.ChannelDecisionManagerImpl;
|
||||||
|
@ -65,17 +69,30 @@ import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
|
||||||
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
|
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
|
||||||
import org.springframework.security.web.session.ConcurrentSessionFilter;
|
import org.springframework.security.web.session.ConcurrentSessionFilter;
|
||||||
import org.springframework.security.web.session.SessionManagementFilter;
|
import org.springframework.security.web.session.SessionManagementFilter;
|
||||||
import org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy;
|
|
||||||
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;
|
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;
|
||||||
|
import org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy;
|
||||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||||
import org.springframework.util.ClassUtils;
|
import org.springframework.util.ClassUtils;
|
||||||
import org.springframework.util.ReflectionUtils;
|
import org.springframework.util.ReflectionUtils;
|
||||||
import org.springframework.util.StringUtils;
|
import org.springframework.util.StringUtils;
|
||||||
import org.springframework.util.xml.DomUtils;
|
import org.springframework.util.xml.DomUtils;
|
||||||
import org.w3c.dom.Element;
|
|
||||||
|
|
||||||
import static org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.*;
|
import static org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.ATT_FILTERS;
|
||||||
import static org.springframework.security.config.http.SecurityFilters.*;
|
import static org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.ATT_HTTP_METHOD;
|
||||||
|
import static org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.ATT_PATH_PATTERN;
|
||||||
|
import static org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.ATT_REQUIRES_CHANNEL;
|
||||||
|
import static org.springframework.security.config.http.SecurityFilters.CHANNEL_FILTER;
|
||||||
|
import static org.springframework.security.config.http.SecurityFilters.CONCURRENT_SESSION_FILTER;
|
||||||
|
import static org.springframework.security.config.http.SecurityFilters.CORS_FILTER;
|
||||||
|
import static org.springframework.security.config.http.SecurityFilters.CSRF_FILTER;
|
||||||
|
import static org.springframework.security.config.http.SecurityFilters.FILTER_SECURITY_INTERCEPTOR;
|
||||||
|
import static org.springframework.security.config.http.SecurityFilters.HEADERS_FILTER;
|
||||||
|
import static org.springframework.security.config.http.SecurityFilters.JAAS_API_SUPPORT_FILTER;
|
||||||
|
import static org.springframework.security.config.http.SecurityFilters.REQUEST_CACHE_FILTER;
|
||||||
|
import static org.springframework.security.config.http.SecurityFilters.SECURITY_CONTEXT_FILTER;
|
||||||
|
import static org.springframework.security.config.http.SecurityFilters.SERVLET_API_SUPPORT_FILTER;
|
||||||
|
import static org.springframework.security.config.http.SecurityFilters.SESSION_MANAGEMENT_FILTER;
|
||||||
|
import static org.springframework.security.config.http.SecurityFilters.WEB_ASYNC_MANAGER_FILTER;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Stateful class which helps HttpSecurityBDP to create the configuration for the
|
* Stateful class which helps HttpSecurityBDP to create the configuration for the
|
||||||
|
@ -543,8 +560,7 @@ class HttpConfigurationBuilder {
|
||||||
}
|
}
|
||||||
|
|
||||||
if ("true".equals(provideServletApi)) {
|
if ("true".equals(provideServletApi)) {
|
||||||
servApiFilter = new RootBeanDefinition(
|
servApiFilter = GrantedAuthorityDefaultsParserUtils.registerWithDefaultRolePrefix(pc, SecurityContextHolderAwareRequestFilterBeanFactory.class);
|
||||||
SecurityContextHolderAwareRequestFilter.class);
|
|
||||||
servApiFilter.getPropertyValues().add("authenticationManager",
|
servApiFilter.getPropertyValues().add("authenticationManager",
|
||||||
authenticationManager);
|
authenticationManager);
|
||||||
}
|
}
|
||||||
|
@ -715,7 +731,7 @@ class HttpConfigurationBuilder {
|
||||||
voters.add(expressionVoter.getBeanDefinition());
|
voters.add(expressionVoter.getBeanDefinition());
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
voters.add(new RootBeanDefinition(RoleVoter.class));
|
voters.add(GrantedAuthorityDefaultsParserUtils.registerWithDefaultRolePrefix(pc, RoleVoterBeanFactory.class));
|
||||||
voters.add(new RootBeanDefinition(AuthenticatedVoter.class));
|
voters.add(new RootBeanDefinition(AuthenticatedVoter.class));
|
||||||
}
|
}
|
||||||
accessDecisionMgr = new RootBeanDefinition(AffirmativeBased.class);
|
accessDecisionMgr = new RootBeanDefinition(AffirmativeBased.class);
|
||||||
|
@ -852,4 +868,22 @@ class HttpConfigurationBuilder {
|
||||||
|
|
||||||
return filters;
|
return filters;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static class RoleVoterBeanFactory extends AbstractGrantedAuthorityDefaultsBeanFactory {
|
||||||
|
private RoleVoter voter = new RoleVoter();
|
||||||
|
|
||||||
|
public RoleVoter getBean() {
|
||||||
|
voter.setRolePrefix(this.rolePrefix);
|
||||||
|
return voter;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static class SecurityContextHolderAwareRequestFilterBeanFactory extends GrantedAuthorityDefaultsParserUtils.AbstractGrantedAuthorityDefaultsBeanFactory {
|
||||||
|
private SecurityContextHolderAwareRequestFilter filter = new SecurityContextHolderAwareRequestFilter();
|
||||||
|
|
||||||
|
public SecurityContextHolderAwareRequestFilter getBean() {
|
||||||
|
filter.setRolePrefix(this.rolePrefix);
|
||||||
|
return filter;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -45,6 +45,8 @@ import org.springframework.beans.factory.support.ManagedList;
|
||||||
import org.springframework.beans.factory.support.RootBeanDefinition;
|
import org.springframework.beans.factory.support.RootBeanDefinition;
|
||||||
import org.springframework.beans.factory.xml.BeanDefinitionParser;
|
import org.springframework.beans.factory.xml.BeanDefinitionParser;
|
||||||
import org.springframework.beans.factory.xml.ParserContext;
|
import org.springframework.beans.factory.xml.ParserContext;
|
||||||
|
import org.springframework.context.ApplicationContext;
|
||||||
|
import org.springframework.context.ApplicationContextAware;
|
||||||
import org.springframework.security.access.ConfigAttribute;
|
import org.springframework.security.access.ConfigAttribute;
|
||||||
import org.springframework.security.access.SecurityConfig;
|
import org.springframework.security.access.SecurityConfig;
|
||||||
import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource;
|
import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource;
|
||||||
|
@ -71,6 +73,7 @@ import org.springframework.security.authentication.AuthenticationManager;
|
||||||
import org.springframework.security.config.BeanIds;
|
import org.springframework.security.config.BeanIds;
|
||||||
import org.springframework.security.config.Elements;
|
import org.springframework.security.config.Elements;
|
||||||
import org.springframework.security.config.authentication.AuthenticationManagerFactoryBean;
|
import org.springframework.security.config.authentication.AuthenticationManagerFactoryBean;
|
||||||
|
import org.springframework.security.config.core.GrantedAuthorityDefaults;
|
||||||
import org.springframework.security.core.Authentication;
|
import org.springframework.security.core.Authentication;
|
||||||
import org.springframework.security.core.AuthenticationException;
|
import org.springframework.security.core.AuthenticationException;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
|
@ -198,8 +201,8 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
|
||||||
expressionHandlerRef));
|
expressionHandlerRef));
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
BeanDefinition expressionHandler = new RootBeanDefinition(
|
RootBeanDefinition expressionHandler = registerWithDefaultRolePrefix(pc, DefaultMethodSecurityExpressionHandlerBeanFactory.class);
|
||||||
DefaultMethodSecurityExpressionHandler.class);
|
|
||||||
expressionHandlerRef = pc.getReaderContext().generateBeanName(
|
expressionHandlerRef = pc.getReaderContext().generateBeanName(
|
||||||
expressionHandler);
|
expressionHandler);
|
||||||
pc.registerBeanComponent(new BeanComponentDefinition(
|
pc.registerBeanComponent(new BeanComponentDefinition(
|
||||||
|
@ -240,8 +243,8 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
|
||||||
}
|
}
|
||||||
|
|
||||||
if (jsr250Enabled) {
|
if (jsr250Enabled) {
|
||||||
delegates.add(BeanDefinitionBuilder.rootBeanDefinition(
|
RootBeanDefinition jsrMetadataSource = registerWithDefaultRolePrefix(pc, Jsr250MethodSecurityMetadataSourceBeanFactory.class);
|
||||||
Jsr250MethodSecurityMetadataSource.class).getBeanDefinition());
|
delegates.add(jsrMetadataSource);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Now create a Map<String, ConfigAttribute> for each <protect-pointcut>
|
// Now create a Map<String, ConfigAttribute> for each <protect-pointcut>
|
||||||
|
@ -474,6 +477,17 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
|
||||||
BeanIds.METHOD_SECURITY_METADATA_SOURCE_ADVISOR, advisor);
|
BeanIds.METHOD_SECURITY_METADATA_SOURCE_ADVISOR, advisor);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private RootBeanDefinition registerWithDefaultRolePrefix(ParserContext pc, Class<? extends AbstractGrantedAuthorityDefaultsBeanFactory> beanFactoryClass) {
|
||||||
|
RootBeanDefinition beanFactoryDefinition = new RootBeanDefinition(beanFactoryClass);
|
||||||
|
String beanFactoryRef = pc.getReaderContext().generateBeanName(beanFactoryDefinition);
|
||||||
|
pc.getRegistry().registerBeanDefinition(beanFactoryRef, beanFactoryDefinition);
|
||||||
|
|
||||||
|
RootBeanDefinition bean = new RootBeanDefinition();
|
||||||
|
bean.setFactoryBeanName(beanFactoryRef);
|
||||||
|
bean.setFactoryMethodName("getBean");
|
||||||
|
return bean;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Delays the lookup of the AuthenticationManager within MethodSecurityInterceptor, to
|
* Delays the lookup of the AuthenticationManager within MethodSecurityInterceptor, to
|
||||||
* prevent issues like SEC-933.
|
* prevent issues like SEC-933.
|
||||||
|
@ -522,6 +536,38 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static class Jsr250MethodSecurityMetadataSourceBeanFactory extends AbstractGrantedAuthorityDefaultsBeanFactory {
|
||||||
|
private Jsr250MethodSecurityMetadataSource source = new Jsr250MethodSecurityMetadataSource();
|
||||||
|
|
||||||
|
public Jsr250MethodSecurityMetadataSource getBean() {
|
||||||
|
source.setDefaultRolePrefix(this.rolePrefix);
|
||||||
|
return source;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static class DefaultMethodSecurityExpressionHandlerBeanFactory extends AbstractGrantedAuthorityDefaultsBeanFactory {
|
||||||
|
private DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
|
||||||
|
|
||||||
|
public DefaultMethodSecurityExpressionHandler getBean() {
|
||||||
|
handler.setDefaultRolePrefix(this.rolePrefix);
|
||||||
|
return handler;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static abstract class AbstractGrantedAuthorityDefaultsBeanFactory implements ApplicationContextAware {
|
||||||
|
protected String rolePrefix = "ROLE_";
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public final void setApplicationContext(ApplicationContext applicationContext)
|
||||||
|
throws BeansException {
|
||||||
|
String[] grantedAuthorityDefaultsBeanNames = applicationContext.getBeanNamesForType(GrantedAuthorityDefaults.class);
|
||||||
|
if(grantedAuthorityDefaultsBeanNames.length == 1) {
|
||||||
|
GrantedAuthorityDefaults grantedAuthorityDefaults = applicationContext.getBean(grantedAuthorityDefaultsBeanNames[0], GrantedAuthorityDefaults.class);
|
||||||
|
this.rolePrefix = grantedAuthorityDefaults.getRolePrefix();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Delays setting a bean of a given name to be lazyily initialized until after all the
|
* Delays setting a bean of a given name to be lazyily initialized until after all the
|
||||||
* beans are registered.
|
* beans are registered.
|
||||||
|
|
|
@ -18,7 +18,6 @@ package org.springframework.security.config.annotation.method.configuration
|
||||||
|
|
||||||
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
|
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
|
||||||
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl
|
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl
|
||||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
|
||||||
|
|
||||||
import java.lang.reflect.Proxy;
|
import java.lang.reflect.Proxy;
|
||||||
|
|
||||||
|
@ -28,6 +27,7 @@ import org.springframework.beans.factory.config.BeanPostProcessor
|
||||||
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter
|
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter
|
||||||
import org.springframework.security.config.annotation.method.configuration.NamespaceGlobalMethodSecurityTests.BaseMethodConfig;
|
import org.springframework.security.config.annotation.method.configuration.NamespaceGlobalMethodSecurityTests.BaseMethodConfig;
|
||||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
|
||||||
|
import org.springframework.security.config.core.GrantedAuthorityDefaults;
|
||||||
|
|
||||||
import javax.sql.DataSource
|
import javax.sql.DataSource
|
||||||
|
|
||||||
|
|
|
@ -17,7 +17,6 @@ package org.springframework.security.config.annotation.method.configuration
|
||||||
|
|
||||||
import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource
|
import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource
|
||||||
import org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor
|
import org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor
|
||||||
import org.springframework.security.config.GrantedAuthorityDefaults
|
|
||||||
|
|
||||||
import static org.assertj.core.api.Assertions.assertThat
|
import static org.assertj.core.api.Assertions.assertThat
|
||||||
import static org.junit.Assert.fail
|
import static org.junit.Assert.fail
|
||||||
|
@ -50,7 +49,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken
|
||||||
import org.springframework.security.config.annotation.BaseSpringSpec
|
import org.springframework.security.config.annotation.BaseSpringSpec
|
||||||
import org.springframework.security.config.annotation.authentication.BaseAuthenticationConfig;
|
import org.springframework.security.config.annotation.authentication.BaseAuthenticationConfig;
|
||||||
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
||||||
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
|
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration
|
||||||
import org.springframework.security.core.Authentication
|
import org.springframework.security.core.Authentication
|
||||||
import org.springframework.security.core.context.SecurityContextHolder
|
import org.springframework.security.core.context.SecurityContextHolder
|
||||||
|
|
||||||
|
@ -148,39 +147,6 @@ public class NamespaceGlobalMethodSecurityTests extends BaseSpringSpec {
|
||||||
public static class Jsr250Config extends BaseMethodConfig {
|
public static class Jsr250Config extends BaseMethodConfig {
|
||||||
}
|
}
|
||||||
|
|
||||||
def "enable jsr250 with custom role prefix"() {
|
|
||||||
when:
|
|
||||||
context = new AnnotationConfigApplicationContext(Jsr250WithCustomRolePrefixConfig)
|
|
||||||
MethodSecurityService service = context.getBean(MethodSecurityService)
|
|
||||||
then: "@Secured and @PreAuthorize are ignored"
|
|
||||||
service.secured() == null
|
|
||||||
service.preAuthorize() == null
|
|
||||||
|
|
||||||
when: "@DenyAll method invoked"
|
|
||||||
service.jsr250()
|
|
||||||
then: "access is denied"
|
|
||||||
thrown(AccessDeniedException)
|
|
||||||
when: "@PermitAll method invoked"
|
|
||||||
String jsr250PermitAll = service.jsr250PermitAll()
|
|
||||||
then: "access is allowed"
|
|
||||||
jsr250PermitAll == null
|
|
||||||
when:
|
|
||||||
Jsr250MethodSecurityMetadataSource jsr250MethodSecurity = context.getBean(Jsr250MethodSecurityMetadataSource)
|
|
||||||
then:
|
|
||||||
jsr250MethodSecurity.defaultRolePrefix == "ROLE:"
|
|
||||||
}
|
|
||||||
|
|
||||||
@EnableGlobalMethodSecurity(jsr250Enabled = true)
|
|
||||||
@Configuration
|
|
||||||
public static class Jsr250WithCustomRolePrefixConfig extends BaseMethodConfig {
|
|
||||||
|
|
||||||
@Bean
|
|
||||||
public GrantedAuthorityDefaults ga() {
|
|
||||||
return new GrantedAuthorityDefaults("ROLE:")
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
// --- metadata-source-ref ---
|
// --- metadata-source-ref ---
|
||||||
|
|
||||||
def "custom MethodSecurityMetadataSource can be used with higher priority than other sources"() {
|
def "custom MethodSecurityMetadataSource can be used with higher priority than other sources"() {
|
||||||
|
@ -355,7 +321,7 @@ public class NamespaceGlobalMethodSecurityTests extends BaseSpringSpec {
|
||||||
context = new AnnotationConfigApplicationContext(BaseMethodConfig,CustomRunAsManagerConfig)
|
context = new AnnotationConfigApplicationContext(BaseMethodConfig,CustomRunAsManagerConfig)
|
||||||
MethodSecurityService service = context.getBean(MethodSecurityService)
|
MethodSecurityService service = context.getBean(MethodSecurityService)
|
||||||
then:
|
then:
|
||||||
service.runAs().authorities.find { it.authority == "ROLE:RUN_AS_SUPER"}
|
service.runAs().authorities.find { it.authority == "ROLE_RUN_AS_SUPER"}
|
||||||
}
|
}
|
||||||
|
|
||||||
@EnableGlobalMethodSecurity(securedEnabled = true)
|
@EnableGlobalMethodSecurity(securedEnabled = true)
|
||||||
|
@ -366,11 +332,6 @@ public class NamespaceGlobalMethodSecurityTests extends BaseSpringSpec {
|
||||||
runAsManager.setKey("some key")
|
runAsManager.setKey("some key")
|
||||||
return runAsManager
|
return runAsManager
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
|
||||||
public GrantedAuthorityDefaults ga() {
|
|
||||||
return new GrantedAuthorityDefaults("ROLE:")
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// --- secured-annotation ---
|
// --- secured-annotation ---
|
||||||
|
|
|
@ -0,0 +1,183 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2002-2016 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.springframework.security.config.core;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
import javax.servlet.ServletRequest;
|
||||||
|
import javax.servlet.ServletResponse;
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
|
import org.junit.After;
|
||||||
|
import org.junit.Before;
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.junit.runner.RunWith;
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.context.annotation.Bean;
|
||||||
|
import org.springframework.context.annotation.Configuration;
|
||||||
|
import org.springframework.mock.web.MockFilterChain;
|
||||||
|
import org.springframework.mock.web.MockHttpServletRequest;
|
||||||
|
import org.springframework.mock.web.MockHttpServletResponse;
|
||||||
|
import org.springframework.security.access.AccessDeniedException;
|
||||||
|
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||||
|
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||||
|
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||||
|
import org.springframework.security.core.context.SecurityContext;
|
||||||
|
import org.springframework.security.core.context.SecurityContextHolder;
|
||||||
|
import org.springframework.security.web.FilterChainProxy;
|
||||||
|
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
||||||
|
import org.springframework.test.context.ContextConfiguration;
|
||||||
|
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
|
||||||
|
|
||||||
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
|
|
||||||
|
@RunWith(SpringJUnit4ClassRunner.class)
|
||||||
|
@ContextConfiguration
|
||||||
|
public class GrantedAuthorityDefaultsJcTests {
|
||||||
|
@Autowired
|
||||||
|
FilterChainProxy springSecurityFilterChain;
|
||||||
|
@Autowired
|
||||||
|
MessageService messageService;
|
||||||
|
|
||||||
|
MockHttpServletRequest request;
|
||||||
|
MockHttpServletResponse response;
|
||||||
|
MockFilterChain chain;
|
||||||
|
|
||||||
|
@Before
|
||||||
|
public void setup() {
|
||||||
|
setup("USER");
|
||||||
|
|
||||||
|
request = new MockHttpServletRequest();
|
||||||
|
request.setMethod("GET");
|
||||||
|
response = new MockHttpServletResponse();
|
||||||
|
chain = new MockFilterChain();
|
||||||
|
}
|
||||||
|
|
||||||
|
@After
|
||||||
|
public void cleanup() {
|
||||||
|
SecurityContextHolder.clearContext();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void doFilter() throws Exception {
|
||||||
|
SecurityContext context = SecurityContextHolder.getContext();
|
||||||
|
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
|
||||||
|
|
||||||
|
springSecurityFilterChain.doFilter(request, response, chain);
|
||||||
|
|
||||||
|
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void doFilterDenied() throws Exception {
|
||||||
|
setup("DENIED");
|
||||||
|
|
||||||
|
SecurityContext context = SecurityContextHolder.getContext();
|
||||||
|
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
|
||||||
|
|
||||||
|
springSecurityFilterChain.doFilter(request, response, chain);
|
||||||
|
|
||||||
|
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void message() {
|
||||||
|
messageService.getMessage();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void jsrMessage() {
|
||||||
|
messageService.getJsrMessage();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test(expected = AccessDeniedException.class)
|
||||||
|
public void messageDenied() {
|
||||||
|
setup("DENIED");
|
||||||
|
|
||||||
|
messageService.getMessage();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test(expected = AccessDeniedException.class)
|
||||||
|
public void jsrMessageDenied() {
|
||||||
|
setup("DENIED");
|
||||||
|
|
||||||
|
messageService.getJsrMessage();
|
||||||
|
}
|
||||||
|
|
||||||
|
// SEC-2926
|
||||||
|
@Test
|
||||||
|
public void doFilterIsUserInRole() throws Exception {
|
||||||
|
SecurityContext context = SecurityContextHolder.getContext();
|
||||||
|
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
|
||||||
|
|
||||||
|
chain = new MockFilterChain() {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void doFilter(ServletRequest request, ServletResponse response)
|
||||||
|
throws IOException, ServletException {
|
||||||
|
HttpServletRequest httpRequest = (HttpServletRequest) request;
|
||||||
|
assertThat(httpRequest.isUserInRole("USER")).isTrue();
|
||||||
|
assertThat(httpRequest.isUserInRole("INVALID")).isFalse();
|
||||||
|
super.doFilter(request, response);
|
||||||
|
}
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
springSecurityFilterChain.doFilter(request, response, chain);
|
||||||
|
|
||||||
|
assertThat(chain.getRequest()).isNotNull();
|
||||||
|
}
|
||||||
|
|
||||||
|
private void setup(String role) {
|
||||||
|
TestingAuthenticationToken user = new TestingAuthenticationToken("user", "password", role);
|
||||||
|
SecurityContextHolder.getContext().setAuthentication(user);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Configuration
|
||||||
|
@EnableWebSecurity
|
||||||
|
@EnableGlobalMethodSecurity(prePostEnabled=true, jsr250Enabled=true)
|
||||||
|
static class Config extends WebSecurityConfigurerAdapter {
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
|
||||||
|
auth
|
||||||
|
.inMemoryAuthentication()
|
||||||
|
.withUser("user").password("password").roles("USER");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
|
http
|
||||||
|
.authorizeRequests()
|
||||||
|
.anyRequest().access("hasRole('USER')");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
public MessageService messageService() {
|
||||||
|
return new HelloWorldMessageService();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
public static GrantedAuthorityDefaults grantedAuthorityDefaults() {
|
||||||
|
return new GrantedAuthorityDefaults("");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,146 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2002-2016 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.springframework.security.config.core;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
import javax.servlet.ServletRequest;
|
||||||
|
import javax.servlet.ServletResponse;
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
|
import org.junit.After;
|
||||||
|
import org.junit.Before;
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.junit.runner.RunWith;
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.mock.web.MockFilterChain;
|
||||||
|
import org.springframework.mock.web.MockHttpServletRequest;
|
||||||
|
import org.springframework.mock.web.MockHttpServletResponse;
|
||||||
|
import org.springframework.security.access.AccessDeniedException;
|
||||||
|
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||||
|
import org.springframework.security.core.context.SecurityContext;
|
||||||
|
import org.springframework.security.core.context.SecurityContextHolder;
|
||||||
|
import org.springframework.security.web.FilterChainProxy;
|
||||||
|
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
||||||
|
import org.springframework.test.context.ContextConfiguration;
|
||||||
|
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
|
||||||
|
|
||||||
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
|
|
||||||
|
@RunWith(SpringJUnit4ClassRunner.class)
|
||||||
|
@ContextConfiguration
|
||||||
|
public class GrantedAuthorityDefaultsXmlTests {
|
||||||
|
@Autowired
|
||||||
|
FilterChainProxy springSecurityFilterChain;
|
||||||
|
@Autowired
|
||||||
|
MessageService messageService;
|
||||||
|
|
||||||
|
MockHttpServletRequest request;
|
||||||
|
MockHttpServletResponse response;
|
||||||
|
MockFilterChain chain;
|
||||||
|
|
||||||
|
@Before
|
||||||
|
public void setup() {
|
||||||
|
setup("USER");
|
||||||
|
|
||||||
|
request = new MockHttpServletRequest();
|
||||||
|
request.setMethod("GET");
|
||||||
|
response = new MockHttpServletResponse();
|
||||||
|
chain = new MockFilterChain();
|
||||||
|
}
|
||||||
|
|
||||||
|
@After
|
||||||
|
public void cleanup() {
|
||||||
|
SecurityContextHolder.clearContext();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void doFilter() throws Exception {
|
||||||
|
SecurityContext context = SecurityContextHolder.getContext();
|
||||||
|
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
|
||||||
|
|
||||||
|
springSecurityFilterChain.doFilter(request, response, chain);
|
||||||
|
|
||||||
|
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void doFilterDenied() throws Exception {
|
||||||
|
setup("DENIED");
|
||||||
|
|
||||||
|
SecurityContext context = SecurityContextHolder.getContext();
|
||||||
|
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
|
||||||
|
|
||||||
|
springSecurityFilterChain.doFilter(request, response, chain);
|
||||||
|
|
||||||
|
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void message() {
|
||||||
|
messageService.getMessage();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void jsrMessage() {
|
||||||
|
messageService.getJsrMessage();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test(expected = AccessDeniedException.class)
|
||||||
|
public void messageDenied() {
|
||||||
|
setup("DENIED");
|
||||||
|
|
||||||
|
messageService.getMessage();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test(expected = AccessDeniedException.class)
|
||||||
|
public void jsrMessageDenied() {
|
||||||
|
setup("DENIED");
|
||||||
|
|
||||||
|
messageService.getJsrMessage();
|
||||||
|
}
|
||||||
|
|
||||||
|
// SEC-2926
|
||||||
|
@Test
|
||||||
|
public void doFilterIsUserInRole() throws Exception {
|
||||||
|
SecurityContext context = SecurityContextHolder.getContext();
|
||||||
|
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
|
||||||
|
|
||||||
|
chain = new MockFilterChain() {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void doFilter(ServletRequest request, ServletResponse response)
|
||||||
|
throws IOException, ServletException {
|
||||||
|
HttpServletRequest httpRequest = (HttpServletRequest) request;
|
||||||
|
assertThat(httpRequest.isUserInRole("USER")).isTrue();
|
||||||
|
assertThat(httpRequest.isUserInRole("INVALID")).isFalse();
|
||||||
|
super.doFilter(request, response);
|
||||||
|
}
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
springSecurityFilterChain.doFilter(request, response, chain);
|
||||||
|
|
||||||
|
assertThat(chain.getRequest()).isNotNull();
|
||||||
|
}
|
||||||
|
|
||||||
|
private void setup(String role) {
|
||||||
|
TestingAuthenticationToken user = new TestingAuthenticationToken("user", "password", role);
|
||||||
|
SecurityContextHolder.getContext().setAuthentication(user);
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,36 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2002-2016 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.springframework.security.config.core;
|
||||||
|
|
||||||
|
import javax.annotation.security.RolesAllowed;
|
||||||
|
|
||||||
|
import org.springframework.security.access.prepost.PreAuthorize;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author Rob Winch
|
||||||
|
*/
|
||||||
|
public class HelloWorldMessageService implements MessageService {
|
||||||
|
|
||||||
|
@PreAuthorize("hasRole('USER')")
|
||||||
|
public String getMessage() {
|
||||||
|
return "Hello World";
|
||||||
|
}
|
||||||
|
|
||||||
|
@RolesAllowed("USER")
|
||||||
|
public String getJsrMessage() {
|
||||||
|
return "Hello JSR";
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,24 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2002-2016 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.springframework.security.config.core;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author Rob Winch
|
||||||
|
*/
|
||||||
|
public interface MessageService {
|
||||||
|
String getMessage();
|
||||||
|
String getJsrMessage();
|
||||||
|
}
|
|
@ -0,0 +1,29 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
|
||||||
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
|
xmlns="http://www.springframework.org/schema/security"
|
||||||
|
xmlns:c="http://www.springframework.org/schema/c"
|
||||||
|
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
|
||||||
|
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
|
||||||
|
|
||||||
|
<http use-expressions="true">
|
||||||
|
<intercept-url access="hasRole('USER')" pattern="/**" />
|
||||||
|
<form-login/>
|
||||||
|
<logout/>
|
||||||
|
</http>
|
||||||
|
|
||||||
|
<authentication-manager>
|
||||||
|
<authentication-provider>
|
||||||
|
<user-service>
|
||||||
|
<user name="user" password="password" authorities="USER"/>
|
||||||
|
<user name="admin" password="password" authorities="USER,ADMIN"/>
|
||||||
|
</user-service>
|
||||||
|
</authentication-provider>
|
||||||
|
</authentication-manager>
|
||||||
|
|
||||||
|
<global-method-security jsr250-annotations="enabled" pre-post-annotations="enabled"/>
|
||||||
|
|
||||||
|
<b:bean class="org.springframework.security.config.core.HelloWorldMessageService"/>
|
||||||
|
<b:bean class="org.springframework.security.config.core.GrantedAuthorityDefaults"
|
||||||
|
c:rolePrefix=""/>
|
||||||
|
</b:beans>
|
|
@ -16,29 +16,25 @@
|
||||||
|
|
||||||
package org.springframework.security.ldap.userdetails;
|
package org.springframework.security.ldap.userdetails;
|
||||||
|
|
||||||
import org.springframework.beans.BeansException;
|
|
||||||
import org.springframework.context.ApplicationContext;
|
|
||||||
import org.springframework.context.ApplicationContextAware;
|
|
||||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
|
||||||
import org.springframework.security.core.GrantedAuthority;
|
|
||||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
|
||||||
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
|
|
||||||
import org.springframework.ldap.core.ContextSource;
|
|
||||||
import org.springframework.ldap.core.DirContextOperations;
|
|
||||||
import org.springframework.ldap.core.LdapTemplate;
|
|
||||||
import org.springframework.util.Assert;
|
|
||||||
|
|
||||||
import org.apache.commons.logging.Log;
|
|
||||||
import org.apache.commons.logging.LogFactory;
|
|
||||||
|
|
||||||
import javax.naming.directory.SearchControls;
|
|
||||||
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.HashSet;
|
import java.util.HashSet;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
|
import javax.naming.directory.SearchControls;
|
||||||
|
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
|
||||||
|
import org.springframework.ldap.core.ContextSource;
|
||||||
|
import org.springframework.ldap.core.DirContextOperations;
|
||||||
|
import org.springframework.ldap.core.LdapTemplate;
|
||||||
|
import org.springframework.security.core.GrantedAuthority;
|
||||||
|
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||||
|
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
|
||||||
|
import org.springframework.util.Assert;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The default strategy for obtaining user role information from the directory.
|
* The default strategy for obtaining user role information from the directory.
|
||||||
* <p>
|
* <p>
|
||||||
|
@ -101,7 +97,7 @@ import java.util.Set;
|
||||||
* @author Luke Taylor
|
* @author Luke Taylor
|
||||||
* @author Filip Hanik
|
* @author Filip Hanik
|
||||||
*/
|
*/
|
||||||
public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator, ApplicationContextAware {
|
public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
|
||||||
// ~ Static fields/initializers
|
// ~ Static fields/initializers
|
||||||
// =====================================================================================
|
// =====================================================================================
|
||||||
|
|
||||||
|
@ -144,7 +140,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
/**
|
/**
|
||||||
* The role prefix that will be prepended to each role name
|
* The role prefix that will be prepended to each role name
|
||||||
*/
|
*/
|
||||||
private GrantedAuthorityDefaults rolePrefix = new GrantedAuthorityDefaults("ROLE_");
|
private String rolePrefix = "ROLE_";
|
||||||
/**
|
/**
|
||||||
* Should we convert the role name to uppercase
|
* Should we convert the role name to uppercase
|
||||||
*/
|
*/
|
||||||
|
@ -164,7 +160,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
public DefaultLdapAuthoritiesPopulator(ContextSource contextSource,
|
public DefaultLdapAuthoritiesPopulator(ContextSource contextSource,
|
||||||
String groupSearchBase) {
|
String groupSearchBase) {
|
||||||
Assert.notNull(contextSource, "contextSource must not be null");
|
Assert.notNull(contextSource, "contextSource must not be null");
|
||||||
ldapTemplate = new SpringSecurityLdapTemplate(contextSource);
|
this.ldapTemplate = new SpringSecurityLdapTemplate(contextSource);
|
||||||
getLdapTemplate().setSearchControls(getSearchControls());
|
getLdapTemplate().setSearchControls(getSearchControls());
|
||||||
this.groupSearchBase = groupSearchBase;
|
this.groupSearchBase = groupSearchBase;
|
||||||
|
|
||||||
|
@ -172,7 +168,8 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
logger.info("groupSearchBase is null. No group search will be performed.");
|
logger.info("groupSearchBase is null. No group search will be performed.");
|
||||||
}
|
}
|
||||||
else if (groupSearchBase.length() == 0) {
|
else if (groupSearchBase.length() == 0) {
|
||||||
logger.info("groupSearchBase is empty. Searches will be performed from the context source base");
|
logger.info(
|
||||||
|
"groupSearchBase is empty. Searches will be performed from the context source base");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -201,6 +198,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
* @param user the user who's authorities are required
|
* @param user the user who's authorities are required
|
||||||
* @return the set of roles granted to the user.
|
* @return the set of roles granted to the user.
|
||||||
*/
|
*/
|
||||||
|
@Override
|
||||||
public final Collection<GrantedAuthority> getGrantedAuthorities(
|
public final Collection<GrantedAuthority> getGrantedAuthorities(
|
||||||
DirContextOperations user, String username) {
|
DirContextOperations user, String username) {
|
||||||
String userDn = user.getNameInNamespace();
|
String userDn = user.getNameInNamespace();
|
||||||
|
@ -217,8 +215,8 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
roles.addAll(extraRoles);
|
roles.addAll(extraRoles);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (defaultRole != null) {
|
if (this.defaultRole != null) {
|
||||||
roles.add(defaultRole);
|
roles.add(this.defaultRole);
|
||||||
}
|
}
|
||||||
|
|
||||||
List<GrantedAuthority> result = new ArrayList<GrantedAuthority>(roles.size());
|
List<GrantedAuthority> result = new ArrayList<GrantedAuthority>(roles.size());
|
||||||
|
@ -236,13 +234,13 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
|
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
logger.debug("Searching for roles for user '" + username + "', DN = " + "'"
|
logger.debug("Searching for roles for user '" + username + "', DN = " + "'"
|
||||||
+ userDn + "', with filter " + groupSearchFilter
|
+ userDn + "', with filter " + this.groupSearchFilter
|
||||||
+ " in search base '" + getGroupSearchBase() + "'");
|
+ " in search base '" + getGroupSearchBase() + "'");
|
||||||
}
|
}
|
||||||
|
|
||||||
Set<String> userRoles = getLdapTemplate().searchForSingleAttributeValues(
|
Set<String> userRoles = getLdapTemplate().searchForSingleAttributeValues(
|
||||||
getGroupSearchBase(), groupSearchFilter,
|
getGroupSearchBase(), this.groupSearchFilter,
|
||||||
new String[] { userDn, username }, groupRoleAttribute);
|
new String[] { userDn, username }, this.groupRoleAttribute);
|
||||||
|
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
logger.debug("Roles from search: " + userRoles);
|
logger.debug("Roles from search: " + userRoles);
|
||||||
|
@ -250,11 +248,11 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
|
|
||||||
for (String role : userRoles) {
|
for (String role : userRoles) {
|
||||||
|
|
||||||
if (convertToUpperCase) {
|
if (this.convertToUpperCase) {
|
||||||
role = role.toUpperCase();
|
role = role.toUpperCase();
|
||||||
}
|
}
|
||||||
|
|
||||||
authorities.add(new SimpleGrantedAuthority(rolePrefix.getRolePrefix() + role));
|
authorities.add(new SimpleGrantedAuthority(this.rolePrefix + role));
|
||||||
}
|
}
|
||||||
|
|
||||||
return authorities;
|
return authorities;
|
||||||
|
@ -265,7 +263,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
}
|
}
|
||||||
|
|
||||||
protected String getGroupSearchBase() {
|
protected String getGroupSearchBase() {
|
||||||
return groupSearchBase;
|
return this.groupSearchBase;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -301,7 +299,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
*/
|
*/
|
||||||
public void setRolePrefix(String rolePrefix) {
|
public void setRolePrefix(String rolePrefix) {
|
||||||
Assert.notNull(rolePrefix, "rolePrefix must not be null");
|
Assert.notNull(rolePrefix, "rolePrefix must not be null");
|
||||||
this.rolePrefix = new GrantedAuthorityDefaults(rolePrefix);
|
this.rolePrefix = rolePrefix;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -314,7 +312,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
public void setSearchSubtree(boolean searchSubtree) {
|
public void setSearchSubtree(boolean searchSubtree) {
|
||||||
int searchScope = searchSubtree ? SearchControls.SUBTREE_SCOPE
|
int searchScope = searchSubtree ? SearchControls.SUBTREE_SCOPE
|
||||||
: SearchControls.ONELEVEL_SCOPE;
|
: SearchControls.ONELEVEL_SCOPE;
|
||||||
searchControls.setSearchScope(searchScope);
|
this.searchControls.setSearchScope(searchScope);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -334,7 +332,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
* @see org.springframework.security.ldap.SpringSecurityLdapTemplate
|
* @see org.springframework.security.ldap.SpringSecurityLdapTemplate
|
||||||
*/
|
*/
|
||||||
protected SpringSecurityLdapTemplate getLdapTemplate() {
|
protected SpringSecurityLdapTemplate getLdapTemplate() {
|
||||||
return ldapTemplate;
|
return this.ldapTemplate;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -344,7 +342,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
* @see #setGroupRoleAttribute(String)
|
* @see #setGroupRoleAttribute(String)
|
||||||
*/
|
*/
|
||||||
protected final String getGroupRoleAttribute() {
|
protected final String getGroupRoleAttribute() {
|
||||||
return groupRoleAttribute;
|
return this.groupRoleAttribute;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -354,7 +352,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
* @see #setGroupSearchFilter(String)
|
* @see #setGroupSearchFilter(String)
|
||||||
*/
|
*/
|
||||||
protected final String getGroupSearchFilter() {
|
protected final String getGroupSearchFilter() {
|
||||||
return groupSearchFilter;
|
return this.groupSearchFilter;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -364,7 +362,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
* @see #setRolePrefix(String)
|
* @see #setRolePrefix(String)
|
||||||
*/
|
*/
|
||||||
protected final String getRolePrefix() {
|
protected final String getRolePrefix() {
|
||||||
return this.rolePrefix.getRolePrefix();
|
return this.rolePrefix;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -374,7 +372,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
* @see #setConvertToUpperCase(boolean)
|
* @see #setConvertToUpperCase(boolean)
|
||||||
*/
|
*/
|
||||||
protected final boolean isConvertToUpperCase() {
|
protected final boolean isConvertToUpperCase() {
|
||||||
return convertToUpperCase;
|
return this.convertToUpperCase;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -384,7 +382,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
* @see #setDefaultRole(String)
|
* @see #setDefaultRole(String)
|
||||||
*/
|
*/
|
||||||
private GrantedAuthority getDefaultRole() {
|
private GrantedAuthority getDefaultRole() {
|
||||||
return defaultRole;
|
return this.defaultRole;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -393,16 +391,6 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||||
* @return the search controls
|
* @return the search controls
|
||||||
*/
|
*/
|
||||||
private SearchControls getSearchControls() {
|
private SearchControls getSearchControls() {
|
||||||
return searchControls;
|
return this.searchControls;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public void setApplicationContext(ApplicationContext context) throws
|
|
||||||
BeansException {
|
|
||||||
String[] beanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);
|
|
||||||
if (beanNames.length == 1) {
|
|
||||||
this.rolePrefix = context.getBean(beanNames[0], GrantedAuthorityDefaults.class);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -21,12 +21,8 @@ import java.util.Collection;
|
||||||
import org.apache.commons.logging.Log;
|
import org.apache.commons.logging.Log;
|
||||||
import org.apache.commons.logging.LogFactory;
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
|
||||||
import org.springframework.beans.BeansException;
|
|
||||||
import org.springframework.context.ApplicationContext;
|
|
||||||
import org.springframework.context.ApplicationContextAware;
|
|
||||||
import org.springframework.ldap.core.DirContextAdapter;
|
import org.springframework.ldap.core.DirContextAdapter;
|
||||||
import org.springframework.ldap.core.DirContextOperations;
|
import org.springframework.ldap.core.DirContextOperations;
|
||||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
|
||||||
import org.springframework.security.core.GrantedAuthority;
|
import org.springframework.security.core.GrantedAuthority;
|
||||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||||
import org.springframework.security.core.userdetails.UserDetails;
|
import org.springframework.security.core.userdetails.UserDetails;
|
||||||
|
@ -41,29 +37,30 @@ import org.springframework.util.Assert;
|
||||||
* @author Luke Taylor
|
* @author Luke Taylor
|
||||||
* @author Eddú Meléndez
|
* @author Eddú Meléndez
|
||||||
*/
|
*/
|
||||||
public class LdapUserDetailsMapper implements UserDetailsContextMapper, ApplicationContextAware {
|
public class LdapUserDetailsMapper implements UserDetailsContextMapper {
|
||||||
// ~ Instance fields
|
// ~ Instance fields
|
||||||
// ================================================================================================
|
// ================================================================================================
|
||||||
|
|
||||||
private final Log logger = LogFactory.getLog(LdapUserDetailsMapper.class);
|
private final Log logger = LogFactory.getLog(LdapUserDetailsMapper.class);
|
||||||
private String passwordAttributeName = "userPassword";
|
private String passwordAttributeName = "userPassword";
|
||||||
private GrantedAuthorityDefaults rolePrefix = new GrantedAuthorityDefaults("ROLE_");
|
private String rolePrefix = "ROLE_";
|
||||||
private String[] roleAttributes = null;
|
private String[] roleAttributes = null;
|
||||||
private boolean convertToUpperCase = true;
|
private boolean convertToUpperCase = true;
|
||||||
|
|
||||||
// ~ Methods
|
// ~ Methods
|
||||||
// ========================================================================================================
|
// ========================================================================================================
|
||||||
|
|
||||||
|
@Override
|
||||||
public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
|
public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
|
||||||
Collection<? extends GrantedAuthority> authorities) {
|
Collection<? extends GrantedAuthority> authorities) {
|
||||||
String dn = ctx.getNameInNamespace();
|
String dn = ctx.getNameInNamespace();
|
||||||
|
|
||||||
logger.debug("Mapping user details from context with DN: " + dn);
|
this.logger.debug("Mapping user details from context with DN: " + dn);
|
||||||
|
|
||||||
LdapUserDetailsImpl.Essence essence = new LdapUserDetailsImpl.Essence();
|
LdapUserDetailsImpl.Essence essence = new LdapUserDetailsImpl.Essence();
|
||||||
essence.setDn(dn);
|
essence.setDn(dn);
|
||||||
|
|
||||||
Object passwordValue = ctx.getObjectAttribute(passwordAttributeName);
|
Object passwordValue = ctx.getObjectAttribute(this.passwordAttributeName);
|
||||||
|
|
||||||
if (passwordValue != null) {
|
if (passwordValue != null) {
|
||||||
essence.setPassword(mapPassword(passwordValue));
|
essence.setPassword(mapPassword(passwordValue));
|
||||||
|
@ -72,12 +69,13 @@ public class LdapUserDetailsMapper implements UserDetailsContextMapper, Applicat
|
||||||
essence.setUsername(username);
|
essence.setUsername(username);
|
||||||
|
|
||||||
// Map the roles
|
// Map the roles
|
||||||
for (int i = 0; (roleAttributes != null) && (i < roleAttributes.length); i++) {
|
for (int i = 0; (this.roleAttributes != null)
|
||||||
String[] rolesForAttribute = ctx.getStringAttributes(roleAttributes[i]);
|
&& (i < this.roleAttributes.length); i++) {
|
||||||
|
String[] rolesForAttribute = ctx.getStringAttributes(this.roleAttributes[i]);
|
||||||
|
|
||||||
if (rolesForAttribute == null) {
|
if (rolesForAttribute == null) {
|
||||||
logger.debug("Couldn't read role attribute '" + roleAttributes[i]
|
this.logger.debug("Couldn't read role attribute '"
|
||||||
+ "' for user " + dn);
|
+ this.roleAttributes[i] + "' for user " + dn);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -110,6 +108,7 @@ public class LdapUserDetailsMapper implements UserDetailsContextMapper, Applicat
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
|
public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
|
||||||
throw new UnsupportedOperationException(
|
throw new UnsupportedOperationException(
|
||||||
"LdapUserDetailsMapper only supports reading from a context. Please"
|
"LdapUserDetailsMapper only supports reading from a context. Please"
|
||||||
|
@ -149,10 +148,10 @@ public class LdapUserDetailsMapper implements UserDetailsContextMapper, Applicat
|
||||||
*/
|
*/
|
||||||
protected GrantedAuthority createAuthority(Object role) {
|
protected GrantedAuthority createAuthority(Object role) {
|
||||||
if (role instanceof String) {
|
if (role instanceof String) {
|
||||||
if (convertToUpperCase) {
|
if (this.convertToUpperCase) {
|
||||||
role = ((String) role).toUpperCase();
|
role = ((String) role).toUpperCase();
|
||||||
}
|
}
|
||||||
return new SimpleGrantedAuthority(this.rolePrefix.getRolePrefix() + role);
|
return new SimpleGrantedAuthority(this.rolePrefix + role);
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
@ -194,16 +193,6 @@ public class LdapUserDetailsMapper implements UserDetailsContextMapper, Applicat
|
||||||
* @param rolePrefix the prefix (defaults to "ROLE_").
|
* @param rolePrefix the prefix (defaults to "ROLE_").
|
||||||
*/
|
*/
|
||||||
public void setRolePrefix(String rolePrefix) {
|
public void setRolePrefix(String rolePrefix) {
|
||||||
this.rolePrefix = new GrantedAuthorityDefaults(rolePrefix);
|
this.rolePrefix = rolePrefix;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public void setApplicationContext(ApplicationContext context) throws
|
|
||||||
BeansException {
|
|
||||||
String[] beanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);
|
|
||||||
if (beanNames.length == 1) {
|
|
||||||
this.rolePrefix = context.getBean(beanNames[0], GrantedAuthorityDefaults.class);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,60 +0,0 @@
|
||||||
/*
|
|
||||||
* Copyright 2002-2016 the original author or authors.
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
package org.springframework.security.ldap.userdetails;
|
|
||||||
|
|
||||||
import org.junit.Test;
|
|
||||||
|
|
||||||
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
|
|
||||||
import org.springframework.context.annotation.Bean;
|
|
||||||
import org.springframework.context.annotation.Configuration;
|
|
||||||
import org.springframework.ldap.core.ContextSource;
|
|
||||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
|
||||||
|
|
||||||
import static org.assertj.core.api.Assertions.assertThat;
|
|
||||||
import static org.mockito.Mockito.mock;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @author Eddú Meléndez
|
|
||||||
*/
|
|
||||||
public class DefaultLdapAuthoritiesPopulatorTests {
|
|
||||||
|
|
||||||
@Test
|
|
||||||
public void testDefaultRolePrefix() {
|
|
||||||
AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext();
|
|
||||||
context.register(LdapAuthoritiesPopulatorConfiguration.class);
|
|
||||||
context.refresh();
|
|
||||||
|
|
||||||
DefaultLdapAuthoritiesPopulator ldapPopulator = context.getBean(DefaultLdapAuthoritiesPopulator.class);
|
|
||||||
assertThat(ldapPopulator.getRolePrefix()).isEqualTo("ROL_");
|
|
||||||
}
|
|
||||||
|
|
||||||
@Configuration
|
|
||||||
static class LdapAuthoritiesPopulatorConfiguration {
|
|
||||||
|
|
||||||
@Bean
|
|
||||||
public GrantedAuthorityDefaults authorityDefaults() {
|
|
||||||
return new GrantedAuthorityDefaults("ROL_");
|
|
||||||
}
|
|
||||||
|
|
||||||
@Bean
|
|
||||||
public DefaultLdapAuthoritiesPopulator ldapAuthoritiesPopulator() {
|
|
||||||
ContextSource contextSource = mock(ContextSource.class);
|
|
||||||
return new DefaultLdapAuthoritiesPopulator(contextSource, "ou=groups");
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
|
@ -21,14 +21,9 @@ import javax.naming.directory.BasicAttributes;
|
||||||
|
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
|
||||||
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
|
|
||||||
import org.springframework.context.annotation.Bean;
|
|
||||||
import org.springframework.context.annotation.Configuration;
|
|
||||||
import org.springframework.ldap.core.DirContextAdapter;
|
import org.springframework.ldap.core.DirContextAdapter;
|
||||||
import org.springframework.ldap.core.DistinguishedName;
|
import org.springframework.ldap.core.DistinguishedName;
|
||||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
|
||||||
import org.springframework.security.core.authority.AuthorityUtils;
|
import org.springframework.security.core.authority.AuthorityUtils;
|
||||||
import org.springframework.test.util.ReflectionTestUtils;
|
|
||||||
|
|
||||||
import static org.assertj.core.api.Assertions.assertThat;
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
|
|
||||||
|
@ -100,31 +95,4 @@ public class LdapUserDetailsMapperTests {
|
||||||
assertThat(user.getPassword()).isEqualTo("mypassword");
|
assertThat(user.getPassword()).isEqualTo("mypassword");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
|
||||||
public void testDefaultRolePrefix() {
|
|
||||||
AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext();
|
|
||||||
context.register(LdapUserDetailsMapperConfiguration.class);
|
|
||||||
context.refresh();
|
|
||||||
|
|
||||||
LdapUserDetailsMapper ldapUserDetailsMapper = context.getBean(LdapUserDetailsMapper.class);
|
|
||||||
|
|
||||||
GrantedAuthorityDefaults rolePrefix = (GrantedAuthorityDefaults) ReflectionTestUtils.getField(ldapUserDetailsMapper, "rolePrefix");
|
|
||||||
assertThat(rolePrefix.getRolePrefix()).isEqualTo("ROL_");
|
|
||||||
}
|
|
||||||
|
|
||||||
@Configuration
|
|
||||||
static class LdapUserDetailsMapperConfiguration {
|
|
||||||
|
|
||||||
@Bean
|
|
||||||
public GrantedAuthorityDefaults authorityDefaults() {
|
|
||||||
return new GrantedAuthorityDefaults("ROL_");
|
|
||||||
}
|
|
||||||
|
|
||||||
@Bean
|
|
||||||
public LdapUserDetailsMapper ldapUserDetailsMapper() {
|
|
||||||
return new LdapUserDetailsMapper();
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,14 +15,11 @@
|
||||||
*/
|
*/
|
||||||
package org.springframework.security.web.access.expression;
|
package org.springframework.security.web.access.expression;
|
||||||
|
|
||||||
import org.springframework.beans.BeansException;
|
|
||||||
import org.springframework.context.ApplicationContext;
|
|
||||||
import org.springframework.security.access.expression.AbstractSecurityExpressionHandler;
|
import org.springframework.security.access.expression.AbstractSecurityExpressionHandler;
|
||||||
import org.springframework.security.access.expression.SecurityExpressionHandler;
|
import org.springframework.security.access.expression.SecurityExpressionHandler;
|
||||||
import org.springframework.security.access.expression.SecurityExpressionOperations;
|
import org.springframework.security.access.expression.SecurityExpressionOperations;
|
||||||
import org.springframework.security.authentication.AuthenticationTrustResolver;
|
import org.springframework.security.authentication.AuthenticationTrustResolver;
|
||||||
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
|
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
|
||||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
|
||||||
import org.springframework.security.core.Authentication;
|
import org.springframework.security.core.Authentication;
|
||||||
import org.springframework.security.web.FilterInvocation;
|
import org.springframework.security.web.FilterInvocation;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
|
@ -38,7 +35,7 @@ public class DefaultWebSecurityExpressionHandler extends
|
||||||
SecurityExpressionHandler<FilterInvocation> {
|
SecurityExpressionHandler<FilterInvocation> {
|
||||||
|
|
||||||
private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
|
private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
|
||||||
private GrantedAuthorityDefaults defaultRolePrefix = new GrantedAuthorityDefaults("ROLE_");
|
private String defaultRolePrefix = "ROLE_";
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected SecurityExpressionOperations createSecurityExpressionRoot(
|
protected SecurityExpressionOperations createSecurityExpressionRoot(
|
||||||
|
@ -47,7 +44,7 @@ public class DefaultWebSecurityExpressionHandler extends
|
||||||
root.setPermissionEvaluator(getPermissionEvaluator());
|
root.setPermissionEvaluator(getPermissionEvaluator());
|
||||||
root.setTrustResolver(trustResolver);
|
root.setTrustResolver(trustResolver);
|
||||||
root.setRoleHierarchy(getRoleHierarchy());
|
root.setRoleHierarchy(getRoleHierarchy());
|
||||||
root.setDefaultRolePrefix(this.defaultRolePrefix.getRolePrefix());
|
root.setDefaultRolePrefix(this.defaultRolePrefix);
|
||||||
return root;
|
return root;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -78,16 +75,6 @@ public class DefaultWebSecurityExpressionHandler extends
|
||||||
* @param defaultRolePrefix the default prefix to add to roles. Default "ROLE_".
|
* @param defaultRolePrefix the default prefix to add to roles. Default "ROLE_".
|
||||||
*/
|
*/
|
||||||
public void setDefaultRolePrefix(String defaultRolePrefix) {
|
public void setDefaultRolePrefix(String defaultRolePrefix) {
|
||||||
this.defaultRolePrefix = new GrantedAuthorityDefaults(defaultRolePrefix);
|
this.defaultRolePrefix = defaultRolePrefix;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public void setApplicationContext(ApplicationContext context) {
|
|
||||||
super.setApplicationContext(context);
|
|
||||||
String[] beanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);
|
|
||||||
if (beanNames.length == 1) {
|
|
||||||
this.defaultRolePrefix = context.getBean(beanNames[0], GrantedAuthorityDefaults.class);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
|
@ -27,13 +27,9 @@ import javax.servlet.ServletResponse;
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
import javax.servlet.http.HttpServletResponse;
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
import org.springframework.beans.BeansException;
|
|
||||||
import org.springframework.context.ApplicationContext;
|
|
||||||
import org.springframework.context.ApplicationContextAware;
|
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
import org.springframework.security.authentication.AuthenticationTrustResolver;
|
import org.springframework.security.authentication.AuthenticationTrustResolver;
|
||||||
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
|
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
|
||||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
|
||||||
import org.springframework.security.core.context.SecurityContext;
|
import org.springframework.security.core.context.SecurityContext;
|
||||||
import org.springframework.security.core.context.SecurityContextHolder;
|
import org.springframework.security.core.context.SecurityContextHolder;
|
||||||
import org.springframework.security.web.AuthenticationEntryPoint;
|
import org.springframework.security.web.AuthenticationEntryPoint;
|
||||||
|
@ -77,11 +73,11 @@ import org.springframework.web.filter.GenericFilterBean;
|
||||||
* @author Rob Winch
|
* @author Rob Winch
|
||||||
* @author Eddú Meléndez
|
* @author Eddú Meléndez
|
||||||
*/
|
*/
|
||||||
public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean implements ApplicationContextAware {
|
public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
|
||||||
// ~ Instance fields
|
// ~ Instance fields
|
||||||
// ================================================================================================
|
// ================================================================================================
|
||||||
|
|
||||||
private GrantedAuthorityDefaults rolePrefix = new GrantedAuthorityDefaults("ROLE_");
|
private String rolePrefix = "ROLE_";
|
||||||
|
|
||||||
private HttpServletRequestFactory requestFactory;
|
private HttpServletRequestFactory requestFactory;
|
||||||
|
|
||||||
|
@ -98,7 +94,7 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean i
|
||||||
|
|
||||||
public void setRolePrefix(String rolePrefix) {
|
public void setRolePrefix(String rolePrefix) {
|
||||||
Assert.notNull(rolePrefix, "Role prefix must not be null");
|
Assert.notNull(rolePrefix, "Role prefix must not be null");
|
||||||
this.rolePrefix = new GrantedAuthorityDefaults(rolePrefix);
|
this.rolePrefix = rolePrefix;
|
||||||
updateFactory();
|
updateFactory();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -182,7 +178,7 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean i
|
||||||
}
|
}
|
||||||
|
|
||||||
private void updateFactory() {
|
private void updateFactory() {
|
||||||
String rolePrefix = this.rolePrefix.getRolePrefix();
|
String rolePrefix = this.rolePrefix;
|
||||||
this.requestFactory = isServlet3() ? createServlet3Factory(rolePrefix)
|
this.requestFactory = isServlet3() ? createServlet3Factory(rolePrefix)
|
||||||
: new HttpServlet25RequestFactory(this.trustResolver, rolePrefix);
|
: new HttpServlet25RequestFactory(this.trustResolver, rolePrefix);
|
||||||
}
|
}
|
||||||
|
@ -216,14 +212,4 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean i
|
||||||
private boolean isServlet3() {
|
private boolean isServlet3() {
|
||||||
return ClassUtils.hasMethod(ServletRequest.class, "startAsync");
|
return ClassUtils.hasMethod(ServletRequest.class, "startAsync");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public void setApplicationContext(ApplicationContext context) throws
|
|
||||||
BeansException {
|
|
||||||
String[] beanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);
|
|
||||||
if (beanNames.length == 1) {
|
|
||||||
this.rolePrefix = context.getBean(beanNames[0], GrantedAuthorityDefaults.class);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -16,16 +16,13 @@
|
||||||
|
|
||||||
package org.springframework.security.web.access.expression;
|
package org.springframework.security.web.access.expression;
|
||||||
|
|
||||||
import static org.assertj.core.api.Assertions.assertThat;
|
|
||||||
import static org.mockito.Mockito.mock;
|
|
||||||
import static org.mockito.Mockito.verify;
|
|
||||||
|
|
||||||
import org.junit.After;
|
import org.junit.After;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.junit.runner.RunWith;
|
import org.junit.runner.RunWith;
|
||||||
import org.mockito.Mock;
|
import org.mockito.Mock;
|
||||||
import org.mockito.runners.MockitoJUnitRunner;
|
import org.mockito.runners.MockitoJUnitRunner;
|
||||||
|
|
||||||
import org.springframework.beans.factory.support.RootBeanDefinition;
|
import org.springframework.beans.factory.support.RootBeanDefinition;
|
||||||
import org.springframework.context.support.StaticApplicationContext;
|
import org.springframework.context.support.StaticApplicationContext;
|
||||||
import org.springframework.expression.EvaluationContext;
|
import org.springframework.expression.EvaluationContext;
|
||||||
|
@ -33,11 +30,14 @@ import org.springframework.expression.Expression;
|
||||||
import org.springframework.expression.ExpressionParser;
|
import org.springframework.expression.ExpressionParser;
|
||||||
import org.springframework.security.access.SecurityConfig;
|
import org.springframework.security.access.SecurityConfig;
|
||||||
import org.springframework.security.authentication.AuthenticationTrustResolver;
|
import org.springframework.security.authentication.AuthenticationTrustResolver;
|
||||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
|
||||||
import org.springframework.security.core.Authentication;
|
import org.springframework.security.core.Authentication;
|
||||||
import org.springframework.security.core.context.SecurityContextHolder;
|
import org.springframework.security.core.context.SecurityContextHolder;
|
||||||
import org.springframework.security.web.FilterInvocation;
|
import org.springframework.security.web.FilterInvocation;
|
||||||
|
|
||||||
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
|
import static org.mockito.Mockito.mock;
|
||||||
|
import static org.mockito.Mockito.verify;
|
||||||
|
|
||||||
@RunWith(MockitoJUnitRunner.class)
|
@RunWith(MockitoJUnitRunner.class)
|
||||||
public class DefaultWebSecurityExpressionHandlerTests {
|
public class DefaultWebSecurityExpressionHandlerTests {
|
||||||
|
|
||||||
|
@ -97,21 +97,4 @@ public class DefaultWebSecurityExpressionHandlerTests {
|
||||||
verify(trustResolver).isAnonymous(authentication);
|
verify(trustResolver).isAnonymous(authentication);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
|
||||||
public void testDefaultRolePrefix() {
|
|
||||||
StaticApplicationContext appContext = new StaticApplicationContext();
|
|
||||||
RootBeanDefinition bean = new RootBeanDefinition(GrantedAuthorityDefaults.class);
|
|
||||||
bean.getConstructorArgumentValues().addGenericArgumentValue("ROL_");
|
|
||||||
appContext.registerBeanDefinition("authorityDefaults", bean);
|
|
||||||
handler.setApplicationContext(appContext);
|
|
||||||
|
|
||||||
EvaluationContext ctx = handler.createEvaluationContext(
|
|
||||||
mock(Authentication.class), mock(FilterInvocation.class));
|
|
||||||
ExpressionParser parser = handler.getExpressionParser();
|
|
||||||
assertThat(parser.parseExpression("@authorityDefaults.getRolePrefix() == 'ROL_'").getValue(
|
|
||||||
ctx, Boolean.class)).isTrue();
|
|
||||||
assertThat(parser.parseExpression("@authorityDefaults.rolePrefix == 'ROL_'").getValue(ctx,
|
|
||||||
Boolean.class)).isTrue();
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -36,9 +36,6 @@ import org.powermock.core.classloader.annotations.PrepareForTest;
|
||||||
import org.powermock.modules.junit4.PowerMockRunner;
|
import org.powermock.modules.junit4.PowerMockRunner;
|
||||||
import org.powermock.reflect.internal.WhiteboxImpl;
|
import org.powermock.reflect.internal.WhiteboxImpl;
|
||||||
|
|
||||||
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
|
|
||||||
import org.springframework.context.annotation.Bean;
|
|
||||||
import org.springframework.context.annotation.Configuration;
|
|
||||||
import org.springframework.mock.web.MockHttpServletRequest;
|
import org.springframework.mock.web.MockHttpServletRequest;
|
||||||
import org.springframework.mock.web.MockHttpServletResponse;
|
import org.springframework.mock.web.MockHttpServletResponse;
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
|
@ -46,13 +43,11 @@ import org.springframework.security.authentication.BadCredentialsException;
|
||||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||||
import org.springframework.security.concurrent.DelegatingSecurityContextRunnable;
|
import org.springframework.security.concurrent.DelegatingSecurityContextRunnable;
|
||||||
import org.springframework.security.config.GrantedAuthorityDefaults;
|
|
||||||
import org.springframework.security.core.AuthenticationException;
|
import org.springframework.security.core.AuthenticationException;
|
||||||
import org.springframework.security.core.context.SecurityContext;
|
import org.springframework.security.core.context.SecurityContext;
|
||||||
import org.springframework.security.core.context.SecurityContextHolder;
|
import org.springframework.security.core.context.SecurityContextHolder;
|
||||||
import org.springframework.security.web.AuthenticationEntryPoint;
|
import org.springframework.security.web.AuthenticationEntryPoint;
|
||||||
import org.springframework.security.web.authentication.logout.LogoutHandler;
|
import org.springframework.security.web.authentication.logout.LogoutHandler;
|
||||||
import org.springframework.test.util.ReflectionTestUtils;
|
|
||||||
import org.springframework.util.ClassUtils;
|
import org.springframework.util.ClassUtils;
|
||||||
|
|
||||||
import static org.assertj.core.api.Assertions.assertThat;
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
|
@ -422,30 +417,4 @@ public class SecurityContextHolderAwareRequestFilterTests {
|
||||||
return this.requestCaptor.getValue();
|
return this.requestCaptor.getValue();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
|
||||||
public void testDefaultRolePrefix() {
|
|
||||||
AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext();
|
|
||||||
context.register(FilterConfiguration.class);
|
|
||||||
context.refresh();
|
|
||||||
|
|
||||||
SecurityContextHolderAwareRequestFilter filter = context.getBean(SecurityContextHolderAwareRequestFilter.class);
|
|
||||||
GrantedAuthorityDefaults authorityDefaults = (GrantedAuthorityDefaults) ReflectionTestUtils.getField(filter, "rolePrefix");
|
|
||||||
assertThat(authorityDefaults.getRolePrefix()).isEqualTo("ROL_");
|
|
||||||
}
|
|
||||||
|
|
||||||
@Configuration
|
|
||||||
static class FilterConfiguration {
|
|
||||||
|
|
||||||
@Bean
|
|
||||||
public GrantedAuthorityDefaults authorityDefaults() {
|
|
||||||
return new GrantedAuthorityDefaults("ROL_");
|
|
||||||
}
|
|
||||||
|
|
||||||
@Bean
|
|
||||||
public SecurityContextHolderAwareRequestFilter requestFilter() {
|
|
||||||
return new SecurityContextHolderAwareRequestFilter();
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue