Polish use-authorization-manager

- Use SecurityContextHolderStrategy
- Allow empty role prefix
- Disallow access-decision-manager-ref and authorization-manager-ref
together

Issue gh-11305
Josh Cummings 2022-10-05 19:49:06 -06:00
parent 7043ef6ccb
commit b4d13e7726
2 changed files with 18 additions and 2 deletions


@ -50,6 +50,8 @@ class AuthorizationFilterParser implements BeanDefinitionParser {
private static final String ATT_USE_EXPRESSIONS = "use-expressions";
private static final String ATT_ACCESS_DECISION_MANAGER_REF = "access-decision-manager-ref";
private static final String ATT_HTTP_METHOD = "method";
private static final String ATT_PATTERN = "pattern";
@ -60,6 +62,12 @@ class AuthorizationFilterParser implements BeanDefinitionParser {
private String authorizationManagerRef;
private final BeanMetadataElement securityContextHolderStrategy;
AuthorizationFilterParser(BeanMetadataElement securityContextHolderStrategy) {
this.securityContextHolderStrategy = securityContextHolderStrategy;
}
@Override
public BeanDefinition parse(Element element, ParserContext parserContext) {
if (!isUseExpressions(element)) {
@ -67,10 +75,16 @@ class AuthorizationFilterParser implements BeanDefinitionParser {
element);
return null;
}
if (StringUtils.hasText(element.getAttribute(ATT_ACCESS_DECISION_MANAGER_REF))) {
parserContext.getReaderContext().error(
"AuthorizationManager cannot be used in conjunction with `access-decision-manager-ref`", element);
return null;
}
this.authorizationManagerRef = createAuthorizationManager(element, parserContext);
BeanDefinitionBuilder filterBuilder = BeanDefinitionBuilder.rootBeanDefinition(AuthorizationFilter.class);
filterBuilder.getRawBeanDefinition().setSource(parserContext.extractSource(element));
BeanDefinition filter = filterBuilder.addConstructorArgReference(this.authorizationManagerRef)
.addPropertyValue("securityContextHolderStrategy", this.securityContextHolderStrategy)
.getBeanDefinition();
String id = element.getAttribute(AbstractBeanDefinitionParser.ID_ATTRIBUTE);
if (StringUtils.hasText(id)) {
@ -172,7 +186,9 @@ class AuthorizationFilterParser implements BeanDefinitionParser {
@Override
public DefaultHttpSecurityExpressionHandler getBean() {
this.handler.setDefaultRolePrefix(this.rolePrefix);
if (this.rolePrefix != null) {
this.handler.setDefaultRolePrefix(this.rolePrefix);
}
return this.handler;
}
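Review bot: The new null guard in getBean() (the `if (this.rolePrefix != null)` around setDefaultRolePrefix) silently distinguishes three cases — attribute absent (handler keeps its own default), explicitly empty (prefix disabled), and a concrete prefix — but nothing in the hunk says so, and a later reader is likely to "simplify" it back to an unconditional set. I would add `// null = attribute not set, keep the handler's default; "" is a deliberate "no prefix" and must still be applied` above the guard. In the parse() hunk, the new access-decision-manager-ref check reports the conflict through the reader context and then returns null, matching the existing use-expressions path just above it; the error text names only `access-decision-manager-ref`, so consider wording it to also name the attribute that selected this parser (the commit message refers to both), so the user sees which pair is incompatible. The enclosing parse() body continues past the end of the hunk.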


@ -729,7 +729,7 @@ class HttpConfigurationBuilder {
}
private void createAuthorizationFilter() {
AuthorizationFilterParser authorizationFilterParser = new AuthorizationFilterParser();
AuthorizationFilterParser authorizationFilterParser = new AuthorizationFilterParser(this.holderStrategyRef);
BeanDefinition fsiBean = authorizationFilterParser.parse(this.httpElt, this.pc);
String fsiId = this.pc.getReaderContext().generateBeanName(fsiBean);
this.pc.registerBeanComponent(new BeanComponentDefinition(fsiBean, fsiId));
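Review bot: The parse() call on the line after the new constructor argument is followed by an unconditional `generateBeanName(fsiBean)`, while the other file's hunk shows parse() now has a second early `return null` path (the access-decision-manager-ref conflict) after reporting through the reader context. If the reader context's problem reporter is configured not to throw, that null reaches generateBeanName here; it is worth either guarding `if (fsiBean == null) return;` or documenting in a comment that the error() call is relied on to abort parsing. createAuthorizationFilter() appears complete in the hunk, but the surrounding class is not.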