From c1f2fa1983a19611fe2e8cd41478160a207708cd Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Wed, 5 Jan 2011 16:56:28 +0000 Subject: [PATCH] SEC-1558: Changed signatures of PrePostInvocationAttributeFactory to take strings rather than annotation types to allow the metadata to be obtained from other sources (not just annotations). --- ...pressionBasedAnnotationAttributeFactory.java | 17 ++++++----------- ...PrePostAnnotationSecurityMetadataSource.java | 13 ++++++++++--- .../PrePostInvocationAttributeFactory.java | 4 ++-- ...preterPrePostInvocationAttributeFactory.java | 10 +++------- 4 files changed, 21 insertions(+), 23 deletions(-) diff --git a/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java b/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java index 81250c04ff..1617b8014c 100644 --- a/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java +++ b/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java @@ -6,11 +6,7 @@ package org.springframework.security.access.expression.method; import org.springframework.expression.Expression; import org.springframework.expression.ExpressionParser; import org.springframework.expression.ParseException; -import org.springframework.security.access.prepost.PostAuthorize; -import org.springframework.security.access.prepost.PostFilter; import org.springframework.security.access.prepost.PostInvocationAttribute; -import org.springframework.security.access.prepost.PreAuthorize; -import org.springframework.security.access.prepost.PreFilter; import org.springframework.security.access.prepost.PreInvocationAttribute; import org.springframework.security.access.prepost.PrePostInvocationAttributeFactory; 
@@ -28,22 +24,21 @@ public class ExpressionBasedAnnotationAttributeFactory implements PrePostInvocat parser = handler.getExpressionParser(); } - public PreInvocationAttribute createPreInvocationAttribute(PreFilter preFilter, PreAuthorize preAuthorize) { + public PreInvocationAttribute createPreInvocationAttribute(String preFilterAttribute, String filterObject, String preAuthorizeAttribute) { try { // TODO: Optimization of permitAll - Expression preAuthorizeExpression = preAuthorize == null ? parser.parseExpression("permitAll") : parser.parseExpression(preAuthorize.value()); - Expression preFilterExpression = preFilter == null ? null : parser.parseExpression(preFilter.value()); - String filterObject = preFilter == null ? null : preFilter.filterTarget(); + Expression preAuthorizeExpression = preAuthorizeAttribute == null ? parser.parseExpression("permitAll") : parser.parseExpression(preAuthorizeAttribute); + Expression preFilterExpression = preFilterAttribute == null ? null : parser.parseExpression(preFilterAttribute); return new PreInvocationExpressionAttribute(preFilterExpression, filterObject, preAuthorizeExpression); } catch (ParseException e) { throw new IllegalArgumentException("Failed to parse expression '" + e.getExpressionString() + "'", e); } } - public PostInvocationAttribute createPostInvocationAttribute(PostFilter postFilter, PostAuthorize postAuthorize) { + public PostInvocationAttribute createPostInvocationAttribute(String postFilterAttribute, String postAuthorizeAttribute) { try { - Expression postAuthorizeExpression = postAuthorize == null ? null : parser.parseExpression(postAuthorize.value()); - Expression postFilterExpression = postFilter == null ? null : parser.parseExpression(postFilter.value()); + Expression postAuthorizeExpression = postAuthorizeAttribute == null ? null : parser.parseExpression(postAuthorizeAttribute); + Expression postFilterExpression = postFilterAttribute == null ? 
null : parser.parseExpression(postFilterAttribute); if (postFilterExpression != null || postAuthorizeExpression != null) { return new PostInvocationExpressionAttribute(postFilterExpression, postAuthorizeExpression); diff --git a/core/src/main/java/org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource.java b/core/src/main/java/org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource.java index 5138f5f25d..64ad62c392 100644 --- a/core/src/main/java/org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource.java +++ b/core/src/main/java/org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource.java @@ -44,6 +44,7 @@ public class PrePostAnnotationSecurityMetadataSource extends AbstractMethodSecur logger.trace("Looking for Pre/Post annotations for method '" + method.getName() + "' on target class '" + targetClass + "'"); PreFilter preFilter = findAnnotation(method, targetClass, PreFilter.class); + PreAuthorize preAuthorize = findAnnotation(method, targetClass, PreAuthorize.class); PostFilter postFilter = findAnnotation(method, targetClass, PostFilter.class); // TODO: Can we check for void methods and throw an exception here? 
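Review bot: In `ExpressionBasedAnnotationAttributeFactory.createPreInvocationAttribute`, a null `preAuthorizeAttribute` still falls through to `parser.parseExpression("permitAll")`. That was safe while null could only mean "no @PreAuthorize annotation", but it is fail-open now that the commit message allows the strings to come from other metadata sources. A source that hands over null because its own lookup failed would, as far as this hunk shows, yield a permit-all attribute with no error. I would document the contract on the method, e.g. `// null preAuthorizeAttribute means "no pre-authorization rule" and is treated as permitAll; never pass null for a failed lookup`. The Javadoc should also say that every attribute string is parsed as an expression by `parser`, so it must come from trusted configuration; this applies equally to `createPostInvocationAttribute`, whose body ends outside the hunk.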
@@ -55,15 +56,21 @@ public class PrePostAnnotationSecurityMetadataSource extends AbstractMethodSecur return null; } - ArrayList attrs = new ArrayList(); + String preFilterAttribute = preFilter == null ? null : preFilter.value(); + String filterObject = preFilter == null ? null : preFilter.filterTarget(); + String preAuthorizeAttribute = preAuthorize == null ? null : preAuthorize.value(); + String postFilterAttribute = postFilter == null ? null : postFilter.value(); + String postAuthorizeAttribute = postAuthorize == null ? null : postAuthorize.value(); - PreInvocationAttribute pre = attributeFactory.createPreInvocationAttribute(preFilter, preAuthorize); + ArrayList attrs = new ArrayList(2); + + PreInvocationAttribute pre = attributeFactory.createPreInvocationAttribute(preFilterAttribute, filterObject, preAuthorizeAttribute); if (pre != null) { attrs.add(pre); } - PostInvocationAttribute post = attributeFactory.createPostInvocationAttribute(postFilter, postAuthorize); + PostInvocationAttribute post = attributeFactory.createPostInvocationAttribute(postFilterAttribute, postAuthorizeAttribute); if (post != null) { attrs.add(post); diff --git a/core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java b/core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java index 5c34e03dec..c353a073b3 100644 --- a/core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java +++ b/core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java 
@@ -9,7 +9,7 @@ import org.springframework.aop.framework.AopInfrastructureBean; */ public interface PrePostInvocationAttributeFactory extends AopInfrastructureBean { - PreInvocationAttribute createPreInvocationAttribute(PreFilter preFilter, PreAuthorize preAuthorize); + PreInvocationAttribute createPreInvocationAttribute(String preFilterAttribute, String filterObject, String preAuthorizeAttribute); - PostInvocationAttribute createPostInvocationAttribute(PostFilter postFilter, PostAuthorize postAuthorize); + PostInvocationAttribute createPostInvocationAttribute(String postFilterAttribute, String postAuthorizeAttribute); } diff --git a/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPrePostInvocationAttributeFactory.java b/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPrePostInvocationAttributeFactory.java index a328702ac9..6612d02871 100644 --- a/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPrePostInvocationAttributeFactory.java +++ b/itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPrePostInvocationAttributeFactory.java @@ -1,11 +1,7 @@ package org.springframework.security.integration.python; import org.python.util.PythonInterpreter; -import org.springframework.security.access.prepost.PostAuthorize; -import org.springframework.security.access.prepost.PostFilter; import org.springframework.security.access.prepost.PostInvocationAttribute; -import org.springframework.security.access.prepost.PreAuthorize; -import org.springframework.security.access.prepost.PreFilter; import org.springframework.security.access.prepost.PreInvocationAttribute; import org.springframework.security.access.prepost.PrePostInvocationAttributeFactory; 
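Review bot: The new signatures in `PrePostInvocationAttributeFactory` take three and two adjacent `String` parameters with no Javadoc, so the compiler can no longer catch a caller that transposes `preFilterAttribute`, `filterObject` and `preAuthorizeAttribute` the way the old annotation types did. A swapped call would treat an authorization expression as a filter expression (or the reverse) and would probably only surface when the expression is parsed or evaluated. Javadoc on both methods should state which argument is which, that null means the corresponding rule is absent, and that implementations may return null (the caller in `PrePostAnnotationSecurityMetadataSource` checks `pre != null` and `post != null`). The start of the interface file is outside this hunk.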
@@ -16,11 +12,11 @@ public class PythonInterpreterPrePostInvocationAttributeFactory implements PrePo } - public PreInvocationAttribute createPreInvocationAttribute(PreFilter preFilter, PreAuthorize preAuthorize) { - return new PythonInterpreterPreInvocationAttribute(preAuthorize.value()); + public PreInvocationAttribute createPreInvocationAttribute(String preFilterAttribute, String filterObject, String preAuthorizeAttribute) { + return new PythonInterpreterPreInvocationAttribute(preAuthorizeAttribute ); } - public PostInvocationAttribute createPostInvocationAttribute(PostFilter postFilter, PostAuthorize postAuthorize) { + public PostInvocationAttribute createPostInvocationAttribute(String postFilterAttribute, String postAuthorizeAttribute) { return null; } }
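Review bot: `createPreInvocationAttribute` in the Python test factory now passes `preAuthorizeAttribute` straight to `new PythonInterpreterPreInvocationAttribute(...)`, so a method carrying only `@PreFilter` reaches the constructor with null, where the old `preAuthorize.value()` would have thrown a NullPointerException. `preFilterAttribute` and `filterObject` are also ignored without any signal, so a filter rule declared on such a method is not enforced by this factory. What the attribute does with a null script is not visible here, so I would fail loudly instead: `if (preAuthorizeAttribute == null) throw new IllegalArgumentException("PreAuthorize attribute is required");`. The stray space in `preAuthorizeAttribute );` can be removed at the same time.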