SEC-2783: XML Configuration Defaults Should Match JavaConfig

* j_username -> username
* j_password -> password
* j_spring_security_check -> login
* j_spring_cas_security_check -> login/cas
* j_spring_cas_security_proxyreceptor -> login/cas/proxyreceptor
* j_spring_openid_security_login -> login/openid
* j_spring_security_switch_user -> login/impersonate
* j_spring_security_exit_user -> logout/impersonate
* login_error -> error
* use-expressions=true by default
This commit is contained in:
Rob Winch 2014-12-05 09:52:29 -06:00
parent b56e5edbbd
commit c67ff42b8a
125 changed files with 8122 additions and 395 deletions


@ -60,7 +60,7 @@ public class ServiceProperties implements InitializingBean {
* This service is the callback URL belonging to the local Spring Security System for Spring secured application.
* For example,
* <pre>
* https://www.mycompany.com/application/j_spring_cas_security_check
* https://www.mycompany.com/application/login/cas
* </pre>
*
* @return the URL of the service the user is authenticating to


@ -51,7 +51,7 @@ import org.springframework.util.Assert;
* presented in the <code>ticket</code> request parameter.
* <p>
* This filter monitors the <code>service</code> URL so it can
* receive the service ticket and process it. By default this filter processes the URL <tt>/j_spring_cas_security_check</tt>.
* receive the service ticket and process it. By default this filter processes the URL <tt>/login/cas</tt>.
* When processing this URL, the value of {@link ServiceProperties#getService()} is used as the <tt>service</tt> when validating
* the <code>ticket</code>. This means that it is important that {@link ServiceProperties#getService()} specifies the same value
* as the <tt>filterProcessesUrl</tt>.
@ -92,7 +92,7 @@ import org.springframework.util.Assert;
* <pre>
* &lt;b:bean id=&quot;serviceProperties&quot;
* class=&quot;org.springframework.security.cas.ServiceProperties&quot;
* p:service=&quot;https://service.example.com/cas-sample/j_spring_cas_security_check&quot;
* p:service=&quot;https://service.example.com/cas-sample/login/cas&quot;
* p:authenticateAllArtifacts=&quot;true&quot;/&gt;
* &lt;b:bean id=&quot;casEntryPoint&quot;
* class=&quot;org.springframework.security.cas.web.CasAuthenticationEntryPoint&quot;
@ -102,7 +102,7 @@ import org.springframework.util.Assert;
* p:authenticationManager-ref=&quot;authManager&quot;
* p:serviceProperties-ref=&quot;serviceProperties&quot;
* p:proxyGrantingTicketStorage-ref=&quot;pgtStorage&quot;
* p:proxyReceptorUrl=&quot;/j_spring_cas_security_proxyreceptor&quot;&gt;
* p:proxyReceptorUrl=&quot;/login/cas/proxyreceptor&quot;&gt;
* &lt;b:property name=&quot;authenticationDetailsSource&quot;&gt;
* &lt;b:bean class=&quot;org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource&quot;/&gt;
* &lt;/b:property&gt;
@ -129,7 +129,7 @@ import org.springframework.util.Assert;
* &lt;b:bean
* class=&quot;org.jasig.cas.client.validation.Cas20ProxyTicketValidator&quot;
* p:acceptAnyProxy=&quot;true&quot;
* p:proxyCallbackUrl=&quot;https://service.example.com/cas-sample/j_spring_cas_security_proxyreceptor&quot;
* p:proxyCallbackUrl=&quot;https://service.example.com/cas-sample/login/cas/proxyreceptor&quot;
* p:proxyGrantingTicketStorage-ref=&quot;pgtStorage&quot;&gt;
* &lt;b:constructor-arg value=&quot;https://login.example.org/cas&quot; /&gt;
* &lt;/b:bean&gt;
@ -188,7 +188,7 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
//~ Constructors ===================================================================================================
public CasAuthenticationFilter() {
super("/j_spring_cas_security_check");
super("/login/cas");
setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler());
}


@ -1,12 +1,12 @@
/*
* Copyright 2011 the original author or authors.
*
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*
* http://www.apache.org/licenses/LICENSE-2.0
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@ -135,7 +135,7 @@ final class DefaultServiceAuthenticationDetails extends WebAuthenticationDetails
/**
* Gets the port from the casServiceURL ensuring to return the proper value if the default port is being used.
* @param casServiceUrl the casServerUrl to be used (i.e. "https://example.com/context/j_spring_security_cas_check")
* @param casServiceUrl the casServerUrl to be used (i.e. "https://example.com/context/login/cas")
* @return the port that is configured for the casServerUrl
*/
private static int getServicePort(URL casServiceUrl) {


@ -19,7 +19,7 @@ public abstract class AbstractStatelessTicketCacheTests {
protected CasAuthenticationToken getToken() {
List<String> proxyList = new ArrayList<String>();
proxyList.add("https://localhost/newPortal/j_spring_cas_security_check");
proxyList.add("https://localhost/newPortal/login/cas");
User user = new User("rod", "password", true, true, true, true, AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO"));
final Assertion assertion = new AssertionImpl("rod");


@ -69,7 +69,7 @@ public class CasAuthenticationEntryPointTests extends TestCase {
public void testNormalOperationWithRenewFalse() throws Exception {
ServiceProperties sp = new ServiceProperties();
sp.setSendRenew(false);
sp.setService("https://mycompany.com/bigWebApp/j_spring_cas_security_check");
sp.setService("https://mycompany.com/bigWebApp/login/cas");
CasAuthenticationEntryPoint ep = new CasAuthenticationEntryPoint();
ep.setLoginUrl("https://cas/login");
@ -84,14 +84,14 @@ public class CasAuthenticationEntryPointTests extends TestCase {
ep.commence(request, response, null);
assertEquals("https://cas/login?service="
+ URLEncoder.encode("https://mycompany.com/bigWebApp/j_spring_cas_security_check", "UTF-8"),
+ URLEncoder.encode("https://mycompany.com/bigWebApp/login/cas", "UTF-8"),
response.getRedirectedUrl());
}
public void testNormalOperationWithRenewTrue() throws Exception {
ServiceProperties sp = new ServiceProperties();
sp.setSendRenew(true);
sp.setService("https://mycompany.com/bigWebApp/j_spring_cas_security_check");
sp.setService("https://mycompany.com/bigWebApp/login/cas");
CasAuthenticationEntryPoint ep = new CasAuthenticationEntryPoint();
ep.setLoginUrl("https://cas/login");
@ -105,7 +105,7 @@ public class CasAuthenticationEntryPointTests extends TestCase {
ep.afterPropertiesSet();
ep.commence(request, response, null);
assertEquals("https://cas/login?service="
+ URLEncoder.encode("https://mycompany.com/bigWebApp/j_spring_cas_security_check", "UTF-8") + "&renew=true",
+ URLEncoder.encode("https://mycompany.com/bigWebApp/login/cas", "UTF-8") + "&renew=true",
response.getRedirectedUrl());
}
}


@ -71,7 +71,7 @@ public class CasAuthenticationFilterTests {
@Test
public void testNormalOperation() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServletPath("/j_spring_cas_security_check");
request.setServletPath("/login/cas");
request.addParameter("ticket", "ST-0-ER94xMJmn6pha35CQRoZ");
CasAuthenticationFilter filter = new CasAuthenticationFilter();


@ -948,8 +948,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* .antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* .and()
* .formLogin()
* .usernameParameter("j_username") // default is username
* .passwordParameter("j_password") // default is password
* .usernameParameter("username") // default is username
* .passwordParameter("password") // default is password
* .loginPage("/authentication/login") // default is /login with an HTTP get
* .failureUrl("/authentication/login?failed") // default is /login?error
* .loginProcessingUrl("/authentication/login/process"); // default is /login with an HTTP post


@ -6,8 +6,13 @@ import org.springframework.beans.factory.BeanFactoryAware;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.BeanIds;
import org.springframework.security.core.userdetails.UserDetailsService;
import java.util.Arrays;
/**
* Factory bean for the namespace AuthenticationManager, which allows a more meaningful error message
@ -28,6 +33,13 @@ public class AuthenticationManagerFactoryBean implements FactoryBean<Authenticat
return (AuthenticationManager) bf.getBean(BeanIds.AUTHENTICATION_MANAGER);
} catch (NoSuchBeanDefinitionException e) {
if (BeanIds.AUTHENTICATION_MANAGER.equals(e.getBeanName())) {
try {
UserDetailsService uds = bf.getBean(UserDetailsService.class);
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setUserDetailsService(uds);
provider.afterPropertiesSet();
return new ProviderManager(Arrays.<AuthenticationProvider>asList(provider));
} catch(NoSuchBeanDefinitionException noUds) {}
throw new NoSuchBeanDefinitionException(BeanIds.AUTHENTICATION_MANAGER, MISSING_BEAN_ERROR_MESSAGE);
}
throw e;
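Review bot: The empty `catch(NoSuchBeanDefinitionException noUds) {}` around the UserDetailsService fallback discards the reason the lookup failed, and in Spring versions where NoUniqueBeanDefinitionException extends NoSuchBeanDefinitionException a context holding two UserDetailsService beans is reported as a missing AuthenticationManager, which points the user at the wrong bean. At minimum name the variable and state why falling through is safe: `} catch (NoSuchBeanDefinitionException ignored) { // no usable UserDetailsService: report the missing AuthenticationManager instead }`, and consider a preceding `catch (NoUniqueBeanDefinitionException multiple) { throw multiple; }` so the ambiguous case is reported as what it is. The constructed DaoAuthenticationProvider is also given no PasswordEncoder, so whatever the provider's default encoding is applies silently; a one-line comment saying that default is intentional for this fallback would save the next reader a check. The enclosing getObject method starts and ends outside the hunk.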


@ -130,12 +130,12 @@ final class AuthenticationConfigBuilder {
private String loginProcessingUrl;
private String openidLoginProcessingUrl;
public AuthenticationConfigBuilder(Element element, ParserContext pc, SessionCreationPolicy sessionPolicy,
public AuthenticationConfigBuilder(Element element, boolean forceAutoConfig, ParserContext pc, SessionCreationPolicy sessionPolicy,
BeanReference requestCache, BeanReference authenticationManager, BeanReference sessionStrategy, BeanReference portMapper, BeanReference portResolver, BeanMetadataElement csrfLogoutHandler) {
this.httpElt = element;
this.pc = pc;
this.requestCache = requestCache;
autoConfig = "true".equals(element.getAttribute(ATT_AUTO_CONFIG));
autoConfig = forceAutoConfig | "true".equals(element.getAttribute(ATT_AUTO_CONFIG));
this.allowSessionCreation = sessionPolicy != SessionCreationPolicy.NEVER
&& sessionPolicy != SessionCreationPolicy.STATELESS;
this.portMapper = portMapper;
@ -193,7 +193,7 @@ final class AuthenticationConfigBuilder {
RootBeanDefinition formFilter = null;
if (formLoginElt != null || autoConfig) {
FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/j_spring_security_check",
FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/login", "POST",
AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache, sessionStrategy, allowSessionCreation, portMapper, portResolver);
parser.parse(formLoginElt, pc);
@ -218,7 +218,7 @@ final class AuthenticationConfigBuilder {
RootBeanDefinition openIDFilter = null;
if (openIDLoginElt != null) {
FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/j_spring_openid_security_check",
FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/login/openid", null,
OPEN_ID_AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache, sessionStrategy, allowSessionCreation, portMapper, portResolver);
parser.parse(openIDLoginElt, pc);
@ -492,7 +492,11 @@ final class AuthenticationConfigBuilder {
void createLogoutFilter() {
Element logoutElt = DomUtils.getChildElementByTagName(httpElt, Elements.LOGOUT);
if (logoutElt != null || autoConfig) {
LogoutBeanDefinitionParser logoutParser = new LogoutBeanDefinitionParser(rememberMeServicesId, csrfLogoutHandler);
String formLoginPage = getLoginFormUrl(formEntryPoint);
if(formLoginPage == null) {
formLoginPage = DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL;
}
LogoutBeanDefinitionParser logoutParser = new LogoutBeanDefinitionParser(formLoginPage,rememberMeServicesId, csrfLogoutHandler);
logoutFilter = logoutParser.parse(logoutElt, pc);
logoutHandlers = logoutParser.getLogoutHandlers();
}
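Review bot: `autoConfig = forceAutoConfig | "true".equals(element.getAttribute(ATT_AUTO_CONFIG));` in the constructor uses the non-short-circuit `|`; both operands are side-effect free so the result is the same, but `||` is the idiomatic boolean form and reads as intended: `autoConfig = forceAutoConfig || "true".equals(element.getAttribute(ATT_AUTO_CONFIG));`. In createLogoutFilter the new `getLoginFormUrl(formEntryPoint)` call appears to depend on the form-login filter having been created before the logout filter; if that ordering is not guaranteed, the logout-success default silently degrades to the generated login page, so a comment such as `// assumes createFormLoginFilter() ran first; otherwise fall back to the generated login page` would make the assumption visible. Both the constructor and createLogoutFilter extend beyond the hunk.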


@ -48,7 +48,7 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
}
}
BeanDefinition mds = createSecurityMetadataSource(interceptUrls, element, parserContext);
BeanDefinition mds = createSecurityMetadataSource(interceptUrls, false, element, parserContext);
String id = element.getAttribute(AbstractBeanDefinitionParser.ID_ATTRIBUTE);
@ -60,16 +60,16 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
return mds;
}
static RootBeanDefinition createSecurityMetadataSource(List<Element> interceptUrls, Element elt, ParserContext pc) {
MatcherType matcherType = MatcherType.fromElement(elt);
boolean useExpressions = isUseExpressions(elt);
static RootBeanDefinition createSecurityMetadataSource(List<Element> interceptUrls, boolean addAllAuth, Element httpElt, ParserContext pc) {
MatcherType matcherType = MatcherType.fromElement(httpElt);
boolean useExpressions = isUseExpressions(httpElt);
ManagedMap<BeanDefinition, BeanDefinition> requestToAttributesMap = parseInterceptUrlsForFilterInvocationRequestMap(
matcherType, interceptUrls, useExpressions, pc);
matcherType, interceptUrls, useExpressions, addAllAuth, pc);
BeanDefinitionBuilder fidsBuilder;
if (useExpressions) {
Element expressionHandlerElt = DomUtils.getChildElementByTagName(elt, Elements.EXPRESSION_HANDLER);
Element expressionHandlerElt = DomUtils.getChildElementByTagName(httpElt, Elements.EXPRESSION_HANDLER);
String expressionHandlerRef = expressionHandlerElt == null ? null : expressionHandlerElt.getAttribute("ref");
if (StringUtils.hasText(expressionHandlerRef)) {
@ -86,7 +86,7 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
fidsBuilder.addConstructorArgValue(requestToAttributesMap);
}
fidsBuilder.getRawBeanDefinition().setSource(pc.extractSource(elt));
fidsBuilder.getRawBeanDefinition().setSource(pc.extractSource(httpElt));
return (RootBeanDefinition) fidsBuilder.getBeanDefinition();
}
@ -100,12 +100,13 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
}
static boolean isUseExpressions(Element elt) {
return "true".equals(elt.getAttribute(ATT_USE_EXPRESSIONS));
String useExpressions = elt.getAttribute(ATT_USE_EXPRESSIONS);
return !StringUtils.hasText(useExpressions) || "true".equals(useExpressions);
}
private static ManagedMap<BeanDefinition, BeanDefinition>
parseInterceptUrlsForFilterInvocationRequestMap(MatcherType matcherType,
List<Element> urlElts, boolean useExpressions, ParserContext parserContext) {
List<Element> urlElts, boolean useExpressions, boolean addAuthenticatedAll, ParserContext parserContext) {
ManagedMap<BeanDefinition, BeanDefinition> filterInvocationDefinitionMap = new ManagedMap<BeanDefinition, BeanDefinition>();
@ -147,6 +148,15 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
filterInvocationDefinitionMap.put(matcher, attributeBuilder.getBeanDefinition());
}
if(addAuthenticatedAll && filterInvocationDefinitionMap.isEmpty()) {
BeanDefinition matcher = matcherType.createMatcher("/**", null);
BeanDefinitionBuilder attributeBuilder = BeanDefinitionBuilder.rootBeanDefinition(SecurityConfig.class);
attributeBuilder.addConstructorArgValue(new String[] { "authenticated" });
attributeBuilder.setFactoryMethod("createList");
filterInvocationDefinitionMap.put(matcher, attributeBuilder.getBeanDefinition());
}
return filterInvocationDefinitionMap;
}
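Review bot: The `addAuthenticatedAll` fallback at the end of parseInterceptUrlsForFilterInvocationRequestMap hard-codes the attribute `"authenticated"`, which is only meaningful when `useExpressions` is true; with use-expressions="false" it would be handed to the non-expression voters as a plain config attribute and requests would most likely be denied outright rather than require authentication. Today this is safe only because the flag is derived from an `<http>` element with no attributes (an invariant established in a different file), so either guard it, `if(addAuthenticatedAll && useExpressions && filterInvocationDefinitionMap.isEmpty()) {`, or record the assumption in a comment on the block. The new `isUseExpressions` also flips the meaning of an absent attribute; its Javadoc should say explicitly that only a blank/absent attribute or the literal `"true"` enables expressions and any other value disables them, since existing configs with plain `ROLE_*` access attributes and no use-expressions attribute change behaviour.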


@ -66,11 +66,13 @@ public class FormLoginBeanDefinitionParser {
private RootBeanDefinition filterBean;
private RootBeanDefinition entryPointBean;
private String loginPage;
private String loginMethod;
private String loginProcessingUrl;
FormLoginBeanDefinitionParser(String defaultLoginProcessingUrl, String filterClassName,
FormLoginBeanDefinitionParser(String defaultLoginProcessingUrl, String loginMethod, String filterClassName,
BeanReference requestCache, BeanReference sessionStrategy, boolean allowSessionCreation, BeanReference portMapper, BeanReference portResolver) {
this.defaultLoginProcessingUrl = defaultLoginProcessingUrl;
this.loginMethod = loginMethod;
this.filterClassName = filterClassName;
this.requestCache = requestCache;
this.sessionStrategy = sessionStrategy;
@ -153,6 +155,9 @@ public class FormLoginBeanDefinitionParser {
BeanDefinitionBuilder matcherBuilder = BeanDefinitionBuilder.rootBeanDefinition("org.springframework.security.web.util.matcher.AntPathRequestMatcher");
matcherBuilder.addConstructorArgValue(loginUrl);
if(loginMethod != null) {
matcherBuilder.addConstructorArgValue("POST");
}
filterBuilder.addPropertyValue("requiresAuthenticationRequestMatcher", matcherBuilder.getBeanDefinition());
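Review bot: The new request-matcher block passes the literal `"POST"` instead of the `loginMethod` field, so the constructor parameter added in this same change is only ever used as a null/non-null flag; the OpenID parser passes `null` and gets no method restriction, but any future non-POST value would silently become POST. Use the field: `matcherBuilder.addConstructorArgValue(loginMethod);`. The enclosing method continues outside the hunk.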


@ -133,10 +133,12 @@ class HttpConfigurationBuilder {
private CsrfBeanDefinitionParser csrfParser;
private BeanDefinition invalidSession;
private boolean addAllAuth;
public HttpConfigurationBuilder(Element element, ParserContext pc,
public HttpConfigurationBuilder(Element element, boolean addAllAuth, ParserContext pc,
BeanReference portMapper, BeanReference portResolver, BeanReference authenticationManager) {
this.httpElt = element;
this.addAllAuth = addAllAuth;
this.pc = pc;
this.portMapper = portMapper;
this.portResolver = portResolver;
@ -583,7 +585,7 @@ class HttpConfigurationBuilder {
private void createFilterSecurityInterceptor(BeanReference authManager) {
boolean useExpressions = FilterInvocationSecurityMetadataSourceParser.isUseExpressions(httpElt);
RootBeanDefinition securityMds = FilterInvocationSecurityMetadataSourceParser.createSecurityMetadataSource(interceptUrls, httpElt, pc);
RootBeanDefinition securityMds = FilterInvocationSecurityMetadataSourceParser.createSecurityMetadataSource(interceptUrls, addAllAuth, httpElt, pc);
RootBeanDefinition accessDecisionMgr;
ManagedList<BeanDefinition> voters = new ManagedList<BeanDefinition>(2);
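Review bot: `addAllAuth` is assigned once in the constructor and never reassigned in the visible code, so declare it `private final boolean addAllAuth;` like the other constructor-set state, and give the field a one-line comment on what it enables, e.g. `// when true and no <intercept-url> is declared, every request is secured with the "authenticated" expression`. The constructor and createFilterSecurityInterceptor both extend beyond the hunk.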


@ -132,10 +132,11 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
ManagedList<BeanReference> authenticationProviders = new ManagedList<BeanReference>();
BeanReference authenticationManager = createAuthenticationManager(element, pc, authenticationProviders);
HttpConfigurationBuilder httpBldr = new HttpConfigurationBuilder(element, pc,
boolean forceAutoConfig = isDefaultHttpConfig(element);
HttpConfigurationBuilder httpBldr = new HttpConfigurationBuilder(element, forceAutoConfig, pc,
portMapper, portResolver, authenticationManager);
AuthenticationConfigBuilder authBldr = new AuthenticationConfigBuilder(element, pc,
AuthenticationConfigBuilder authBldr = new AuthenticationConfigBuilder(element, forceAutoConfig, pc,
httpBldr.getSessionCreationPolicy(), httpBldr.getRequestCache(), authenticationManager,
httpBldr.getSessionStrategy(), portMapper, portResolver, httpBldr.getCsrfLogoutHandler());
@ -164,6 +165,10 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
return createSecurityFilterChainBean(element, pc, filterChain);
}
private static boolean isDefaultHttpConfig(Element httpElt) {
return httpElt.getChildNodes().getLength() == 0 && httpElt.getAttributes().getLength() == 0;
}
private BeanReference createSecurityFilterChainBean(Element element, ParserContext pc, List<?> filterChain) {
BeanMetadataElement filterChainMatcher;
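Review bot: `isDefaultHttpConfig` inspects raw DOM counts, so an `<http>` element containing only whitespace or a comment has child text/comment nodes and is not treated as default, while `<http/>` is; the intent reads as "no child elements and no attributes". Unless whitespace is stripped before parsing (which I cannot confirm from here), `return DomUtils.getChildElements(httpElt).isEmpty() && httpElt.getAttributes().getLength() == 0;` expresses that intent at the element level. Since a bare `<http/>` now switches on auto-config and the authenticated-everything fallback, the method deserves a Javadoc sentence stating exactly that, because it is a security-relevant default a reader would not infer from the name alone.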


@ -35,23 +35,24 @@ import org.w3c.dom.Element;
*/
class LogoutBeanDefinitionParser implements BeanDefinitionParser {
static final String ATT_LOGOUT_SUCCESS_URL = "logout-success-url";
static final String DEF_LOGOUT_SUCCESS_URL = "/";
static final String ATT_INVALIDATE_SESSION = "invalidate-session";
static final String ATT_LOGOUT_URL = "logout-url";
static final String DEF_LOGOUT_URL = "/j_spring_security_logout";
static final String DEF_LOGOUT_URL = "/logout";
static final String ATT_LOGOUT_HANDLER = "success-handler-ref";
static final String ATT_DELETE_COOKIES = "delete-cookies";
final String rememberMeServices;
private final String defaultLogoutUrl;
private ManagedList<BeanMetadataElement> logoutHandlers = new ManagedList<BeanMetadataElement>();
private boolean csrfEnabled;
public LogoutBeanDefinitionParser(String rememberMeServices, BeanMetadataElement csrfLogoutHandler) {
public LogoutBeanDefinitionParser(String loginPageUrl, String rememberMeServices, BeanMetadataElement csrfLogoutHandler) {
this.defaultLogoutUrl = loginPageUrl + "?logout";
this.rememberMeServices = rememberMeServices;
this.csrfEnabled = csrfLogoutHandler != null;
if(this.csrfEnabled) {
if (this.csrfEnabled) {
logoutHandlers.add(csrfLogoutHandler);
}
}
@ -93,7 +94,7 @@ class LogoutBeanDefinitionParser implements BeanDefinitionParser {
} else {
// Use the logout URL if no handler set
if (!StringUtils.hasText(logoutSuccessUrl)) {
logoutSuccessUrl = DEF_LOGOUT_SUCCESS_URL;
logoutSuccessUrl = defaultLogoutUrl;
}
builder.addConstructorArgValue(logoutSuccessUrl);
}
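Review bot: The constructor now builds `this.defaultLogoutUrl = loginPageUrl + "?logout";` without checking its argument; the caller in AuthenticationConfigBuilder substitutes DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL for null, but a null passed here yields the literal redirect target `null?logout`. Guard it at the boundary, e.g. `if (!StringUtils.hasText(loginPageUrl)) { throw new IllegalArgumentException("loginPageUrl must not be empty"); }`. The schema documentation for logout-success-url in the rnc/xsd sections further down still says it "defaults to /" while the parser now defaults to the login page plus `?logout`, and `DEF_LOGOUT_SUCCESS_URL` is no longer read in the visible hunks; update the schema text to the new default and either remove the constant or comment why it remains.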


@ -844,7 +844,7 @@
<xs:annotation>
<xs:documentation>Specifies the URL that will cause a logout. Spring Security will
initialize a filter that responds to this particular URL. Defaults to
/j_spring_security_logout if unspecified.</xs:documentation>
/logout if unspecified.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="logout-success-url" type="xs:string">
@ -864,7 +864,7 @@
<xs:attribute name="login-processing-url" type="xs:string">
<xs:annotation>
<xs:documentation>The URL that the login form is posted to. If unspecified, it defaults to
/j_spring_security_check.</xs:documentation>
/login.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="default-target-url" type="xs:string">


@ -863,7 +863,7 @@
<xs:annotation>
<xs:documentation>Specifies the URL that will cause a logout. Spring Security will
initialize a filter that responds to this particular URL. Defaults to
/j_spring_security_logout if unspecified.</xs:documentation>
/logout if unspecified.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="logout-success-url" type="xs:string">
@ -883,7 +883,7 @@
<xs:attribute name="login-processing-url" type="xs:string">
<xs:annotation>
<xs:documentation>The URL that the login form is posted to. If unspecified, it defaults to
/j_spring_security_check.</xs:documentation>
/login.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="default-target-url" type="xs:string">


@ -893,7 +893,7 @@
<xs:annotation>
<xs:documentation>Specifies the URL that will cause a logout. Spring Security will
initialize a filter that responds to this particular URL. Defaults to
/j_spring_security_logout if unspecified.</xs:documentation>
/logout if unspecified.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="logout-success-url" type="xs:string">
@ -913,7 +913,7 @@
<xs:attribute name="login-processing-url" type="xs:string">
<xs:annotation>
<xs:documentation>The URL that the login form is posted to. If unspecified, it defaults to
/j_spring_security_check.</xs:documentation>
/login.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="default-target-url" type="xs:string">


@ -772,7 +772,7 @@
<xs:annotation>
<xs:documentation>Specifies the URL that will cause a logout. Spring Security will
initialize a filter that responds to this particular URL. Defaults to
/j_spring_security_logout if unspecified.</xs:documentation>
/logout if unspecified.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="logout-success-url" type="xs:string">
@ -792,7 +792,7 @@
<xs:attribute name="login-processing-url" type="xs:string">
<xs:annotation>
<xs:documentation>The URL that the login form is posted to. If unspecified, it defaults to
/j_spring_security_check.</xs:documentation>
/login.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="default-target-url" type="xs:string">


@ -799,7 +799,7 @@
<xs:attributeGroup name="logout.attlist">
<xs:attribute name="logout-url" type="xs:token">
<xs:annotation>
<xs:documentation>Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. Defaults to /j_spring_security_logout if unspecified.</xs:documentation>
<xs:documentation>Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. Defaults to /logout if unspecified.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="logout-success-url" type="xs:token">
@ -827,7 +827,7 @@
<xs:attributeGroup name="form-login.attlist">
<xs:attribute name="login-processing-url" type="xs:token">
<xs:annotation>
<xs:documentation>The URL that the login form is posted to. If unspecified, it defaults to /j_spring_security_check.</xs:documentation>
<xs:documentation>The URL that the login form is posted to. If unspecified, it defaults to /login.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="default-target-url" type="xs:token">


@ -787,7 +787,7 @@
<xs:attributeGroup name="logout.attlist">
<xs:attribute name="logout-url" type="xs:token">
<xs:annotation>
<xs:documentation>Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. Defaults to /j_spring_security_logout if unspecified.</xs:documentation>
<xs:documentation>Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. Defaults to /logout if unspecified.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="logout-success-url" type="xs:token">
@ -815,7 +815,7 @@
<xs:attributeGroup name="form-login.attlist">
<xs:attribute name="login-processing-url" type="xs:token">
<xs:annotation>
<xs:documentation>The URL that the login form is posted to. If unspecified, it defaults to /j_spring_security_check.</xs:documentation>
<xs:documentation>The URL that the login form is posted to. If unspecified, it defaults to /login.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="default-target-url" type="xs:token">


@ -370,7 +370,7 @@ logout =
## Incorporates a logout processing filter. Most web applications require a logout filter, although you may not require one if you write a controller to provider similar logic.
element logout {logout.attlist, empty}
logout.attlist &=
## Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. Defaults to /j_spring_security_logout if unspecified.
## Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. Defaults to /logout if unspecified.
attribute logout-url {xsd:token}?
logout.attlist &=
## Specifies the URL to display once the user has logged out. If not specified, defaults to /.
@ -393,13 +393,13 @@ form-login =
## Sets up a form login configuration for authentication with a username and password
element form-login {form-login.attlist, empty}
form-login.attlist &=
## The URL that the login form is posted to. If unspecified, it defaults to /j_spring_security_check.
## The URL that the login form is posted to. If unspecified, it defaults to /login.
attribute login-processing-url {xsd:token}?
form-login.attlist &=
## The name of the request parameter which contains the username. Defaults to 'j_username'.
## The name of the request parameter which contains the username. Defaults to 'username'.
attribute username-parameter {xsd:token}?
form-login.attlist &=
## The name of the request parameter which contains the password. Defaults to 'j_password'.
## The name of the request parameter which contains the password. Defaults to 'password'.
attribute password-parameter {xsd:token}?
form-login.attlist &=
## The URL that will be redirected to after successful authentication, if the user's previous action could not be resumed. This generally happens if the user visits a login page without having first requested a secured operation that triggers authentication. If unspecified, defaults to the root of the application.


@ -1278,7 +1278,7 @@
<xs:attribute name="logout-url" type="xs:token">
<xs:annotation>
<xs:documentation>Specifies the URL that will cause a logout. Spring Security will initialize a filter that
responds to this particular URL. Defaults to /j_spring_security_logout if unspecified.
responds to this particular URL. Defaults to /logout if unspecified.
</xs:documentation>
</xs:annotation>
</xs:attribute>
@ -1325,19 +1325,19 @@
<xs:attribute name="login-processing-url" type="xs:token">
<xs:annotation>
<xs:documentation>The URL that the login form is posted to. If unspecified, it defaults to
/j_spring_security_check.
/login.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="username-parameter" type="xs:token">
<xs:annotation>
<xs:documentation>The name of the request parameter which contains the username. Defaults to 'j_username'.
<xs:documentation>The name of the request parameter which contains the username. Defaults to 'username'.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="password-parameter" type="xs:token">
<xs:annotation>
<xs:documentation>The name of the request parameter which contains the password. Defaults to 'j_password'.
<xs:documentation>The name of the request parameter which contains the password. Defaults to 'password'.
</xs:documentation>
</xs:annotation>
</xs:attribute>


@ -370,7 +370,7 @@ logout =
## Incorporates a logout processing filter. Most web applications require a logout filter, although you may not require one if you write a controller to provider similar logic.
element logout {logout.attlist, empty}
logout.attlist &=
## Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. Defaults to /j_spring_security_logout if unspecified.
## Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. Defaults to /logout if unspecified.
attribute logout-url {xsd:token}?
logout.attlist &=
## Specifies the URL to display once the user has logged out. If not specified, defaults to /.
@ -393,13 +393,13 @@ form-login =
## Sets up a form login configuration for authentication with a username and password
element form-login {form-login.attlist, empty}
form-login.attlist &=
## The URL that the login form is posted to. If unspecified, it defaults to /j_spring_security_check.
## The URL that the login form is posted to. If unspecified, it defaults to /login.
attribute login-processing-url {xsd:token}?
form-login.attlist &=
## The name of the request parameter which contains the username. Defaults to 'j_username'.
## The name of the request parameter which contains the username. Defaults to 'username'.
attribute username-parameter {xsd:token}?
form-login.attlist &=
## The name of the request parameter which contains the password. Defaults to 'j_password'.
## The name of the request parameter which contains the password. Defaults to 'password'.
attribute password-parameter {xsd:token}?
form-login.attlist &=
## The URL that will be redirected to after successful authentication, if the user's previous action could not be resumed. This generally happens if the user visits a login page without having first requested a secured operation that triggers authentication. If unspecified, defaults to the root of the application.


@ -1280,7 +1280,7 @@
<xs:attribute name="logout-url" type="xs:token">
<xs:annotation>
<xs:documentation>Specifies the URL that will cause a logout. Spring Security will initialize a filter that
responds to this particular URL. Defaults to /j_spring_security_logout if unspecified.
responds to this particular URL. Defaults to /logout if unspecified.
</xs:documentation>
</xs:annotation>
</xs:attribute>
@ -1327,19 +1327,19 @@
<xs:attribute name="login-processing-url" type="xs:token">
<xs:annotation>
<xs:documentation>The URL that the login form is posted to. If unspecified, it defaults to
/j_spring_security_check.
/login.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="username-parameter" type="xs:token">
<xs:annotation>
<xs:documentation>The name of the request parameter which contains the username. Defaults to 'j_username'.
<xs:documentation>The name of the request parameter which contains the username. Defaults to 'username'.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="password-parameter" type="xs:token">
<xs:annotation>
<xs:documentation>The name of the request parameter which contains the password. Defaults to 'j_password'.
<xs:documentation>The name of the request parameter which contains the password. Defaults to 'password'.
</xs:documentation>
</xs:annotation>
</xs:attribute>

@ -73,7 +73,7 @@ role-prefix =
attribute role-prefix {xsd:token}
use-expressions =
## Enables the use of expressions in the 'access' attributes in <intercept-url> elements rather than the traditional list of configuration attributes. Defaults to 'false'. If enabled, each attribute should contain a single boolean expression. If the expression evaluates to 'true', access will be granted.
## Enables the use of expressions in the 'access' attributes in <intercept-url> elements rather than the traditional list of configuration attributes. Defaults to 'true'. If enabled, each attribute should contain a single boolean expression. If the expression evaluates to 'true', access will be granted.
attribute use-expressions {xsd:boolean}
ldap-server =
@ -380,7 +380,7 @@ logout =
## Incorporates a logout processing filter. Most web applications require a logout filter, although you may not require one if you write a controller to provider similar logic.
element logout {logout.attlist, empty}
logout.attlist &=
## Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. Defaults to /j_spring_security_logout if unspecified.
## Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. Defaults to /logout if unspecified.
attribute logout-url {xsd:token}?
logout.attlist &=
## Specifies the URL to display once the user has logged out. If not specified, defaults to /.
@ -403,13 +403,13 @@ form-login =
## Sets up a form login configuration for authentication with a username and password
element form-login {form-login.attlist, empty}
form-login.attlist &=
## The URL that the login form is posted to. If unspecified, it defaults to /j_spring_security_check.
## The URL that the login form is posted to. If unspecified, it defaults to /login.
attribute login-processing-url {xsd:token}?
form-login.attlist &=
## The name of the request parameter which contains the username. Defaults to 'j_username'.
## The name of the request parameter which contains the username. Defaults to 'username'.
attribute username-parameter {xsd:token}?
form-login.attlist &=
## The name of the request parameter which contains the password. Defaults to 'j_password'.
## The name of the request parameter which contains the password. Defaults to 'password'.
attribute password-parameter {xsd:token}?
form-login.attlist &=
## The URL that will be redirected to after successful authentication, if the user's previous action could not be resumed. This generally happens if the user visits a login page without having first requested a secured operation that triggers authentication. If unspecified, defaults to the root of the application.
@ -418,10 +418,10 @@ form-login.attlist &=
## Whether the user should always be redirected to the default-target-url after login.
attribute always-use-default-target {xsd:boolean}?
form-login.attlist &=
## The URL for the login page. If no login URL is specified, Spring Security will automatically create a login URL at /spring_security_login and a corresponding filter to render that login URL when requested.
## The URL for the login page. If no login URL is specified, Spring Security will automatically create a login URL at GET /login and a corresponding filter to render that login URL when requested.
attribute login-page {xsd:token}?
form-login.attlist &=
## The URL for the login failure page. If no login failure URL is specified, Spring Security will automatically create a failure login URL at /spring_security_login?login_error and a corresponding filter to render that login failure URL when requested.
## The URL for the login failure page. If no login failure URL is specified, Spring Security will automatically create a failure login URL at /login?error and a corresponding filter to render that login failure URL when requested.
attribute authentication-failure-url {xsd:token}?
form-login.attlist &=
## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful authentication request. Should not be used in combination with default-target-url (or always-use-default-target-url) as the implementation should always deal with navigation to the subsequent destination
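Review bot: The new use-expressions documentation (`Defaults to 'true'`) does not tell existing users what the flipped default means for `access` attributes still written as plain role lists such as `ROLE_USER` or `ROLE_A,ROLE_B`; the same line says that with expressions enabled each attribute should be a single boolean expression, so those legacy values no longer mean what they did under the old default. Suggest appending to that line: `Configurations that still use comma-separated role names in 'access' must set use-expressions='false' or rewrite them as expressions such as hasRole('ROLE_USER').` This is the migration the commit applies by hand in the tests and reference documentation, so stating it where the attribute is defined keeps the schema self-explanatory for people upgrading.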

@ -1307,7 +1307,7 @@
<xs:attribute name="logout-url" type="xs:token">
<xs:annotation>
<xs:documentation>Specifies the URL that will cause a logout. Spring Security will initialize a filter that
responds to this particular URL. Defaults to /j_spring_security_logout if unspecified.
responds to this particular URL. Defaults to /logout if unspecified.
</xs:documentation>
</xs:annotation>
</xs:attribute>
@ -1354,19 +1354,19 @@
<xs:attribute name="login-processing-url" type="xs:token">
<xs:annotation>
<xs:documentation>The URL that the login form is posted to. If unspecified, it defaults to
/j_spring_security_check.
/login.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="username-parameter" type="xs:token">
<xs:annotation>
<xs:documentation>The name of the request parameter which contains the username. Defaults to 'j_username'.
<xs:documentation>The name of the request parameter which contains the username. Defaults to 'username'.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="password-parameter" type="xs:token">
<xs:annotation>
<xs:documentation>The name of the request parameter which contains the password. Defaults to 'j_password'.
<xs:documentation>The name of the request parameter which contains the password. Defaults to 'password'.
</xs:documentation>
</xs:annotation>
</xs:attribute>
@ -1388,7 +1388,7 @@
<xs:attribute name="login-page" type="xs:token">
<xs:annotation>
<xs:documentation>The URL for the login page. If no login URL is specified, Spring Security will
automatically create a login URL at /spring_security_login and a corresponding filter to
automatically create a login URL at GET /login and a corresponding filter to
render that login URL when requested.
</xs:documentation>
</xs:annotation>
@ -1396,7 +1396,7 @@
<xs:attribute name="authentication-failure-url" type="xs:token">
<xs:annotation>
<xs:documentation>The URL for the login failure page. If no login failure URL is specified, Spring Security
will automatically create a failure login URL at /spring_security_login?login_error and a
will automatically create a failure login URL at /login?error and a
corresponding filter to render that login failure URL when requested.
</xs:documentation>
</xs:annotation>

@ -63,7 +63,7 @@ public class SampleWebSecurityConfigurerAdapterTests extends BaseSpringSpec {
/**
* <code>
* <http use-expressions="true">
* <http>
* <intercept-url pattern="/resources/**" access="permitAll"/>
* <intercept-url pattern="/**" access="authenticated"/>
* <logout
@ -126,7 +126,7 @@ public class SampleWebSecurityConfigurerAdapterTests extends BaseSpringSpec {
/**
* <code>
* <http security="none" pattern="/resources/**"/>
* <http use-expressions="true">
* <http>
* <intercept-url pattern="/logout" access="permitAll"/>
* <intercept-url pattern="/login" access="permitAll"/>
* <intercept-url pattern="/signup" access="permitAll"/>
@ -239,12 +239,12 @@ public class SampleWebSecurityConfigurerAdapterTests extends BaseSpringSpec {
/**
* <code>
* <http security="none" pattern="/resources/**"/>
* <http use-expressions="true" pattern="/api/**">
* <http pattern="/api/**">
* <intercept-url pattern="/api/admin/**" access="hasRole('ROLE_ADMIN')"/>
* <intercept-url pattern="/api/**" access="hasRole('ROLE_USER')"/>
* <http-basic />
* </http>
* <http use-expressions="true">
* <http>
* <intercept-url pattern="/logout" access="permitAll"/>
* <intercept-url pattern="/login" access="permitAll"/>
* <intercept-url pattern="/signup" access="permitAll"/>

@ -105,8 +105,8 @@ public class NamespaceHttpFormLoginTests extends BaseSpringSpec {
super.setup()
request.servletPath = "/authentication/login/process"
request.method = "POST"
request.parameters.j_username = ["user"] as String[]
request.parameters.j_password = ["password"] as String[]
request.parameters.username = ["user"] as String[]
request.parameters.password = ["password"] as String[]
springSecurityFilterChain.doFilter(request,response,chain)
then: "sent to default succes page"
response.getRedirectedUrl() == "/default"
@ -121,8 +121,8 @@ public class NamespaceHttpFormLoginTests extends BaseSpringSpec {
.anyRequest().hasRole("USER")
.and()
.formLogin()
.usernameParameter("j_username") // form-login@username-parameter
.passwordParameter("j_password") // form-login@password-parameter
.usernameParameter("username") // form-login@username-parameter
.passwordParameter("password") // form-login@password-parameter
.loginPage("/authentication/login") // form-login@login-page
.failureUrl("/authentication/login?failed") // form-login@authentication-failure-url
.loginProcessingUrl("/authentication/login/process") // form-login@login-processing-url

@ -20,6 +20,8 @@ import org.springframework.security.config.AbstractXmlConfigTests
import org.springframework.security.config.BeanIds
import org.springframework.security.web.FilterInvocation
import javax.servlet.http.HttpServletRequest
/**
*
* @author Rob Winch
@ -29,11 +31,11 @@ abstract class AbstractHttpConfigTests extends AbstractXmlConfigTests {
final int AUTO_CONFIG_FILTERS = 14;
def httpAutoConfig(Closure c) {
xml.http('auto-config': 'true', c)
xml.http(['auto-config': 'true', 'use-expressions':false], c)
}
def httpAutoConfig(String matcher, Closure c) {
xml.http(['auto-config': 'true', 'request-matcher': matcher], c)
xml.http(['auto-config': 'true', 'use-expressions':false, 'request-matcher': matcher], c)
}
def interceptUrl(String path, String authz) {
@ -72,4 +74,9 @@ abstract class AbstractHttpConfigTests extends AbstractXmlConfigTests {
return new FilterInvocation(request, new MockHttpServletResponse(), new MockFilterChain());
}
def basicLogin(HttpServletRequest request, String username="user",String password="password") {
def credentials = username + ":" + password
request.addHeader("Authorization", "Basic " + credentials.bytes.encodeBase64())
}
}
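Review bot: Pinning `'use-expressions':false` inside both `httpAutoConfig` helpers keeps the legacy role-list tests passing, but it also means every test built on these helpers now runs with the pre-4.0 default rather than the new `use-expressions=true` default, and nothing in the helper says so; within this commit only the new HttpConfigTests minimal-configuration case exercises an `<http>` element with the default left alone. A one-line comment on each helper would make the intent explicit, e.g. `// legacy tests use role-list access attributes; the 4.0 default (expressions on) is covered by HttpConfigTests`. Separately, the new `basicLogin` helper derives the `Authorization` header from `credentials.bytes`, which uses the platform default charset; that is harmless for the ASCII defaults but `credentials.getBytes('UTF-8')` would avoid surprises if a test ever passes non-ASCII credentials. The enclosing AbstractHttpConfigTests class continues outside the hunks.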

@ -152,14 +152,14 @@ class CsrfConfigTests extends AbstractHttpConfigTests {
springSecurityFilterChain.doFilter(request,response,chain)
then: "sent to the login page"
response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
response.redirectedUrl == "http://localhost/spring_security_login"
response.redirectedUrl == "http://localhost/login"
when: "authenticate successfully"
response = new MockHttpServletResponse()
request = new MockHttpServletRequest(session: request.session)
request.servletPath = "/j_spring_security_check"
request.servletPath = "/login"
request.setParameter(token.parameterName,token.token)
request.setParameter("j_username","user")
request.setParameter("j_password","password")
request.setParameter("username","user")
request.setParameter("password","password")
request.method = "POST"
springSecurityFilterChain.doFilter(request,response,chain)
then: "sent to default success because we don't want csrf attempts made prior to authentication to pass"
@ -186,14 +186,14 @@ class CsrfConfigTests extends AbstractHttpConfigTests {
springSecurityFilterChain.doFilter(request,response,chain)
then: "sent to the login page"
response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
response.redirectedUrl == "http://localhost/spring_security_login"
response.redirectedUrl == "http://localhost/login"
when: "authenticate successfully"
response = new MockHttpServletResponse()
request = new MockHttpServletRequest(session: request.session)
request.servletPath = "/j_spring_security_check"
request.servletPath = "/login"
request.setParameter(token.parameterName,token.token)
request.setParameter("j_username","user")
request.setParameter("j_password","password")
request.setParameter("username","user")
request.setParameter("password","password")
request.method = "POST"
springSecurityFilterChain.doFilter(request,response,chain)
then: "sent to original URL since it was a GET"
@ -279,9 +279,9 @@ class CsrfConfigTests extends AbstractHttpConfigTests {
when(repo.loadToken(any(HttpServletRequest))).thenReturn(token)
request.setParameter(token.parameterName,token.token)
request.method = "POST"
request.setParameter("j_username","user")
request.setParameter("j_password","password")
request.servletPath = "/j_spring_security_check"
request.setParameter("username","user")
request.setParameter("password","password")
request.servletPath = "/login"
when:
springSecurityFilterChain.doFilter(request,response,chain)
then:
@ -300,7 +300,7 @@ class CsrfConfigTests extends AbstractHttpConfigTests {
when(repo.loadToken(any(HttpServletRequest))).thenReturn(token)
request.setParameter(token.parameterName,token.token)
request.method = "POST"
request.servletPath = "/j_spring_security_logout"
request.servletPath = "/logout"
when:
springSecurityFilterChain.doFilter(request,response,chain)
then:
@ -315,7 +315,7 @@ class CsrfConfigTests extends AbstractHttpConfigTests {
createAppContext()
login()
request.method = "GET"
request.requestURI = "/j_spring_security_logout"
request.requestURI = "/logout"
when:
springSecurityFilterChain.doFilter(request,response,chain)
then:

@ -12,7 +12,7 @@ class FormLoginBeanDefinitionParserTests extends AbstractHttpConfigTests {
def 'form-login default login page'() {
setup:
MockHttpServletRequest request = new MockHttpServletRequest(method:'GET',requestURI:'/spring_security_login')
MockHttpServletRequest request = new MockHttpServletRequest(method:'GET',requestURI:'/login')
MockHttpServletResponse response = new MockHttpServletResponse()
MockFilterChain chain = new MockFilterChain()
httpAutoConfig {
@ -22,11 +22,11 @@ class FormLoginBeanDefinitionParserTests extends AbstractHttpConfigTests {
when:
springSecurityFilterChain.doFilter(request,response,chain)
then:
response.getContentAsString() == """<html><head><title>Login Page</title></head><body onload='document.f.j_username.focus();'>
<h3>Login with Username and Password</h3><form name='f' action='/j_spring_security_check' method='POST'>
response.getContentAsString() == """<html><head><title>Login Page</title></head><body onload='document.f.username.focus();'>
<h3>Login with Username and Password</h3><form name='f' action='/login' method='POST'>
<table>
<tr><td>User:</td><td><input type='text' name='j_username' value=''></td></tr>
<tr><td>Password:</td><td><input type='password' name='j_password'/></td></tr>
<tr><td>User:</td><td><input type='text' name='username' value=''></td></tr>
<tr><td>Password:</td><td><input type='password' name='password'/></td></tr>
<tr><td colspan='2'><input name="submit" type="submit" value="Login"/></td></tr>
</table>
</form></body></html>"""
@ -34,7 +34,7 @@ class FormLoginBeanDefinitionParserTests extends AbstractHttpConfigTests {
def 'form-login default login page custom attributes'() {
setup:
MockHttpServletRequest request = new MockHttpServletRequest(method:'GET',requestURI:'/spring_security_login')
MockHttpServletRequest request = new MockHttpServletRequest(method:'GET',requestURI:'/login')
MockHttpServletResponse response = new MockHttpServletResponse()
MockFilterChain chain = new MockFilterChain()
httpAutoConfig {
@ -57,7 +57,7 @@ class FormLoginBeanDefinitionParserTests extends AbstractHttpConfigTests {
def 'openid-login default login page'() {
setup:
MockHttpServletRequest request = new MockHttpServletRequest(method:'GET',requestURI:'/spring_security_login')
MockHttpServletRequest request = new MockHttpServletRequest(method:'GET',requestURI:'/login')
MockHttpServletResponse response = new MockHttpServletResponse()
MockFilterChain chain = new MockFilterChain()
httpAutoConfig {
@ -68,14 +68,14 @@ class FormLoginBeanDefinitionParserTests extends AbstractHttpConfigTests {
when:
springSecurityFilterChain.doFilter(request,response,chain)
then:
response.getContentAsString() == """<html><head><title>Login Page</title></head><body onload='document.f.j_username.focus();'>
<h3>Login with Username and Password</h3><form name='f' action='/j_spring_security_check' method='POST'>
response.getContentAsString() == """<html><head><title>Login Page</title></head><body onload='document.f.username.focus();'>
<h3>Login with Username and Password</h3><form name='f' action='/login' method='POST'>
<table>
<tr><td>User:</td><td><input type='text' name='j_username' value=''></td></tr>
<tr><td>Password:</td><td><input type='password' name='j_password'/></td></tr>
<tr><td>User:</td><td><input type='text' name='username' value=''></td></tr>
<tr><td>Password:</td><td><input type='password' name='password'/></td></tr>
<tr><td colspan='2'><input name="submit" type="submit" value="Login"/></td></tr>
</table>
</form><h3>Login with OpenID Identity</h3><form name='oidf' action='/j_spring_openid_security_check' method='POST'>
</form><h3>Login with OpenID Identity</h3><form name='oidf' action='/login/openid' method='POST'>
<table>
<tr><td>Identity:</td><td><input type='text' size='30' name='openid_identifier'/></td></tr>
<tr><td colspan='2'><input name="submit" type="submit" value="Login"/></td></tr>
@ -85,7 +85,7 @@ class FormLoginBeanDefinitionParserTests extends AbstractHttpConfigTests {
def 'openid-login default login page custom attributes'() {
setup:
MockHttpServletRequest request = new MockHttpServletRequest(method:'GET',requestURI:'/spring_security_login')
MockHttpServletRequest request = new MockHttpServletRequest(method:'GET',requestURI:'/login')
MockHttpServletResponse response = new MockHttpServletResponse()
MockFilterChain chain = new MockFilterChain()
httpAutoConfig {
@ -96,11 +96,11 @@ class FormLoginBeanDefinitionParserTests extends AbstractHttpConfigTests {
when:
springSecurityFilterChain.doFilter(request,response,chain)
then:
response.getContentAsString() == """<html><head><title>Login Page</title></head><body onload='document.f.j_username.focus();'>
<h3>Login with Username and Password</h3><form name='f' action='/j_spring_security_check' method='POST'>
response.getContentAsString() == """<html><head><title>Login Page</title></head><body onload='document.f.username.focus();'>
<h3>Login with Username and Password</h3><form name='f' action='/login' method='POST'>
<table>
<tr><td>User:</td><td><input type='text' name='j_username' value=''></td></tr>
<tr><td>Password:</td><td><input type='password' name='j_password'/></td></tr>
<tr><td>User:</td><td><input type='text' name='username' value=''></td></tr>
<tr><td>Password:</td><td><input type='password' name='password'/></td></tr>
<tr><td colspan='2'><input name="submit" type="submit" value="Login"/></td></tr>
</table>
</form><h3>Login with OpenID Identity</h3><form name='oidf' action='/login_custom' method='POST'>

@ -0,0 +1,62 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.config.http
import org.springframework.mock.web.MockFilterChain
import org.springframework.mock.web.MockHttpServletRequest
import org.springframework.mock.web.MockHttpServletResponse
import org.springframework.security.access.AccessDeniedException
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.Authentication
import org.springframework.security.core.authority.AuthorityUtils
import org.springframework.security.core.context.SecurityContextImpl
import org.springframework.security.web.access.AccessDeniedHandler
import org.springframework.security.web.context.HttpRequestResponseHolder
import org.springframework.security.web.context.HttpSessionSecurityContextRepository
import org.springframework.security.web.csrf.CsrfFilter
import org.springframework.security.web.csrf.CsrfToken
import org.springframework.security.web.csrf.CsrfTokenRepository
import org.springframework.security.web.csrf.DefaultCsrfToken
import org.springframework.security.web.util.matcher.RequestMatcher
import org.springframework.web.servlet.support.RequestDataValueProcessor
import spock.lang.Unroll
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import static org.mockito.Matchers.any
import static org.mockito.Matchers.eq
import static org.mockito.Mockito.*
/**
*
* @author Rob Winch
*/
class HttpConfigTests extends AbstractHttpConfigTests {
MockHttpServletRequest request = new MockHttpServletRequest('GET','/secure')
MockHttpServletResponse response = new MockHttpServletResponse()
MockFilterChain chain = new MockFilterChain()
def 'http minimal configuration works'() {
setup:
xml.http() {}
createAppContext("""<user-service>
<user name="user" password="password" authorities="ROLE_USER" />
</user-service>""")
when: 'request protected URL'
springSecurityFilterChain.doFilter(request,response,chain)
then: 'sent to login page'
response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
response.redirectedUrl == 'http://localhost/login'
}
}
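Review bot: The new HttpConfigTests imports a long list of names the file never uses — AccessDeniedException, UsernamePasswordAuthenticationToken, Authentication, AuthorityUtils, SecurityContextImpl, AccessDeniedHandler, HttpRequestResponseHolder, HttpSessionSecurityContextRepository, the Csrf* types, RequestMatcher, RequestDataValueProcessor, Unroll, HttpServletRequest and the Mockito statics — apparently carried over from a sibling test; the single test only references MockFilterChain, MockHttpServletRequest, MockHttpServletResponse and HttpServletResponse, so the import block should be trimmed to those four. The copyright header also reads 2002-2012 for a file first added in this 2014 commit. Since this is the only test in the commit that exercises a bare `<http/>` with the new defaults, a second case that POSTs `username`/`password` to `/login` and asserts the success redirect would pin the other half of the changed defaults (login-processing URL and parameter names) without relying on the auto-config helpers, which this commit pins to `use-expressions:false`.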

@ -34,7 +34,7 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
def ap = etf.getAuthenticationEntryPoint();
expect:
ap.loginFormUrl == "/spring_security_login"
ap.loginFormUrl == "/login"
// Default login filter should be present since we haven't specified any login URLs
getFilter(DefaultLoginPageGeneratingFilter) != null
}
@ -75,9 +75,10 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
def openIDAndRememberMeWorkTogether() {
xml.debug()
xml.http() {
interceptUrl('/**', 'ROLE_NOBODY')
interceptUrl('/**', 'denyAll')
'openid-login'()
'remember-me'()
'csrf'(disabled:true)
}
createAppContext()
@ -107,16 +108,16 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
request.setServletPath("/something.html")
fc.doFilter(request, response, new MockFilterChain())
then: "Redirected to login"
response.getRedirectedUrl().endsWith("/spring_security_login")
response.getRedirectedUrl().endsWith("/login")
when: "Login page is requested"
request.setServletPath("/spring_security_login")
request.setRequestURI("/spring_security_login")
request.setServletPath("/login")
request.setRequestURI("/login")
response = new MockHttpServletResponse()
fc.doFilter(request, response, new MockFilterChain())
then: "Remember-me choice is added to page"
response.getContentAsString().contains(AbstractRememberMeServices.DEFAULT_PARAMETER)
when: "Login is submitted with remember-me selected"
request.servletPath = "/j_spring_openid_security_check"
request.servletPath = "/login/openid"
request.setParameter(OpenIDAuthenticationFilter.DEFAULT_CLAIMED_IDENTITY_FIELD, "http://hey.openid.com/")
request.setParameter(AbstractRememberMeServices.DEFAULT_PARAMETER, "on")
response = new MockHttpServletResponse();
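Review bot: `'csrf'(disabled:true)` is added to the openIDAndRememberMeWorkTogether configuration without a comment, and the reason is not obvious from the hunk: the login submission to `/login/openid` at the end of the section is a POST carrying no CSRF token, so if CSRF protection is on by default (which the explicit opt-out suggests) it would be rejected before remember-me is ever consulted. Suggest `'csrf'(disabled:true) // the POST to /login/openid below carries no CSRF token; CSRF behaviour is covered by CsrfConfigTests`. The switch from `ROLE_NOBODY` to `denyAll` is the correct expression-form equivalent under the new default. The test method's body continues past the end of the section, so its remaining assertions are not visible here.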

@ -108,7 +108,7 @@ class InterceptUrlConfigTests extends AbstractHttpConfigTests {
MockHttpServletRequest request = new MockHttpServletRequest(method:'GET')
MockHttpServletResponse response = new MockHttpServletResponse()
MockFilterChain chain = new MockFilterChain()
xml.http() {
xml.http('use-expressions':false) {
'http-basic'()
'intercept-url'(pattern: '/**', 'method':'PATCH',access: 'ROLE_ADMIN')
csrf(disabled:true)

@ -609,10 +609,10 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
anonymous(enabled: 'false')
}
createAppContext()
MockHttpServletRequest request = new MockHttpServletRequest("POST", "/j_spring_security_check");
request.setServletPath("/j_spring_security_check");
request.addParameter("j_username", "bob");
request.addParameter("j_password", "bobspassword");
MockHttpServletRequest request = new MockHttpServletRequest("POST", "/login");
request.setServletPath("/login");
request.addParameter("username", "bob");
request.addParameter("password", "bobspassword");
then: "App context creation and login request succeed"
DebugFilter debugFilter = appContext.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN);
debugFilter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());

@ -107,8 +107,8 @@ class MultiHttpBlockConfigTests extends AbstractHttpConfigTests {
MockHttpServletRequest request2 = new MockHttpServletRequest()
MockHttpServletResponse response2 = new MockHttpServletResponse()
MockFilterChain chain2 = new MockFilterChain()
request2.servletPath = "/j_spring_security_check"
request2.requestURI = "/j_spring_security_check"
request2.servletPath = "/login"
request2.requestURI = "/login"
request2.method = 'POST'
springSecurityFilterChain.doFilter(request2,response2,chain2)
then:

@ -46,7 +46,7 @@ class PlaceHolderAndELConfigTests extends AbstractHttpConfigTests {
System.setProperty("auth.failure", "/authFailure");
xml.http(pattern: '${login.page}', security: 'none')
xml.http {
xml.http('use-expressions':false) {
interceptUrl('${secure.Url}', '${secure.role}')
'form-login'('login-page':'${login.page}', 'default-target-url': '${default.target}',
'authentication-failure-url':'${auth.failure}');
@ -66,7 +66,7 @@ class PlaceHolderAndELConfigTests extends AbstractHttpConfigTests {
System.setProperty("default.target", "/defaultTarget");
System.setProperty("auth.failure", "/authFailure");
xml.http {
xml.http('use-expressions':false) {
interceptUrl("#{systemProperties['secure.url']}", "#{systemProperties['secure.role']}")
'form-login'('login-page':"#{systemProperties['login.page']}", 'default-target-url': "#{systemProperties['default.target']}",
'authentication-failure-url':"#{systemProperties['auth.failure']}");

@ -285,10 +285,10 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
MockHttpServletRequest request = new MockHttpServletRequest();
request.getSession();
request.servletPath = "/j_spring_security_check"
request.servletPath = "/login"
request.setMethod("POST");
request.setParameter("j_username", "user");
request.setParameter("j_password", "password");
request.setParameter("username", "user");
request.setParameter("password", "password");
SessionAuthenticationStrategy sessionAuthStrategy = appContext.getBean('ss',SessionAuthenticationStrategy)
FilterChainProxy springSecurityFilterChain = appContext.getBean(FilterChainProxy)

@ -1,6 +1,8 @@
package org.springframework.security.config.http;
import static org.junit.Assert.*;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import java.util.Collection;
@ -42,7 +44,7 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
@Test
public void parsingMinimalConfigurationIsSuccessful() {
setContext(
"<filter-security-metadata-source id='fids'>" +
"<filter-security-metadata-source id='fids' use-expressions='false'>" +
" <intercept-url pattern='/**' access='ROLE_A'/>" +
"</filter-security-metadata-source>");
DefaultFilterInvocationSecurityMetadataSource fids = (DefaultFilterInvocationSecurityMetadataSource) appContext.getBean("fids");
@ -54,7 +56,7 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
@Test
public void expressionsAreSupported() {
setContext(
"<filter-security-metadata-source id='fids' use-expressions='true'>" +
"<filter-security-metadata-source id='fids'>" +
" <intercept-url pattern='/**' access=\"hasRole('ROLE_A')\" />" +
"</filter-security-metadata-source>");
@ -72,7 +74,7 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
System.setProperty("secure.role", "ROLE_A");
setContext(
"<b:bean class='org.springframework.beans.factory.config.PropertyPlaceholderConfigurer'/>" +
"<filter-security-metadata-source id='fids'>" +
"<filter-security-metadata-source id='fids' use-expressions='false'>" +
" <intercept-url pattern='${secure.url}' access='${secure.role}'/>" +
"</filter-security-metadata-source>");
DefaultFilterInvocationSecurityMetadataSource fids = (DefaultFilterInvocationSecurityMetadataSource) appContext.getBean("fids");
@ -85,10 +87,10 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
@Test
public void parsingWithinFilterSecurityInterceptorIsSuccessful() {
setContext(
"<http auto-config='true'/>" +
"<http auto-config='true' use-expressions='false'/>" +
"<b:bean id='fsi' class='org.springframework.security.web.access.intercept.FilterSecurityInterceptor' autowire='byType'>" +
" <b:property name='securityMetadataSource'>" +
" <filter-security-metadata-source>" +
" <filter-security-metadata-source use-expressions='false'>" +
" <intercept-url pattern='/secure/extreme/**' access='ROLE_SUPERVISOR'/>" +
" <intercept-url pattern='/secure/**' access='ROLE_USER'/>" +
" <intercept-url pattern='/**' access='ROLE_USER'/>" +

@ -98,10 +98,10 @@ public class SessionManagementConfigServlet31Tests {
Method method = mock(Method.class);
MockHttpServletRequest request = new MockHttpServletRequest();
request.getSession();
request.setServletPath("/j_spring_security_check");
request.setServletPath("/login");
request.setMethod("POST");
request.setParameter("j_username", "user");
request.setParameter("j_password", "password");
request.setParameter("username", "user");
request.setParameter("password", "password");
when(ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId")).thenReturn(method);
loadContext("<http>\n" +
@ -124,10 +124,10 @@ public class SessionManagementConfigServlet31Tests {
Method method = mock(Method.class);
MockHttpServletRequest request = new MockHttpServletRequest();
request.getSession();
request.setServletPath("/j_spring_security_check");
request.setServletPath("/login");
request.setMethod("POST");
request.setParameter("j_username", "user");
request.setParameter("j_password", "password");
request.setParameter("username", "user");
request.setParameter("password", "password");
when(ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId")).thenReturn(method);
loadContext("<http>\n" +

@ -542,7 +542,7 @@ You will notice that this configuration is quite similar the XML Namespace confi
[source,xml]
----
<http use-expressions="true">
<http>
<intercept-url pattern="/**" access="authenticated"/>
<form-login />
<http-basic />
@ -553,11 +553,6 @@ The Java Configuration equivalent of closing an XML tag is expressed using the `
However, Java configuration has different defaults URLs and parameters. Keep this in mind when creating custom login pages. The result is that our URLs are more RESTful. Additionally, it is not quite so obvious we are using Spring Security which helps to prevent https://www.owasp.org/index.php/Information_Leak_(information_disclosure)[information leaks]. For example:
* GET /login renders the login page instead of /spring_security_login
* POST /login authenticates the user instead of /j_spring_security_check
* The username parameter defaults to username instead of j_username
* The password parameter defaults to password instead of j_password
[[jc-form]]
=== Java Configuration and Form Login
You might be wondering where the login form came from when you were prompted to log in, since we made no mention of any HTML files or JSPs. Since Spring Security's default configuration does not explicitly set a URL for the login page, Spring Security generates one automatically, based on the features that are enabled and using standard values for the URL which processes the submitted login, the default target URL the user will be sent to after logging in and so on.
@ -1027,7 +1022,7 @@ All you need to enable web security to begin with is
[source,xml]
----
<http>
<intercept-url pattern="/**" access="ROLE_USER" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login />
<logout />
</http>
@ -1100,7 +1095,7 @@ secured. It is also possible to have all requests matching a particular pattern
<http pattern="/css/**" security="none"/>
<http pattern="/login.jsp*" security="none"/>
<http>
<http use-expressions="false">
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page='/login.jsp'/>
</http>
@ -1115,7 +1110,7 @@ If you want to use basic authentication instead of form login, then change the c
[source,xml]
----
<http>
<http use-expressions="false">
<intercept-url pattern="/**" access="ROLE_USER" />
<http-basic />
</http>
@ -1130,7 +1125,7 @@ If a form login isn't prompted by an attempt to access a protected resource, the
[source,xml]
----
<http pattern="/login.htm*" security="none"/>
<http>
<http use-expressions="false">
<intercept-url pattern='/**' access='ROLE_USER' />
<form-login login-page='/login.htm' default-target-url='/home.htm'
always-use-default-target='true' />
@ -1141,7 +1136,7 @@ For even more control over the destination, you can use the `authentication-succ
[[ns-logout]]
==== Logout Handling
The `logout` element adds support for logging out by navigating to a particular URL. The default logout URL is `/j_spring_security_logout`, but you can set it to something else using the `logout-url` attribute. More information on other available attributes may be found in the namespace appendix.
The `logout` element adds support for logging out by navigating to a particular URL. The default logout URL is `/logout`, but you can set it to something else using the `logout-url` attribute. More information on other available attributes may be found in the namespace appendix.
[[ns-auth-providers]]
==== Using other Authentication Providers
@ -1288,7 +1283,7 @@ If you are running your application behind a proxy, you may also be able to remo
[source,xml]
----
<LocationMatch "/tutorial/j_spring_security_logout">
<LocationMatch "/tutorial/logout">
Header always set Set-Cookie "JSESSIONID=;Path=/tutorial;Expires=Thu, 01 Jan 1970 00:00:00 GMT"
</LocationMatch>
----
@ -2397,7 +2392,7 @@ As we saw earlier in the namespace chapter, it's possible to use multiple `http`
----
<!-- Stateless RESTful service using Basic authentication -->
<http pattern="/restful/**" create-session="stateless">
<intercept-url pattern='/**' access='ROLE_REMOTE' />
<intercept-url pattern='/**' access="hasRole('ROLE_REMOTE')" />
<http-basic />
</http>
@ -2406,7 +2401,7 @@ As we saw earlier in the namespace chapter, it's possible to use multiple `http`
<!-- Additional filter chain for normal users, matching all other requests -->
<http>
<intercept-url pattern='/**' access='ROLE_USER' />
<intercept-url pattern='/**' access="hasRole('ROLE_USER')" />
<form-login login-page='/login.htm' default-target-url="/home.htm"/>
<logout />
</http>
@ -2567,7 +2562,7 @@ We've now seen the three main filters which are always present in a Spring Secur
* Configure an instance of `UsernamePasswordAuthenticationFilter` in the application context
* Add the filter bean to your filter chain proxy (making sure you pay attention to the order).
The login form simply contains `j_username` and `j_password` input fields, and posts to the URL that is monitored by the filter (by default this is `/j_spring_security_check`). The basic filter configuration looks something like this:
The login form simply contains `username` and `password` input fields, and posts to the URL that is monitored by the filter (by default this is `/login`). The basic filter configuration looks something like this:
[source,xml]
----
@ -4342,7 +4337,7 @@ To use expressions to secure individual URLs, you would first need to set the `u
[source,xml]
----
<http use-expressions="true">
<http>
<intercept-url pattern="/admin*"
access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/>
...
@ -5294,14 +5289,14 @@ The basic interaction between a web browser, CAS server and a Spring Security-se
* The web user is browsing the service's public pages. CAS or Spring Security is not involved.
* The user eventually requests a page that is either secure or one of the beans it uses is secure. Spring Security's `ExceptionTranslationFilter` will detect the `AccessDeniedException` or `AuthenticationException`.
* Because the user's `Authentication` object (or lack thereof) caused an `AuthenticationException`, the `ExceptionTranslationFilter` will call the configured `AuthenticationEntryPoint`. If using CAS, this will be the `CasAuthenticationEntryPoint` class.
* The `CasAuthenticationEntryPoint` will redirect the user's browser to the CAS server. It will also indicate a `service` parameter, which is the callback URL for the Spring Security service (your application). For example, the URL to which the browser is redirected might be https://my.company.com/cas/login?service=https%3A%2F%2Fserver3.company.com%2Fwebapp%2Fj_spring_cas_security_check.
* The `CasAuthenticationEntryPoint` will redirect the user's browser to the CAS server. It will also indicate a `service` parameter, which is the callback URL for the Spring Security service (your application). For example, the URL to which the browser is redirected might be https://my.company.com/cas/login?service=https%3A%2F%2Fserver3.company.com%2Fwebapp%2Flogin/cas.
* After the user's browser redirects to CAS, they will be prompted for their username and password. If the user presents a session cookie which indicates they've previously logged on, they will not be prompted to login again (there is an exception to this procedure, which we'll cover later). CAS will use the `PasswordHandler` (or `AuthenticationHandler` if using CAS 3.0) discussed above to decide whether the username and password is valid.
* Upon successful login, CAS will redirect the user's browser back to the original service. It will also include a `ticket` parameter, which is an opaque string representing the "service ticket". Continuing our earlier example, the URL the browser is redirected to might be https://server3.company.com/webapp/j_spring_cas_security_check?ticket=ST-0-ER94xMJmn6pha35CQRoZ.
* Back in the service web application, the `CasAuthenticationFilter` is always listening for requests to `/j_spring_cas_security_check` (this is configurable, but we'll use the defaults in this introduction). The processing filter will construct a `UsernamePasswordAuthenticationToken` representing the service ticket. The principal will be equal to `CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER`, whilst the credentials will be the service ticket opaque value. This authentication request will then be handed to the configured `AuthenticationManager`.
* Upon successful login, CAS will redirect the user's browser back to the original service. It will also include a `ticket` parameter, which is an opaque string representing the "service ticket". Continuing our earlier example, the URL the browser is redirected to might be https://server3.company.com/webapp/login/cas?ticket=ST-0-ER94xMJmn6pha35CQRoZ.
* Back in the service web application, the `CasAuthenticationFilter` is always listening for requests to `/login/cas` (this is configurable, but we'll use the defaults in this introduction). The processing filter will construct a `UsernamePasswordAuthenticationToken` representing the service ticket. The principal will be equal to `CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER`, whilst the credentials will be the service ticket opaque value. This authentication request will then be handed to the configured `AuthenticationManager`.
* The `AuthenticationManager` implementation will be the `ProviderManager`, which is in turn configured with the `CasAuthenticationProvider`. The `CasAuthenticationProvider` only responds to `UsernamePasswordAuthenticationToken` s containing the CAS-specific principal (such as `CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER`) and `CasAuthenticationToken` s (discussed later).
* `CasAuthenticationProvider` will validate the service ticket using a `TicketValidator` implementation. This will typically be a `Cas20ServiceTicketValidator` which is one of the classes included in the CAS client library. In the event the application needs to validate proxy tickets, the `Cas20ProxyTicketValidator` is used. The `TicketValidator` makes an HTTPS request to the CAS server in order to validate the service ticket. It may also include a proxy callback URL, which is included in this example: https://my.company.com/cas/proxyValidate?service=https%3A%2F%2Fserver3.company.com%2Fwebapp%2Fj_spring_cas_security_check&ticket=ST-0-ER94xMJmn6pha35CQRoZ&pgtUrl=https://server3.company.com/webapp/j_spring_cas_security_proxyreceptor.
* `CasAuthenticationProvider` will validate the service ticket using a `TicketValidator` implementation. This will typically be a `Cas20ServiceTicketValidator` which is one of the classes included in the CAS client library. In the event the application needs to validate proxy tickets, the `Cas20ProxyTicketValidator` is used. The `TicketValidator` makes an HTTPS request to the CAS server in order to validate the service ticket. It may also include a proxy callback URL, which is included in this example: https://my.company.com/cas/proxyValidate?service=https%3A%2F%2Fserver3.company.com%2Fwebapp%2Flogin/cas&ticket=ST-0-ER94xMJmn6pha35CQRoZ&pgtUrl=https://server3.company.com/webapp/login/cas/proxyreceptor.
* Back on the CAS server, the validation request will be received. If the presented service ticket matches the service URL the ticket was issued to, CAS will provide an affirmative response in XML indicating the username. If any proxy was involved in the authentication (discussed below), the list of proxies is also included in the XML response.
* [OPTIONAL] If the request to the CAS validation service included the proxy callback URL (in the `pgtUrl` parameter), CAS will include a `pgtIou` string in the XML response. This `pgtIou` represents a proxy-granting ticket IOU. The CAS server will then create its own HTTPS connection back to the `pgtUrl`. This is to mutually authenticate the CAS server and the claimed service URL. The HTTPS connection will be used to send a proxy granting ticket to the original web application. For example, https://server3.company.com/webapp/j_spring_cas_security_proxyreceptor?pgtIou=PGTIOU-0-R0zlgrl4pdAQwBvJWO3vnNpevwqStbSGcq3vKB2SqSFFRnjPHt&pgtId=PGT-1-si9YkkHLrtACBo64rmsi3v2nf7cpCResXg5MpESZFArbaZiOKH.
* [OPTIONAL] If the request to the CAS validation service included the proxy callback URL (in the `pgtUrl` parameter), CAS will include a `pgtIou` string in the XML response. This `pgtIou` represents a proxy-granting ticket IOU. The CAS server will then create its own HTTPS connection back to the `pgtUrl`. This is to mutually authenticate the CAS server and the claimed service URL. The HTTPS connection will be used to send a proxy granting ticket to the original web application. For example, https://server3.company.com/webapp/login/cas/proxyreceptor?pgtIou=PGTIOU-0-R0zlgrl4pdAQwBvJWO3vnNpevwqStbSGcq3vKB2SqSFFRnjPHt&pgtId=PGT-1-si9YkkHLrtACBo64rmsi3v2nf7cpCResXg5MpESZFArbaZiOKH.
* The `Cas20TicketValidator` will parse the XML received from the CAS server. It will return to the `CasAuthenticationProvider` a `TicketResponse`, which includes the username (mandatory), proxy list (if any were involved), and proxy-granting ticket IOU (if the proxy callback was requested).
* Next `CasAuthenticationProvider` will call a configured `CasProxyDecider`. The `CasProxyDecider` indicates whether the proxy list in the `TicketResponse` is acceptable to the service. Several implementations are provided with Spring Security: `RejectProxyTickets`, `AcceptAnyCasProxy` and `NamedCasProxyDecider`. These names are largely self-explanatory, except `NamedCasProxyDecider` which allows a `List` of trusted proxies to be provided.
* `CasAuthenticationProvider` will next request a `AuthenticationUserDetailsService` to load the `GrantedAuthority` objects that apply to the user contained in the `Assertion`.
@ -5325,7 +5320,7 @@ This section describes how to setup Spring Security to authenticate Service Tick
<bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties">
<property name="service"
value="https://localhost:8443/cas-sample/j_spring_cas_security_check"/>
value="https://localhost:8443/cas-sample/login/cas"/>
<property name="sendRenew" value="false"/>
</bean>
----
@ -5418,7 +5413,7 @@ The CAS protocol supports Single Logout and can be easily added to your Spring S
<bean class=
"org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</constructor-arg>
<property name="filterProcessesUrl" value="/j_spring_cas_security_logout"/>
<property name="filterProcessesUrl" value="/logout/cas"/>
</bean>
----
@ -5426,8 +5421,8 @@ The `logout` element logs the user out of the local application, but does not te
It might be confusing why both the `logout` element and the `singleLogoutFilter` are needed. It is considered best practice to logout locally first since the `SingleSignOutFilter` just stores the `HttpSession` in a static `Map` in order to call invalidate on it. With the configuration above, the flow of logout would be:
* The user requests `/j_spring_security_logout` which would log the user out of the local application and send the user to the logout success page.
* The logout success page, `/cas-logout.jsp`, should instruct the user to click a link pointing to `/j_spring_cas_security_logout` in order to logout out of all applications.
* The user requests `/logout` which would log the user out of the local application and send the user to the logout success page.
* The logout success page, `/cas-logout.jsp`, should instruct the user to click a link pointing to `/logout/cas` in order to logout out of all applications.
* When the user clicks the link, the user is redirected to the CAS single logout URL (https://localhost:9443/cas/logout).
* On the CAS Server side, the CAS single logout URL then submits single logout requests to all the CAS Services. On the CAS Service side, JASIG's `SingleSignOutFilter` processes the logout request by invaliditing the original session.
@ -5493,7 +5488,7 @@ The next step is to update the `CasAuthenticationProvider` to be able to obtain
<bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator">
<constructor-arg value="https://localhost:9443/cas"/>
<property name="proxyCallbackUrl"
value="https://localhost:8443/cas-sample/j_spring_cas_security_proxyreceptor"/>
value="https://localhost:8443/cas-sample/login/cas/proxyreceptor"/>
<property name="proxyGrantingTicketStorage" ref="pgtStorage"/>
</bean>
</property>
@ -5509,7 +5504,7 @@ The last step is to update the `CasAuthenticationFilter` to accept PGT and to st
class="org.springframework.security.cas.web.CasAuthenticationFilter">
...
<property name="proxyGrantingTicketStorage" ref="pgtStorage"/>
<property name="proxyReceptorUrl" value="/j_spring_cas_security_proxyreceptor"/>
<property name="proxyReceptorUrl" value="/login/cas/proxyreceptor"/>
</bean>
----
@ -6569,7 +6564,7 @@ Provides versions of `HttpServletRequest` security methods such as `isUserInRole
[[nsa-http-use-expressions]]
* **use-expressions**
Enables EL-expressions in the `access` attribute, as described in the chapter on <<el-access-web,expression-based access-control>>.
Enables EL-expressions in the `access` attribute, as described in the chapter on <<el-access-web,expression-based access-control>>. The default value is true.
[[nsa-http-children]]
@ -6953,7 +6948,7 @@ Defines a reference to a Spring bean that implements `SecurityExpressionHandler`
[[nsa-form-login]]
==== <form-login>
Used to add an `UsernamePasswordAuthenticationFilter` to the filter stack and an `LoginUrlAuthenticationEntryPoint` to the application context to provide authentication on demand. This will always take precedence over other namespace-created entry points. If no attributes are supplied, a login page will be generated automatically at the URL "/spring_security_login" footnote:[
Used to add an `UsernamePasswordAuthenticationFilter` to the filter stack and an `LoginUrlAuthenticationEntryPoint` to the application context to provide authentication on demand. This will always take precedence over other namespace-created entry points. If no attributes are supplied, a login page will be generated automatically at the URL "/login" footnote:[
This feature is really just provided for convenience and is not intended for production (where a view technology will have been chosen and can be used to render a customized login page). The class `DefaultLoginPageGeneratingFilter` is responsible for rendering the login page and will provide login forms for both normal form login and/or OpenID if required.
] The behaviour can be customized using the <<nsa-form-login-attributes, `<form-login>` Attributes>>.
@ -6987,7 +6982,7 @@ Can be used as an alternative to <<nsa-form-login-authentication-failure-url,aut
[[nsa-form-login-authentication-failure-url]]
* **authentication-failure-url**
Maps to the `authenticationFailureUrl` property of `UsernamePasswordAuthenticationFilter`. Defines the URL the browser will be redirected to on login failure. Defaults to `/spring_security_login?login_error`, which will be automatically handled by the automatic login page generator, re-rendering the login page with an error message.
Maps to the `authenticationFailureUrl` property of `UsernamePasswordAuthenticationFilter`. Defines the URL the browser will be redirected to on login failure. Defaults to `/login?login_error`, which will be automatically handled by the automatic login page generator, re-rendering the login page with an error message.
[[nsa-form-login-authentication-success-handler-ref]]
@ -7002,22 +6997,22 @@ Maps to the `defaultTargetUrl` property of `UsernamePasswordAuthenticationFilter
[[nsa-form-login-login-page]]
* **login-page**
The URL that should be used to render the login page. Maps to the `loginFormUrl` property of the `LoginUrlAuthenticationEntryPoint`. Defaults to "/spring_security_login".
The URL that should be used to render the login page. Maps to the `loginFormUrl` property of the `LoginUrlAuthenticationEntryPoint`. Defaults to "/login".
[[nsa-form-login-login-processing-url]]
* **login-processing-url**
Maps to the `filterProcessesUrl` property of `UsernamePasswordAuthenticationFilter`. The default value is "/j_spring_security_check".
Maps to the `filterProcessesUrl` property of `UsernamePasswordAuthenticationFilter`. The default value is "/login".
[[nsa-form-login-password-parameter]]
* **password-parameter**
The name of the request parameter which contains the password. Defaults to "j_password".
The name of the request parameter which contains the password. Defaults to "password".
[[nsa-form-login-username-parameter]]
* **username-parameter**
The name of the request parameter which contains the username. Defaults to "j_username".
The name of the request parameter which contains the username. Defaults to "username".
[[nsa-http-basic]]
@ -7171,7 +7166,7 @@ Setting this attribute will inject the `SessionManagementFilter` with a `SimpleR
[[nsa-logout-logout-url]]
* **logout-url**
The URL which will cause a logout (i.e. which will be processed by the filter). Defaults to "/j_spring_security_logout".
The URL which will cause a logout (i.e. which will be processed by the filter). Defaults to "/logout".
[[nsa-logout-success-handler-ref]]
@ -7181,7 +7176,7 @@ May be used to supply an instance of `LogoutSuccessHandler` which will be invoke
[[nsa-openid-login]]
==== <openid-login>
Similar to `<form-login>` and has the same attributes. The default value for `login-processing-url` is "/j_spring_openid_security_check". An `OpenIDAuthenticationFilter` and `OpenIDAuthenticationProvider` will be registered. The latter requires a reference to a `UserDetailsService`. Again, this can be specified by `id`, using the `user-service-ref` attribute, or will be located automatically in the application context.
Similar to `<form-login>` and has the same attributes. The default value for `login-processing-url` is "/login/openid". An `OpenIDAuthenticationFilter` and `OpenIDAuthenticationProvider` will be registered. The latter requires a reference to a `UserDetailsService`. Again, this can be specified by `id`, using the `user-service-ref` attribute, or will be located automatically in the application context.
[[nsa-openid-login-parents]]
@ -7213,7 +7208,7 @@ Reference to an AuthenticationFailureHandler bean which should be used to handle
[[nsa-openid-login-authentication-failure-url]]
* **authentication-failure-url**
The URL for the login failure page. If no login failure URL is specified, Spring Security will automatically create a failure login URL at /spring_security_login?login_error and a corresponding filter to render that login failure URL when requested.
The URL for the login failure page. If no login failure URL is specified, Spring Security will automatically create a failure login URL at /login?login_error and a corresponding filter to render that login failure URL when requested.
[[nsa-openid-login-authentication-success-handler-ref]]
@ -7228,17 +7223,17 @@ The URL that will be redirected to after successful authentication, if the user'
[[nsa-openid-login-login-page]]
* **login-page**
The URL for the login page. If no login URL is specified, Spring Security will automatically create a login URL at /spring_security_login and a corresponding filter to render that login URL when requested.
The URL for the login page. If no login URL is specified, Spring Security will automatically create a login URL at /login and a corresponding filter to render that login URL when requested.
[[nsa-openid-login-login-processing-url]]
* **login-processing-url**
The URL that the login form is posted to. If unspecified, it defaults to /j_spring_security_check.
The URL that the login form is posted to. If unspecified, it defaults to /login.
[[nsa-openid-login-password-parameter]]
* **password-parameter**
The name of the request parameter which contains the password. Defaults to "j_password".
The name of the request parameter which contains the password. Defaults to "password".
[[nsa-openid-login-user-service-ref]]
@ -7248,7 +7243,7 @@ A reference to a user-service (or UserDetailsService bean) Id
[[nsa-openid-login-username-parameter]]
* **username-parameter**
The name of the request parameter which contains the username. Defaults to "j_username".
The name of the request parameter which contains the username. Defaults to "username".
[[nsa-openid-login-children]]
@ -7663,7 +7658,7 @@ Defines the strategy use for matching incoming requests. Currently the options a
[[nsa-filter-security-metadata-source-use-expressions]]
* **use-expressions**
Enables the use of expressions in the 'access' attributes in <intercept-url> elements rather than the traditional list of configuration attributes. Defaults to 'false'. If enabled, each attribute should contain a single boolean expression. If the expression evaluates to 'true', access will be granted.
Enables the use of expressions in the 'access' attributes in <intercept-url> elements rather than the traditional list of configuration attributes. Defaults to 'true'. If enabled, each attribute should contain a single boolean expression. If the expression evaluates to 'true', access will be granted.
[[nsa-filter-security-metadata-source-children]]
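Review bot: The rewritten failure-URL default `Defaults to `/login?login_error`` for `authentication-failure-url`, and the OpenID equivalent `/login?login_error` later in the section, do not agree with the commit summary, which lists `login_error -> error`; if the namespace default did change, both lines should read `/login?error`. Separately, the three CAS `service=` examples now contain `%2Fwebapp%2Flogin/cas`, mixing a percent-encoded path with a literal slash; `%2Fwebapp%2Flogin%2Fcas` would be the consistent encoding. The actual defaults are not visible as code in this page, so the first point is inferred from the commit message only.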


@ -13,7 +13,7 @@ sourceCompatibility = 1.5
targetCompatibility = 1.5
ext.ehcacheVersion = '2.6.5'
ext.aspectjVersion = '1.6.10'
ext.aspectjVersion = '1.8.4'
ext.apacheDsVersion = '1.5.5'
ext.jstlVersion = '1.2.1'
ext.jettyVersion = '6.1.26'


@ -28,6 +28,7 @@ public class HttpNamespaceWithMultipleInterceptorsTests {
@Test
public void requestThatIsMatchedByDefaultInterceptorIsAllowed() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setMethod("GET");
request.setServletPath("/somefile.html");
request.setSession(createAuthenticatedSession("ROLE_0", "ROLE_1", "ROLE_2"));
MockHttpServletResponse response = new MockHttpServletResponse();
@ -38,6 +39,8 @@ public class HttpNamespaceWithMultipleInterceptorsTests {
@Test
public void securedUrlAccessIsRejectedWithoutRequiredRole() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setMethod("GET");
request.setServletPath("/secure/somefile.html");
request.setSession(createAuthenticatedSession("ROLE_0"));
MockHttpServletResponse response = new MockHttpServletResponse();
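Review bot: The added `request.setMethod("GET")` lines carry no comment saying why a method is now required, and the reason is not visible in this page; presumably the request matching behind the new expression default needs a concrete HTTP method where `MockHttpServletRequest` previously left it unset. A one-line comment at the first occurrence such as `// request matching needs an explicit HTTP method; MockHttpServletRequest does not set one` would save the next reader a bisect. The same applies to the second hunk in this file.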


@ -90,7 +90,7 @@
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/>
<property name="securityMetadataSource">
<sec:filter-security-metadata-source>
<sec:filter-security-metadata-source use-expressions="false">
<sec:intercept-url pattern="/secure/extreme/**" access="ROLE_2"/>
<sec:intercept-url pattern="/secure/**" access="ROLE_1"/>
<sec:intercept-url pattern="/**" access="ROLE_0"/>
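Review bot: `use-expressions="false"` is added to the metadata source without a comment, and now that the default has flipped to true a reader cannot tell whether the opt-out is deliberate or stale. A short XML comment such as `<!-- legacy ROLE_ attribute syntax: expressions intentionally off for this metadata source -->` would settle that. The same applies to the later hunks that add the attribute to `<sec:filter-security-metadata-source>` and to `<http ... use-expressions="false">` in the test configurations.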


@ -10,7 +10,7 @@
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<sec:http use-expressions="true">
<sec:http>
<!-- Slip in a bean property name EL test -->
<sec:intercept-url pattern="/**" access="@fsi.getAccessDecisionManager() eq @accessDecisionManager" />
<sec:form-login />
@ -22,7 +22,7 @@
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/>
<property name="securityMetadataSource">
<sec:filter-security-metadata-source>
<sec:filter-security-metadata-source use-expressions="false">
<sec:intercept-url pattern="/secure/extreme/**" access="ROLE_2"/>
<sec:intercept-url pattern="/secure/**" access="ROLE_1"/>
</sec:filter-security-metadata-source>


@ -10,7 +10,7 @@
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<http pattern="/secured/**">
<http pattern="/secured/**" use-expressions="false">
<intercept-url pattern="/secured/*user.html" access="ROLE_USER" />
<intercept-url pattern="/secured/admin.html" access="ROLE_ADMIN" />
<intercept-url pattern="/secured/user/**" access="ROLE_USER" />


@ -150,8 +150,8 @@ public abstract class AbstractWebServerIntegrationTests {
protected void login(String username, String password) {
assertFormPresent();
setTextField("j_username", username);
setTextField("j_password", password);
setTextField("username", username);
setTextField("password", password);
submit();
}
}
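Review bot: The `login(...)` helper now owns the `username`/`password` field names, but ConcurrentSessionManagementTests and CustomConcurrentSessionManagementTests still repeat the same two `setTextField` calls on their own `WebTester` instances. An overload `protected void login(WebTester tester, String username, String password)` that the existing helper delegates to would keep the parameter names in one place the next time they change; the unqualified `setTextField` calls here presumably act on a class-level tester, which is not visible in the hunk. The class header is outside the hunk.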


@ -24,8 +24,8 @@ public class ConcurrentSessionManagementTests extends AbstractWebServerIntegrati
tester2.beginAt("secure/index.html");
// seems to be a bug in checking for form here (it fails)
//tester2.assertFormPresent();
tester2.setTextField("j_username", "jimi");
tester2.setTextField("j_password", "jimispassword");
tester2.setTextField("username", "jimi");
tester2.setTextField("password", "jimispassword");
// tester2.submit() also fails to detect the form
tester2.getTestingEngine().submit();
tester2.assertTextPresent("Maximum sessions of 1 for this principal exceeded");
@ -35,8 +35,8 @@ public class ConcurrentSessionManagementTests extends AbstractWebServerIntegrati
// Try second session again
tester2.setTextField("j_username", "jimi");
tester2.setTextField("j_password", "jimispassword");
tester2.setTextField("username", "jimi");
tester2.setTextField("password", "jimispassword");
// tester2.submit() also fails to detect the form
tester2.getTestingEngine().submit();
tester2.assertTextPresent("A Secure Page");


@ -24,8 +24,8 @@ public class CustomConcurrentSessionManagementTests extends AbstractWebServerInt
WebTester tester2 = new WebTester();
tester2.getTestContext().setBaseUrl(getBaseUrl());
tester2.beginAt("secure/index.html");
tester2.setTextField("j_username", "jimi");
tester2.setTextField("j_password", "jimispassword");
tester2.setTextField("username", "jimi");
tester2.setTextField("password", "jimispassword");
tester2.setIgnoreFailingStatusCodes(true);
tester2.submit();
Assert.assertTrue(tester2.getServerResponse().contains("Maximum sessions of 1 for this principal exceeded"));
@ -37,15 +37,15 @@ public class CustomConcurrentSessionManagementTests extends AbstractWebServerInt
login("bessie", "bessiespassword");
SessionRegistry reg = getAppContext().getBean(SessionRegistry.class);
tester.gotoPage("/j_spring_security_logout");
tester.gotoPage("/logout");
// Login again
System.out.println("Client: ******* Second login ******* ");
WebTester tester2 = new WebTester();
tester2.getTestContext().setBaseUrl(getBaseUrl());
tester2.beginAt("secure/index.html");
tester2.setTextField("j_username", "bessie");
tester2.setTextField("j_password", "bessiespassword");
tester2.setTextField("username", "bessie");
tester2.setTextField("password", "bessiespassword");
tester2.setIgnoreFailingStatusCodes(true);
tester2.submit();
Assert.assertTrue(tester2.getServerResponse().contains("A secure page"));
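Review bot: `tester.gotoPage("/logout")` performs the logout with a GET; if CSRF protection is enabled for this application's filter chain, the logout filter only honours POST on the default `/logout` URL, the first session would stay logged in, and the later assertion that a second login reaches "A secure page" would not be exercising what it intends. Whether CSRF is on is not visible in this page, so either a comment such as `// GET logout relies on CSRF being disabled in this test context` or a POST-based logout would make the assumption explicit. The remaining hunks in this file only rename the form fields.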


@ -6,7 +6,7 @@
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<http>
<http use-expressions="false">
<intercept-url pattern="/**" access="ROLE_DEVELOPER,ROLE_USER" />
<http-basic />
</http>


@ -14,7 +14,7 @@
-->
<http pattern="/login.jsp" security="none" />
<http use-expressions="true">
<http>
<intercept-url pattern="/secure/**" access="hasAnyRole('ROLE_DEVELOPER','ROLE_USER')" />
<intercept-url pattern="/**" access="hasAnyRole('ROLE_DEVELOPER','ROLE_USER')" />


@ -8,7 +8,7 @@
<http pattern="/login.jsp" security="none" />
<http entry-point-ref="aep">
<http entry-point-ref="aep" use-expressions="false">
<intercept-url pattern="/**" access="ROLE_DEVELOPER,ROLE_USER" />
<session-management session-authentication-strategy-ref="sas"/>


@ -12,7 +12,7 @@
-->
<http pattern="/login.jsp" security="none" />
<http use-expressions="true">
<http>
<intercept-url pattern="/secure/**" access="hasAnyRole('ROLE_DEVELOPER','ROLE_USER')" />
<intercept-url pattern="/**" access="hasAnyRole('ROLE_DEVELOPER','ROLE_USER')" />


@ -16,10 +16,10 @@ Your login attempt was not successful, try again. ${SPRING_SECURITY_LAST_EXCEPTI
}
%>
<form action="j_spring_security_check" method="POST">
<form action="login" method="POST">
<table>
<tr><td>User:</td><td><input type='text' name='j_username' value=''/></td></tr>
<tr><td>Password:</td><td><input type='password' name='j_password'></td></tr>
<tr><td>User:</td><td><input type='text' name='username' value=''/></td></tr>
<tr><td>Password:</td><td><input type='password' name='password'></td></tr>
<tr><td><input type="checkbox" name="_spring_security_remember_me"></td><td>Don't ask for my password for two weeks</td></tr>
<tr><td colspan='2'><input name="submit" type="submit"></td></tr>
<tr><td colspan='2'><input name="reset" type="reset"></td></tr>
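Review bot: The login form at L1702 posts to `login` without a CSRF token, while the other forms this commit touches carry `<security:csrfInput/>` or an `_csrf` hidden field (L1878, L1925, L2397); if CSRF protection is enabled for the `<http>` this test application uses (not visible here), the login POST is rejected before the form-login filter sees it. The remember-me checkbox at L1708 still sends `_spring_security_remember_me`, which is not among the renamed defaults listed for this commit; worth confirming it still matches the parameter name the test's `<remember-me>` configuration expects. The enclosing JSP runs past both ends of the hunk.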


@ -77,7 +77,7 @@ public class OpenIDAuthenticationFilter extends AbstractAuthenticationProcessing
//~ Constructors ===================================================================================================
public OpenIDAuthenticationFilter() {
super("/j_spring_openid_security_check");
super("/login/openid");
}
//~ Methods ========================================================================================================
@ -232,11 +232,11 @@ public class OpenIDAuthenticationFilter extends AbstractAuthenticationProcessing
/**
* Maps the <tt>return_to url</tt> to a realm, for example:
* <pre>
* http://www.example.com/j_spring_openid_security_check -> http://www.example.com/realm</tt>
* http://www.example.com/login/openid -> http://www.example.com/realm</tt>
* </pre>
* If no mapping is provided then the returnToUrl will be parsed to extract the protocol, hostname and port followed
* by a trailing slash.
* This means that <tt>http://www.example.com/j_spring_openid_security_check</tt> will automatically become
* This means that <tt>http://www.example.com/login/openid</tt> will automatically become
* <tt>http://www.example.com:80/</tt>
*
* @param realmMapping containing returnToUrl -> realm mappings
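Review bot: The Javadoc example at L1726 closes a `<tt>` that was never opened (`... -> http://www.example.com/realm</tt>`), so the rendered docs carry an unbalanced tag; `* <tt>http://www.example.com/login/openid</tt> -> <tt>http://www.example.com/realm</tt>` fixes it. The constructor at L1716-L1719 changes the default processing URL but has no Javadoc; a one-liner such as `/** Creates the filter with the default processing URL {@code /login/openid}. */` helps users migrating from the old `j_spring_openid_security_check` default. The realm-mapping Javadoc continues past the end of the hunk.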


@ -24,7 +24,7 @@ public class OpenIDAuthenticationFilterTests {
OpenIDAuthenticationFilter filter;
private static final String REDIRECT_URL = "http://www.example.com/redirect";
private static final String CLAIMED_IDENTITY_URL = "http://www.example.com/identity";
private static final String REQUEST_PATH = "/j_spring_openid_security_check";
private static final String REQUEST_PATH = "/login/openid";
private static final String FILTER_PROCESS_URL = "http://localhost:8080" + REQUEST_PATH;
private static final String DEFAULT_TARGET_URL = FILTER_PROCESS_URL;


@ -52,7 +52,7 @@ class CasSampleTests extends AbstractCasTests {
def 'authenticate attempt with invaid ticket fails'() {
when: 'present invalid ticket'
go "j_spring_cas_security_check?ticket=invalid"
go "login/cas?ticket=invalid"
then: 'the login failed page is displayed'
$("h2").text() == 'Login to CAS failed!'
}


@ -10,7 +10,7 @@
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<http entry-point-ref="casEntryPoint" use-expressions="true">
<http entry-point-ref="casEntryPoint">
<intercept-url pattern="/" access="permitAll"/>
<intercept-url pattern="/index.jsp" access="permitAll"/>
<intercept-url pattern="/cas-logout.jsp" access="permitAll"/>
@ -41,7 +41,7 @@
<b:bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>
<!-- This filter redirects to the CAS Server to signal Single Logout should be performed -->
<b:bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter"
p:filterProcessesUrl="/j_spring_cas_security_logout">
p:filterProcessesUrl="/logout/cas">
<b:constructor-arg value="https://${cas.server.host}/cas/logout"/>
<b:constructor-arg>
<b:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
@ -50,7 +50,7 @@
<b:bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties"
p:service="https://${cas.service.host}/cas-sample/j_spring_cas_security_check"
p:service="https://${cas.service.host}/cas-sample/login/cas"
p:authenticateAllArtifacts="true"/>
<b:bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
@ -60,10 +60,10 @@
p:authenticationManager-ref="authManager"
p:serviceProperties-ref="serviceProperties"
p:proxyGrantingTicketStorage-ref="pgtStorage"
p:proxyReceptorUrl="/j_spring_cas_security_proxyreceptor">
p:proxyReceptorUrl="/login/cas/proxyreceptor">
<b:property name="authenticationDetailsSource">
<b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource">
<b:constructor-arg ref="serviceProperties"/>
<b:constructor-arg ref="serviceProperties"/>
</b:bean>
</b:property>
<b:property name="authenticationFailureHandler">
@ -89,7 +89,7 @@
<b:bean
class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
p:acceptAnyProxy="true"
p:proxyCallbackUrl="https://${cas.service.host}/cas-sample/j_spring_cas_security_proxyreceptor"
p:proxyCallbackUrl="https://${cas.service.host}/cas-sample/login/cas/proxyreceptor"
p:proxyGrantingTicketStorage-ref="pgtStorage">
<b:constructor-arg value="https://${cas.server.host}/cas" />
</b:bean>
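Review bot: The `requestSingleLogoutFilter` bean at L1771-L1773 is still reached by plain GET links in the sample pages (`<a href="logout/cas">` at L1813, and the `../../logout` / `../logout` links at L1824 and L1835), whereas the other samples in this commit moved logout to a POST form carrying the CSRF token (L1875-L1879, L2578-L2582). A `LogoutFilter` wired with an explicit `filterProcessesUrl` matches on path alone as far as I can tell, so `/logout/cas` remains a state-changing GET; the `/logout` links go to the `<logout>` element's filter and would stop working if CSRF protection is on for this `<http>`, which the hunk does not show. Consider a POST form with the CSRF hidden field in those pages, as in L2395-L2397. The `<http>` element at L1764 runs past the hunk.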


@ -9,7 +9,7 @@
<p>You have logged out of this application, but may still have an active single-sign on session with CAS.</p>
<p><a href="j_spring_cas_security_logout">Logout of CAS</a></p>
<p><a href="logout/cas">Logout of CAS</a></p>
</body>
</html>


@ -6,7 +6,7 @@ This is a protected page. You can only see me if you are a supervisor.
<p><a href="../../">Home</a>
<p><a href="../../secure/index.jsp">Secure page</a></p>
<p><a href="../../secure/ptSample">Proxy Ticket Sample page</a></p>
<p><a href="../../j_spring_security_logout">Logout</a>
<p><a href="../../logout">Logout</a>
<
</body>
</html>


@ -10,6 +10,6 @@ or if you've authenticated this session.</p>
<p><a href="../">Home</a>
<p><a href="ptSample">Proxy Ticket Sample page</a></p>
<p><a href="../j_spring_security_logout">Logout</a>
<p><a href="../logout">Logout</a>
</body>
</html>


@ -27,8 +27,8 @@ class LoginPage extends Page {
static at = { assert driver.title == 'Login'; true}
static content = {
login(required:false) { user='rod', password='koala' ->
loginForm.j_username = user
loginForm.j_password = password
loginForm.username = user
loginForm.password = password
submit.click()
}
loginForm { $('form') }


@ -17,13 +17,13 @@
<expression-handler ref="expressionHandler"/>
</global-method-security>
<http realm="Contacts Realm">
<http realm="Contacts Realm" use-expressions="false">
<intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/hello.htm" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/switchuser.jsp" access="ROLE_SUPERVISOR"/>
<intercept-url pattern="/j_spring_security_switch_user" access="ROLE_SUPERVISOR"/>
<intercept-url pattern="/login/impersonate" access="ROLE_SUPERVISOR"/>
<intercept-url pattern="/**" access="ROLE_USER"/>
<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1"/>
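Review bot: The rule at L1866 hard-codes the new default switch-user URL `/login/impersonate`; if a `<switch-user>` element elsewhere in this file (outside the hunk) ever sets `switch-user-url` to a different value, this rule silently stops matching and the impersonation endpoint falls under the `/**` ROLE_USER rule at L1867. An XML comment tying the two together would help, e.g. `<!-- must match switch-user-url on the <switch-user> element (default /login/impersonate) -->`. Note also that `authentication-failure-url="/login.jsp?login_error=1"` at L1868 deliberately keeps the old `login_error` parameter that the contacts login.jsp reads (L1908), so it should not be changed to `error` without updating that page.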


@ -29,7 +29,7 @@
</table>
<p><a href="<c:url value="add.htm"/>">Add</a> </p>
<form action="<c:url value="/j_spring_security_logout"/>" method="post">
<form action="<c:url value="/logout"/>" method="post">
<input type="submit" value="Logoff"/> (also clears any remember-me cookie)
<security:csrfInput/>
</form>


@ -19,7 +19,7 @@
</font>
</c:if>
<form action="<c:url value='j_spring_security_exit_user'/>" method="POST">
<form action="<c:url value='logout/impersonate'/>" method="POST">
<table>
<tr><td>Current User:</td><td>


@ -6,7 +6,7 @@
<title>Login</title>
</head>
<body onload="document.f.j_username.focus();">
<body onload="document.f.username.focus();">
<h1>Login</h1>
<p>Valid users:
@ -31,10 +31,10 @@
</font>
</c:if>
<form name="f" action="<c:url value='j_spring_security_check'/>" method="POST">
<form name="f" action="<c:url value='login'/>" method="POST">
<table>
<tr><td>User:</td><td><input type='text' name='j_username' value='<c:if test="${not empty param.login_error}"><c:out value="${SPRING_SECURITY_LAST_USERNAME}"/></c:if>'/></td></tr>
<tr><td>Password:</td><td><input type='password' name='j_password'></td></tr>
<tr><td>User:</td><td><input type='text' name='username' value='<c:if test="${not empty param.login_error}"><c:out value="${SPRING_SECURITY_LAST_USERNAME}"/></c:if>'/></td></tr>
<tr><td>Password:</td><td><input type='password' name='password'></td></tr>
<tr><td><input type="checkbox" name="_spring_security_remember_me"></td><td>Don't ask for my password for two weeks</td></tr>
<tr><td colspan='2'><input name="submit" type="submit"></td></tr>
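Review bot: The login form at L1904 still posts without a CSRF field, while the switch-user form in the same sample (L1925) sends `${_csrf.parameterName}`/`${_csrf.token}`; if CSRF protection is active for this `<http>`, `POST /login` is rejected before the form-login filter sees it. Adding the same hidden input here, `<input type="hidden" name="<c:out value="${_csrf.parameterName}"/>" value="<c:out value="${_csrf.token}"/>"/>`, keeps the two forms consistent. The `<c:out>` around `SPRING_SECURITY_LAST_USERNAME` at L1908 is correctly retained. The form continues past the end of the hunk.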


@ -30,9 +30,9 @@
</p>
</c:if>
<form action="<c:url value='j_spring_security_switch_user'/>" method="POST">
<form action="<c:url value='login/impersonate'/>" method="POST">
<table>
<tr><td>User:</td><td><input type='text' name='j_username'></td></tr>
<tr><td>User:</td><td><input type='text' name='username'></td></tr>
<tr><td colspan='2'><input name="switch" type="submit" value="Switch to User"></td></tr>
</table>
<input type="hidden" name="<c:out value="${_csrf.parameterName}"/>" value="<c:out value="${_csrf.token}"/>"/>


@ -73,7 +73,7 @@ TROUBLESHOOTING
load the Acegi Security webapp, get redirected to the CAS server, then
after login they get redirected back to the Acegi Security webapp and
receive a failure. This is because the CAS server redirects to something
like https://server3.company.com/webapp/j_spring_cas_security_check?ticket=ST-0-ER94xMJmn6pha35CQRoZ
like https://server3.company.com/webapp/login/cas?ticket=ST-0-ER94xMJmn6pha35CQRoZ
which causes the "service ticket" (the "ticket" parameter) to be validated.
net.sf.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator
performs service ticket validation by delegation to CAS'


@ -22,10 +22,10 @@
You have been logged out.
</div>
</c:if>
<label for="j_username">Username</label>
<input type="text" id="j_username" name="username" value="${username}"/>
<label for="j_password">Password</label>
<input type="password" id="j_password" name="password"/>
<label for="username">Username</label>
<input type="text" id="username" name="username" value="${username}"/>
<label for="password">Password</label>
<input type="password" id="password" name="password"/>
<div class="form-actions">
<button type="submit" class="btn">Log in</button>
</div>
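Review bot: `value="${username}"` at L1950 is raw EL, and this file uses JSTL (`</c:if>` at L1944), so if `username` is the previously submitted user name it is echoed unescaped into the attribute; `value="<c:out value='${username}'/>"` escapes it. I cannot see where `username` is set, so this may be harmless if the value is server-controlled. The surrounding form starts before the hunk.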


@ -0,0 +1,16 @@
apply from: WAR_SAMPLE_GRADLE
dependencies {
providedCompile "javax.servlet:javax.servlet-api:3.0.1",
'javax.servlet.jsp:jsp-api:2.1'
compile project(":spring-security-config"),
project(":spring-security-web"),
jstlDependencies,
"org.slf4j:jcl-over-slf4j:$slf4jVersion"
runtime "ch.qos.logback:logback-classic:$logbackVersion"
integrationTestCompile gebDependencies
}


@ -0,0 +1,203 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-helloworld-jc</artifactId>
<version>4.0.0.CI-SNAPSHOT</version>
<packaging>war</packaging>
<name>spring-security-samples-helloworld-jc</name>
<description>spring-security-samples-helloworld-jc</description>
<url>http://spring.io/spring-security</url>
<organization>
<name>spring.io</name>
<url>http://spring.io/</url>
</organization>
<licenses>
<license>
<name>The Apache Software License, Version 2.0</name>
<url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
<distribution>repo</distribution>
</license>
</licenses>
<developers>
<developer>
<id>rwinch</id>
<name>Rob Winch</name>
<email>rwinch@gopivotal.com</email>
</developer>
</developers>
<scm>
<connection>scm:git:git://github.com/spring-projects/spring-security</connection>
<developerConnection>scm:git:git://github.com/spring-projects/spring-security</developerConnection>
<url>https://github.com/spring-projects/spring-security</url>
</scm>
<build>
<plugins>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.7</source>
<target>1.7</target>
</configuration>
</plugin>
<plugin>
<artifactId>maven-war-plugin</artifactId>
<version>2.3</version>
<configuration>
<failOnMissingWebXml>false</failOnMissingWebXml>
</configuration>
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
<artifactId>javax.servlet.jsp.jstl-api</artifactId>
<version>1.2.1</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.apache.taglibs</groupId>
<artifactId>taglibs-standard-jstlel</artifactId>
<version>1.2.1</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>1.7.5</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.0.0.CI-SNAPSHOT</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.0.CI-SNAPSHOT</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>4.1.0.RC2</version>
<scope>compile</scope>
<exclusions>
<exclusion>
<artifactId>commons-logging</artifactId>
<groupId>commons-logging</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.1.1</version>
<scope>compile</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
<version>2.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>0.9.29</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>commons-httpclient</groupId>
<artifactId>commons-httpclient</artifactId>
<version>3.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.codehaus.groovy</groupId>
<artifactId>groovy</artifactId>
<version>2.0.5</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.easytesting</groupId>
<artifactId>fest-assert</artifactId>
<version>1.4</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.gebish</groupId>
<artifactId>geb-spock</artifactId>
<version>0.9.0</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.9.5</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.seleniumhq.selenium</groupId>
<artifactId>selenium-htmlunit-driver</artifactId>
<version>2.33.0</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.spockframework</groupId>
<artifactId>spock-core</artifactId>
<version>0.7-groovy-2.0</version>
<scope>test</scope>
<exclusions>
<exclusion>
<artifactId>junit-dep</artifactId>
<groupId>junit</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.spockframework</groupId>
<artifactId>spock-spring</artifactId>
<version>0.7-groovy-2.0</version>
<scope>test</scope>
<exclusions>
<exclusion>
<artifactId>junit-dep</artifactId>
<groupId>junit</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<version>4.1.0.RC2</version>
<scope>test</scope>
</dependency>
</dependencies>
<properties>
<m2eclipse.wtp.contextRoot>/sample</m2eclipse.wtp.contextRoot>
</properties>
</project>


@ -0,0 +1,57 @@
/*
* Copyright 2011 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.samples
import geb.spock.*
import org.junit.Ignore
import spock.lang.Shared
import spock.lang.Stepwise
import org.springframework.security.samples.pages.*
/**
* Tests the CAS sample application using service tickets.
*
* @author Rob Winch
*/
@Stepwise
class HelloWorldXmlTests extends GebReportingSpec {
def 'access home page with unauthenticated user sends to login page'() {
when: 'Unauthenticated user accesses the Home Page'
via HomePage
then: 'The login page is displayed'
at LoginPage
}
def 'authenticated user is sent to original page'() {
when: 'user authenticates'
login()
then: 'The home page is displayed'
at HomePage
and: 'The username is displayed'
message == 'Hello user'
}
def 'authenticated user logs out'() {
when: 'user logs out'
logout()
then: 'the login page is displayed'
at LoginPage
when: 'Unauthenticated user accesses the Home Page'
via HomePage
then: 'The login page is displayed'
at LoginPage
}
}
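Review bot: The class Javadoc at L2204 says "Tests the CAS sample application using service tickets", which is copied from another sample; this class drives the hello-world XML sample, so something like `Tests the helloworld-xml sample: an unauthenticated request is redirected to the login page, and login/logout round-trip through the default URLs.` fits. The imports `org.junit.Ignore` (L2199) and `spock.lang.Shared` (L2200) are unused and can be dropped. The `Copyright 2011` header on a file created in 2014 looks copied as well.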


@ -0,0 +1,32 @@
/*
* Copyright 2011 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.samples.pages;
import geb.*
/**
* The home page
*
* @author Rob Winch
*/
class HomePage extends Page {
static url = ''
static at = { assert driver.title == 'Hello Security'; true}
static content = {
message { $('p').text() }
logout { $('input', type: 'submit').click() }
}
}


@ -0,0 +1,37 @@
/*
* Copyright 2011 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.samples.pages;
import geb.*
/**
* The login page.
*
* @author Rob Winch
*/
class LoginPage extends Page {
static url = 'login'
static at = { assert driver.title == 'Login Page'; true}
static content = {
login(required:false) { user='user', password='password' ->
loginForm.username = user
loginForm.password = password
submit.click()
}
loginForm { $('form') }
submit { $('input', type: 'submit') }
}
}


@ -0,0 +1,2 @@
Manifest-Version: 1.0


@ -0,0 +1,11 @@
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<http />
<user-service>
<user name="user" password="password" authorities="ROLE_USER" />
</user-service>
</b:beans>
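Review bot: `<http />` at L2322 relies entirely on namespace defaults, and the sample's pages and tests assume those defaults (`login` as the LoginPage URL at L2296, the `/logout` form action at L2394), but nothing in this file says so. A short comment makes the sample self-explanatory, e.g. `<!-- Relies on <http> defaults: form login at /login and logout at /logout, as exercised by HelloWorldXmlTests -->`. I cannot confirm the remaining defaults from this hunk, so the comment should state only what the tests in this commit actually exercise.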


@ -0,0 +1,36 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<!--
- Location of the XML file that defines the root application context
- Applied by ContextLoaderListener.
-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/*.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
- Loads the root application context of this web app at startup.
- The application context is then available via
- WebApplicationContextUtils.getWebApplicationContext(servletContext).
-->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
</web-app>


@ -0,0 +1,38 @@
<?xml version="1.0" encoding="UTF-8" ?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
xmlns:c="http://java.sun.com/jsp/jstl/core" version="2.0">
<jsp:directive.page contentType="text/html" pageEncoding="UTF-8" />
<jsp:output omit-xml-declaration="true" />
<jsp:output doctype-root-element="HTML"
doctype-system="about:legacy-compat" />
<html lang="en">
<head>
<title>Hello Security</title>
<c:url var="faviconUrl" value="/resources/img/favicon.ico"/>
<link rel="icon" type="image/x-icon" href="${faviconUrl}"/>
<c:url var="bootstrapUrl" value="/resources/css/bootstrap.css"/>
<link href="${bootstrapUrl}" rel="stylesheet"></link>
<c:url var="bootstrapResponsiveUrl" value="/resources/css/bootstrap-responsive.css"/>
<link href="${bootstrapResponsiveUrl}" rel="stylesheet"></link>
<!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
<!--[if lt IE 9]>
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
<body>
<div class="container">
<h1>This is secured!</h1>
<p>
Hello <b><c:out value="${pageContext.request.remoteUser}"/></b>
</p>
<c:url var="logoutUrl" value="/logout"/>
<form class="form-inline" action="${logoutUrl}" method="post">
<input type="submit" value="Log out" />
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</div>
</body>
</html>
</jsp:root>
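Review bot: The HTML5 shim at L2385 is pulled from a third-party host over plain `http://`; when the sample is served over HTTPS this is mixed content, and in any case the script is fetched unauthenticated with no integrity check. Serve it from `/resources` alongside the bootstrap files already referenced at L2379-L2381, or at least use an `https://` URL. The logout form at L2394-L2398 correctly uses POST with the CSRF hidden field, and `c:out` on `remoteUser` at L2392 is right.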










@ -52,7 +52,7 @@ class JaasXmlTests extends GebReportingSpec {
when: 'user logs out'
logout()
then: 'the default logout success page is displayed'
at HomePage
at LogoutPage
when: 'Unauthenticated user accesses the Secure Page'
via SecurePage
then: 'The login page is displayed'


@ -27,8 +27,8 @@ class LoginPage extends Page {
static at = { assert driver.title == 'Login Page'; true}
static content = {
login(required:false) { user='user', password='user' ->
loginForm.j_username = user
loginForm.j_password = password
loginForm.username = user
loginForm.password = password
submit.click()
}
loginForm { $('form') }


@ -0,0 +1,28 @@
/*
* Copyright 2011 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.samples.pages
import geb.Page
/**
* The login page.
*
* @author Rob Winch
*/
class LogoutPage extends LoginPage {
static url = 'login'
static at = { assert driver.title == 'Login Page' && $('p').text() == 'You have been logged out'; true}
}
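Review bot: The Javadoc at L2467 reads "The login page." for a class that models the post-logout state; `The login page as shown after a successful logout (title 'Login Page' plus the 'You have been logged out' message).` describes what the `at` check at L2473 actually verifies. `import geb.Page` at L2465 is unused since the class extends `LoginPage`. The ldap sample's LogoutPage added in this commit (L2612-L2637) carries the same copied Javadoc.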


@ -1,52 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">
<sec:http auto-config="true" use-expressions="true" jaas-api-provision="true">
<sec:intercept-url pattern="/secure/**" access="isAuthenticated()"/>
</sec:http>
<sec:authentication-manager>
<sec:authentication-provider ref="jaasAuthProvider"/>
</sec:authentication-manager>
<sec:http auto-config="true" jaas-api-provision="true">
<sec:intercept-url pattern="/secure/**" access="isAuthenticated()"/>
</sec:http>
<bean id="jaasAuthProvider"
class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
<property name="configuration">
<bean
class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
<constructor-arg>
<map>
<entry key="SPRINGSECURITY">
<array>
<bean class="javax.security.auth.login.AppConfigurationEntry">
<constructor-arg
value="samples.jaas.UsernameEqualsPasswordLoginModule" />
<constructor-arg>
<util:constant
static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" />
</constructor-arg>
<constructor-arg>
<map></map>
</constructor-arg>
</bean>
</array>
</entry>
</map>
</constructor-arg>
</bean>
</property>
<property name="authorityGranters">
<list>
<bean class="samples.jaas.RoleUserAuthorityGranter" />
</list>
</property>
</bean>
<sec:authentication-manager>
<sec:authentication-provider ref="jaasAuthProvider"/>
</sec:authentication-manager>
<bean id="jaasAuthProvider"
class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
<property name="configuration">
<bean
class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
<constructor-arg>
<map>
<entry key="SPRINGSECURITY">
<array>
<bean class="javax.security.auth.login.AppConfigurationEntry">
<constructor-arg
value="samples.jaas.UsernameEqualsPasswordLoginModule" />
<constructor-arg>
<util:constant
static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" />
</constructor-arg>
<constructor-arg>
<map></map>
</constructor-arg>
</bean>
</array>
</entry>
</map>
</constructor-arg>
</bean>
</property>
<property name="authorityGranters">
<list>
<bean class="samples.jaas.RoleUserAuthorityGranter" />
</list>
</property>
</bean>
</beans>
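Review bot: The only behavioural change in this file is dropping `use-expressions="true"` from `<sec:http>` (L2495 becomes L2501), but it is buried under a re-indentation of the whole bean definition (L2488-L2570), so a reviewer cannot see at a glance whether the JAAS provider wiring changed. Keeping whitespace-only changes in a separate commit, or leaving the `jaasAuthProvider` bean block untouched, would make the intent reviewable.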


@ -49,7 +49,7 @@
<% }
%>
<form action="<c:url value="/j_spring_security_logout"/>" method="post">
<form action="<c:url value="/logout"/>" method="post">
<input type="submit" value="Log Out"/>
<sec:csrfInput/>
</form>


@ -51,7 +51,7 @@ class LdapXmlTests extends GebReportingSpec {
when: 'user logs out'
logout.click()
then: 'the default logout success page is displayed'
at HomePage
at LogoutPage
when: 'Unauthenticated user accesses the Manage Page'
via SecurePage
then: 'The login page is displayed'


@ -27,8 +27,8 @@ class LoginPage extends Page {
static at = { assert driver.title == 'Login Page'; true}
static content = {
login(required:false) { user='rod', password='koala' ->
loginForm.j_username = user
loginForm.j_password = password
loginForm.username = user
loginForm.password = password
submit.click()
}
loginForm { $('form') }


@ -0,0 +1,25 @@
/*
* Copyright 2011 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.samples.pages
/**
* The login page.
*
* @author Rob Winch
*/
class LogoutPage extends LoginPage {
static url = 'login'
static at = { assert driver.title == 'Login Page' && $('p').text() == 'You have been logged out'; true}
}


@ -5,9 +5,9 @@
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<s:http>
<s:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
<s:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
<s:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<s:intercept-url pattern="/secure/extreme/**" access="hasRole('ROLE_SUPERVISOR')"/>
<s:intercept-url pattern="/secure/**" access="authenticated" />
<s:intercept-url pattern="/**" access="permitAll" />
<s:form-login />
<s:anonymous />
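Review bot: The translation at L2647-L2649 is equivalent only because the `authenticated` expression accepts remember-me authentications, as `IS_AUTHENTICATED_REMEMBERED` did; someone later tightening the rule may reach for `fullyAuthenticated` without realising it changes behaviour for remember-me sessions. A comment on L2648 records the intent: `<!-- 'authenticated' includes remember-me sessions (formerly IS_AUTHENTICATED_REMEMBERED); use fullyAuthenticated to exclude them -->`. The `<s:http>` element continues past the hunk.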


@ -7,7 +7,7 @@
This is a protected page. You can only see me if you are a supervisor.
<p><a href="../../">Home</a>
<form action="<c:url value="/j_spring_security_logout"/>" method="post">
<form action="<c:url value="/logout"/>" method="post">
<input type="submit" value="Logoff"/>
<security:csrfInput/>
</form>


@ -13,7 +13,7 @@ or if you've authenticated this session.<br><br>
<p><a href="../">Home</a>
<form action="<c:url value="/j_spring_security_logout"/>" method="post">
<form action="<c:url value="/logout"/>" method="post">
<input type="submit" value="Logoff"/> (also clears any remember-me cookie)
<security:csrfInput/>
</form>


@ -16,7 +16,7 @@
<http pattern="/js/*" security="none" />
<http>
<intercept-url pattern="/**" access="ROLE_USER"/>
<intercept-url pattern="/**" access="authenticated"/>
<logout/>
<openid-login login-page="/openidlogin.jsp" user-service-ref="registeringUserService"
authentication-failure-url="/openidlogin.jsp?login_error=true">
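Review bot: `access="ROLE_USER"` at L2679 becomes `access="authenticated"` at L2680, which is not a straight translation: any non-anonymous principal now passes, whereas before the authority `ROLE_USER` was required. If the intent was only to switch to expression syntax, `access="hasRole('ROLE_USER')"` preserves the original check; if the loosening is deliberate (for example because `registeringUserService` grants every OpenID user `ROLE_USER` anyway, which I cannot see here), a comment on the line should say so. The `<http>` element continues past the hunk.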


@ -21,6 +21,6 @@ by the application and will be recognized if you return.
<p>
Your principal object is....: <%= request.getUserPrincipal() %>
</p>
<p><a href="j_spring_security_logout">Logout</a>
<p><a href="logout">Logout</a>
</body>
</html>
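Review bot: The renamed link `<p><a href="logout">Logout</a>` is still a plain GET, while the other samples in this commit submit logout as a POST form with `<security:csrfInput/>`. When CSRF protection is enabled, the logout filter only matches a POST to `/logout`, so this link would no longer end the session; the same GET-link pattern appears in the `../../logout` and `../logout` sections below. If this sample's configuration (outside the hunk) disables CSRF the link works, otherwise `<form action="logout" method="post"><security:csrfInput/><input type="submit" value="Logout"/></form>` would match the other samples.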


@ -36,7 +36,7 @@
</c:if>
<!-- Simple OpenID Selector -->
<form action="<c:url value='j_spring_openid_security_check'/>" method="post" id="openid_form">
<form action="<c:url value='login/openid'/>" method="post" id="openid_form">
<input type="hidden" name="action" value="verify" />
<fieldset>


@ -13,10 +13,10 @@
<div th:if="${param.logout}" class="alert alert-success">
You have been logged out.
</div>
<label for="j_username">Username</label>
<input type="text" id="j_username" name="j_username"/>
<label for="j_password">Password</label>
<input type="password" id="j_password" name="j_password"/>
<label for="username">Username</label>
<input type="text" id="username" name="username"/>
<label for="password">Password</label>
<input type="password" id="password" name="password"/>
<div class="form-actions">
<button type="submit" class="btn">Log in</button>
</div>


@ -5,6 +5,6 @@
This is a protected page. You can only see me if you are a supervisor.
<p><a href="../../">Home</a>
<p><a href="../../j_spring_security_logout">Logout</a>
<p><a href="../../logout">Logout</a>
</body>
</html>


@ -10,6 +10,6 @@ or if you've authenticated this session.<br><br>
<p><a href="../">Home</a>
<p><a href="../j_spring_security_logout">Logout</a>
<p><a href="../logout">Logout</a>
</body>
</html>


@ -8,7 +8,7 @@
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">
<http auto-config="true" use-expressions="true">
<http auto-config="true">
<intercept-url pattern="/**" access="permitAll"/>
</http>

