
SEC-1493: Added namespace support.

Luke Taylor 15 жил өмнө
parent
commit
cd946c4e23

+ 6 - 0
config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java

@@ -35,6 +35,7 @@ import org.w3c.dom.NodeList;
 public class AuthenticationManagerBeanDefinitionParser implements BeanDefinitionParser {
     private static final String ATT_ALIAS = "alias";
     private static final String ATT_REF = "ref";
+    private static final String ATT_ERASE_CREDENTIALS = "erase-credentials";
 
     public BeanDefinition parse(Element element, ParserContext pc) {
         Assert.state(!pc.getRegistry().containsBeanDefinition(BeanIds.AUTHENTICATION_MANAGER),
@@ -79,6 +80,11 @@ public class AuthenticationManagerBeanDefinitionParser implements BeanDefinition
         }
 
         providerManagerBldr.addPropertyValue("providers", providers);
+
+        if ("false".equals(element.getAttribute(ATT_ERASE_CREDENTIALS))) {
+            providerManagerBldr.addPropertyValue("eraseCredentialsAfterAuthentication", false);
+        }
+
         // Add the default event publisher
         BeanDefinition publisher = new RootBeanDefinition(DefaultAuthenticationEventPublisher.class);
         String id = pc.getReaderContext().generateBeanName(publisher);
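Review bot: The new guard `if ("false".equals(element.getAttribute(ATT_ERASE_CREDENTIALS)))` recognizes only the exact lowercase literal, while the attribute is declared with the schema's `security:boolean` type elsewhere in this commit; any other spelling or value that passes validation is silently ignored and erasing stays on. That fails safe, since credentials are still cleared, but a user who writes `erase-credentials="FALSE"` gets no feedback that the setting was dropped. A comment should record the intent, `// Erasing credentials is the secure default; only an explicit "false" turns it off.`, and if other values are meant to be rejected the parser could report them through `pc.getReaderContext().error(...)` instead of ignoring them. The enclosing `parse` method starts outside the hunk.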

+ 5 - 0
config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java

@@ -10,6 +10,7 @@ import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.BeanMetadataElement;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.BeanReference;
+import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
 import org.springframework.beans.factory.config.RuntimeBeanReference;
 import org.springframework.beans.factory.config.ConstructorArgumentValues.ValueHolder;
 import org.springframework.beans.factory.parsing.BeanComponentDefinition;
@@ -169,6 +170,10 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
         BeanDefinitionBuilder authManager = BeanDefinitionBuilder.rootBeanDefinition(ProviderManager.class);
         authManager.addPropertyValue("parent", new RootBeanDefinition(AuthenticationManagerFactoryBean.class));
         authManager.addPropertyValue("providers", authenticationProviders);
+        RootBeanDefinition clearCredentials = new RootBeanDefinition(MethodInvokingFactoryBean.class);
+        clearCredentials.getPropertyValues().addPropertyValue("targetObject", new RootBeanDefinition(AuthenticationManagerFactoryBean.class));
+        clearCredentials.getPropertyValues().addPropertyValue("targetMethod", "isEraseCredentialsAfterAuthentication");
+        authManager.addPropertyValue("eraseCredentialsAfterAuthentication", clearCredentials);
 
         if (concurrencyController != null) {
             authManager.addPropertyValue("sessionController", concurrencyController);

+ 3 - 0
config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc

@@ -572,6 +572,9 @@ authentication-manager =
 authman.attlist &=
     ## The alias you wish to use for the AuthenticationManager bean
     attribute alias {xsd:ID}?
+authman.attlist &=
+    ## If set to true, the AuthenticationManger will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated.
+    attribute erase-credentials {boolean}?
 
 authentication-provider =
     ## Indicates that the contained user-service should be used as an authentication source.
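Review bot: The new attribute description misspells "AuthenticationManger" and only says what `true` does, without stating that `true` is the default; the same text is added to the `<xs:documentation>` element in the spring-security-3.1.xsd section below. Because the parser in this commit acts only on an explicit `false`, users need to know they are switching off a secure default when they set it, e.g. `## Whether the AuthenticationManager should attempt to clear credentials from the returned Authentication object once the user has been authenticated. Defaults to true.` Apply the same wording to the xsd.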

+ 5 - 0
config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd

@@ -1299,6 +1299,11 @@
         <xs:documentation>The alias you wish to use for the AuthenticationManager bean</xs:documentation>
       </xs:annotation>
     </xs:attribute>
+    <xs:attribute name="erase-credentials" type="security:boolean">
+      <xs:annotation>
+        <xs:documentation>If set to true, the AuthenticationManger will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated.</xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
   </xs:attributeGroup>
   
   <xs:attributeGroup name="ap.attlist">

+ 18 - 0
config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy

@@ -453,6 +453,24 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
         then: "App context creation and login request succeed"
         fcp.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
     }
+
+    def eraseCredentialsDefaultsToTrue() {
+        xml.http() {
+            'form-login'()
+        }
+        createAppContext()
+        expect:
+        getFilter(UsernamePasswordAuthenticationFilter).authenticationManager.eraseCredentialsAfterAuthentication == true
+    }
+
+    def eraseCredentialsIsSetFromParentAuthenticationManager() {
+        xml.http() {
+            'form-login'()
+        }
+        createAppContext("<authentication-manager erase-credentials='false' />");
+        expect:
+        getFilter(UsernamePasswordAuthenticationFilter).authenticationManager.eraseCredentialsAfterAuthentication == false
+    }
 }
 
 class MockEntryPoint extends LoginUrlAuthenticationEntryPoint {
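Review bot: The two new `expect:` blocks compare a boolean property with `== true` and `== false`, which is redundant in a Spock condition and reads less clearly than the bare expression. Write them as `getFilter(UsernamePasswordAuthenticationFilter).authenticationManager.eraseCredentialsAfterAuthentication` and `!getFilter(UsernamePasswordAuthenticationFilter).authenticationManager.eraseCredentialsAfterAuthentication`. A one-line comment on the second method noting that it checks inheritance of the flag from a parent `<authentication-manager>` would also help, since the test name is the only hint. The enclosing test class starts outside the hunk.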

+ 14 - 0
config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java

@@ -53,6 +53,20 @@ public class AuthenticationManagerBeanDefinitionParserTests {
         assertEquals(1, listener.events.size());
     }
 
+    @Test
+    public void credentialsAreClearedByDefault() throws Exception {
+        setContext(CONTEXT, "3.1");
+        ProviderManager pm = (ProviderManager) appContext.getBeansOfType(ProviderManager.class).values().toArray()[0];
+        assertTrue(pm.isEraseCredentialsAfterAuthentication());
+    }
+
+    @Test
+    public void clearCredentialsPropertyIsRespected() throws Exception {
+        setContext("<authentication-manager erase-credentials='false'/>", "3.1");
+        ProviderManager pm = (ProviderManager) appContext.getBeansOfType(ProviderManager.class).values().toArray()[0];
+        assertFalse(pm.isEraseCredentialsAfterAuthentication());
+    }
+
     private void setContext(String context, String version) {
         appContext = new InMemoryXmlApplicationContext(context, version, null);
     }
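Review bot: Both new tests select the manager with `getBeansOfType(ProviderManager.class).values().toArray()[0]`, so if the context ever contains more than one ProviderManager the assertion silently runs against whichever comes first and the default-erase check could pass for the wrong bean. The parser appears to register the manager under `BeanIds.AUTHENTICATION_MANAGER` (the parser asserts that id is free before registering), so look it up directly, `ProviderManager pm = appContext.getBean(BeanIds.AUTHENTICATION_MANAGER, ProviderManager.class);`, or assert the map has exactly one entry before indexing. The enclosing test class continues outside the hunk.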