Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-1152: Changes to add anonymous filter to default namespace configuration and added enabled flag to allow overriding of the behaviour.

This commit is contained in:
Luke Taylor 2009-05-05 07:23:31 +00:00
parent 331a04c07c
commit cef089376c
4 changed files with 1627 additions and 1584 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
View File

@ -204,7 +204,8 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
boolean autoConfig = "true".equals(element.getAttribute(ATT_AUTO_CONFIG)); boolean autoConfig = "true".equals(element.getAttribute(ATT_AUTO_CONFIG));
Element anonymousElt = DomUtils.getChildElementByTagName(element, Elements.ANONYMOUS); Element anonymousElt = DomUtils.getChildElementByTagName(element, Elements.ANONYMOUS);
if (anonymousElt != null || autoConfig) {
if (anonymousElt == null || !"false".equals(anonymousElt.getAttribute("enabled"))) {
new AnonymousBeanDefinitionParser().parse(anonymousElt, parserContext); new AnonymousBeanDefinitionParser().parse(anonymousElt, parserContext);
} }

4
config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
View File

@ -429,6 +429,10 @@ anonymous.attlist &=
anonymous.attlist &= anonymous.attlist &=
## The granted authority that should be assigned to the anonymous request. Commonly this is used to assign the anonymous request particular roles, which can subsequently be used in authorization decisions. If unset, defaults to "ROLE_ANONYMOUS". ## The granted authority that should be assigned to the anonymous request. Commonly this is used to assign the anonymous request particular roles, which can subsequently be used in authorization decisions. If unset, defaults to "ROLE_ANONYMOUS".
attribute granted-authority {xsd:token}? attribute granted-authority {xsd:token}?
anonymous.attlist &=
## With the default namespace setup, the anonymous "authentication" facility is automatically enabled. You can disable it using this property.
attribute enabled {boolean}?
port-mappings = port-mappings =
## Defines the list of mappings between http and https ports for use in redirects ## Defines the list of mappings between http and https ports for use in redirects

3176
config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
View File

File diff suppressed because it is too large Load Diff

28
config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
View File

@ -1,6 +1,7 @@
package org.springframework.security.config; package org.springframework.security.config;
import static org.junit.Assert.*; import static org.junit.Assert.*;
import static org.hamcrest.Matchers.*;
import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML; import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML;
import static org.springframework.security.config.HttpSecurityBeanDefinitionParser.*; import static org.springframework.security.config.HttpSecurityBeanDefinitionParser.*;
@ -122,15 +123,9 @@ public class HttpSecurityBeanDefinitionParserTests {
assertTrue(filters.next() instanceof LogoutFilter); assertTrue(filters.next() instanceof LogoutFilter);
Object authProcFilter = filters.next(); Object authProcFilter = filters.next();
assertTrue(authProcFilter instanceof AuthenticationProcessingFilter); assertTrue(authProcFilter instanceof AuthenticationProcessingFilter);
// Check RememberMeServices has been set on AuthenticationProcessingFilter
//Object rms = FieldUtils.getFieldValue(authProcFilter, "rememberMeServices");
//assertNotNull(rms);
//assertTrue(rms instanceof RememberMeServices);
//assertFalse(rms instanceof NullRememberMeServices);
assertTrue(filters.next() instanceof DefaultLoginPageGeneratingFilter); assertTrue(filters.next() instanceof DefaultLoginPageGeneratingFilter);
assertTrue(filters.next() instanceof BasicProcessingFilter); assertTrue(filters.next() instanceof BasicProcessingFilter);
assertTrue(filters.next() instanceof SecurityContextHolderAwareRequestFilter); assertTrue(filters.next() instanceof SecurityContextHolderAwareRequestFilter);
//assertTrue(filters.next() instanceof RememberMeProcessingFilter);
assertTrue(filters.next() instanceof AnonymousProcessingFilter); assertTrue(filters.next() instanceof AnonymousProcessingFilter);
assertTrue(filters.next() instanceof ExceptionTranslationFilter); assertTrue(filters.next() instanceof ExceptionTranslationFilter);
assertTrue(filters.next() instanceof SessionFixationProtectionFilter); assertTrue(filters.next() instanceof SessionFixationProtectionFilter);
@ -200,6 +195,27 @@ public class HttpSecurityBeanDefinitionParserTests {
assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(filter, "successHandler.alwaysUseDefaultTargetUrl")); assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(filter, "successHandler.alwaysUseDefaultTargetUrl"));
} }
// SEC-1152
@Test
public void anonymousFilterIsAddedByDefault() throws Exception {
setContext(
"<http>" +
" <form-login />" +
"</http>" + AUTH_PROVIDER_XML);
assertThat(getFilters("/anything").get(4), instanceOf(AnonymousProcessingFilter.class));
}
@Test
public void anonymousFilterIsRemovedIfDisabledFlagSet() throws Exception {
setContext(
"<http>" +
" <form-login />" +
" <anonymous enabled='false'/>" +
"</http>" + AUTH_PROVIDER_XML);
assertThat(getFilters("/anything").get(4), not(instanceOf(AnonymousProcessingFilter.class)));
}
@Test(expected=BeanCreationException.class) @Test(expected=BeanCreationException.class)
public void invalidLoginPageIsDetected() throws Exception { public void invalidLoginPageIsDetected() throws Exception {
setContext( setContext(