
Bug-testing changes to heavyduty sample

Luke Taylor 17 жил өмнө
parent
commit
d95a5597c8

+ 9 - 3
sandbox/heavyduty/pom.xml

@@ -4,7 +4,7 @@
     <artifactId>spring-security-heavyduty</artifactId>
     <name>Spring Security - Heavy Duty Sample</name>
     <packaging>war</packaging>
-    <version>2.0.0</version>
+    <version>2.0.2-SNAPSHOT</version>
     <dependencies>
         <dependency>
             <groupId>org.springframework.security</groupId>
@@ -58,6 +58,12 @@
             <scope>runtime</scope>
             <version>${spring.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.freemarker</groupId>
+            <artifactId>freemarker</artifactId>
+            <scope>runtime</scope>
+            <version>2.3.12</version>
+        </dependency>        
 	    <dependency>
 	      <groupId>hsqldb</groupId>
 	      <artifactId>hsqldb</artifactId>
@@ -160,7 +166,7 @@
     </build>
     <properties>        
         <spring.version>2.5.4</spring.version>
-        <spring.security.version>2.0.1-SNAPSHOT</spring.security.version>
+        <spring.security.version>2.0.2-SNAPSHOT</spring.security.version>
     </properties>
 
-</project>
+</project>

+ 1 - 7
sandbox/heavyduty/src/main/java/bigbank/web/ListAccounts.java

@@ -3,7 +3,6 @@ package bigbank.web;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.security.AuthenticationCredentialsNotFoundException;
 import org.springframework.util.Assert;
 import org.springframework.web.servlet.ModelAndView;
 import org.springframework.web.servlet.mvc.Controller;
@@ -19,12 +18,7 @@ public class ListAccounts implements Controller {
 		this.bankService = bankService;
 	}
 
-	public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
-		// Security check (this is unnecessary if Spring Security is performing the authorization)
-//		if (request.getUserPrincipal() == null) {
-//			throw new AuthenticationCredentialsNotFoundException("You must login to view the account list (Spring Security message)"); // only for Spring Security managed authentication
-//		}
-		
+	public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {		
 		// Actual business logic
 		ModelAndView mav = new ModelAndView("listAccounts");
 		mav.addObject("accounts", bankService.findAccounts());
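Review bot: With the commented-out principal check and its explanatory comment removed, nothing in `handleRequest` says where authorization for `bankService.findAccounts()` is enforced. The same commit comments out `<global-method-security>` in appContext-security.xml, so protection presumably now depends on `bankServiceSecurityInterceptor` being applied to the service bean, which these lines do not show. I would add a comment above the business logic such as `// Authorization is enforced on BankService by method security; this controller performs no check of its own`. The method body continues past the end of the hunk.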

+ 0 - 1
sandbox/heavyduty/src/main/java/bigbank/web/PostAccounts.java

@@ -3,7 +3,6 @@ package bigbank.web;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.security.AccessDeniedException;
 import org.springframework.util.Assert;
 import org.springframework.web.bind.ServletRequestUtils;
 import org.springframework.web.servlet.ModelAndView;

+ 16 - 1
sandbox/heavyduty/src/main/webapp/WEB-INF/appContext-misc.xml

@@ -10,8 +10,10 @@
 <beans xmlns="http://www.springframework.org/schema/beans"
     xmlns:sec="http://www.springframework.org/schema/security"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:util="http://www.springframework.org/schema/util"
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
-                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd
+                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.5.xsd">
 
     <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
         <property name="decisionVoters">
@@ -45,6 +47,19 @@
     <bean id="basicProcessingFilterEntryPoint" class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
         <property name="realmName"><value>My Realm</value></property>
     </bean>
+    
+	<bean id="bankServiceSecurityInterceptor"
+	    class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
+	  <property name="authenticationManager" ref="authenticationManager"/>
+	  <property name="accessDecisionManager" ref="accessDecisionManager"/>
+	  <!-- property name="afterInvocationManager" ref="afterInvocationManager"/ -->
+	  <property name="objectDefinitionSource">
+	    <value>
+	        bigbank.BankService.post*=ROLE_SUPERVISOR
+	        bigbank.BankService.find*=ROLE_SUPERVISOR
+	    </value>
+	  </property>
+    </bean>
 
 </beans>
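Review bot: `bankServiceSecurityInterceptor` is declared, but nothing in this hunk attaches it to the `bankService` bean, and a `MethodSecurityInterceptor` that is not in a proxy's interceptor chain enforces nothing. Unless the wiring exists outside the visible lines (for example a `ProxyFactoryBean` or `BeanNameAutoProxyCreator` naming it in `interceptorNames`), the `post*` and `find*` rules are never evaluated. Both rules require `ROLE_SUPERVISOR`, whereas the commented-out URL rule for `/post.html` in appContext-security.xml used `ROLE_TELLER`; a comment stating that this is deliberate for the test would help. The added `xmlns:util` namespace is not used by any element shown here.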
                         

+ 1 - 3
sandbox/heavyduty/src/main/webapp/WEB-INF/appContext-persistence.xml

@@ -15,9 +15,7 @@
     http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd">
   
   <bean id="AllPropertiesConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
-    <property name="location">
-      <value>classpath:jdbc.properties</value>
-    </property>
+    <property name="location" value="classpath:jdbc.properties"/>
   </bean>
 
   <tx:annotation-driven transaction-manager="transactionManager" />

+ 43 - 18
sandbox/heavyduty/src/main/webapp/WEB-INF/appContext-security.xml

@@ -10,45 +10,70 @@
     xmlns:b="http://www.springframework.org/schema/beans"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
-                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.2.xsd">
 
     <b:import resource="appContext-misc.xml"/>
     
-	<global-method-security secured-annotations="enabled"/>		
-
-    <http entry-point-ref='customEntryPoint'>
+	<!-- global-method-security secured-annotations="enabled" access-decision-manager-ref="methodAccessMgr"/ -->
+	
+	<b:bean id="methodAccessmanager" class="org.springframework.security.vote.AffirmativeBased">
+	   <b:property name="decisionVoters">
+	       <b:list>
+	           <b:bean class="sample.TestVoter"/>
+	       </b:list>
+	   </b:property>
+	</b:bean>
+    
+    <!-- http entry-point-ref='customEntryPoint'-->
+    <http>
         <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
-        <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
+        <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
+        <intercept-url pattern="/testMulti.htm*" access="IS_AUTHENTICATED_FULLY" />        
 		<!-- Disable web URI authorization, as we're using <global-method-security> and have @Secured the services layer instead
         <intercept-url pattern="/listAccounts.html" access="IS_AUTHENTICATED_REMEMBERED" />
         <intercept-url pattern="/post.html" access="ROLE_TELLER" />
         -->
         <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
 <!--
-    Uncomment to enable X509 client authentication support -->
-        <x509 user-service-ref="daoUserService"/> 
-
-
-        <!-- All of this is unnecessary if auto-config="true" -->
-        <form-login default-target-url="/secure/index.jsp" always-use-default-target="true"/>
+    Uncomment to enable X509 client authentication support
+        <x509 user-service-ref="daoUserService"/>
+-->
+        <!-- form-login default-target-url="/secure/index.jsp" login-page="/login.jsp" authentication-failure-url="/login.jsp?login-error=1" always-use-default-target="false"/-->
         <anonymous />
-        <!-- http-basic / -->
-        <logout />
+        <http-basic />
+        <logout />
+        <remember-me key='doesntmatter' token-repository-ref='tokenRepo' user-service-ref='daoUserService'/>
 <!--          <remember-me user-service-ref="daoUserService"/> -->
 
         <!-- Uncomment to limit the number of sessions a user can have -->
-        <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
+        <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" session-registry-ref='sessionRegistry'/>
+        
     </http>
+
+    <authentication-manager alias="authenticationManager" />
     
-    <authentication-manager alias="authenticationManager"/> 
+    <b:bean id='tokenRepo' class='org.springframework.security.ui.rememberme.InMemoryTokenRepositoryImpl'/>    
     
+    <!-- Traditional Session Control Beans -->
+<!--     
+    <b:bean id='sessionControlFilter' class="org.springframework.security.concurrent.ConcurrentSessionFilter">
+        <custom-filter position="CONCURRENT_SESSION_FILTER"/>
+        <b:property name="sessionRegistry" ref='sessionRegistry'/>
+    </b:bean>
+    
+    <b:bean id='sessionController' class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
+        <b:property name='sessionRegistry' ref='sessionRegistry'/>
+    </b:bean>
+ -->    
+    <b:bean id='sessionRegistry' class="org.springframework.security.concurrent.SessionRegistryImpl"/>
+<!-- 
     <b:bean id="customAuthFilter" class="heavyduty.security.ui.HeavyDutyAuthenticationProcessingFilter">
-        <custom-filter after="AUTHENTICATION_PROCESSING_FILTER"/>
+        <custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
         <b:property name="defaultTargetUrl" value="/"/>
         <b:property name="authenticationManager" ref="authenticationManager"/>
     </b:bean>
-    
-    <b:bean id="customEntryPoint" class="heavyduty.security.ui.HeavyDutyEntryPoint">
+ -->    
+    <b:bean id="customEntryPoint" class="heavyduty.security.ui.HeavyDutyEntryPoint"> 
         <b:property name="loginFormUrl" value="/login.jsp"/>
     </b:bean>
 <!--     
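Review bot: The comment kept inside `<http>` still says URL authorization is disabled because `<global-method-security>` and `@Secured` protect the services layer, but this commit comments `<global-method-security>` out. From the visible lines nothing enables the `@Secured` annotations any more, and every URL outside `/secure/**` and `/testMulti.htm*` falls through to `IS_AUTHENTICATED_ANONYMOUSLY`. If that is intended for bug testing, the comment should say so, e.g. `<!-- method security is switched off for testing: @Secured on the services layer is NOT enforced -->`. The new bean id `methodAccessmanager` also does not match the `methodAccessMgr` reference in the commented-out element, so re-enabling that line as written would not resolve. The hunk ends inside an open comment, so the rest of the file is not visible here.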

+ 0 - 20
sandbox/heavyduty/src/main/webapp/WEB-INF/bank-servlet.xml

@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<beans xmlns="http://www.springframework.org/schema/beans"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
-
-	<bean name="/listAccounts.html" class="bigbank.web.ListAccounts">
-		<constructor-arg ref="bankService"/>
-	</bean>
-	
-	<bean name="/post.html" class="bigbank.web.PostAccounts">
-		<constructor-arg ref="bankService"/>
-	</bean>
-	
-	<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
-		<property name="prefix" value="/WEB-INF/jsp/"/>
-		<property name="suffix" value=".jsp"/>
-	</bean>
-
-</beans>

+ 34 - 0
sandbox/heavyduty/src/main/webapp/WEB-INF/heavyduty-servlet.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
+
+	<bean name="testMultiController" class="heavyduty.web.TestMultiActionController">
+	   <property name="methodNameResolver">
+	       <bean class="org.springframework.web.servlet.mvc.multiaction.ParameterMethodNameResolver"/>
+	   </property>
+	</bean>
+<!-- 	
+	<bean name="/post.html" class="bigbank.web.PostAccounts">
+		<constructor-arg ref="bankService"/>
+	</bean>
+ -->
+	<bean id="freemarkerConfig" class="org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer">
+	  <property name="templateLoaderPath" value="/WEB-INF/freemarker/"/>
+	</bean>
+	
+	<bean id="viewResolver" class="org.springframework.web.servlet.view.freemarker.FreeMarkerViewResolver">
+		<property name="prefix" value=""/>
+		<property name="suffix" value=".ftl"/>
+	</bean>
+
+    <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
+        <property name="mappings">
+            <value>
+                **/testMulti.htm=testMultiController
+            </value>
+        </property>
+    </bean>
+
+</beans>
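Review bot: The handler mapping `**/testMulti.htm=testMultiController` matches the controller at any path depth, while the access rule added in appContext-security.xml covers only `/testMulti.htm*`. A request reaching the same controller under another directory would therefore be evaluated against `/secure/**` or the catch-all `/**` rule (`IS_AUTHENTICATED_ANONYMOUSLY`) rather than `IS_AUTHENTICATED_FULLY`. Narrowing the mapping to `/testMulti.htm=testMultiController`, or widening the rule to `/**/testMulti.htm*`, keeps the two in step. Since `ParameterMethodNameResolver` selects the handler method from a request parameter, a comment on the controller bean noting that every public handler method is reachable this way would also be useful.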

+ 3 - 3
sandbox/heavyduty/src/main/webapp/WEB-INF/web.xml

@@ -64,14 +64,14 @@
 	- Provides core MVC application controller.
     -->
 	<servlet>
-		<servlet-name>bank</servlet-name>
+		<servlet-name>heavyduty</servlet-name>
 		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
 		<load-on-startup>1</load-on-startup>
 	</servlet>
 
 	<servlet-mapping>
-    	<servlet-name>bank</servlet-name>
-    	<url-pattern>*.html</url-pattern>
+    	<servlet-name>heavyduty</servlet-name>
+    	<url-pattern>*.htm</url-pattern>
  	</servlet-mapping>
 
      <welcome-file-list>

+ 4 - 4
sandbox/heavyduty/src/main/webapp/index.jsp

@@ -1,17 +1,17 @@
 <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
 <html>
 <body>
-<h1>Home Page</h1>
+<h1>HeavyDuty App Home Page</h1>
 <p>
 Anyone can view this page.
 </p>
-<p>
-If you're logged in, you can <a href="listAccounts.html">list accounts</a>.
+<p>
+Test multi-action controller <a href="testMulti.htm?action=step1">SEC-830</a>.
 </p>
 <p>
 Your principal object is....: <%= request.getUserPrincipal() %>
 </p>
-
+<h3>Restricted Pages ...</h3>
 <p><a href="secure/index.jsp">Secure page</a></p>
 <p><a href="secure/extreme/index.jsp">Extremely secure page</a></p>
 </body>