SEC-1584: Backport of namespace support for injecting custom HttpFirewall instance into FilterChainProxy.

core/convert_schema.sh

@@ -0,0 +1,11 @@
+#! /bin/sh
+
+pushd src/main/resources/org/springframework/security/config/
+
+echo "Converting rnc file to xsd ..."
+java -jar ~/bin/trang.jar spring-security-2.0.6.rnc spring-security-2.0.6.xsd
+
+echo "Applying XSL transformation to xsd ..."
+xsltproc --output spring-security-2.0.6.xsd spring-security.xsl spring-security-2.0.6.xsd
+
+popd

core/src/main/java/org/springframework/security/config/Elements.java

@@ -40,4 +40,5 @@ abstract class Elements {
     public static final String X509 = "x509";
     public static final String FILTER_INVOCATION_DEFINITION_SOURCE = "filter-invocation-definition-source";
     public static final String LDAP_PASSWORD_COMPARE = "password-compare";
+    public static final String HTTP_FIREWALL = "http-firewall";
 }

core/src/main/java/org/springframework/security/config/HttpFirewallBeanDefinitionParser.java

@@ -0,0 +1,31 @@
+package org.springframework.security.config;
+
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.springframework.beans.factory.xml.BeanDefinitionParser;
+import org.springframework.beans.factory.xml.ParserContext;
+import org.springframework.util.StringUtils;
+import org.w3c.dom.Element;
+
+/**
+ * Injects the supplied {@code HttpFirewall} bean reference into the {@code FilterChainProxy}.
+ *
+ * @author Luke Taylor
+ */
+public class HttpFirewallBeanDefinitionParser implements BeanDefinitionParser {
+
+    public BeanDefinition parse(Element element, ParserContext pc) {
+        String ref = element.getAttribute("ref");
+
+        if (!StringUtils.hasText(ref)) {
+            pc.getReaderContext().error("ref attribute is required", pc.extractSource(element));
+        }
+
+        BeanDefinitionBuilder injector = BeanDefinitionBuilder.rootBeanDefinition(HttpFirewallInjectionBeanPostProcessor.class);
+        injector.addConstructorArg(ref);
+
+        pc.getReaderContext().registerWithGeneratedName(injector.getBeanDefinition());
+
+        return null;
+    }
+}

core/src/main/java/org/springframework/security/config/HttpFirewallInjectionBeanPostProcessor.java

@@ -0,0 +1,40 @@
+package org.springframework.security.config;
+
+import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.BeanFactory;
+import org.springframework.beans.factory.BeanFactoryAware;
+import org.springframework.beans.factory.config.BeanPostProcessor;
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.security.config.BeanIds;
+import org.springframework.security.util.FilterChainProxy;
+import org.springframework.security.firewall.HttpFirewall;
+
+/**
+ * @author Luke Taylor
+ */
+public class HttpFirewallInjectionBeanPostProcessor implements BeanPostProcessor, BeanFactoryAware {
+    private ConfigurableListableBeanFactory beanFactory;
+    private String ref;
+
+    public HttpFirewallInjectionBeanPostProcessor(String ref) {
+        this.ref = ref;
+    }
+
+    public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
+        if (BeanIds.FILTER_CHAIN_PROXY.equals(beanName)) {
+            HttpFirewall fw = (HttpFirewall) beanFactory.getBean(ref);
+            ((FilterChainProxy)bean).setFirewall(fw);
+        }
+
+        return bean;
+    }
+
+    public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
+        return bean;
+    }
+
+
+    public void setBeanFactory(BeanFactory beanFactory) throws BeansException {
+        this.beanFactory = (ConfigurableListableBeanFactory) beanFactory;
+    }
+}

core/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java

@@ -24,6 +24,7 @@ public class SecurityNamespaceHandler extends NamespaceHandlerSupport {
         registerBeanDefinitionParser(Elements.GLOBAL_METHOD_SECURITY, new GlobalMethodSecurityBeanDefinitionParser());
         registerBeanDefinitionParser(Elements.AUTHENTICATION_MANAGER, new AuthenticationManagerBeanDefinitionParser());
         registerBeanDefinitionParser(Elements.FILTER_INVOCATION_DEFINITION_SOURCE, new FilterInvocationDefinitionSourceBeanDefinitionParser());
+        registerBeanDefinitionParser(Elements.HTTP_FIREWALL, new HttpFirewallBeanDefinitionParser());
 
         // Decorators
         registerBeanDefinitionDecorator(Elements.INTERCEPT_METHODS, new InterceptMethodsBeanDefinitionDecorator());

core/src/main/java/org/springframework/security/util/FilterChainProxy.java

@@ -340,6 +340,10 @@ public class FilterChainProxy implements Filter, InitializingBean, ApplicationCo
         return matcher;
     }
 
+    public void setFirewall(HttpFirewall firewall) {
+        this.firewall = firewall;
+    }
+
     /**
      * If set to 'true', the query string will be stripped from the request URL before
      * attempting to find a matching filter chain. This is the default value.

core/src/main/java/org/springframework/security/util/InMemoryXmlApplicationContext.java

@@ -15,7 +15,7 @@ public class InMemoryXmlApplicationContext extends AbstractXmlApplicationContext
                     "    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'\n" +
                     "    xsi:schemaLocation='http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd\n" +
                     "http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd\n" +
-                    "http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.2.xsd'>\n";
+                    "http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.6.xsd'>\n";
     private static final String BEANS_CLOSE = "</b:beans>\n";
 
     Resource inMemoryXml;

core/src/main/resources/META-INF/spring.schemas

@@ -1,5 +1,6 @@
-http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-2.0.4.xsd
+http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-2.0.6.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.xsd=org/springframework/security/config/spring-security-2.0.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.1.xsd=org/springframework/security/config/spring-security-2.0.1.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.2.xsd=org/springframework/security/config/spring-security-2.0.2.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.4.xsd=org/springframework/security/config/spring-security-2.0.4.xsd
+http\://www.springframework.org/schema/security/spring-security-2.0.6.xsd=org/springframework/security/config/spring-security-2.0.6.xsd

core/src/main/resources/org/springframework/security/config/spring-security-2.0.6.rnc

@@ -206,6 +206,9 @@ protect-pointcut.attlist &=
     ## Access configuration attributes list that applies to all methods matching the pointcut, e.g. "ROLE_A,ROLE_B"
     attribute access {xsd:string}
 
+http-firewall =
+    ## Allows a custom instance of HttpFirewall to be injected into the FilterChainProxy created by the namespace.
+    element http-firewall {ref}
 
 http =
     ## Container element for HTTP security configuration
@@ -502,5 +505,3 @@ position =
 
 
 named-security-filter = "FIRST" | "CHANNEL_FILTER" | "CONCURRENT_SESSION_FILTER" | "SESSION_CONTEXT_INTEGRATION_FILTER" | "LOGOUT_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_PROCESSING_FILTER" | "AUTHENTICATION_PROCESSING_FILTER" | "OPENID_PROCESSING_FILTER" |"BASIC_PROCESSING_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "NTLM_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER" | "LAST"
-    
-    

core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java

@@ -24,6 +24,7 @@ import org.springframework.security.concurrent.ConcurrentLoginException;
 import org.springframework.security.concurrent.ConcurrentSessionControllerImpl;
 import org.springframework.security.concurrent.ConcurrentSessionFilter;
 import org.springframework.security.context.HttpSessionContextIntegrationFilter;
+import org.springframework.security.firewall.DefaultHttpFirewall;
 import org.springframework.security.intercept.web.FilterInvocation;
 import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;
 import org.springframework.security.intercept.web.FilterSecurityInterceptor;
@@ -661,6 +662,19 @@ public class HttpSecurityBeanDefinitionParserTests {
         assertTrue(attrDef.contains(new SecurityConfig("ROLE_B")));
     }
 
+    @Test
+    public void httpFirewallInjectionIsSupported() throws Exception {
+        setContext(
+                "<http-firewall ref='fw'/>" +
+                "<http>" +
+                "   <form-login />" +
+                "</http>" +
+                "<b:bean id='fw' class='" + DefaultHttpFirewall.class.getName() +"'/>" +
+                AUTH_PROVIDER_XML);
+        FilterChainProxy fcp = (FilterChainProxy) appContext.getBean(BeanIds.FILTER_CHAIN_PROXY);
+        assertSame(appContext.getBean("fw"), FieldUtils.getFieldValue(fcp, "firewall"));
+    }
+
     private void setContext(String context) {
         appContext = new InMemoryXmlApplicationContext(context);
     }