diff --git a/core/src/main/java/org/springframework/security/config/BeanIds.java b/core/src/main/java/org/springframework/security/config/BeanIds.java
index 249721182c..1ff6b92aad 100644
--- a/core/src/main/java/org/springframework/security/config/BeanIds.java
+++ b/core/src/main/java/org/springframework/security/config/BeanIds.java
@@ -42,7 +42,7 @@ public abstract class BeanIds {
public static final String OPEN_ID_PROVIDER = "_openIDAuthenticationProvider";
public static final String MAIN_ENTRY_POINT = "_mainEntryPoint";
public static final String FILTER_CHAIN_PROXY = "_filterChainProxy";
- public static final String HTTP_SESSION_CONTEXT_INTEGRATION_FILTER = "_httpSessionContextIntegrationFilter";
+ public static final String SECURITY_CONTEXT_PERSISTENCE_FILTER = "_securityContextPersistenceFilter";
public static final String LDAP_AUTHENTICATION_PROVIDER = "_ldapAuthenticationProvider";
public static final String LOGOUT_FILTER = "_logoutFilter";
public static final String EXCEPTION_TRANSLATION_FILTER = "_exceptionTranslationFilter";
diff --git a/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java b/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
index 55edf463b3..8676c9073b 100644
--- a/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
+++ b/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
@@ -19,7 +19,8 @@ import org.springframework.beans.factory.xml.ParserContext;
import org.springframework.security.ConfigAttribute;
import org.springframework.security.ConfigAttributeEditor;
import org.springframework.security.SecurityConfig;
-import org.springframework.security.context.HttpSessionContextIntegrationFilter;
+import org.springframework.security.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.context.SecurityContextPersistenceFilter;
import org.springframework.security.intercept.web.DefaultFilterInvocationDefinitionSource;
import org.springframework.security.intercept.web.FilterSecurityInterceptor;
import org.springframework.security.intercept.web.RequestKey;
@@ -121,7 +122,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
parseInterceptUrlsForChannelSecurityAndFilterChain(interceptUrlElts, filterChainMap, channelRequestMap,
convertPathsToLowerCase, parserContext);
- boolean allowSessionCreation = registerHttpSessionIntegrationFilter(element, parserContext);
+ boolean allowSessionCreation = registerSecurityContextPersistenceFilter(element, parserContext);
registerServletApiFilter(element, parserContext);
@@ -219,26 +220,29 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
pc.getRegistry().registerAlias(BeanIds.FILTER_CHAIN_PROXY, BeanIds.SPRING_SECURITY_FILTER_CHAIN);
}
- private boolean registerHttpSessionIntegrationFilter(Element element, ParserContext pc) {
- RootBeanDefinition httpScif = new RootBeanDefinition(HttpSessionContextIntegrationFilter.class);
+ private boolean registerSecurityContextPersistenceFilter(Element element, ParserContext pc) {
+ BeanDefinitionBuilder scpf = BeanDefinitionBuilder.rootBeanDefinition(SecurityContextPersistenceFilter.class);
+ BeanDefinitionBuilder contextRepo = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionSecurityContextRepository.class);
boolean sessionCreationAllowed = true;
String createSession = element.getAttribute(ATT_CREATE_SESSION);
if (OPT_CREATE_SESSION_ALWAYS.equals(createSession)) {
- httpScif.getPropertyValues().addPropertyValue("allowSessionCreation", Boolean.TRUE);
- httpScif.getPropertyValues().addPropertyValue("forceEagerSessionCreation", Boolean.TRUE);
+ contextRepo.addPropertyValue("allowSessionCreation", Boolean.TRUE);
+ scpf.addPropertyValue("forceEagerSessionCreation", Boolean.TRUE);
} else if (OPT_CREATE_SESSION_NEVER.equals(createSession)) {
- httpScif.getPropertyValues().addPropertyValue("allowSessionCreation", Boolean.FALSE);
- httpScif.getPropertyValues().addPropertyValue("forceEagerSessionCreation", Boolean.FALSE);
+ contextRepo.addPropertyValue("allowSessionCreation", Boolean.FALSE);
+ scpf.addPropertyValue("forceEagerSessionCreation", Boolean.FALSE);
sessionCreationAllowed = false;
} else {
createSession = DEF_CREATE_SESSION_IF_REQUIRED;
- httpScif.getPropertyValues().addPropertyValue("allowSessionCreation", Boolean.TRUE);
- httpScif.getPropertyValues().addPropertyValue("forceEagerSessionCreation", Boolean.FALSE);
+ contextRepo.addPropertyValue("allowSessionCreation", Boolean.TRUE);
+ scpf.addPropertyValue("forceEagerSessionCreation", Boolean.FALSE);
}
- pc.getRegistry().registerBeanDefinition(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER, httpScif);
- ConfigUtils.addHttpFilter(pc, new RuntimeBeanReference(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER));
+ scpf.addPropertyValue("securityContextRepository", contextRepo.getBeanDefinition());
+
+ pc.getRegistry().registerBeanDefinition(BeanIds.SECURITY_CONTEXT_PERSISTENCE_FILTER, scpf.getBeanDefinition());
+ ConfigUtils.addHttpFilter(pc, new RuntimeBeanReference(BeanIds.SECURITY_CONTEXT_PERSISTENCE_FILTER));
return sessionCreationAllowed;
}
@@ -265,7 +269,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
new ConcurrentSessionsBeanDefinitionParser().parse(sessionControlElt, parserContext);
logger.info("Concurrent session filter in use, setting 'forceEagerSessionCreation' to true");
- BeanDefinition sessionIntegrationFilter = parserContext.getRegistry().getBeanDefinition(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER);
+ BeanDefinition sessionIntegrationFilter = parserContext.getRegistry().getBeanDefinition(BeanIds.SECURITY_CONTEXT_PERSISTENCE_FILTER);
sessionIntegrationFilter.getPropertyValues().addPropertyValue("forceEagerSessionCreation", Boolean.TRUE);
return true;
}
diff --git a/core/src/main/java/org/springframework/security/context/HttpSessionSecurityContextRepository.java b/core/src/main/java/org/springframework/security/context/HttpSessionSecurityContextRepository.java
index aae4ec177d..9ddc7f8c2a 100644
--- a/core/src/main/java/org/springframework/security/context/HttpSessionSecurityContextRepository.java
+++ b/core/src/main/java/org/springframework/security/context/HttpSessionSecurityContextRepository.java
@@ -201,7 +201,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
}
@SuppressWarnings("unchecked")
- void setSecurityContextClass(Class contextClass) {
+ public void setSecurityContextClass(Class contextClass) {
if (contextClass == null || (!SecurityContext.class.isAssignableFrom(contextClass))) {
throw new IllegalArgumentException("securityContextClass must implement SecurityContext "
+ "(typically use org.springframework.security.context.SecurityContextImpl; existing class is "
@@ -212,11 +212,11 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
contextObject = generateNewContext();
}
- void setCloneFromHttpSession(boolean cloneFromHttpSession) {
+ public void setCloneFromHttpSession(boolean cloneFromHttpSession) {
this.cloneFromHttpSession = cloneFromHttpSession;
}
- void setAllowSessionCreation(boolean allowSessionCreation) {
+ public void setAllowSessionCreation(boolean allowSessionCreation) {
this.allowSessionCreation = allowSessionCreation;
}
diff --git a/core/src/main/java/org/springframework/security/context/SecurityContextPersistenceFilter.java b/core/src/main/java/org/springframework/security/context/SecurityContextPersistenceFilter.java
index 01de284a62..a60b917045 100644
--- a/core/src/main/java/org/springframework/security/context/SecurityContextPersistenceFilter.java
+++ b/core/src/main/java/org/springframework/security/context/SecurityContextPersistenceFilter.java
@@ -85,7 +85,7 @@ public class SecurityContextPersistenceFilter extends SpringSecurityFilter {
this.repo = repo;
}
- void setForceEagerSessionCreation(boolean forceEagerSessionCreation) {
+ public void setForceEagerSessionCreation(boolean forceEagerSessionCreation) {
this.forceEagerSessionCreation = forceEagerSessionCreation;
}
diff --git a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
index 9bb244ab05..d55e8e943b 100644
--- a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
+++ b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
@@ -1,17 +1,14 @@
package org.springframework.security.config;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertSame;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
+import static org.junit.Assert.*;
import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML;
import java.lang.reflect.Method;
import java.util.Iterator;
import java.util.List;
+import javax.servlet.Filter;
+
import org.junit.After;
import org.junit.Test;
import org.springframework.beans.factory.BeanCreationException;
@@ -27,7 +24,7 @@ import org.springframework.security.SecurityConfig;
import org.springframework.security.concurrent.ConcurrentLoginException;
import org.springframework.security.concurrent.ConcurrentSessionControllerImpl;
import org.springframework.security.concurrent.ConcurrentSessionFilter;
-import org.springframework.security.context.HttpSessionContextIntegrationFilter;
+import org.springframework.security.context.SecurityContextPersistenceFilter;
import org.springframework.security.intercept.web.FilterInvocation;
import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;
import org.springframework.security.intercept.web.FilterSecurityInterceptor;
@@ -80,7 +77,7 @@ public class HttpSecurityBeanDefinitionParserTests {
public void httpAutoConfigSetsUpCorrectFilterList() throws Exception {
setContext("" + AUTH_PROVIDER_XML);
- List filterList = getFilters("/anyurl");
+ List filterList = getFilters("/anyurl");
checkAutoConfigFilters(filterList);
@@ -93,12 +90,12 @@ public class HttpSecurityBeanDefinitionParserTests {
setContext("" + AUTH_PROVIDER_XML);
}
- private void checkAutoConfigFilters(List filterList) throws Exception {
+ private void checkAutoConfigFilters(List filterList) throws Exception {
assertEquals("Expected 11 filters in chain", 11, filterList.size());
- Iterator filters = filterList.iterator();
+ Iterator filters = filterList.iterator();
- assertTrue(filters.next() instanceof HttpSessionContextIntegrationFilter);
+ assertTrue(filters.next() instanceof SecurityContextPersistenceFilter);
assertTrue(filters.next() instanceof LogoutFilter);
Object authProcFilter = filters.next();
assertTrue(authProcFilter instanceof AuthenticationProcessingFilter);
@@ -127,7 +124,7 @@ public class HttpSecurityBeanDefinitionParserTests {
" " +
" " + AUTH_PROVIDER_XML);
- List filters = getFilters("/unprotected");
+ List filters = getFilters("/unprotected");
assertTrue(filters.size() == 0);
}
@@ -140,7 +137,7 @@ public class HttpSecurityBeanDefinitionParserTests {
" " + AUTH_PROVIDER_XML);
assertEquals(0, getFilters("/imlowercase").size());
// This will be matched by the default pattern ".*"
- List allFilters = getFilters("/ImCaughtByTheUniversalMatchPattern");
+ List allFilters = getFilters("/ImCaughtByTheUniversalMatchPattern");
checkAutoConfigFilters(allFilters);
assertEquals(false, FieldUtils.getFieldValue(appContext.getBean("_filterChainProxy"), "stripQueryStringFromUrls"));
assertEquals(false, FieldUtils.getFieldValue(allFilters.get(10), "objectDefinitionSource.stripQueryStringFromUrls"));
@@ -254,7 +251,7 @@ public class HttpSecurityBeanDefinitionParserTests {
@Test
public void oncePerRequestAttributeIsSupported() throws Exception {
setContext("" + AUTH_PROVIDER_XML);
- List filters = getFilters("/someurl");
+ List filters = getFilters("/someurl");
FilterSecurityInterceptor fsi = (FilterSecurityInterceptor) filters.get(filters.size() - 1);
@@ -264,7 +261,7 @@ public class HttpSecurityBeanDefinitionParserTests {
@Test
public void accessDeniedPageAttributeIsSupported() throws Exception {
setContext("" + AUTH_PROVIDER_XML);
- List filters = getFilters("/someurl");
+ List filters = getFilters("/someurl");
ExceptionTranslationFilter etf = (ExceptionTranslationFilter) filters.get(filters.size() - 3);
@@ -282,7 +279,7 @@ public class HttpSecurityBeanDefinitionParserTests {
" " +
" " +
" " + AUTH_PROVIDER_XML);
- List filters = getFilters("/someurl");
+ List filters = getFilters("/someurl");
assertEquals("Expected 12 filters in chain", 12, filters.size());
@@ -349,7 +346,7 @@ public class HttpSecurityBeanDefinitionParserTests {
"" +
""
);
- List filters = getFilters("/someurl");
+ List filters = getFilters("/someurl");
assertEquals(14, filters.size());
assertTrue(filters.get(0) instanceof MockFilter);
@@ -442,7 +439,7 @@ public class HttpSecurityBeanDefinitionParserTests {
"" +
" " +
"" + AUTH_PROVIDER_XML);
- List filters = getFilters("/someurl");
+ List filters = getFilters("/someurl");
assertTrue(filters.get(2) instanceof X509PreAuthenticatedProcessingFilter);
}
@@ -453,7 +450,7 @@ public class HttpSecurityBeanDefinitionParserTests {
"" +
" " +
"" + AUTH_PROVIDER_XML);
- List filters = getFilters("/someurl");
+ List filters = getFilters("/someurl");
assertTrue(filters.get(0) instanceof ConcurrentSessionFilter);
assertNotNull(appContext.getBean("seshRegistry"));
@@ -568,7 +565,7 @@ public class HttpSecurityBeanDefinitionParserTests {
public void disablingSessionProtectionRemovesFilter() throws Exception {
setContext(
"" + AUTH_PROVIDER_XML);
- List filters = getFilters("/someurl");
+ List filters = getFilters("/someurl");
assertFalse(filters.get(1) instanceof SessionFixationProtectionFilter);
}
@@ -638,15 +635,18 @@ public class HttpSecurityBeanDefinitionParserTests {
@Test
public void settingCreateSessionToAlwaysSetsFilterPropertiesCorrectly() throws Exception {
setContext("" + AUTH_PROVIDER_XML);
- assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "forceEagerSessionCreation"));
- assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "allowSessionCreation"));
+ Object filter = appContext.getBean(BeanIds.SECURITY_CONTEXT_PERSISTENCE_FILTER);
+
+ assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(filter, "forceEagerSessionCreation"));
+ assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(filter, "repo.allowSessionCreation"));
}
@Test
public void settingCreateSessionToNeverSetsFilterPropertiesCorrectly() throws Exception {
setContext("" + AUTH_PROVIDER_XML);
- assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "forceEagerSessionCreation"));
- assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "allowSessionCreation"));
+ Object filter = appContext.getBean(BeanIds.SECURITY_CONTEXT_PERSISTENCE_FILTER);
+ assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(filter, "forceEagerSessionCreation"));
+ assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(filter, "repo.allowSessionCreation"));
}
/* SEC-934 */
@@ -669,11 +669,11 @@ public class HttpSecurityBeanDefinitionParserTests {
appContext = new InMemoryXmlApplicationContext(context);
}
- private List getFilters(String url) throws Exception {
+ private List getFilters(String url) throws Exception {
FilterChainProxy fcp = (FilterChainProxy) appContext.getBean(BeanIds.FILTER_CHAIN_PROXY);
Method getFilters = fcp.getClass().getDeclaredMethod("getFilters", String.class);
getFilters.setAccessible(true);
- return (List) ReflectionUtils.invokeMethod(getFilters, fcp, new Object[] {url});
+ return (List) ReflectionUtils.invokeMethod(getFilters, fcp, new Object[] {url});
}
private FilterInvocation createFilterinvocation(String path, String method) {