SEC-733: Changed names of <global-method-security> attributes as discussed with Ben and updated sample to reflect the changes. Also changed explicit instantiation of Jsr250 and Secured annotation MethodDefinitionSource beans in GlobalMethodSecurityBDP into bean definitions to make more tooling friendly.

2008-03-26 21:48:24 +00:00 · 2008-03-26 21:48:24 +00:00 · ef5b3e2f9c
parent 9ea2408ac6
commit ef5b3e2f9c
6 changed files with 2051 additions and 1920 deletions
--- a/core-tiger/src/test/resources/org/springframework/security/config/jsr250-annotated-method-security.xml
+++ b/core-tiger/src/test/resources/org/springframework/security/config/jsr250-annotated-method-security.xml
@ -8,7 +8,7 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc

    <b:bean id="target" class="org.springframework.security.annotation.Jsr250BusinessServiceImpl"/>

-	<global-method-security jsr250="true"/>
+	<global-method-security jsr250-annotations="enabled"/>

    <authentication-provider>
        <user-service>
--- a/core-tiger/src/test/resources/org/springframework/security/config/secured-annotated-method-security.xml
+++ b/core-tiger/src/test/resources/org/springframework/security/config/secured-annotated-method-security.xml
@ -8,7 +8,7 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc

    <b:bean id="target" class="org.springframework.security.annotation.Jsr250BusinessServiceImpl"/>

-	<global-method-security secured="true"/>
+	<global-method-security secured-annotations="enabled"/>

    <authentication-provider>
        <user-service>
--- a/core/src/main/java/org/springframework/security/config/GlobalMethodSecurityBeanDefinitionParser.java
+++ b/core/src/main/java/org/springframework/security/config/GlobalMethodSecurityBeanDefinitionParser.java
@ -10,6 +10,8 @@ import org.springframework.aop.config.AopNamespaceUtils;
 import org.springframework.beans.BeanUtils;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.RuntimeBeanReference;
+import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.springframework.beans.factory.support.ManagedList;
 import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;
@ -28,7 +30,6 @@ import org.w3c.dom.Element;
 /**
 * Processes the top-level "global-method-security" element.
 * 
- *
 * @author Ben Alex
 * @version $Id$
 */
@ -41,16 +42,16 @@ class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionParser {
    private static final String ATT_ACCESS = "access";
    private static final String ATT_EXPRESSION = "expression";
    private static final String ATT_ACCESS_MGR = "access-decision-manager-ref";
-    private static final String ATT_USE_JSR250 = "jsr250";
-    private static final String ATT_USE_SECURED = "secured";
+    private static final String ATT_USE_JSR250 = "jsr250-annotations";
+    private static final String ATT_USE_SECURED = "secured-annotations";

    private void validatePresent(String className) {
    	Assert.isTrue(ClassUtils.isPresent(className), "Cannot locate '" + className + "'");
    }
    
    public BeanDefinition parse(Element element, ParserContext parserContext) {
-        boolean useJsr250 = "true".equals(element.getAttribute(ATT_USE_JSR250));
-        boolean useSecured = "true".equals(element.getAttribute(ATT_USE_SECURED));
+        boolean useJsr250 = "enabled".equals(element.getAttribute(ATT_USE_JSR250));
+        boolean useSecured = "enabled".equals(element.getAttribute(ATT_USE_SECURED));

        // Check the required classes are present
        if (useSecured) {
@ -91,23 +92,15 @@ class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionParser {
        }
        
        // Create our list of method metadata delegates
-        List delegates = new ArrayList();
+        ManagedList delegates = new ManagedList();
        delegates.add(mapBasedMethodDefinitionSource);
        
        if (useSecured) {
-        	try {
-            	delegates.add(BeanUtils.instantiateClass(ClassUtils.forName(SECURED_METHOD_DEFINITION_SOURCE_CLASS)));
-        	} catch (ClassNotFoundException shouldNotHappen) {
-        		throw new IllegalStateException(shouldNotHappen);
-        	}
+            delegates.add(BeanDefinitionBuilder.rootBeanDefinition(SECURED_METHOD_DEFINITION_SOURCE_CLASS).getBeanDefinition());
        }
        
        if (useJsr250) {
-        	try {
-        		delegates.add(BeanUtils.instantiateClass(ClassUtils.forName(JSR_250_SECURITY_METHOD_DEFINITION_SOURCE_CLASS)));
-        	} catch (ClassNotFoundException shouldNotHappen) {
-        		throw new IllegalStateException(shouldNotHappen);
-        	}
+            delegates.add(BeanDefinitionBuilder.rootBeanDefinition(JSR_250_SECURITY_METHOD_DEFINITION_SOURCE_CLASS).getBeanDefinition());            
        }
        
    	// Register our DelegatingMethodDefinitionSource
--- a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc
+++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc
@ -157,13 +157,13 @@ global-method-security =
    ## Provides method security for all beans registered in the Spring application context. Specifically, beans will be scanned for Spring Security annotations and/or matches with the ordered list of "protect-pointcut" sub-elements. Where there is a match, the beans will automatically be proxied and security authorization applied to the methods accordingly. If you use and enable all three sources of method security metadata (ie "protect-pointcut" declarations, @Secured and also JSR 250 security annotations), the metadata sources will be queried in that order. In practical terms, this enables you to use XML to override method security metadata expressed by way of @Secured annotations, with @Secured annotations overriding method security metadata expressed by JSR 250 annotations. It is perfectly acceptable to mix and match, with a given Java type using a combination of XML, @Secured and JSR 250 to express method security metadata (albeit on different methods).
 	element global-method-security {global-method-security.attlist, protect-pointcut*}
 global-method-security.attlist &=
-    ## Specifies that Spring Security's @Secured annotation should be used. Please ensure you have the spring-security-tiger-xxx.jar on the classpath. Defaults to false.
-    attribute secured {"false" | "true" }?
+    ## Specifies whether the use of Spring Security's @Secured annotations should be enabled for this application context. Please ensure you have the spring-security-tiger-xxx.jar on the classpath. Defaults to "disabled".
+    attribute secured-annotations {"disabled" | "enabled" }?
 global-method-security.attlist &=
-    ## Specifies that JSR-250 style attributes are to be used (for example "RolesAllowed"). This will require the javax.annotation.security classes on the classpath. Defaults to false.
-    attribute jsr250 {"false" | "true" }?
+    ## Specifies whether JSR-250 style attributes are to be used (for example "RolesAllowed"). This will require the javax.annotation.security classes on the classpath. Defaults to "disabled".
+    attribute jsr250-annotations {"disabled" | "enabled" }?
 global-method-security.attlist &=
-    ## Optional AccessDecisionManager bean ID to override the default.
+    ## Optional AccessDecisionManager bean ID to override the default used for method security.
    attribute access-decision-manager-ref {xsd:string}?


@ -311,7 +311,7 @@ anonymous =
    ## Adds support for automatically granting all anonymous web requests a particular principal identity and a corresponding granted authority.
    element anonymous {anonymous.attlist}
 anonymous.attlist &=
-    ## The key used between the provider and filter. This generally does not need to be set. If unset, it will default to "doesNotMatter".
+    ## The key shared between the provider and filter. This generally does not need to be set. If unset, it will default to "doesNotMatter".
    attribute key {xsd:string}?
 anonymous.attlist &= 
    ## The username that should be assigned to the anonymous request. This allows the principal to be identified, which may be important for logging and auditing. if unset, defaults to "anonymousUser".
--- a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd
+++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd
--- a/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security-ns.xml
+++ b/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security-ns.xml
@ -12,7 +12,7 @@
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

-	<global-method-security secured="true"/>
+	<global-method-security secured-annotations="enabled"/>

    <http>
        <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>