Deprecate openID 2.0 support

This commit adds a deprecation notice to the XML schema and to the parser for that schema, and removes the related FIXME comments.

Fixes gh-7153
Dávid Kovács 2020-05-09 12:04:13 +02:00
parent 2d9a6aca98
commit f2a2b469c4
5 changed files with 127 additions and 111 deletions


@ -350,51 +350,7 @@ final class AuthenticationConfigBuilder {
RootBeanDefinition openIDFilter = null;
if (openIDLoginElt != null) {
FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser(
"/login/openid", null,
OPEN_ID_AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache,
sessionStrategy, allowSessionCreation, portMapper, portResolver);
parser.parse(openIDLoginElt, pc);
openIDFilter = parser.getFilterBean();
openIDEntryPoint = parser.getEntryPointBean();
openidLoginProcessingUrl = parser.getLoginProcessingUrl();
openIDLoginPage = parser.getLoginPage();
List<Element> attrExElts = DomUtils.getChildElementsByTagName(openIDLoginElt,
Elements.OPENID_ATTRIBUTE_EXCHANGE);
if (!attrExElts.isEmpty()) {
// Set up the consumer with the required attribute list
BeanDefinitionBuilder consumerBldr = BeanDefinitionBuilder
.rootBeanDefinition(OPEN_ID_CONSUMER_CLASS);
BeanDefinitionBuilder axFactory = BeanDefinitionBuilder
.rootBeanDefinition(OPEN_ID_ATTRIBUTE_FACTORY_CLASS);
ManagedMap<String, ManagedList<BeanDefinition>> axMap = new ManagedMap<>();
for (Element attrExElt : attrExElts) {
String identifierMatch = attrExElt.getAttribute("identifier-match");
if (!StringUtils.hasText(identifierMatch)) {
if (attrExElts.size() > 1) {
pc.getReaderContext().error(
"You must supply an identifier-match attribute if using more"
+ " than one "
+ Elements.OPENID_ATTRIBUTE_EXCHANGE
+ " element", attrExElt);
}
// Match anything
identifierMatch = ".*";
}
axMap.put(identifierMatch, parseOpenIDAttributes(attrExElt));
}
axFactory.addConstructorArgValue(axMap);
consumerBldr.addConstructorArgValue(axFactory.getBeanDefinition());
openIDFilter.getPropertyValues().addPropertyValue("consumer",
consumerBldr.getBeanDefinition());
}
openIDFilter = parseOpenIDFilter(sessionStrategy, openIDLoginElt);
}
if (openIDFilter != null) {
@ -412,6 +368,65 @@ final class AuthenticationConfigBuilder {
}
}
/**
* Parses OpenID 1.0 and 2.0 - related parts of configuration xmls
* @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
* <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
* to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
* @param sessionStrategy sessionStrategy
* @param openIDLoginElt the element from the xml file
* @return the parsed filter as rootBeanDefinition
*/
private RootBeanDefinition parseOpenIDFilter( BeanReference sessionStrategy, Element openIDLoginElt ) {
RootBeanDefinition openIDFilter;
FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser(
"/login/openid", null,
OPEN_ID_AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache,
sessionStrategy, allowSessionCreation, portMapper, portResolver);
parser.parse(openIDLoginElt, pc);
openIDFilter = parser.getFilterBean();
openIDEntryPoint = parser.getEntryPointBean();
openidLoginProcessingUrl = parser.getLoginProcessingUrl();
openIDLoginPage = parser.getLoginPage();
List<Element> attrExElts = DomUtils.getChildElementsByTagName(openIDLoginElt,
Elements.OPENID_ATTRIBUTE_EXCHANGE);
if (!attrExElts.isEmpty()) {
// Set up the consumer with the required attribute list
BeanDefinitionBuilder consumerBldr = BeanDefinitionBuilder
.rootBeanDefinition(OPEN_ID_CONSUMER_CLASS);
BeanDefinitionBuilder axFactory = BeanDefinitionBuilder
.rootBeanDefinition(OPEN_ID_ATTRIBUTE_FACTORY_CLASS);
ManagedMap<String, ManagedList<BeanDefinition>> axMap = new ManagedMap<>();
for (Element attrExElt : attrExElts) {
String identifierMatch = attrExElt.getAttribute("identifier-match");
if (!StringUtils.hasText(identifierMatch)) {
if (attrExElts.size() > 1) {
pc.getReaderContext().error(
"You must supply an identifier-match attribute if using more"
+ " than one "
+ Elements.OPENID_ATTRIBUTE_EXCHANGE
+ " element", attrExElt);
}
// Match anything
identifierMatch = ".*";
}
axMap.put(identifierMatch, parseOpenIDAttributes(attrExElt));
}
axFactory.addConstructorArgValue(axMap);
consumerBldr.addConstructorArgValue(axFactory.getBeanDefinition());
openIDFilter.getPropertyValues().addPropertyValue("consumer",
consumerBldr.getBeanDefinition());
}
return openIDFilter;
}
private ManagedList<BeanDefinition> parseOpenIDAttributes(Element attrExElt) {
ManagedList<BeanDefinition> attributes = new ManagedList<>();
for (Element attElt : DomUtils.getChildElementsByTagName(attrExElt,
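Review bot: In the second hunk, the new `parseOpenIDFilter` method documents itself with a Javadoc `@deprecated` tag but carries no `@Deprecated` annotation, so javac's dep-ann lint will warn and the deprecation is invisible at compile time; either add `@Deprecated` directly above the signature or drop the tag, since a private helper the builder itself must keep calling gains little from it. The same Javadoc should also state that the method assigns `openIDEntryPoint`, `openidLoginProcessingUrl` and `openIDLoginPage` on the enclosing builder, because the return value alone does not convey those side effects, and `@param sessionStrategy sessionStrategy` should say what the reference is for (it is passed straight through to `FormLoginBeanDefinitionParser`). Two smaller style points: the padded parentheses in `parseOpenIDFilter( BeanReference sessionStrategy, Element openIDLoginElt )` do not match the rest of the file, and the separate `RootBeanDefinition openIDFilter;` declaration followed by a later assignment can be collapsed to `RootBeanDefinition openIDFilter = parser.getFilterBean();`. `parseOpenIDAttributes` begins at the end of this hunk and continues outside it.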


@ -131,7 +131,7 @@
</xs:annotation>
<xs:complexType/>
</xs:element>
<xs:attributeGroup name="password-encoder.attlist">
<xs:attribute name="ref" type="xs:token">
<xs:annotation>
@ -164,7 +164,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="user-property">
<xs:attribute name="user-property" use="required" type="xs:token">
<xs:annotation>
@ -433,7 +433,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="ldap-ap.attlist">
<xs:attribute name="server-ref" type="xs:token">
<xs:annotation>
@ -513,7 +513,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="password-compare.attlist">
<xs:attribute name="password-attribute" type="xs:token">
<xs:annotation>
@ -573,7 +573,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="protect.attlist">
<xs:attribute name="method" use="required" type="xs:token">
<xs:annotation>
@ -817,13 +817,13 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="protect-pointcut.attlist">
<xs:attribute name="expression" use="required" type="xs:string">
<xs:annotation>
@ -1265,7 +1265,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="access-denied-handler.attlist">
<xs:attribute name="ref" type="xs:token">
<xs:annotation>
@ -1290,7 +1290,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="intercept-url.attlist">
<xs:attribute name="pattern" type="xs:token">
<xs:annotation>
@ -1361,7 +1361,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="logout.attlist">
<xs:attribute name="logout-url" type="xs:token">
<xs:annotation>
@ -1408,7 +1408,7 @@
<xs:attributeGroup ref="security:ref"/>
</xs:complexType>
</xs:element>
<xs:attributeGroup name="form-login.attlist">
<xs:attribute name="login-processing-url" type="xs:token">
<xs:annotation>
@ -1496,7 +1496,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:element name="attribute-exchange">
<xs:annotation>
<xs:documentation>Sets up an attribute exchange configuration to request specified attributes from the
@ -1695,7 +1695,7 @@
</xs:simpleType>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="http-basic.attlist">
<xs:attribute name="entry-point-ref" type="xs:token">
<xs:annotation>
@ -1711,7 +1711,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="session-management.attlist">
<xs:attribute name="session-fixation-protection">
<xs:annotation>
@ -1767,7 +1767,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="concurrency-control.attlist">
<xs:attribute name="max-sessions" type="xs:integer">
<xs:annotation>
@ -1814,7 +1814,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="remember-me.attlist">
<xs:attribute name="key" type="xs:token">
<xs:annotation>
@ -1912,7 +1912,7 @@
<xs:attributeGroup name="remember-me-data-source-ref">
<xs:attributeGroup ref="security:data-source-ref"/>
</xs:attributeGroup>
<xs:attributeGroup name="anonymous.attlist">
<xs:attribute name="key" type="xs:token">
<xs:annotation>
@ -1945,8 +1945,8 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="http-port">
<xs:attribute name="http" use="required" type="xs:token">
<xs:annotation>
@ -1963,7 +1963,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="x509.attlist">
<xs:attribute name="subject-principal-regex" type="xs:token">
<xs:annotation>
@ -2160,7 +2160,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="ap.attlist">
<xs:attribute name="ref" type="xs:token">
<xs:annotation>
@ -2212,7 +2212,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="user.attlist">
<xs:attribute name="name" use="required" type="xs:token">
<xs:annotation>
@ -2823,4 +2823,4 @@
<xs:enumeration value="LAST"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
</xs:schema>


@ -615,7 +615,7 @@ opaque-token.attlist &=
attribute introspector-ref {xsd:token}?
openid-login =
## Sets up form login for authentication with an Open ID identity
## Sets up form login for authentication with an Open ID identity. NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a> to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
element openid-login {form-login.attlist, user-service-ref?, attribute-exchange*}
attribute-exchange =
@ -627,7 +627,7 @@ attribute-exchange.attlist &=
attribute identifier-match {xsd:token}?
openid-attribute =
## Attributes used when making an OpenID AX Fetch Request
## Attributes used when making an OpenID AX Fetch Request. NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a> to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
element openid-attribute {openid-attribute.attlist}
openid-attribute.attlist &=
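Review bot: The HTML anchors and `<code>` tags written into the `##` documentation for `openid-login` (first hunk) and `openid-attribute` (second hunk) do not survive as markup in the generated schema: in the spring-security.xsd hunks later on this page, the new `openid-login` and `openid-attribute` documentation shows them as escaped `&lt;a href=...&gt;` and `&lt;code&gt;` text, so anyone reading the schema or an IDE tooltip sees raw tag characters rather than links. Plain text with the bare URLs reads correctly in both the source and the generated file, e.g. `## Sets up form login for authentication with an Open ID identity. NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated; users are encouraged to migrate to OpenID Connect (https://openid.net/connect/, migration guide: https://openid.net/specs/openid-connect-migration-1_0.html), which is supported by spring-security-oauth2.`. The `openid-attribute` line would take the same rewording.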


@ -124,7 +124,7 @@
</xs:annotation>
<xs:complexType/>
</xs:element>
<xs:attributeGroup name="password-encoder.attlist">
<xs:attribute name="ref" type="xs:token">
<xs:annotation>
@ -408,7 +408,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="ldap-ap.attlist">
<xs:attribute name="server-ref" type="xs:token">
<xs:annotation>
@ -488,7 +488,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="password-compare.attlist">
<xs:attribute name="password-attribute" type="xs:token">
<xs:annotation>
@ -541,7 +541,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="protect.attlist">
<xs:attribute name="method" use="required" type="xs:token">
<xs:annotation>
@ -785,13 +785,13 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="protect-pointcut.attlist">
<xs:attribute name="expression" use="required" type="xs:string">
<xs:annotation>
@ -960,10 +960,11 @@
<xs:element ref="security:oauth2-resource-server"/>
<xs:element name="openid-login">
<xs:annotation>
<xs:documentation>Sets up form login for authentication with an Open ID identity.
NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
<a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
<xs:documentation>Sets up form login for authentication with an Open ID identity. NOTE: The OpenID 1.0 and
2.0 protocols have been deprecated and users are &lt;a
href="https://openid.net/specs/openid-connect-migration-1_0.html"&gt;encouraged to
migrate&lt;/a&gt; to &lt;a href="https://openid.net/connect/"&gt;OpenID Connect&lt;/a&gt;, which is
supported by &lt;code&gt;spring-security-oauth2&lt;/code&gt;.
</xs:documentation>
</xs:annotation>
<xs:complexType>
@ -1239,7 +1240,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="access-denied-handler.attlist">
<xs:attribute name="ref" type="xs:token">
<xs:annotation>
@ -1264,7 +1265,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="intercept-url.attlist">
<xs:attribute name="pattern" type="xs:token">
<xs:annotation>
@ -1321,7 +1322,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="logout.attlist">
<xs:attribute name="logout-url" type="xs:token">
<xs:annotation>
@ -1368,7 +1369,7 @@
<xs:attributeGroup ref="security:ref"/>
</xs:complexType>
</xs:element>
<xs:attributeGroup name="form-login.attlist">
<xs:attribute name="login-processing-url" type="xs:token">
<xs:annotation>
@ -1881,7 +1882,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:element name="attribute-exchange">
<xs:annotation>
<xs:documentation>Sets up an attribute exchange configuration to request specified attributes from the
@ -1908,10 +1909,11 @@
</xs:attributeGroup>
<xs:element name="openid-attribute">
<xs:annotation>
<xs:documentation>Attributes used when making an OpenID AX Fetch Request.
NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
<a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
<xs:documentation>Attributes used when making an OpenID AX Fetch Request. NOTE: The OpenID 1.0 and 2.0
protocols have been deprecated and users are &lt;a
href="https://openid.net/specs/openid-connect-migration-1_0.html"&gt;encouraged to
migrate&lt;/a&gt; to &lt;a href="https://openid.net/connect/"&gt;OpenID Connect&lt;/a&gt;, which is
supported by &lt;code&gt;spring-security-oauth2&lt;/code&gt;.
</xs:documentation>
</xs:annotation>
<xs:complexType>
@ -2083,7 +2085,7 @@
</xs:simpleType>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="http-basic.attlist">
<xs:attribute name="entry-point-ref" type="xs:token">
<xs:annotation>
@ -2099,7 +2101,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="session-management.attlist">
<xs:attribute name="session-fixation-protection">
<xs:annotation>
@ -2155,7 +2157,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="concurrency-control.attlist">
<xs:attribute name="max-sessions" type="xs:integer">
<xs:annotation>
@ -2202,7 +2204,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="remember-me.attlist">
<xs:attribute name="key" type="xs:token">
<xs:annotation>
@ -2300,7 +2302,7 @@
<xs:attributeGroup name="remember-me-data-source-ref">
<xs:attributeGroup ref="security:data-source-ref"/>
</xs:attributeGroup>
<xs:attributeGroup name="anonymous.attlist">
<xs:attribute name="key" type="xs:token">
<xs:annotation>
@ -2333,8 +2335,8 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="http-port">
<xs:attribute name="http" use="required" type="xs:token">
<xs:annotation>
@ -2351,7 +2353,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="x509.attlist">
<xs:attribute name="subject-principal-regex" type="xs:token">
<xs:annotation>
@ -2488,7 +2490,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="ap.attlist">
<xs:attribute name="ref" type="xs:token">
<xs:annotation>
@ -2540,7 +2542,7 @@
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="user.attlist">
<xs:attribute name="name" use="required" type="xs:token">
<xs:annotation>
@ -3180,4 +3182,4 @@
<xs:enumeration value="LAST"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
</xs:schema>


@ -33,7 +33,6 @@ This also gives a good idea of the high level flow of authentication and how pie
* <<servlet-rememberme, Remember Me>> - How to remember a user past session expiration
* <<servlet-jaas, JAAS Authentication>> - Authenticate with JAAS
* <<servlet-openid,OpenID>> - OpenID Authentication (not to be confused with OpenID Connect)
// FIXME: The one above is deprecated. Should it be removed from here as well?
* <<servlet-preauth>> - Authenticate with an external mechanism such as https://www.siteminder.com/[SiteMinder] or Java EE security but still use Spring Security for authorization and protection against common exploits.
* <<servlet-x509,X509 Authentication>> - X509 Authentication