SEC-2191: Remove AuthenticationManagerBuilder default constructor

This ensures that users must choose what ObjectPostProcessor is being used
with AuthenticationManagerBuilder. To make things easier for users, we now
automatically add an AuthenticationManagerBuilder object that can be used
for creating an AuthenticationManager with @Autowired.
This commit is contained in:
Rob Winch 2013-07-05 12:10:03 -05:00
parent e88800cd9b
commit fb45db11e9
12 changed files with 118 additions and 34 deletions

View File

@ -23,6 +23,8 @@ import java.util.LinkedHashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.web.filter.DelegatingFilterProxy; import org.springframework.web.filter.DelegatingFilterProxy;
@ -51,6 +53,7 @@ import com.google.inject.internal.ImmutableList.Builder;
* The type of this builder (that is returned by the base class) * The type of this builder (that is returned by the base class)
*/ */
public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBuilder<O>> extends AbstractSecurityBuilder<O> { public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBuilder<O>> extends AbstractSecurityBuilder<O> {
private final Log logger = LogFactory.getLog(getClass());
private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers = private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers =
new LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>>(); new LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>>();
@ -95,6 +98,27 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
this.allowConfigurersOfSameType = allowConfigurersOfSameType; this.allowConfigurersOfSameType = allowConfigurersOfSameType;
} }
/**
* Similar to {@link #build()} and {@link #getObject()} but checks the state
* to determine if {@link #build()} needs to be called first.
*
* @return the result of {@link #build()} or {@link #getObject()}. If an
* error occurs while building, returns null.
*/
public O getOrBuild() {
if(isUnbuilt()) {
try {
return build();
} catch(Exception e) {
logger.debug("Failed to perform build. Returning null", e);
return null;
}
} else {
return getObject();
}
}
/** /**
* Applies a {@link SecurityConfigurerAdapter} to this * Applies a {@link SecurityConfigurerAdapter} to this
* {@link SecurityBuilder} and invokes * {@link SecurityBuilder} and invokes
@ -370,6 +394,16 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
return result; return result;
} }
/**
* Determines if the object is unbuilt.
* @return true, if unbuilt else false
*/
private boolean isUnbuilt() {
synchronized(configurers) {
return buildState == BuildState.UNBUILT;
}
}
/** /**
* The build state for the application * The build state for the application
* *

View File

@ -54,9 +54,10 @@ public class AuthenticationManagerBuilder extends AbstractConfiguredSecurityBuil
/** /**
* Creates a new instance * Creates a new instance
* @param the {@link ObjectPostProcessor} instance to use.
*/ */
public AuthenticationManagerBuilder() { public AuthenticationManagerBuilder(ObjectPostProcessor<Object> objectPostProcessor) {
super(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR,true); super(objectPostProcessor,true);
} }
/** /**

View File

@ -0,0 +1,37 @@
/*
* Copyright 2002-2013 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.annotation.authentication.configuration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
/**
* Exports the authentication {@link Configuration}
*
* @author Rob Winch
* @since 3.2
*
*/
@Configuration
public class AuthenticationConfiguration {
@Bean
public AuthenticationManagerBuilder authenticationManagerBuilder(ObjectPostProcessor<Object> objectPostProcessor) {
return new AuthenticationManagerBuilder(objectPostProcessor);
}
}

View File

@ -23,6 +23,7 @@ import org.springframework.context.annotation.AdviceMode;
import org.springframework.context.annotation.Import; import org.springframework.context.annotation.Import;
import org.springframework.core.Ordered; import org.springframework.core.Ordered;
import org.springframework.security.access.annotation.Secured; import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration; import org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration;
/** /**
@ -43,7 +44,7 @@ import org.springframework.security.config.annotation.configuration.ObjectPostPr
@Retention(value=java.lang.annotation.RetentionPolicy.RUNTIME) @Retention(value=java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value={java.lang.annotation.ElementType.TYPE}) @Target(value={java.lang.annotation.ElementType.TYPE})
@Documented @Documented
@Import({GlobalMethodSecuritySelector.class,ObjectPostProcessorConfiguration.class}) @Import({GlobalMethodSecuritySelector.class,ObjectPostProcessorConfiguration.class,AuthenticationConfiguration.class})
public @interface EnableGlobalMethodSecurity { public @interface EnableGlobalMethodSecurity {
/** /**

View File

@ -21,8 +21,11 @@ import java.util.List;
import java.util.Map; import java.util.Map;
import org.aopalliance.intercept.MethodInterceptor; import org.aopalliance.intercept.MethodInterceptor;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.aop.framework.ProxyFactoryBean; import org.springframework.aop.framework.ProxyFactoryBean;
import org.springframework.aop.target.LazyInitTargetSource; import org.springframework.aop.target.LazyInitTargetSource;
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContext;
@ -74,6 +77,7 @@ import org.springframework.util.Assert;
*/ */
@Configuration @Configuration
public class GlobalMethodSecurityConfiguration implements ImportAware { public class GlobalMethodSecurityConfiguration implements ImportAware {
private static final Log logger = LogFactory.getLog(GlobalMethodSecurityConfiguration.class);
private ApplicationContext context; private ApplicationContext context;
private ObjectPostProcessor<Object> objectPostProcessor = new ObjectPostProcessor<Object>() { private ObjectPostProcessor<Object> objectPostProcessor = new ObjectPostProcessor<Object>() {
@Override @Override
@ -82,7 +86,7 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
} }
}; };
private AuthenticationManager authenticationManager; private AuthenticationManager authenticationManager;
private AuthenticationManagerBuilder auth = new AuthenticationManagerBuilder(); private AuthenticationManagerBuilder auth = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR);
private boolean disableAuthenticationRegistry; private boolean disableAuthenticationRegistry;
private AnnotationAttributes enableMethodSecurity; private AnnotationAttributes enableMethodSecurity;
private MethodSecurityExpressionHandler expressionHandler; private MethodSecurityExpressionHandler expressionHandler;
@ -236,6 +240,13 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
if(!disableAuthenticationRegistry) { if(!disableAuthenticationRegistry) {
authenticationManager = auth.build(); authenticationManager = auth.build();
} }
if(authenticationManager == null) {
try {
authenticationManager = context.getBean(AuthenticationManagerBuilder.class).getOrBuild();
} catch(NoSuchBeanDefinitionException e) {
logger.debug("Could not obtain the AuthenticationManagerBuilder. This is ok for now, we will try using an AuthenticationManager directly",e);
}
}
if(authenticationManager == null) { if(authenticationManager == null) {
authenticationManager = lazyBean(AuthenticationManager.class); authenticationManager = lazyBean(AuthenticationManager.class);
} }

View File

@ -20,6 +20,7 @@ import java.lang.annotation.Retention;
import java.lang.annotation.Target; import java.lang.annotation.Target;
import org.springframework.context.annotation.Import; import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration; import org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer; import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
@ -76,7 +77,7 @@ import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
@Retention(value=java.lang.annotation.RetentionPolicy.RUNTIME) @Retention(value=java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value={java.lang.annotation.ElementType.TYPE}) @Target(value={java.lang.annotation.ElementType.TYPE})
@Documented @Documented
@Import({WebSecurityConfiguration.class,ObjectPostProcessorConfiguration.class}) @Import({WebSecurityConfiguration.class,ObjectPostProcessorConfiguration.class,AuthenticationConfiguration.class})
public @interface EnableWebSecurity { public @interface EnableWebSecurity {
/** /**

View File

@ -58,8 +58,8 @@ public abstract class WebSecurityConfigurerAdapter implements SecurityConfigurer
} }
}; };
private final AuthenticationManagerBuilder authenticationBuilder = new AuthenticationManagerBuilder(); private final AuthenticationManagerBuilder authenticationBuilder = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR);
private final AuthenticationManagerBuilder parentAuthenticationBuilder = new AuthenticationManagerBuilder() { private final AuthenticationManagerBuilder parentAuthenticationBuilder = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR) {
@Override @Override
public AuthenticationManagerBuilder eraseCredentials(boolean eraseCredentials) { public AuthenticationManagerBuilder eraseCredentials(boolean eraseCredentials) {
authenticationBuilder.eraseCredentials(eraseCredentials); authenticationBuilder.eraseCredentials(eraseCredentials);
@ -194,12 +194,18 @@ public abstract class WebSecurityConfigurerAdapter implements SecurityConfigurer
registerAuthentication(parentAuthenticationBuilder); registerAuthentication(parentAuthenticationBuilder);
if(disableAuthenticationRegistration) { if(disableAuthenticationRegistration) {
try { try {
authenticationManager = context.getBean(AuthenticationManager.class); authenticationManager = context.getBean(AuthenticationManagerBuilder.class).getOrBuild();
} catch(NoSuchBeanDefinitionException e) { } catch(NoSuchBeanDefinitionException e) {
logger.debug("The AuthenticationManager was not found. This is ok for now as it may not be required.",e); logger.debug("Could not obtain the AuthenticationManagerBuilder. This is ok for now, we will try using an AuthenticationManager directly",e);
}
if(authenticationManager == null) {
try {
authenticationManager = context.getBean(AuthenticationManager.class);
} catch(NoSuchBeanDefinitionException e) {
logger.debug("The AuthenticationManager was not found. This is ok for now as it may not be required.",e);
}
} }
} else { } else {
authenticationManagerInitialized = true;
authenticationManager = parentAuthenticationBuilder.build(); authenticationManager = parentAuthenticationBuilder.build();
} }
authenticationManagerInitialized = true; authenticationManagerInitialized = true;

View File

@ -57,7 +57,7 @@ abstract class BaseSpringSpec extends Specification {
chain = new MockFilterChain() chain = new MockFilterChain()
} }
AuthenticationManagerBuilder authenticationBldr = new AuthenticationManagerBuilder().inMemoryAuthentication().and() AuthenticationManagerBuilder authenticationBldr = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR).inMemoryAuthentication().and()
def cleanup() { def cleanup() {
SecurityContextHolder.clearContext() SecurityContextHolder.clearContext()

View File

@ -38,7 +38,7 @@ class AuthenticationManagerBuilderTests extends BaseSpringSpec {
setup: setup:
ObjectPostProcessor opp = Mock() ObjectPostProcessor opp = Mock()
AuthenticationProvider provider = Mock() AuthenticationProvider provider = Mock()
AuthenticationManagerBuilder builder = new AuthenticationManagerBuilder().objectPostProcessor(opp) AuthenticationManagerBuilder builder = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR).objectPostProcessor(opp)
when: "Adding an AuthenticationProvider" when: "Adding an AuthenticationProvider"
builder.authenticationProvider(provider) builder.authenticationProvider(provider)
builder.build() builder.build()
@ -51,7 +51,7 @@ class AuthenticationManagerBuilderTests extends BaseSpringSpec {
setup: setup:
AuthenticationEventPublisher aep = Mock() AuthenticationEventPublisher aep = Mock()
when: when:
AuthenticationManager am = new AuthenticationManagerBuilder() AuthenticationManager am = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR)
.authenticationEventPublisher(aep) .authenticationEventPublisher(aep)
.inMemoryAuthentication() .inMemoryAuthentication()
.and() .and()

View File

@ -17,6 +17,7 @@ package org.springframework.security.config.annotation.authentication
import java.rmi.registry.Registry; import java.rmi.registry.Registry;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration import org.springframework.context.annotation.Configuration
import org.springframework.security.authentication.AuthenticationManager import org.springframework.security.authentication.AuthenticationManager
@ -33,6 +34,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
*/ */
@Configuration @Configuration
class BaseAuthenticationConfig { class BaseAuthenticationConfig {
@Autowired
protected void registerAuthentication( protected void registerAuthentication(
AuthenticationManagerBuilder auth) throws Exception { AuthenticationManagerBuilder auth) throws Exception {
auth auth
@ -40,11 +42,4 @@ class BaseAuthenticationConfig {
.withUser("user").password("password").roles("USER").and() .withUser("user").password("password").roles("USER").and()
.withUser("admin").password("password").roles("USER", "ADMIN").and() .withUser("admin").password("password").roles("USER", "ADMIN").and()
} }
@Bean
public AuthenticationManager authenticationManager() {
AuthenticationManagerBuilder registry = new AuthenticationManagerBuilder();
registerAuthentication(registry);
return registry.build();
}
} }

View File

@ -15,6 +15,7 @@
*/ */
package org.springframework.security.config.annotation.method.configuration package org.springframework.security.config.annotation.method.configuration
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration import org.springframework.context.annotation.Configuration
import org.springframework.security.access.AccessDeniedException import org.springframework.security.access.AccessDeniedException
@ -65,14 +66,12 @@ public class SampleEnableGlobalMethodSecurityTests extends BaseSpringSpec {
return new MethodSecurityServiceImpl() return new MethodSecurityServiceImpl()
} }
@Bean @Autowired
public AuthenticationManager authenticationManager() throws Exception { public void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
return new AuthenticationManagerBuilder() auth
.inMemoryAuthentication() .inMemoryAuthentication()
.withUser("user").password("password").roles("USER").and() .withUser("user").password("password").roles("USER").and()
.withUser("admin").password("password").roles("USER", "ADMIN").and() .withUser("admin").password("password").roles("USER", "ADMIN");
.and()
.build();
} }
} }

View File

@ -15,6 +15,7 @@
*/ */
package org.springframework.security.config.annotation.web package org.springframework.security.config.annotation.web
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration import org.springframework.context.annotation.Configuration
import org.springframework.core.annotation.Order import org.springframework.core.annotation.Order
@ -272,14 +273,12 @@ public class SampleWebSecurityConfigurerAdapterTests extends BaseWebSpecuritySpe
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
public static class SampleMultiHttpSecurityConfig { public static class SampleMultiHttpSecurityConfig {
@Bean @Autowired
public AuthenticationManager authenticationManager() { public void registerAuthentication(AuthenticationManagerBuilder auth) {
return new AuthenticationManagerBuilder() auth
.inMemoryAuthentication() .inMemoryAuthentication()
.withUser("user").password("password").roles("USER").and() .withUser("user").password("password").roles("USER").and()
.withUser("admin").password("password").roles("USER", "ADMIN").and() .withUser("admin").password("password").roles("USER", "ADMIN");
.and()
.build();
} }
@Configuration @Configuration