Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-134 fix. Authorities array is now copied on access. Also refactored token classes to move authorities to the base class.

This commit is contained in:
Luke Taylor 2006-02-08 01:24:38 +00:00
parent ccfc574894
commit fe88d6ec17
19 changed files with 134 additions and 139 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
core/src/main/java/org/acegisecurity/Authentication.java
View File

@ -96,6 +96,11 @@ public interface Authentication extends Principal, Serializable {
* that the principal has been granted. Note that classes should not rely
* on this value as being valid unless it has been set by a trusted
* <code>AuthenticationManager</code>.
* <p>
* Implementations should ensure that modifications to the returned array
* do not affect the state of the Authentication object (e.g. by returning an
* array copy).
* </p>
*
* @return the authorities granted to the principal, or <code>null</code>
* if authentication has not been completed

16
core/src/main/java/org/acegisecurity/adapters/AbstractAdapterAuthenticationToken.java
View File

@ -29,13 +29,12 @@ public abstract class AbstractAdapterAuthenticationToken
extends AbstractAuthenticationToken implements AuthByAdapter {
//~ Instance fields ========================================================
private GrantedAuthority[] authorities;
private int keyHash;
//~ Constructors ===========================================================
protected AbstractAdapterAuthenticationToken() {
super();
super(null);
}
/**
@ -48,9 +47,8 @@ public abstract class AbstractAdapterAuthenticationToken
*/
protected AbstractAdapterAuthenticationToken(String key,
GrantedAuthority[] authorities) {
super();
super(authorities);
this.keyHash = key.hashCode();
this.authorities = authorities;
}
//~ Methods ================================================================
@ -73,10 +71,6 @@ public abstract class AbstractAdapterAuthenticationToken
return true;
}
public GrantedAuthority[] getAuthorities() {
return authorities;
}
public int getKeyHash() {
return this.keyHash;
}
@ -97,8 +91,10 @@ public abstract class AbstractAdapterAuthenticationToken
* <code>false</code> otherwise
*/
public boolean isUserInRole(String role) {
for (int i = 0; i < this.authorities.length; i++) {
if (role.equals(this.authorities[i].getAuthority())) {
GrantedAuthority[] authorities = super.getAuthorities();
for (int i = 0; i < authorities.length; i++) {
if (role.equals(authorities[i].getAuthority())) {
return true;
}
}

61
core/src/main/java/org/acegisecurity/providers/AbstractAuthenticationToken.java
View File

@ -16,17 +16,59 @@
package org.acegisecurity.providers;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.userdetails.UserDetails;
/**
* Provides a <code>String</code> representation of the Authentication token.
* Base class for Authentication objects.
* <p>
* Implementations which use this class should be immutable.
* </p>
*
* @author Ben Alex
* @author Luke Taylor
* @version $Id$
*/
public abstract class AbstractAuthenticationToken implements Authentication {
//~ Instance fields
private GrantedAuthority[] authorities;
//~ Constructors ===========================================================
/**
* Retained for compatibility with subclasses written before the
* <tt>AbstractAuthenticationToken(GrantedAuthority[])</tt> constructor
* was introduced.
*
* @deprecated in favour of the constructor which takes a GrantedAuthority[]
* argument.
*/
public AbstractAuthenticationToken() {
}
/**
* Creates a token with the supplied array of authorities.
*
* @param authorities the list of <tt>GrantedAuthority</tt>s for the principal
* represented by this authentication object. A null value
* indicates that no authorities have been granted.
*/
public AbstractAuthenticationToken(GrantedAuthority[] authorities) {
if(authorities != null) {
for (int i = 0; i < authorities.length; i++) {
if(authorities[i] == null) {
throw new IllegalArgumentException("Granted authority element " + i
+ " is null - GrantedAuthority[] cannot contain any null elements");
}
}
}
this.authorities = authorities;
}
//~ Methods ================================================================
public boolean equals(Object obj) {
@ -53,8 +95,8 @@ public abstract class AbstractAuthenticationToken implements Authentication {
}
return (this.getPrincipal().equals(test.getPrincipal())
&& this.getCredentials().equals(test.getCredentials())
&& (this.isAuthenticated() == test.isAuthenticated()));
&& this.getCredentials().equals(test.getCredentials())
&& (this.isAuthenticated() == test.isAuthenticated()));
}
return false;
@ -78,6 +120,17 @@ public abstract class AbstractAuthenticationToken implements Authentication {
return this.getPrincipal().toString();
}
public GrantedAuthority[] getAuthorities() {
if(authorities == null) {
return null;
}
GrantedAuthority[] copy = new GrantedAuthority[authorities.length];
System.arraycopy(authorities, 0, copy, 0, authorities.length);
return copy;
}
public int hashCode() {
int code = 2305;

11
core/src/main/java/org/acegisecurity/providers/TestingAuthenticationToken.java
View File

@ -35,20 +35,15 @@ public class TestingAuthenticationToken extends AbstractAuthenticationToken {
private Object credentials;
private Object principal;
private GrantedAuthority[] authorities;
private boolean authenticated = false;
//~ Constructors ===========================================================
public TestingAuthenticationToken(Object principal, Object credentials,
GrantedAuthority[] authorities) {
super(authorities);
this.principal = principal;
this.credentials = credentials;
this.authorities = authorities;
}
protected TestingAuthenticationToken() {
throw new IllegalArgumentException("Cannot use default constructor");
}
//~ Methods ================================================================
@ -61,10 +56,6 @@ public class TestingAuthenticationToken extends AbstractAuthenticationToken {
return this.authenticated;
}
public GrantedAuthority[] getAuthorities() {
return this.authorities;
}
public Object getCredentials() {
return this.credentials;
}

8
core/src/main/java/org/acegisecurity/providers/UsernamePasswordAuthenticationToken.java
View File

@ -39,7 +39,6 @@ public class UsernamePasswordAuthenticationToken
private Object credentials;
private Object details = null;
private Object principal;
private GrantedAuthority[] authorities;
private boolean authenticated;
//~ Constructors ===========================================================
@ -54,6 +53,7 @@ public class UsernamePasswordAuthenticationToken
*/
public UsernamePasswordAuthenticationToken(Object principal,
Object credentials) {
super(null);
this.principal = principal;
this.credentials = credentials;
this.authenticated = false;
@ -72,9 +72,9 @@ public class UsernamePasswordAuthenticationToken
*/
public UsernamePasswordAuthenticationToken(Object principal,
Object credentials, GrantedAuthority[] authorities) {
super(authorities);
this.principal = principal;
this.credentials = credentials;
this.authorities = authorities;
this.authenticated = true;
}
@ -94,10 +94,6 @@ public class UsernamePasswordAuthenticationToken
return this.authenticated;
}
public GrantedAuthority[] getAuthorities() {
return this.authorities;
}
public Object getCredentials() {
return this.credentials;
}

19
core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousAuthenticationToken.java
View File

@ -34,7 +34,6 @@ public class AnonymousAuthenticationToken extends AbstractAuthenticationToken
//~ Instance fields ========================================================
private Object principal;
private GrantedAuthority[] authorities;
private boolean authenticated;
private int keyHash;
@ -51,6 +50,9 @@ public class AnonymousAuthenticationToken extends AbstractAuthenticationToken
*/
public AnonymousAuthenticationToken(String key, Object principal,
GrantedAuthority[] authorities) {
super(authorities);
if ((key == null) || ("".equals(key)) || (principal == null)
|| "".equals(principal) || (authorities == null)
|| (authorities.length == 0)) {
@ -58,22 +60,11 @@ public class AnonymousAuthenticationToken extends AbstractAuthenticationToken
"Cannot pass null or empty values to constructor");
}
for (int i = 0; i < authorities.length; i++) {
Assert.notNull(authorities[i],
"Granted authority element " + i
+ " is null - GrantedAuthority[] cannot contain any null elements");
}
this.keyHash = key.hashCode();
this.principal = principal;
this.authorities = authorities;
this.authenticated = true;
}
protected AnonymousAuthenticationToken() {
throw new IllegalArgumentException("Cannot use default constructor");
}
//~ Methods ================================================================
public void setAuthenticated(boolean isAuthenticated) {
@ -84,10 +75,6 @@ public class AnonymousAuthenticationToken extends AbstractAuthenticationToken
return this.authenticated;
}
public GrantedAuthority[] getAuthorities() {
return this.authorities;
}
/**
* Always returns an empty <code>String</code>
*

27
core/src/main/java/org/acegisecurity/providers/cas/CasAuthenticationToken.java
View File

@ -43,7 +43,6 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken
private Object principal;
private String proxyGrantingTicketIou;
private UserDetails userDetails;
private GrantedAuthority[] authorities;
private boolean authenticated;
private int keyHash;
@ -72,6 +71,7 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken
public CasAuthenticationToken(String key, Object principal,
Object credentials, GrantedAuthority[] authorities,
UserDetails userDetails, List proxyList, String proxyGrantingTicketIou) {
super(authorities);
if ((key == null) || ("".equals(key)) || (principal == null)
|| "".equals(principal) || (credentials == null)
|| "".equals(credentials) || (authorities == null)
@ -81,26 +81,15 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken
"Cannot pass null or empty values to constructor");
}
for (int i = 0; i < authorities.length; i++) {
Assert.notNull(authorities[i],
"Granted authority element " + i
+ " is null - GrantedAuthority[] cannot contain any null elements");
}
this.keyHash = key.hashCode();
this.principal = principal;
this.credentials = credentials;
this.authorities = authorities;
this.userDetails = userDetails;
this.proxyList = proxyList;
this.proxyGrantingTicketIou = proxyGrantingTicketIou;
this.authenticated = true;
}
protected CasAuthenticationToken() {
throw new IllegalArgumentException("Cannot use default constructor");
}
//~ Methods ================================================================
public boolean equals(Object obj) {
@ -132,10 +121,6 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken
return false;
}
public GrantedAuthority[] getAuthorities() {
return this.authorities;
}
public Object getCredentials() {
return this.credentials;
}
@ -177,12 +162,10 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken
public String toString() {
StringBuffer sb = new StringBuffer();
sb.append(super.toString());
sb.append("; Credentials (Service/Proxy Ticket): ");
sb.append(this.credentials);
sb.append("; Proxy-Granting Ticket IOU: ");
sb.append(this.proxyGrantingTicketIou);
sb.append("; Proxy List: ");
sb.append(this.proxyList.toString());
sb.append("; Credentials (Service/Proxy Ticket): ").append(this.credentials);
sb.append("; Proxy-Granting Ticket IOU: ").append(this.proxyGrantingTicketIou);
sb.append("; Proxy List: ").append(this.proxyList);
return (sb.toString());
}

12
core/src/main/java/org/acegisecurity/providers/rememberme/RememberMeAuthenticationToken.java
View File

@ -40,7 +40,6 @@ public class RememberMeAuthenticationToken extends AbstractAuthenticationToken
//~ Instance fields ========================================================
private Object principal;
private GrantedAuthority[] authorities;
private int keyHash;
private boolean authenticated;
@ -57,6 +56,8 @@ public class RememberMeAuthenticationToken extends AbstractAuthenticationToken
*/
public RememberMeAuthenticationToken(String key, Object principal,
GrantedAuthority[] authorities) {
super(authorities);
if ((key == null) || ("".equals(key)) || (principal == null)
|| "".equals(principal) || (authorities == null)
|| (authorities.length == 0)) {
@ -72,14 +73,9 @@ public class RememberMeAuthenticationToken extends AbstractAuthenticationToken
this.keyHash = key.hashCode();
this.principal = principal;
this.authorities = authorities;
this.authenticated = true;
}
protected RememberMeAuthenticationToken() {
throw new IllegalArgumentException("Cannot use default constructor");
}
//~ Methods ================================================================
public void setAuthenticated(boolean isAuthenticated) {
@ -90,10 +86,6 @@ public class RememberMeAuthenticationToken extends AbstractAuthenticationToken
return this.authenticated;
}
public GrantedAuthority[] getAuthorities() {
return this.authorities;
}
/**
* Always returns an empty <code>String</code>
*

14
core/src/main/java/org/acegisecurity/providers/x509/X509AuthenticationToken.java
View File

@ -31,7 +31,6 @@ public class X509AuthenticationToken extends AbstractAuthenticationToken {
private X509Certificate credentials;
private Object principal;
private GrantedAuthority[] authorities;
private boolean authenticated = false;
private Object details = null;
@ -39,13 +38,16 @@ public class X509AuthenticationToken extends AbstractAuthenticationToken {
/** Used for an authentication request */
public X509AuthenticationToken(X509Certificate credentials) {
super(null);
this.credentials = credentials;
}
public X509AuthenticationToken(Object principal, X509Certificate credentials, GrantedAuthority[] authorities) {
public X509AuthenticationToken(Object principal,
X509Certificate credentials,
GrantedAuthority[] authorities) {
super(authorities);
this.principal = principal;
this.credentials = credentials;
this.principal = principal;
this.authorities = authorities;
}
//~ Methods ================================================================
@ -67,10 +69,6 @@ public class X509AuthenticationToken extends AbstractAuthenticationToken {
return authenticated;
}
public GrantedAuthority[] getAuthorities() {
return authorities;
}
public Object getCredentials() {
return credentials;
}

14
core/src/main/java/org/acegisecurity/runas/RunAsUserToken.java
View File

@ -32,7 +32,6 @@ public class RunAsUserToken extends AbstractAuthenticationToken {
private Class originalAuthentication;
private Object credentials;
private Object principal;
private GrantedAuthority[] authorities;
private int keyHash;
private boolean authenticated;
@ -40,19 +39,14 @@ public class RunAsUserToken extends AbstractAuthenticationToken {
public RunAsUserToken(String key, Object principal, Object credentials,
GrantedAuthority[] authorities, Class originalAuthentication) {
super();
super(authorities);
this.keyHash = key.hashCode();
this.authorities = authorities;
this.principal = principal;
this.credentials = credentials;
this.originalAuthentication = originalAuthentication;
this.authenticated = true;
}
protected RunAsUserToken() {
throw new IllegalArgumentException("Cannot use default constructor");
}
//~ Methods ================================================================
public void setAuthenticated(boolean isAuthenticated) {
@ -63,10 +57,6 @@ public class RunAsUserToken extends AbstractAuthenticationToken {
return this.authenticated;
}
public GrantedAuthority[] getAuthorities() {
return this.authorities;
}
public Object getCredentials() {
return this.credentials;
}
@ -85,7 +75,7 @@ public class RunAsUserToken extends AbstractAuthenticationToken {
public String toString() {
StringBuffer sb = new StringBuffer(super.toString());
sb.append("; Original Class: " + this.originalAuthentication.getName());
sb.append("; Original Class: ").append(this.originalAuthentication.getName());
return sb.toString();
}

10
core/src/test/java/org/acegisecurity/MockRunAsAuthenticationToken.java
View File

@ -30,6 +30,12 @@ public class MockRunAsAuthenticationToken extends AbstractAuthenticationToken {
private boolean authenticated = false;
//~ Constructors ===========================================================
public MockRunAsAuthenticationToken() {
super(null);
}
//~ Methods ================================================================
public void setAuthenticated(boolean isAuthenticated) {
@ -40,10 +46,6 @@ public class MockRunAsAuthenticationToken extends AbstractAuthenticationToken {
return authenticated;
}
public GrantedAuthority[] getAuthorities() {
return null;
}
public Object getCredentials() {
return null;
}

4
core/src/test/java/org/acegisecurity/adapters/AuthByAdapterTests.java
View File

@ -24,6 +24,8 @@ import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import java.util.Arrays;
/**
* Tests {@link AuthByAdapterProvider}
*
@ -67,7 +69,7 @@ public class AuthByAdapterTests extends TestCase {
assertEquals(token.getCredentials(), response.getCredentials());
assertEquals(token.getPrincipal(), response.getPrincipal());
assertEquals(token.getAuthorities(), response.getAuthorities());
assertTrue(Arrays.equals(token.getAuthorities(), response.getAuthorities()));
if (!response.getClass().equals(token.getClass())) {
fail("Should have returned same type of object it was given");

9
core/src/test/java/org/acegisecurity/providers/AbstractAuthenticationTokenTests.java
View File

@ -148,22 +148,17 @@ public class AbstractAuthenticationTokenTests extends TestCase {
private class MockAuthenticationImpl extends AbstractAuthenticationToken {
private Object credentials;
private Object principal;
private GrantedAuthority[] authorities;
private boolean authenticated = false;
public MockAuthenticationImpl(Object principal, Object credentials,
GrantedAuthority[] authorities) {
super(authorities);
this.principal = principal;
this.credentials = credentials;
this.authorities = authorities;
}
private MockAuthenticationImpl() {
super();
}
public GrantedAuthority[] getAuthorities() {
return this.authorities;
super(null);
}
public Object getCredentials() {

11
core/src/test/java/org/acegisecurity/providers/TestingAuthenticationTokenTests.java
View File

@ -19,6 +19,7 @@ import junit.framework.TestCase;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken;
/**
@ -67,11 +68,13 @@ public class TestingAuthenticationTokenTests extends TestCase {
assertEquals("ROLE_TWO", token.getAuthorities()[1].getAuthority());
}
public void testNoArgConstructor() {
public void testNoArgConstructorDoesntExist() {
Class clazz = TestingAuthenticationToken.class;
try {
new TestingAuthenticationToken();
fail("Should have thrown IllegalArgumentException");
} catch (IllegalArgumentException expected) {
clazz.getDeclaredConstructor((Class[])null);
fail("Should have thrown NoSuchMethodException");
} catch (NoSuchMethodException expected) {
assertTrue(true);
}
}

11
core/src/test/java/org/acegisecurity/providers/anonymous/AnonymousAuthenticationTokenTests.java
View File

@ -20,6 +20,7 @@ import junit.framework.TestCase;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken;
import java.util.List;
import java.util.Vector;
@ -126,11 +127,13 @@ public class AnonymousAuthenticationTokenTests extends TestCase {
assertTrue(token.isAuthenticated());
}
public void testNoArgConstructor() {
public void testNoArgConstructorDoesntExist() {
Class clazz = AnonymousAuthenticationToken.class;
try {
new AnonymousAuthenticationToken();
fail("Should have thrown IllegalArgumentException");
} catch (IllegalArgumentException expected) {
clazz.getDeclaredConstructor((Class[])null);
fail("Should have thrown NoSuchMethodException");
} catch (NoSuchMethodException expected) {
assertTrue(true);
}
}

10
core/src/test/java/org/acegisecurity/providers/cas/CasAuthenticationTokenTests.java
View File

@ -178,11 +178,13 @@ public class CasAuthenticationTokenTests extends TestCase {
token.getUserDetails().getUsername());
}
public void testNoArgConstructor() {
public void testNoArgConstructorDoesntExist() {
Class clazz = CasAuthenticationToken.class;
try {
new CasAuthenticationToken();
fail("Should have thrown IllegalArgumentException");
} catch (IllegalArgumentException expected) {
clazz.getDeclaredConstructor((Class[])null);
fail("Should have thrown NoSuchMethodException");
} catch (NoSuchMethodException expected) {
assertTrue(true);
}
}

10
core/src/test/java/org/acegisecurity/providers/rememberme/RememberMeAuthenticationTokenTests.java
View File

@ -126,11 +126,13 @@ public class RememberMeAuthenticationTokenTests extends TestCase {
assertTrue(token.isAuthenticated());
}
public void testNoArgConstructor() {
public void testNoArgConstructorDoesntExist() {
Class clazz = RememberMeAuthenticationToken.class;
try {
new RememberMeAuthenticationToken();
fail("Should have thrown IllegalArgumentException");
} catch (IllegalArgumentException expected) {
clazz.getDeclaredConstructor((Class[])null);
fail("Should have thrown NoSuchMethodException");
} catch (NoSuchMethodException expected) {
assertTrue(true);
}
}

11
core/src/test/java/org/acegisecurity/runas/RunAsUserTokenTests.java
View File

@ -71,11 +71,14 @@ public class RunAsUserTokenTests extends TestCase {
token.getOriginalAuthentication());
}
public void testNoArgsConstructor() {
public void testNoArgConstructorDoesntExist() {
Class clazz = RunAsUserToken.class;
try {
new RunAsUserToken();
fail("Should have thrown IllegalArgumentException");
} catch (IllegalArgumentException expected) {
clazz.getDeclaredConstructor((Class[])null);
fail("Should have thrown NoSuchMethodException");
} catch (NoSuchMethodException expected) {
assertTrue(true);
}
}

10
sandbox/src/main/java/org/acegisecurity/providers/smb/NtlmAuthenticationToken.java
View File

@ -38,7 +38,6 @@ public class NtlmAuthenticationToken extends AbstractAuthenticationToken {
private NtlmPasswordAuthentication ntlmPasswordAuthentication;
private transient UniAddress domainController;
private GrantedAuthority[] authorities;
private boolean authenticated;
//~ Constructors ===========================================================
@ -46,6 +45,7 @@ public class NtlmAuthenticationToken extends AbstractAuthenticationToken {
public NtlmAuthenticationToken(
NtlmPasswordAuthentication ntlmPasswordAuthentication,
UniAddress domainController) {
super(null);
this.ntlmPasswordAuthentication = ntlmPasswordAuthentication;
this.domainController = domainController;
}
@ -60,14 +60,6 @@ public class NtlmAuthenticationToken extends AbstractAuthenticationToken {
return authenticated;
}
public void setAuthorities(GrantedAuthority[] authorities) {
this.authorities = authorities;
}
public GrantedAuthority[] getAuthorities() {
return authorities;
}
public Object getCredentials() {
return ntlmPasswordAuthentication.getPassword();
}