From ff5bfccdba7b31024ad319d175409dac47c6944c Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Thu, 19 Jun 2008 13:46:45 +0000
Subject: [PATCH] SEC-892: Linked use of create-session='never' in namespace to corresponding properties in ExceptionTranslationFilter and AbstractProcessingFilter
---
.../HttpSecurityBeanDefinitionParser.java | 21 ++++++++++++-------
...HttpSecurityBeanDefinitionParserTests.java | 16 ++++++++++++++
2 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java b/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
index 7718c4e66d..4a11e675e8 100644
--- a/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
+++ b/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
@@ -116,7 +116,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
parseInterceptUrlsForChannelSecurityAndFilterChain(interceptUrlElts, filterChainMap, channelRequestMap, convertPathsToLowerCase, parserContext);
- registerHttpSessionIntegrationFilter(element, parserContext);
+ boolean allowSessionCreation = registerHttpSessionIntegrationFilter(element, parserContext);
registerServletApiFilter(element, parserContext);
@@ -133,7 +133,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
DomUtils.getChildElementByTagName(element, Elements.PORT_MAPPINGS), parserContext);
registry.registerBeanDefinition(BeanIds.PORT_MAPPER, portMapper);
- registerExceptionTranslationFilter(element, parserContext);
+ registerExceptionTranslationFilter(element, parserContext, allowSessionCreation);
if (channelRequestMap.size() > 0) {
@@ -174,7 +174,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
new LogoutBeanDefinitionParser().parse(logoutElt, parserContext);
}
- parseBasicFormLoginAndOpenID(element, parserContext, autoConfig);
+ parseBasicFormLoginAndOpenID(element, parserContext, autoConfig, allowSessionCreation);
Element x509Elt = DomUtils.getChildElementByTagName(element, Elements.X509);
if (x509Elt != null) {
@@ -205,8 +205,9 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
pc.getRegistry().registerAlias(BeanIds.FILTER_CHAIN_PROXY, BeanIds.SPRING_SECURITY_FILTER_CHAIN);
}
- private void registerHttpSessionIntegrationFilter(Element element, ParserContext pc) {
+ private boolean registerHttpSessionIntegrationFilter(Element element, ParserContext pc) {
RootBeanDefinition httpScif = new RootBeanDefinition(HttpSessionContextIntegrationFilter.class);
+ boolean sessionCreationAllowed = true;
String createSession = element.getAttribute(ATT_CREATE_SESSION);
if (OPT_CREATE_SESSION_ALWAYS.equals(createSession)) {
@@ -215,6 +216,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
} else if (OPT_CREATE_SESSION_NEVER.equals(createSession)) {
httpScif.getPropertyValues().addPropertyValue("allowSessionCreation", Boolean.FALSE);
httpScif.getPropertyValues().addPropertyValue("forceEagerSessionCreation", Boolean.FALSE);
+ sessionCreationAllowed = false;
} else {
createSession = DEF_CREATE_SESSION_IF_REQUIRED;
httpScif.getPropertyValues().addPropertyValue("allowSessionCreation", Boolean.TRUE);
@@ -223,6 +225,8 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
pc.getRegistry().registerBeanDefinition(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER, httpScif);
ConfigUtils.addHttpFilter(pc, new RuntimeBeanReference(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER));
+
+ return sessionCreationAllowed;
}
// Adds the servlet-api integration filter if required
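Review bot: The trailing `else` branch of `registerHttpSessionIntegrationFilter` maps any create-session value other than the `always`/`never` constants — a typo such as `Never` included — onto the permissive `ifRequired` default, and with this commit that fallback now also switches session creation back on in every filter fed by the returned flag, so unless the XSD already restricts the attribute to its three values the parser should reject an unrecognised value (via the parser context's error reporting, in the spirit of the `ConfigUtils.validateHttpRedirect` check used for the access-denied page) rather than silently downgrading. The new `sessionCreationAllowed` local would also benefit from a why-comment, since nothing in the method name says its result is consumed elsewhere: `// Returned so that ExceptionTranslationFilter and the processing filters honour create-session="never" as well`. The `always` branch of the method lies between the -205 and -215 hunks and is not visible here.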
@@ -252,12 +256,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
return true;
}
- private void registerExceptionTranslationFilter(Element element, ParserContext pc) {
+ private void registerExceptionTranslationFilter(Element element, ParserContext pc, boolean allowSessionCreation) {
String accessDeniedPage = element.getAttribute(ATT_ACCESS_DENIED_PAGE);
ConfigUtils.validateHttpRedirect(accessDeniedPage, pc, pc.extractSource(element));
BeanDefinitionBuilder exceptionTranslationFilterBuilder = BeanDefinitionBuilder.rootBeanDefinition(ExceptionTranslationFilter.class);
-
+ exceptionTranslationFilterBuilder.addPropertyValue("createSessionAllowed", new Boolean(allowSessionCreation));
+
if (StringUtils.hasText(accessDeniedPage)) {
AccessDeniedHandlerImpl accessDeniedHandler = new AccessDeniedHandlerImpl();
accessDeniedHandler.setErrorPage(accessDeniedPage);
@@ -338,7 +343,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
}
}
- private void parseBasicFormLoginAndOpenID(Element element, ParserContext pc, boolean autoConfig) {
+ private void parseBasicFormLoginAndOpenID(Element element, ParserContext pc, boolean autoConfig, boolean allowSessionCreation) {
RootBeanDefinition formLoginFilter = null;
RootBeanDefinition formLoginEntryPoint = null;
String formLoginPage = null;
@@ -397,6 +402,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
if (formLoginFilter != null) {
needLoginPage = true;
+ formLoginFilter.getPropertyValues().addPropertyValue("allowSessionCreation", new Boolean(allowSessionCreation));
pc.getRegistry().registerBeanDefinition(BeanIds.FORM_LOGIN_FILTER, formLoginFilter);
ConfigUtils.addHttpFilter(pc, new RuntimeBeanReference(BeanIds.FORM_LOGIN_FILTER));
pc.getRegistry().registerBeanDefinition(BeanIds.FORM_LOGIN_ENTRY_POINT, formLoginEntryPoint);
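Review bot: The property pushed onto the ExceptionTranslationFilter builder is named `createSessionAllowed`, whereas the integration filter and the processing filters in the -397 hunk use `allowSessionCreation`; a property name that does not match a setter on `ExceptionTranslationFilter` only fails at context refresh, and the tests added in this commit never read this bean, so please confirm the setter really is `setCreateSessionAllowed` (or cover it with an assertion). As a point of style, `new Boolean(allowSessionCreation)` allocates a fresh wrapper each time where `Boolean.valueOf(allowSessionCreation)` — or the `Boolean.TRUE`/`Boolean.FALSE` constants already used in `registerHttpSessionIntegrationFilter` — does the same job. `registerExceptionTranslationFilter` continues past the end of this hunk.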
@@ -404,6 +410,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
if (openIDFilter != null) {
needLoginPage = true;
+ openIDFilter.getPropertyValues().addPropertyValue("allowSessionCreation", new Boolean(allowSessionCreation));
pc.getRegistry().registerBeanDefinition(BeanIds.OPEN_ID_FILTER, openIDFilter);
ConfigUtils.addHttpFilter(pc, new RuntimeBeanReference(BeanIds.OPEN_ID_FILTER));
pc.getRegistry().registerBeanDefinition(BeanIds.OPEN_ID_ENTRY_POINT, openIDEntryPoint);
diff --git a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
index 1d5a4f9db0..170704e5ac 100644
--- a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
+++ b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
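Review bot: The added line is a verbatim copy of the one added for `formLoginFilter` in the preceding -397 hunk, differing only in the receiver, and both repeat the `new Boolean(allowSessionCreation)` allocation; since the commit message says these are the AbstractProcessingFilter subclasses that must honour the flag, a single helper keeps the two in step and makes it harder to forget a third such filter later: `private void setAllowSessionCreation(RootBeanDefinition filter, boolean allowed) { filter.getPropertyValues().addPropertyValue("allowSessionCreation", Boolean.valueOf(allowed)); }`, called as `setAllowSessionCreation(openIDFilter, allowSessionCreation);` here and `setAllowSessionCreation(formLoginFilter, allowSessionCreation);` above. The `if (openIDFilter != null)` block continues past the end of this hunk.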
@@ -601,6 +601,22 @@ public class HttpSecurityBeanDefinitionParserTests {
" " + AUTH_PROVIDER_XML);
}
+ @Test
+ public void settingCreateSessionToAlwaysSetsFilterPropertiesCorrectly() throws Exception {
+ // Protected, no anonymous filter configured.
+ setContext("" + AUTH_PROVIDER_XML);
+ assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "forceEagerSessionCreation"));
+ assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "allowSessionCreation"));
+ }
+
+ @Test
+ public void settingCreateSessionToNeverSetsFilterPropertiesCorrectly() throws Exception {
+ // Protected, no anonymous filter configured.
+ setContext("" + AUTH_PROVIDER_XML);
+ assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "forceEagerSessionCreation"));
+ assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "allowSessionCreation"));
+ }
+
private void setContext(String context) {
appContext = new InMemoryXmlApplicationContext(context);
}
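Review bot: Both new tests assert only on the HttpSessionContextIntegrationFilter bean, whose `create-session` wiring predates this commit, while the behaviour the commit actually introduces — propagating the flag to ExceptionTranslationFilter and the form-login/OpenID filters — is never checked, so a wrong property name in the parser would still pass this suite. In the `never` case add, provided the context declares form-login, `assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.FORM_LOGIN_FILTER), "allowSessionCreation"));` together with the matching assertion on the exception translation filter bean. The comment `// Protected, no anonymous filter configured.` appears in both tests, looks carried over from another test, and describes neither; something like `// create-session="never" must switch off both eager and on-demand session creation` would say what is actually asserted. The XML passed to `setContext` seems to have been stripped by the rendering, so which element is under test cannot be confirmed from this page.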