From cd946c4e23419e3b3adc4092830e2e5de558f1c3 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Sat, 19 Jun 2010 01:40:47 +0100 Subject: [PATCH] SEC-1493: Added namespace support. --- ...henticationManagerBeanDefinitionParser.java | 6 ++++++ .../http/HttpSecurityBeanDefinitionParser.java | 5 +++++ .../security/config/spring-security-3.1.rnc | 3 +++ .../security/config/spring-security-3.1.xsd | 5 +++++ .../config/http/MiscHttpConfigTests.groovy | 18 ++++++++++++++++++ ...cationManagerBeanDefinitionParserTests.java | 14 ++++++++++++++ 6 files changed, 51 insertions(+) diff --git a/config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java index 952052d1ce..1b700a14b1 100644 --- a/config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java @@ -35,6 +35,7 @@ import org.w3c.dom.NodeList; public class AuthenticationManagerBeanDefinitionParser implements BeanDefinitionParser { private static final String ATT_ALIAS = "alias"; private static final String ATT_REF = "ref"; + private static final String ATT_ERASE_CREDENTIALS = "erase-credentials"; public BeanDefinition parse(Element element, ParserContext pc) { Assert.state(!pc.getRegistry().containsBeanDefinition(BeanIds.AUTHENTICATION_MANAGER), @@ -79,6 +80,11 @@ public class AuthenticationManagerBeanDefinitionParser implements BeanDefinition } providerManagerBldr.addPropertyValue("providers", providers); + + if ("false".equals(element.getAttribute(ATT_ERASE_CREDENTIALS))) { + providerManagerBldr.addPropertyValue("eraseCredentialsAfterAuthentication", false); + } + // Add the default event publisher BeanDefinition publisher = new RootBeanDefinition(DefaultAuthenticationEventPublisher.class); String id = pc.getReaderContext().generateBeanName(publisher); diff --git a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java index 9b76ca2629..04aeddeed6 100644 --- a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java @@ -10,6 +10,7 @@ import org.apache.commons.logging.LogFactory; import org.springframework.beans.BeanMetadataElement; import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.beans.factory.config.BeanReference; +import org.springframework.beans.factory.config.MethodInvokingFactoryBean; import org.springframework.beans.factory.config.RuntimeBeanReference; import org.springframework.beans.factory.config.ConstructorArgumentValues.ValueHolder; import org.springframework.beans.factory.parsing.BeanComponentDefinition; @@ -169,6 +170,10 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { BeanDefinitionBuilder authManager = BeanDefinitionBuilder.rootBeanDefinition(ProviderManager.class); authManager.addPropertyValue("parent", new RootBeanDefinition(AuthenticationManagerFactoryBean.class)); authManager.addPropertyValue("providers", authenticationProviders); + RootBeanDefinition clearCredentials = new RootBeanDefinition(MethodInvokingFactoryBean.class); + clearCredentials.getPropertyValues().addPropertyValue("targetObject", new RootBeanDefinition(AuthenticationManagerFactoryBean.class)); + clearCredentials.getPropertyValues().addPropertyValue("targetMethod", "isEraseCredentialsAfterAuthentication"); + authManager.addPropertyValue("eraseCredentialsAfterAuthentication", clearCredentials); if (concurrencyController != null) { authManager.addPropertyValue("sessionController", concurrencyController); diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc index 5cb3c9d4cf..9c6fd542d0 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc @@ -572,6 +572,9 @@ authentication-manager = authman.attlist &= ## The alias you wish to use for the AuthenticationManager bean attribute alias {xsd:ID}? +authman.attlist &= + ## If set to true, the AuthenticationManger will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated. + attribute erase-credentials {boolean}? authentication-provider = ## Indicates that the contained user-service should be used as an authentication source. diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd index 2637b440b3..9cbaaed04f 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd @@ -1299,6 +1299,11 @@ The alias you wish to use for the AuthenticationManager bean + + + If set to true, the AuthenticationManger will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated. + + diff --git a/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy index 5607f2bb33..249323524c 100644 --- a/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy @@ -453,6 +453,24 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests { then: "App context creation and login request succeed" fcp.doFilter(request, new MockHttpServletResponse(), new MockFilterChain()); } + + def eraseCredentialsDefaultsToTrue() { + xml.http() { + 'form-login'() + } + createAppContext() + expect: + getFilter(UsernamePasswordAuthenticationFilter).authenticationManager.eraseCredentialsAfterAuthentication == true + } + + def eraseCredentialsIsSetFromParentAuthenticationManager() { + xml.http() { + 'form-login'() + } + createAppContext(""); + expect: + getFilter(UsernamePasswordAuthenticationFilter).authenticationManager.eraseCredentialsAfterAuthentication == false + } } class MockEntryPoint extends LoginUrlAuthenticationEntryPoint { diff --git a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java index c63e43735f..142d200df1 100644 --- a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java @@ -53,6 +53,20 @@ public class AuthenticationManagerBeanDefinitionParserTests { assertEquals(1, listener.events.size()); } + @Test + public void credentialsAreClearedByDefault() throws Exception { + setContext(CONTEXT, "3.1"); + ProviderManager pm = (ProviderManager) appContext.getBeansOfType(ProviderManager.class).values().toArray()[0]; + assertTrue(pm.isEraseCredentialsAfterAuthentication()); + } + + @Test + public void clearCredentialsPropertyIsRespected() throws Exception { + setContext("", "3.1"); + ProviderManager pm = (ProviderManager) appContext.getBeansOfType(ProviderManager.class).values().toArray()[0]; + assertFalse(pm.isEraseCredentialsAfterAuthentication()); + } + private void setContext(String context, String version) { appContext = new InMemoryXmlApplicationContext(context, version, null); }