
SEC-2139: named-security-filter are all defined and ordered correctly

Rob Winch 12 years ago
parent
commit
c131fb6379

+ 3 - 3
config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc

@@ -553,7 +553,7 @@ remember-me =
     ## Sets up remember-me authentication. If used with the "key" attribute (or no attributes) the cookie-only implementation will be used. Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the more secure, persisten token approach.
     element remember-me {remember-me.attlist}
 remember-me.attlist &=
-    ## The "key" used to identify cookies from a specific token-based remember-me application. You should set this to a unique value for your application. If unset, it will default to a random value generated by SecureRandom.
+    ## The "key" used to identify cookies from a specific token-based remember-me application. You should set this to a unique value for your application.
     attribute key {xsd:token}?
 
 remember-me.attlist &=
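Review bot: The `key` comment on `remember-me.attlist` no longer says what happens when the attribute is omitted, although the element comment above still describes a "no attributes" mode. A reader cannot tell from the schema whether the key protecting remember-me cookies is then predictable. I would document the real 3.1 default and its consequence, along the lines of `## ... If unset, <actual 3.1 default> is used; set an explicit, unique, secret value in production.`. The default must be confirmed against the 3.1 parser, which is not visible in this diff.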
@@ -593,7 +593,7 @@ anonymous =
     ## Adds support for automatically granting all anonymous web requests a particular principal identity and a corresponding granted authority.
     element anonymous {anonymous.attlist}
 anonymous.attlist &=
-    ## The key shared between the provider and filter. This generally does not need to be set. If unset, it will default to a random value generated by SecureRandom.
+    ## The key shared between the provider and filter. This generally does not need to be set. If unset, it will default to "doesNotMatter".
     attribute key {xsd:token}?
 anonymous.attlist &=
     ## The username that should be assigned to the anonymous request. This allows the principal to be identified, which may be important for logging and auditing. if unset, defaults to "anonymousUser".
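Review bot: The new `key` comment documents a fixed, publicly known default (`"doesNotMatter"`) while still saying the key generally does not need to be set, without explaining why a constant is acceptable. If the key only ties the anonymous filter to its provider inside one application context, the comment should say so. Presumably an explicit value matters once anonymous tokens are serialized or accepted from outside that context. Proposed wording: `## ... If unset, it defaults to the fixed value "doesNotMatter"; set an explicit key if anonymous tokens ever leave this application context.`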
@@ -739,4 +739,4 @@ position =
     ## The explicit position at which the custom-filter should be placed in the chain. Use if you are replacing a standard filter.
     attribute position {named-security-filter}
 
-named-security-filter = "FIRST" | "CHANNEL_FILTER" | "CONCURRENT_SESSION_FILTER" | "SECURITY_CONTEXT_FILTER" | "LOGOUT_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_FILTER" | "FORM_LOGIN_FILTER" | "OPENID_FILTER" |"BASIC_AUTH_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "SESSION_MANAGEMENT_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER" | "LAST"
+named-security-filter = "FIRST" | "CHANNEL_FILTER" | "SECURITY_CONTEXT_FILTER" | "CONCURRENT_SESSION_FILTER" | "LOGOUT_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_FILTER" | "FORM_LOGIN_FILTER" | "OPENID_FILTER" | "LOGIN_PAGE_FILTER" | "DIGEST_AUTH_FILTER" |"BASIC_AUTH_FILTER" | "REQUEST_CACHE_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "JAAS_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "SESSION_MANAGEMENT_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER" | "LAST"
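Review bot: Nothing in the schema says that the order of the `named-security-filter` values is significant, yet this line and the matching one in the spring-security-3.2.rnc hunk are reordered, and the commit's new test compares the order with `SecurityFilters` sorted by `order`. A comment above the definition would keep later additions in sync, e.g. `## Values are listed in SecurityFilters order; XsdDocumentedTests verifies this.` The 3.1 line also keeps `|"BASIC_AUTH_FILTER"` without a space after the bar, which the 3.2 line corrects.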

File diff suppressed because it is too large
+ 536 - 759
config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd


+ 1 - 1
config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc

@@ -818,4 +818,4 @@ position =
     ## The explicit position at which the custom-filter should be placed in the chain. Use if you are replacing a standard filter.
     attribute position {named-security-filter}
 
-named-security-filter = "FIRST" | "CHANNEL_FILTER" | "CONCURRENT_SESSION_FILTER" | "HEADERS_FILTER" | "CSRF_FILTER" | "SECURITY_CONTEXT_FILTER" | "LOGOUT_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_FILTER" | "FORM_LOGIN_FILTER" | "OPENID_FILTER" |"BASIC_AUTH_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "SESSION_MANAGEMENT_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER" | "LAST"
+named-security-filter = "FIRST" | "CHANNEL_FILTER" | "SECURITY_CONTEXT_FILTER" | "CONCURRENT_SESSION_FILTER" | "WEB_ASYNC_MANAGER_FILTER" | "HEADERS_FILTER" | "CSRF_FILTER" | "LOGOUT_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_FILTER" | "FORM_LOGIN_FILTER" | "OPENID_FILTER" | "LOGIN_PAGE_FILTER" | "DIGEST_AUTH_FILTER" | "BASIC_AUTH_FILTER" | "REQUEST_CACHE_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "JAAS_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "SESSION_MANAGEMENT_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER" | "LAST"

+ 7 - 2
config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd

@@ -2504,22 +2504,27 @@
       <xs:restriction base="xs:token">
          <xs:enumeration value="FIRST"/>
          <xs:enumeration value="CHANNEL_FILTER"/>
+         <xs:enumeration value="SECURITY_CONTEXT_FILTER"/>
          <xs:enumeration value="CONCURRENT_SESSION_FILTER"/>
+         <xs:enumeration value="WEB_ASYNC_MANAGER_FILTER"/>
          <xs:enumeration value="HEADERS_FILTER"/>
          <xs:enumeration value="CSRF_FILTER"/>
-         <xs:enumeration value="SECURITY_CONTEXT_FILTER"/>
          <xs:enumeration value="LOGOUT_FILTER"/>
          <xs:enumeration value="X509_FILTER"/>
          <xs:enumeration value="PRE_AUTH_FILTER"/>
          <xs:enumeration value="CAS_FILTER"/>
          <xs:enumeration value="FORM_LOGIN_FILTER"/>
          <xs:enumeration value="OPENID_FILTER"/>
+         <xs:enumeration value="LOGIN_PAGE_FILTER"/>
+         <xs:enumeration value="DIGEST_AUTH_FILTER"/>
          <xs:enumeration value="BASIC_AUTH_FILTER"/>
+         <xs:enumeration value="REQUEST_CACHE_FILTER"/>
          <xs:enumeration value="SERVLET_API_SUPPORT_FILTER"/>
+         <xs:enumeration value="JAAS_API_SUPPORT_FILTER"/>
          <xs:enumeration value="REMEMBER_ME_FILTER"/>
          <xs:enumeration value="ANONYMOUS_FILTER"/>
-         <xs:enumeration value="EXCEPTION_TRANSLATION_FILTER"/>
          <xs:enumeration value="SESSION_MANAGEMENT_FILTER"/>
+         <xs:enumeration value="EXCEPTION_TRANSLATION_FILTER"/>
          <xs:enumeration value="FILTER_SECURITY_INTERCEPTOR"/>
          <xs:enumeration value="SWITCH_USER_FILTER"/>
          <xs:enumeration value="LAST"/>

+ 39 - 3
config/src/test/groovy/org/springframework/security/config/doc/XsdDocumentedTests.groovy

@@ -15,7 +15,11 @@
  */
 package org.springframework.security.config.doc
 
-import groovy.util.slurpersupport.NodeChild;
+import groovy.util.slurpersupport.GPathResult;
+import groovy.util.slurpersupport.NodeChild
+
+import org.springframework.security.config.http.SecurityFilters
+
 import spock.lang.*
 
 /**
@@ -29,12 +33,14 @@ class XsdDocumentedTests extends Specification {
     @Shared def appendix = new File('../docs/manual/src/docbook/appendix-namespace.xml')
     @Shared def appendixRoot = new XmlSlurper().parse(appendix)
 
+    @Shared File schema31xDocument = new File('src/main/resources/org/springframework/security/config/spring-security-3.1.xsd')
     @Shared File schemaDocument = new File('src/main/resources/org/springframework/security/config/spring-security-3.2.xsd')
     @Shared Map<String,Element> elementNameToElement
+    @Shared GPathResult schemaRootElement
 
     def setupSpec() {
-        def rootElement = new XmlSlurper().parse(schemaDocument)
-        elementNameToElement = new SpringSecurityXsdParser(rootElement: rootElement).parse()
+        schemaRootElement = new XmlSlurper().parse(schemaDocument)
+        elementNameToElement = new SpringSecurityXsdParser(rootElement: schemaRootElement).parse()
         appendixRoot.getMetaClass().sections = {
             delegate.breadthFirst().inject([]) {result, c->
                 if(c.name() == 'section' && c.@id) {
@@ -55,6 +61,36 @@ class XsdDocumentedTests extends Specification {
         }
     }
 
+    def 'SEC-2139: named-security-filter are all defined and ordered properly'() {
+        setup:
+            def expectedFilters = (EnumSet.allOf(SecurityFilters) as List).sort { it.order }
+        when:
+            def nsf = schemaRootElement.simpleType.find { it.@name == 'named-security-filter' }
+            def nsfValues = nsf.children().children().collect { c ->
+                Enum.valueOf(SecurityFilters, c.@value.toString())
+            }
+        then:
+            expectedFilters == nsfValues
+    }
+
+    def 'SEC-2139: 3.1.x named-security-filter are all defined and ordered properly'() {
+        setup:
+            def expectedFilters = ["FIRST", "CHANNEL_FILTER", "SECURITY_CONTEXT_FILTER", "CONCURRENT_SESSION_FILTER", "LOGOUT_FILTER", "X509_FILTER",
+                "PRE_AUTH_FILTER", "CAS_FILTER", "FORM_LOGIN_FILTER", "OPENID_FILTER", "LOGIN_PAGE_FILTER", "DIGEST_AUTH_FILTER","BASIC_AUTH_FILTER",
+                "REQUEST_CACHE_FILTER", "SERVLET_API_SUPPORT_FILTER", "JAAS_API_SUPPORT_FILTER", "REMEMBER_ME_FILTER", "ANONYMOUS_FILTER",
+                "SESSION_MANAGEMENT_FILTER", "EXCEPTION_TRANSLATION_FILTER", "FILTER_SECURITY_INTERCEPTOR", "SWITCH_USER_FILTER", "LAST"].collect {
+                Enum.valueOf(SecurityFilters, it)
+            }
+            def schema31xRootElement = new XmlSlurper().parse(schema31xDocument)
+        when:
+            def nsf = schema31xRootElement.simpleType.find { it.@name == 'named-security-filter' }
+            def nsfValues = nsf.children().children().collect { c ->
+                Enum.valueOf(SecurityFilters, c.@value.toString())
+            }
+        then:
+            expectedFilters == nsfValues
+    }
+
     /**
      * This will check to ensure that the expected number of xsd documents are found to ensure that we are validating
      * against the current xsd document. If this test fails, all that is needed is to update the schemaDocument
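Review bot: Both new feature methods repeat the same `find`/`children().children()`/`Enum.valueOf` extraction, differing only in the schema root and the expected list. Pulling it into one private helper keeps the 3.1 and 3.2 checks from drifting apart and gives one place to document the assumption that the simpleType holds a single restriction whose children are the enumerations. A schema value missing from `SecurityFilters` surfaces as an `IllegalArgumentException` from `Enum.valueOf` rather than a list mismatch, which the helper comment should mention. The Javadoc that closes the hunk belongs to a method that continues outside it.

```groovy
    // Returns the named-security-filter enumeration values in schema order.
    // Assumes simpleType > restriction > enumeration nesting; a value unknown to
    // SecurityFilters fails with IllegalArgumentException from Enum.valueOf.
    private List<SecurityFilters> namedSecurityFilters(GPathResult root) {
        def nsf = root.simpleType.find { it.@name == 'named-security-filter' }
        nsf.children().children().collect { c ->
            Enum.valueOf(SecurityFilters, c.@value.toString())
        }
    }

    def 'SEC-2139: named-security-filter are all defined and ordered properly'() {
        setup:
            def expectedFilters = (EnumSet.allOf(SecurityFilters) as List).sort { it.order }
        when:
            def nsfValues = namedSecurityFilters(schemaRootElement)
        then:
            expectedFilters == nsfValues
    }
    // … unchanged: 3.1.x feature method setup; its when: block becomes
    //   def nsfValues = namedSecurityFilters(schema31xRootElement) …
```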

Some files were not shown because too many files changed in this diff