Add namespace support for anonymous requests. Also minor improvements to .rnc file as Trang didn't appear to be properly translating multi-line comments to the XSD (all multi-line comments were made single lines).

core/src/main/java/org/springframework/security/config/AnonymousBeanDefinitionParser.java

@@ -0,0 +1,45 @@
+package org.springframework.security.config;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.support.ManagedList;
+import org.springframework.beans.factory.support.RootBeanDefinition;
+import org.springframework.beans.factory.xml.BeanDefinitionParser;
+import org.springframework.beans.factory.xml.ParserContext;
+import org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider;
+import org.springframework.security.providers.anonymous.AnonymousProcessingFilter;
+import org.w3c.dom.Element;
+
+/**
+ * @author Ben Alex
+ * @version $Id: RememberMeBeanDefinitionParser.java 2231 2007-11-07 13:29:15Z luke_t $
+ */
+public class AnonymousBeanDefinitionParser implements BeanDefinitionParser {
+    protected final Log logger = LogFactory.getLog(getClass());
+
+    public static final String DEFAULT_ANONYMOUS_FILTER_ID = "_anonymousProcessingFilter";
+    public static final String DEFAULT_ANONYMOUS_AUTHENTICATION_PROVIDER_ID = "_anonymousAuthenticationProvider";
+
+    public BeanDefinition parse(Element element, ParserContext parserContext) {
+        BeanDefinition filter = new RootBeanDefinition(AnonymousProcessingFilter.class);
+
+        String grantedAuthority = element.getAttribute("grantedAuthority");
+        String username         = element.getAttribute("username");
+        String key              = element.getAttribute("key");
+
+        filter.getPropertyValues().addPropertyValue("userAttribute", username + "," + grantedAuthority);
+        filter.getPropertyValues().addPropertyValue("key", key);
+
+        BeanDefinition authManager = ConfigUtils.registerProviderManagerIfNecessary(parserContext);
+        BeanDefinition provider = new RootBeanDefinition(AnonymousAuthenticationProvider.class);
+        provider.getPropertyValues().addPropertyValue("key", key);
+
+        ManagedList authMgrProviderList = (ManagedList) authManager.getPropertyValues().getPropertyValue("providers").getValue();
+        authMgrProviderList.add(provider);
+
+        parserContext.getRegistry().registerBeanDefinition(DEFAULT_ANONYMOUS_FILTER_ID, filter);
+
+        return null;
+    }
+}

core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java

@@ -40,6 +40,7 @@ import java.util.Map;
  *
  *
  * @author Luke Taylor
+ * @author Ben Alex
  * @version $Id$
  */
 public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
@@ -58,6 +59,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
     public static final String FORM_LOGIN_ELEMENT = "form-login";
     public static final String BASIC_AUTH_ELEMENT = "http-basic";
     public static final String REMEMBER_ME_ELEMENT = "remember-me";
+    public static final String ANONYMOUS_ELEMENT = "anonymous";
 
     static final String PATH_PATTERN_ATTRIBUTE = "pattern";
     static final String PATTERN_TYPE_ATTRIBUTE = "pathType";
@@ -138,6 +140,12 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
             new ConcurrentSessionsBeanDefinitionParser().parse(sessionControlElt, parserContext);
         }
 
+        Element anonymousElt = DomUtils.getChildElementByTagName(element, ANONYMOUS_ELEMENT);
+        
+        if (anonymousElt != null) {
+            new AnonymousBeanDefinitionParser().parse(anonymousElt, parserContext);
+        }
+        
         // Parse remember me before logout as RememberMeServices is also a LogoutHandler implementation.
 
 

core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc

@@ -31,8 +31,7 @@ ldap =
     ## Sets up an ldap authentication provider, optionally with an embedded ldap server
     element ldap {ldap.attlist, empty}
 ldap.attlist &=
-    ## The url indicates the server location. If omitted, an embedded server will be 
-    ## started, optionally with the configured port number.
+    ## The url indicates the server location. If omitted, an embedded server will be started, optionally with the configured port number.
     (url | port)?
         
 ldap.attlist &=
@@ -40,8 +39,7 @@ ldap.attlist &=
     [ a:defaultValue = "classpath:*.ldif" ] attribute ldif { xsd:string }?
 
 intercept-methods = 
-    ## Can be used inside a bean definition to add a security interceptor to the bean and set up access 
-    ## configuration attributes for the bean's methods
+    ## Can be used inside a bean definition to add a security interceptor to the bean and set up access configuration attributes for the bean's methods
     element intercept-methods {intercept-methods.attlist, protect+} 
 
 intercept-methods.attlist = empty
@@ -60,7 +58,7 @@ protect.attlist &=
 
 http =
     ## Container element for HTTP security configuration
-   element http {http.attlist, (intercept-url+ & form-login? & http-basic? & logout? & concurrent-session-control? & remember-me?) }
+   element http {http.attlist, (intercept-url+ & form-login? & http-basic? & logout? & concurrent-session-control? & remember-me? & anonymous?) }
 http.attlist &=
     ## Controls the eagerness with which an HTTP session is created.
     [ a:defaultValue = "ifRequired" ] attribute createSession {"ifRequired" | "always" | "never" }?
@@ -71,8 +69,7 @@ http.attlist &=
     ## Whether test URLs should be converted to lower case prior to comparing with defined path patterns.
     [ a:defaultValue = "true" ] attribute lowerCaseComparisons {"true" | "false"}?
 http.attlist &=
-    ## Optional attribute specifying the ID of the AccessDecisionManager implementation which should be
-    ## used for authorizing HTTP requests.
+    ## Optional attribute specifying the ID of the AccessDecisionManager implementation which should be used for authorizing HTTP requests.
     attribute accessDecisionManager {xsd:string}?
 
 
@@ -80,15 +77,13 @@ intercept-url =
     ## Specifies the access attributes and/or filter list for a particular set of URLs.
     element intercept-url {intercept-url.attlist, empty}
 intercept-url.attlist &=
-    ## The pattern which defines the URL path. The content will depend on the type set in the containing http element, so will
-    ## default to ant path syntax.    
+    ## The pattern which defines the URL path. The content will depend on the type set in the containing http element, so will default to ant path syntax.    
     attribute pattern {xsd:string} 
 intercept-url.attlist &=
     ## The access configuration attributes that apply for the configured path.
     attribute access {xsd:string}?
-    ## The filter list for the path. Currently can be set to "none" to remove a path from having any filters applied.
-    ## The full filter stack (consisting of all defined filters, will be applied to any other paths).
 intercept-url.attlist &=
+    ## The filter list for the path. Currently can be set to "none" to remove a path from having any filters applied. The full filter stack (consisting of all defined filters, will be applied to any other paths).
     attribute filters {"none"}?
 intercept-url.attlist &=
     ## Used to specify that a URL must be accessed over http or https
@@ -120,10 +115,7 @@ filter-chain-map.attlist &=
     path-type    
 
 filter-chain =
-    ## Used within filter-chain-map to define a specific URL pattern and the list of filters 
-    ## which apply to the URLs matching that pattern. When multiple filter-chain elements are used within a
-    ## filter-chain-map element, the most specific patterns must be placed at the top of the list, with 
-    ## most general ones at the bottom.
+    ## Used within filter-chain-map to define a specific URL pattern and the list of filters which apply to the URLs matching that pattern. When multiple filter-chain elements are used within a filter-chain-map element, the most specific patterns must be placed at the top of the list, with  most general ones at the bottom.
     element filter-chain {filter-chain.attlist, empty}
 filter-chain.attlist &= 
     attribute pattern {xsd:string}
@@ -137,8 +129,7 @@ http-basic.attlist &=
     attribute realm {xsd:string}
 
 concurrent-session-control =
-    ## Adds support for concurrent session control, allowing limits to be placed on the number of sessions a
-    ## user can have.
+    ## Adds support for concurrent session control, allowing limits to be placed on the number of sessions a user can have.
     element concurrent-session-control {concurrent-sessions.attlist, empty}
 concurrent-sessions.attlist &=
     attribute maxSessions {xsd:positiveInteger}?
@@ -149,10 +140,22 @@ concurrent-sessions.attlist &=
 
 remember-me = 
     element remember-me {remember-me.attlist} 
-    
 remember-me.attlist &= 
     (attribute key {xsd:string} | (attribute tokenRepository {xsd:string} | attribute datasource {xsd:string}))        
     
+anonymous = 
+	## Adds support for automatically granting all anonymous web requests a particular principal identity and a corresponding granted authority.
+    element anonymous {anonymous.attlist} 
+anonymous.attlist &=
+	## The key used between the provider and filter. This generally does not need to be set.
+    [ a:defaultValue = "doesNotMatter" ] attribute key {xsd:string}?
+anonymous.attlist &=
+	## The username that should be assigned to the anonymous request. This allows the principal to be identified, which may be important for logging and auditing. 
+    [ a:defaultValue = "anonymousUser" ] attribute username {xsd:string}?
+anonymous.attlist &=
+	## The granted authority that should be assigned to the anonymous request. Commonly this is used to assign the anonymous request particular roles, which can subsequently be used in authorization decisions.
+    [ a:defaultValue = "ROLE_ANONYMOUS" ] attribute grantedAuthority {xsd:string}?
+
 authentication-provider =
     element authentication-provider {authentication-provider.attlist, (user-service | jdbc-user-service)}
 authentication-provider.attlist &= empty

core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd

@@ -60,6 +60,9 @@
     </xs:attribute>
   </xs:attributeGroup>
   <xs:element name="intercept-methods">
+    <xs:annotation>
+      <xs:documentation>Can be used inside a bean definition to add a security interceptor to the bean and set up access configuration attributes for the bean's methods</xs:documentation>
+    </xs:annotation>
     <xs:complexType>
       <xs:sequence>
         <xs:element maxOccurs="unbounded" ref="security:protect"/>
@@ -98,6 +101,7 @@
         <xs:element ref="security:logout"/>
         <xs:element ref="security:concurrent-session-control"/>
         <xs:element ref="security:remember-me"/>
+        <xs:element ref="security:anonymous"/>
       </xs:choice>
       <xs:attributeGroup ref="security:http.attlist"/>
     </xs:complexType>
@@ -137,7 +141,11 @@
         </xs:restriction>
       </xs:simpleType>
     </xs:attribute>
-    <xs:attribute name="accessDecisionManager" type="xs:string"/>
+    <xs:attribute name="accessDecisionManager" type="xs:string">
+      <xs:annotation>
+        <xs:documentation>Optional attribute specifying the ID of the AccessDecisionManager implementation which should be used for authorizing HTTP requests.</xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
   </xs:attributeGroup>
   <xs:element name="intercept-url">
     <xs:annotation>
@@ -148,13 +156,20 @@
     </xs:complexType>
   </xs:element>
   <xs:attributeGroup name="intercept-url.attlist">
-    <xs:attribute name="pattern" use="required" type="xs:string"/>
+    <xs:attribute name="pattern" use="required" type="xs:string">
+      <xs:annotation>
+        <xs:documentation>The pattern which defines the URL path. The content will depend on the type set in the containing http element, so will default to ant path syntax.    </xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
     <xs:attribute name="access" type="xs:string">
       <xs:annotation>
         <xs:documentation>The access configuration attributes that apply for the configured path.</xs:documentation>
       </xs:annotation>
     </xs:attribute>
     <xs:attribute name="filters">
+      <xs:annotation>
+        <xs:documentation>The filter list for the path. Currently can be set to "none" to remove a path from having any filters applied. The full filter stack (consisting of all defined filters, will be applied to any other paths).</xs:documentation>
+      </xs:annotation>
       <xs:simpleType>
         <xs:restriction base="xs:token">
           <xs:enumeration value="none"/>
@@ -225,6 +240,9 @@
     <xs:attributeGroup ref="security:path-type"/>
   </xs:attributeGroup>
   <xs:element name="filter-chain">
+    <xs:annotation>
+      <xs:documentation>Used within filter-chain-map to define a specific URL pattern and the list of filters which apply to the URLs matching that pattern. When multiple filter-chain elements are used within a filter-chain-map element, the most specific patterns must be placed at the top of the list, with  most general ones at the bottom.</xs:documentation>
+    </xs:annotation>
     <xs:complexType>
       <xs:attributeGroup ref="security:filter-chain.attlist"/>
     </xs:complexType>
@@ -245,6 +263,9 @@
     <xs:attribute name="realm" use="required" type="xs:string"/>
   </xs:attributeGroup>
   <xs:element name="concurrent-session-control">
+    <xs:annotation>
+      <xs:documentation>Adds support for concurrent session control, allowing limits to be placed on the number of sessions a user can have.</xs:documentation>
+    </xs:annotation>
     <xs:complexType>
       <xs:attributeGroup ref="security:concurrent-sessions.attlist"/>
     </xs:complexType>
@@ -271,6 +292,31 @@
     <xs:attribute name="tokenRepository" type="xs:string"/>
     <xs:attribute name="datasource" type="xs:string"/>
   </xs:attributeGroup>
+  <xs:element name="anonymous">
+    <xs:annotation>
+      <xs:documentation>Adds support for automatically granting all anonymous web requests a particular principal identity and a corresponding granted authority.</xs:documentation>
+    </xs:annotation>
+    <xs:complexType>
+      <xs:attributeGroup ref="security:anonymous.attlist"/>
+    </xs:complexType>
+  </xs:element>
+  <xs:attributeGroup name="anonymous.attlist">
+    <xs:attribute name="key" default="doesNotMatter" type="xs:string">
+      <xs:annotation>
+        <xs:documentation>The key used between the provider and filter. This generally does not need to be set.</xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+    <xs:attribute name="username" default="anonymousUser" type="xs:string">
+      <xs:annotation>
+        <xs:documentation>The username that should be assigned to the anonymous request. This allows the principal to be identified, which may be important for logging and auditing. </xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+    <xs:attribute name="grantedAuthority" default="ROLE_ANONYMOUS" type="xs:string">
+      <xs:annotation>
+        <xs:documentation>The granted authority that should be assigned to the anonymous request. Commonly this is used to assign the anonymous request particular roles, which can subsequently be used in authorization decisions.</xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+  </xs:attributeGroup>
   <xs:element name="authentication-provider">
     <xs:complexType>
       <xs:choice>