SEC-638: Allow property names as well as method names to be used in ReflectionSaltSource.

2008-01-21 14:45:29 +00:00 · 2008-01-21 14:45:29 +00:00 · eb70db1dee
parent fe6e297358
commit eb70db1dee
2 changed files with 70 additions and 69 deletions
--- a/core/src/main/java/org/springframework/security/providers/dao/salt/ReflectionSaltSource.java
+++ b/core/src/main/java/org/springframework/security/providers/dao/salt/ReflectionSaltSource.java
@ -22,15 +22,20 @@ import org.springframework.security.providers.dao.SaltSource;
 import org.springframework.security.userdetails.UserDetails;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.BeanUtils;
 import org.springframework.util.ReflectionUtils;
 import org.springframework.util.Assert;
 import java.lang.reflect.Method;
 import java.beans.PropertyDescriptor;
 /**
- * Obtains a salt from a specified property of the {@link org.springframework.security.userdetails.User} object.<P>This allows
+ * Obtains a salt from a specified property of the {@link org.springframework.security.userdetails.User} object.
- * you to subclass <code>User</code> and provide an additional bean getter for a salt. You should use a synthetic
+ * <p>
- * value that does not change, such as a database primary key.  Do not use <code>username</code> if it is likely to
+ * This allows you to subclass <code>User</code> and provide an additional bean getter for a salt. You should use a
- * change.</p>
+ * synthetic value that does not change, such as a database primary key.  Do not use <code>username</code> if it is
 * likely to change.
 *
 * @author Ben Alex
 * @version $Id$
@ -43,39 +48,59 @@ public class ReflectionSaltSource implements SaltSource, InitializingBean {
    //~ Methods ========================================================================================================
    public void afterPropertiesSet() throws Exception {
-        if ((this.getUserPropertyToUse() == null) || "".equals(this.getUserPropertyToUse())) {
+        Assert.hasText(userPropertyToUse, "A userPropertyToUse must be set");
            throw new IllegalArgumentException("A userPropertyToUse must be set");
        }
    }
    /**
-     * Performs reflection on the passed <code>User</code> to obtain the salt.<P>The property identified by
+     * Performs reflection on the passed <code>User</code> to obtain the salt.
-     * <code>userPropertyToUse</code> must be available from the passed <code>User</code> object. If it is not
+     * <p>
-     * available, an {@link AuthenticationServiceException} will be thrown.</p>
+     * The property identified by <code>userPropertyToUse</code> must be available from the passed <code>User</code>
     * object. If it is not available, an {@link AuthenticationServiceException} will be thrown.
     *
     * @param user which contains the method identified by <code>userPropertyToUse</code>
     *
-     * @return the result of invoking <code>user.userPropertyToUse()</code>
+     * @return the result of invoking <tt>user.userPropertyToUse()</tt>, or if the method doesn't exist,
     * <tt>user.getUserPropertyToUse()</tt>.
     *
     * @throws AuthenticationServiceException if reflection fails
     */
    public Object getSalt(UserDetails user) {
-        try {
+        Method saltMethod = findSaltMethod(user);
            Method reflectionMethod = user.getClass().getMethod(this.userPropertyToUse, new Class[] {});
-            return reflectionMethod.invoke(user, new Object[] {});
+        try {            
            return saltMethod.invoke(user, new Object[] {});
        } catch (Exception exception) {
            throw new AuthenticationServiceException(exception.getMessage(), exception);
        }
    }
-    public String getUserPropertyToUse() {
+    private Method findSaltMethod(UserDetails user) {
        Method saltMethod = ReflectionUtils.findMethod(user.getClass(), userPropertyToUse);
        if (saltMethod == null) {
            PropertyDescriptor pd = BeanUtils.getPropertyDescriptor(user.getClass(), userPropertyToUse);
            if (pd != null) {
                saltMethod = pd.getReadMethod();
            }
            if (saltMethod == null) {
                throw new AuthenticationServiceException("Unable to find salt method on user Object. Does the class '" +
                    user.getClass().getName() + "' have a method or getter named '" + userPropertyToUse + "' ?");
            }
        }
        return saltMethod;
    }
    protected String getUserPropertyToUse() {
        return userPropertyToUse;
    }
    /**
-     * The method name to call to obtain the salt. If your <code>UserDetails</code> contains a
+     * The method name to call to obtain the salt. Can be either a method name or a bean property name. If your
-     * <code>UserDetails.getSalt()</code> method, you should set this property to <code>getSalt</code>.
+     * <code>UserDetails</code> contains a <code>UserDetails.getSalt()</code> method, you should set this property to
     * "getSalt" or "salt".
     *
     * @param userPropertyToUse the name of the <b>getter</b> to call to obtain the salt from the
     *        <code>UserDetails</code>
@ -83,4 +108,8 @@ public class ReflectionSaltSource implements SaltSource, InitializingBean {
    public void setUserPropertyToUse(String userPropertyToUse) {
        this.userPropertyToUse = userPropertyToUse;
    }
    public String toString() {
        return "ReflectionSaltSource[ userPropertyToUse='" + userPropertyToUse + "'; ]";
    }
 }
--- a/core/src/test/java/org/springframework/security/providers/dao/salt/ReflectionSaltSourceTests.java
+++ b/core/src/test/java/org/springframework/security/providers/dao/salt/ReflectionSaltSourceTests.java
@ -15,8 +15,6 @@
 package org.springframework.security.providers.dao.salt;
 import junit.framework.TestCase;
 import org.springframework.security.AuthenticationServiceException;
 import org.springframework.security.GrantedAuthority;
 import org.springframework.security.GrantedAuthorityImpl;
@ -24,6 +22,8 @@ import org.springframework.security.GrantedAuthorityImpl;
 import org.springframework.security.userdetails.User;
 import org.springframework.security.userdetails.UserDetails;
 import org.junit.Test;
 import static junit.framework.Assert.*;
 /**
 * Tests {@link ReflectionSaltSource}.
@ -31,66 +31,38 @@ import org.springframework.security.userdetails.UserDetails;
 * @author Ben Alex
 * @version $Id$
 */
-public class ReflectionSaltSourceTests extends TestCase {
+public class ReflectionSaltSourceTests {
-    //~ Constructors ===================================================================================================
+    private UserDetails user = new User("scott", "wombat", true, true, true, true,
-
+            new GrantedAuthority[] {new GrantedAuthorityImpl("HOLDER")});
    public ReflectionSaltSourceTests() {
        super();
    }
    public ReflectionSaltSourceTests(String arg0) {
        super(arg0);
    }
    //~ Methods ========================================================================================================
-    public static void main(String[] args) {
+    @Test(expected=IllegalArgumentException.class)
-        junit.textui.TestRunner.run(ReflectionSaltSourceTests.class);
+    public void detectsMissingUserPropertyToUse() throws Exception {
    }
    public final void setUp() throws Exception {
        super.setUp();
    }
    public void testDetectsMissingUserPropertyToUse() throws Exception {
        ReflectionSaltSource saltSource = new ReflectionSaltSource();
        try {
        saltSource.afterPropertiesSet();
            fail("Should have thrown IllegalArgumentException");
        } catch (IllegalArgumentException expected) {
            assertEquals("A userPropertyToUse must be set", expected.getMessage());
        }
    }
-    public void testExceptionWhenInvalidPropertyRequested() {
+    @Test(expected=AuthenticationServiceException.class)
    public void exceptionIsThrownWhenInvalidPropertyRequested() throws Exception {
        ReflectionSaltSource saltSource = new ReflectionSaltSource();
        saltSource.setUserPropertyToUse("getDoesNotExist");
        UserDetails user = new User("scott", "wombat", true, true, true, true,
                new GrantedAuthority[] {new GrantedAuthorityImpl("HOLDER")});
        try {
            saltSource.getSalt(user);
            fail("Should have thrown AuthenticationServiceException");
        } catch (AuthenticationServiceException expected) {
            assertTrue(true);
        }
    }
    public void testGettersSetters() {
        ReflectionSaltSource saltSource = new ReflectionSaltSource();
        saltSource.setUserPropertyToUse("getUsername");
        assertEquals("getUsername", saltSource.getUserPropertyToUse());
    }
    public void testNormalOperation() throws Exception {
        ReflectionSaltSource saltSource = new ReflectionSaltSource();
        saltSource.setUserPropertyToUse("getUsername");
        saltSource.afterPropertiesSet();
        saltSource.getSalt(user);
    }
    @Test
    public void methodNameAsPropertyToUseReturnsCorrectSaltValue() {
        ReflectionSaltSource saltSource = new ReflectionSaltSource();
        saltSource.setUserPropertyToUse("getUsername");
        UserDetails user = new User("scott", "wombat", true, true, true, true,
                new GrantedAuthority[] {new GrantedAuthorityImpl("HOLDER")});
        assertEquals("scott", saltSource.getSalt(user));
    }
    @Test
    public void propertyNameAsPropertyToUseReturnsCorrectSaltValue() {
        ReflectionSaltSource saltSource = new ReflectionSaltSource();
        saltSource.setUserPropertyToUse("password");
        assertEquals("wombat", saltSource.getSalt(user));
    }
 }