SEC-1841: Added request-matcher-ref attribute to namespace for defining a filter chain.

Luke Taylor 2011-10-21 20:04:35 +01:00
parent 58f7d3acc6
commit f2786805e6
4 changed files with 35 additions and 4 deletions


@ -41,6 +41,7 @@ import java.util.*;
public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
private static final Log logger = LogFactory.getLog(HttpSecurityBeanDefinitionParser.class); private static final Log logger = LogFactory.getLog(HttpSecurityBeanDefinitionParser.class);
private static final String ATT_REQUEST_MATCHER_REF = "request-matcher-ref";
static final String ATT_PATH_PATTERN = "pattern"; static final String ATT_PATH_PATTERN = "pattern";
static final String ATT_HTTP_METHOD = "method"; static final String ATT_HTTP_METHOD = "method";
@ -90,9 +91,11 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
boolean secured = !OPT_SECURITY_NONE.equals(element.getAttribute(ATT_SECURED)); boolean secured = !OPT_SECURITY_NONE.equals(element.getAttribute(ATT_SECURED));
if (!secured) { if (!secured) {
if (!StringUtils.hasText(element.getAttribute(ATT_PATH_PATTERN))) { if (!StringUtils.hasText(element.getAttribute(ATT_PATH_PATTERN)) &&
!StringUtils.hasText(ATT_REQUEST_MATCHER_REF)) {
pc.getReaderContext().error("The '" + ATT_SECURED + "' attribute must be used in combination with" + pc.getReaderContext().error("The '" + ATT_SECURED + "' attribute must be used in combination with" +
" the '" + ATT_PATH_PATTERN +"' attribute.", pc.extractSource(element)); " the '" + ATT_PATH_PATTERN +"' or '" + ATT_REQUEST_MATCHER_REF + "' attributes.",
pc.extractSource(element));
} }
for (int n=0; n < element.getChildNodes().getLength(); n ++) { for (int n=0; n < element.getChildNodes().getLength(); n ++) {
@ -139,10 +142,19 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
} }
private BeanReference createSecurityFilterChainBean(Element element, ParserContext pc, List<?> filterChain) { private BeanReference createSecurityFilterChainBean(Element element, ParserContext pc, List<?> filterChain) {
BeanDefinition filterChainMatcher; BeanMetadataElement filterChainMatcher;
String requestMatcherRef = element.getAttribute(ATT_REQUEST_MATCHER_REF);
String filterChainPattern = element.getAttribute(ATT_PATH_PATTERN); String filterChainPattern = element.getAttribute(ATT_PATH_PATTERN);
if (StringUtils.hasText(requestMatcherRef)) {
if (StringUtils.hasText(filterChainPattern)) { if (StringUtils.hasText(filterChainPattern)) {
pc.getReaderContext().error("You can't define a pattern and a request-matcher-ref for the " +
"same filter chain", pc.extractSource(element));
}
filterChainMatcher = new RuntimeBeanReference(requestMatcherRef);
} else if (StringUtils.hasText(filterChainPattern)) {
filterChainMatcher = MatcherType.fromElement(element).createMatcher(filterChainPattern, null); filterChainMatcher = MatcherType.fromElement(element).createMatcher(filterChainPattern, null);
} else { } else {
filterChainMatcher = new RootBeanDefinition(AnyRequestMatcher.class); filterChainMatcher = new RootBeanDefinition(AnyRequestMatcher.class);
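Review bot: The added guard `!StringUtils.hasText(ATT_REQUEST_MATCHER_REF)` tests the attribute-name constant instead of the element's attribute value, so it is always false and the `security="none"` validation error can no longer fire. With neither `pattern` nor `request-matcher-ref` set, createSecurityFilterChainBean then appears to fall through to the AnyRequestMatcher branch, which would give an unsecured chain that matches every request. The condition should read `!StringUtils.hasText(element.getAttribute(ATT_REQUEST_MATCHER_REF))`. Both method bodies continue outside the hunks shown.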


@ -275,7 +275,9 @@ http.attlist &=
http.attlist &= http.attlist &=
## When set to 'none', requests matching the pattern attribute will be ignored by Spring Security. No security filters will be applied and no SecurityContext will be available. If set, the <http> element must be empty, with no children. ## When set to 'none', requests matching the pattern attribute will be ignored by Spring Security. No security filters will be applied and no SecurityContext will be available. If set, the <http> element must be empty, with no children.
attribute security {"none"}? attribute security {"none"}?
http.attlist &=
## Allows a RequestMatcher instance to be used, as an alternative to pattern-matching.
attribute request-matcher-ref { xsd:token }?
http.attlist &= http.attlist &=
## Automatically registers a login form, BASIC authentication, anonymous authentication, logout services, remember-me and servlet-api-integration. If set to "true", all of these capabilities are added (although you can still customize the configuration of each by providing the respective element). If unspecified, defaults to "false". ## Automatically registers a login form, BASIC authentication, anonymous authentication, logout services, remember-me and servlet-api-integration. If set to "true", all of these capabilities are added (although you can still customize the configuration of each by providing the respective element). If unspecified, defaults to "false".
attribute auto-config {xsd:boolean}? attribute auto-config {xsd:boolean}?
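Review bot: The documentation for `request-matcher-ref` does not say that the value is a bean name or that it cannot be combined with `pattern`, although the parser in this commit rejects that combination. I would extend it to `## Allows a RequestMatcher instance to be used, as an alternative to pattern-matching. The value is the name of a RequestMatcher bean and cannot be combined with the 'pattern' attribute.` The `security` description just above still says only "requests matching the pattern attribute" and should mention the matcher reference as well. The same wording is repeated in the XSD section.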


@ -706,6 +706,11 @@
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="request-matcher-ref" type="xs:token">
<xs:annotation>
<xs:documentation>Allows a RequestMatcher instance to be used, as an alternative to pattern-matching.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="auto-config" type="xs:boolean"> <xs:attribute name="auto-config" type="xs:boolean">
<xs:annotation> <xs:annotation>
<xs:documentation>Automatically registers a login form, BASIC authentication, anonymous authentication, logout services, remember-me and servlet-api-integration. If set to "true", all of these capabilities are added (although you can still customize the configuration of each by providing the respective element). If unspecified, defaults to "false".</xs:documentation> <xs:documentation>Automatically registers a login form, BASIC authentication, anonymous authentication, logout services, remember-me and servlet-api-integration. If set to "true", all of these capabilities are added (although you can still customize the configuration of each by providing the respective element). If unspecified, defaults to "false".</xs:documentation>


@ -53,6 +53,7 @@ import org.springframework.security.access.vote.AffirmativeBased
import org.springframework.security.access.PermissionEvaluator import org.springframework.security.access.PermissionEvaluator
import org.springframework.security.core.Authentication import org.springframework.security.core.Authentication
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler
import org.springframework.security.web.util.AntPathRequestMatcher
class MiscHttpConfigTests extends AbstractHttpConfigTests { class MiscHttpConfigTests extends AbstractHttpConfigTests {
def 'Minimal configuration parses'() { def 'Minimal configuration parses'() {
@ -138,6 +139,17 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
filtersMatchExpectedAutoConfigList('/Im_caught_by_the_Universal_Match'); filtersMatchExpectedAutoConfigList('/Im_caught_by_the_Universal_Match');
} }
def requestMatcherRefWorksCorrectly() {
xml.http('request-matcher-ref': 'matcher', security: 'none')
bean('matcher', AntPathRequestMatcher.class.name, ['/nofilters'])
httpAutoConfig() {}
createAppContext()
expect:
getFilters('/nofilters').size() == 0
filtersMatchExpectedAutoConfigList('/somethingElse');
}
// SEC-1152 // SEC-1152
def anonymousFilterIsAddedByDefault() { def anonymousFilterIsAddedByDefault() {
xml.http { xml.http {
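Review bot: `requestMatcherRefWorksCorrectly` covers only the accepted configuration, so neither rejection path touched by this commit is exercised. A case with `security: 'none'` and neither `pattern` nor `request-matcher-ref` should expect context creation to fail, and so should one that sets both `pattern` and `request-matcher-ref` on the same element. The first case would show whether the parser's validation of unsecured chains still fires. The exception type below assumes the reader context fails fast, as is usual for namespace parsing errors; confirm it against the other negative tests in this class.

```groovy
def securityNoneWithoutPatternOrMatcherRefIsRejected() {
    when:
    xml.http(security: 'none')
    createAppContext()

    then:
    thrown(BeanDefinitionParsingException)
}

def patternAndRequestMatcherRefTogetherAreRejected() {
    when:
    xml.http(pattern: '/nofilters', 'request-matcher-ref': 'matcher', security: 'none')
    bean('matcher', AntPathRequestMatcher.class.name, ['/nofilters'])
    createAppContext()

    then:
    thrown(BeanDefinitionParsingException)
}
```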