SEC-1909: Namespace configuration no longer uses deprecated API's

Previously the namespace configuration used deprecated API's
causing warnings to show up in Spring Tool suite when editing
Spring configuration files.

Now the namespace configuration uses the replacement API's for
those that have been deprecated. The tests have also been updated
to ensure the new constructors are used and that the updates did
not break anything.

config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java

@@ -1,3 +1,18 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.springframework.security.config.http;
 
 import static org.springframework.security.config.http.SecurityFilters.*;
@@ -5,10 +20,10 @@ import static org.springframework.security.config.http.SecurityFilters.*;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.BeanMetadataElement;
-import org.springframework.beans.PropertyValue;
-import org.springframework.beans.PropertyValues;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.BeanReference;
+import org.springframework.beans.factory.config.ConstructorArgumentValues;
+import org.springframework.beans.factory.config.ConstructorArgumentValues.ValueHolder;
 import org.springframework.beans.factory.config.RuntimeBeanReference;
 import org.springframework.beans.factory.parsing.BeanComponentDefinition;
 import org.springframework.beans.factory.support.BeanDefinitionBuilder;
@@ -20,6 +35,7 @@ import org.springframework.security.authentication.AnonymousAuthenticationProvid
 import org.springframework.security.authentication.RememberMeAuthenticationProvider;
 import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.Elements;
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper;
 import org.springframework.security.core.authority.mapping.SimpleMappableAttributesRetriever;
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
@@ -143,9 +159,9 @@ final class AuthenticationConfigBuilder {
                 key = createKey();
             }
 
-            rememberMeFilter = new RememberMeBeanDefinitionParser(key).parse(rememberMeElt, pc);
-            rememberMeFilter.getPropertyValues().addPropertyValue("authenticationManager", authenticationManager);
-            rememberMeServicesId = ((RuntimeBeanReference) rememberMeFilter.getPropertyValues().getPropertyValue("rememberMeServices").getValue()).getBeanName();
+            RememberMeBeanDefinitionParser rememberMeParser = new RememberMeBeanDefinitionParser(key, authenticationManager);
+            rememberMeFilter = rememberMeParser.parse(rememberMeElt, pc);
+            rememberMeServicesId = rememberMeParser.getRememberMeServicesId();
             createRememberMeProvider(key);
         }
     }
@@ -154,7 +170,7 @@ final class AuthenticationConfigBuilder {
         RootBeanDefinition provider = new RootBeanDefinition(RememberMeAuthenticationProvider.class);
         provider.setSource(rememberMeFilter.getSource());
 
-        provider.getPropertyValues().addPropertyValue("key", key);
+        provider.getConstructorArgumentValues().addGenericArgumentValue(key);
 
         String id = pc.getReaderContext().generateBeanName(provider);
         pc.registerBeanComponent(new BeanComponentDefinition(provider, id));
@@ -320,8 +336,8 @@ final class AuthenticationConfigBuilder {
             basicEntryPoint = new RuntimeBeanReference(entryPointId);
         }
 
-        filterBuilder.addPropertyValue("authenticationManager", authManager);
-        filterBuilder.addPropertyValue("authenticationEntryPoint", basicEntryPoint);
+        filterBuilder.addConstructorArgValue(authManager);
+        filterBuilder.addConstructorArgValue(basicEntryPoint);
         basicFilter = filterBuilder.getBeanDefinition();
     }
 
@@ -500,15 +516,14 @@ final class AuthenticationConfigBuilder {
         }
 
         anonymousFilter = new RootBeanDefinition(AnonymousAuthenticationFilter.class);
-
-        PropertyValue keyPV = new PropertyValue("key", key);
+        anonymousFilter.getConstructorArgumentValues().addIndexedArgumentValue(0, key);
+        anonymousFilter.getConstructorArgumentValues().addIndexedArgumentValue(1, username);
+        anonymousFilter.getConstructorArgumentValues().addIndexedArgumentValue(2, AuthorityUtils.createAuthorityList(grantedAuthority));
         anonymousFilter.setSource(source);
-        anonymousFilter.getPropertyValues().addPropertyValue("userAttribute", username + "," + grantedAuthority);
-        anonymousFilter.getPropertyValues().addPropertyValue(keyPV);
 
         RootBeanDefinition anonymousProviderBean = new RootBeanDefinition(AnonymousAuthenticationProvider.class);
+        anonymousProviderBean.getConstructorArgumentValues().addIndexedArgumentValue(0, key);
         anonymousProviderBean.setSource(anonymousFilter.getSource());
-        anonymousProviderBean.getPropertyValues().addPropertyValue(keyPV);
         String id = pc.getReaderContext().generateBeanName(anonymousProviderBean);
         pc.registerBeanComponent(new BeanComponentDefinition(anonymousProviderBean, id));
 
@@ -525,8 +540,8 @@ final class AuthenticationConfigBuilder {
         BeanDefinitionBuilder etfBuilder = BeanDefinitionBuilder.rootBeanDefinition(ExceptionTranslationFilter.class);
         etfBuilder.addPropertyValue("accessDeniedHandler", createAccessDeniedHandler(httpElt, pc));
         assert requestCache != null;
-        etfBuilder.addPropertyValue("requestCache", requestCache);
-        etfBuilder.addPropertyValue("authenticationEntryPoint", selectEntryPoint());
+        etfBuilder.addConstructorArgValue(selectEntryPoint());
+        etfBuilder.addConstructorArgValue(requestCache);
 
         etf = etfBuilder.getBeanDefinition();
     }
@@ -620,18 +635,18 @@ final class AuthenticationConfigBuilder {
             return null;
         }
 
-        PropertyValues pvs = entryPoint.getPropertyValues();
-        PropertyValue pv = pvs.getPropertyValue("loginFormUrl");
-        if (pv == null) {
+        ConstructorArgumentValues cavs = entryPoint.getConstructorArgumentValues();
+        ValueHolder vh = cavs.getIndexedArgumentValue(0, String.class);
+        if (vh == null) {
              return null;
         }
 
         // If the login URL is the default one, then it is assumed not to have been set explicitly
-        if (DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL.equals(pv.getValue())) {
+        if (DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL.equals(vh.getValue())) {
             return null;
         }
 
-        return (String) pv.getValue();
+        return (String) vh.getValue();
     }
 
     private void createUserDetailsServiceFactory() {

config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java

@@ -1,3 +1,18 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.springframework.security.config.http;
 
 import org.apache.commons.logging.Log;
@@ -115,7 +130,7 @@ public class FormLoginBeanDefinitionParser {
         BeanDefinitionBuilder entryPointBuilder =
                 BeanDefinitionBuilder.rootBeanDefinition(LoginUrlAuthenticationEntryPoint.class);
         entryPointBuilder.getRawBeanDefinition().setSource(source);
-        entryPointBuilder.addPropertyValue("loginFormUrl", loginPage != null ? loginPage : DEF_LOGIN_PAGE);
+        entryPointBuilder.addConstructorArgValue(loginPage != null ? loginPage : DEF_LOGIN_PAGE);
         entryPointBuilder.addPropertyValue("portMapper", portMapper);
         entryPointBuilder.addPropertyValue("portResolver", portResolver);
         entryPointBean = (RootBeanDefinition) entryPointBuilder.getBeanDefinition();

config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -1,3 +1,18 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.springframework.security.config.http;
 
 import static org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.*;
@@ -22,7 +37,6 @@ import org.springframework.security.access.vote.AuthenticatedVoter;
 import org.springframework.security.access.vote.RoleVoter;
 import org.springframework.security.config.Elements;
 import org.springframework.security.core.session.SessionRegistryImpl;
-import org.springframework.security.web.PortResolverImpl;
 import org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.access.channel.ChannelDecisionManagerImpl;
 import org.springframework.security.web.access.channel.ChannelProcessingFilter;
@@ -179,7 +193,7 @@ class HttpConfigurationBuilder {
         }
 
         contextRepoRef = new RuntimeBeanReference(repoRef);
-        scpf.addPropertyValue("securityContextRepository", contextRepoRef);
+        scpf.addConstructorArgValue(contextRepoRef);
 
         securityContextPersistenceFilter = scpf.getBeanDefinition();
     }
@@ -277,7 +291,7 @@ class HttpConfigurationBuilder {
             sessionMgmtFilter.addPropertyValue("invalidSessionStrategy", new SimpleRedirectInvalidSessionStrategy(invalidSessionUrl));
         }
 
-        sessionMgmtFilter.addPropertyReference("sessionAuthenticationStrategy", sessionAuthStratRef);
+        sessionMgmtFilter.addConstructorArgReference(sessionAuthStratRef);
 
         sfpf = (RootBeanDefinition) sessionMgmtFilter.getBeanDefinition();
         sessionStrategyRef = new RuntimeBeanReference(sessionAuthStratRef);
@@ -310,7 +324,7 @@ class HttpConfigurationBuilder {
 
         BeanDefinitionBuilder filterBuilder =
                 BeanDefinitionBuilder.rootBeanDefinition(ConcurrentSessionFilter.class);
-        filterBuilder.addPropertyReference("sessionRegistry", sessionRegistryId);
+        filterBuilder.addConstructorArgReference(sessionRegistryId);
 
         Object source = pc.extractSource(element);
         filterBuilder.getRawBeanDefinition().setSource(source);
@@ -320,7 +334,7 @@ class HttpConfigurationBuilder {
 
         if (StringUtils.hasText(expiryUrl)) {
             WebConfigUtils.validateHttpRedirect(expiryUrl, pc, source);
-            filterBuilder.addPropertyValue("expiredUrl", expiryUrl);
+            filterBuilder.addConstructorArgValue(expiryUrl);
         }
 
         pc.popAndRegisterContainingComponent();
@@ -450,7 +464,7 @@ class HttpConfigurationBuilder {
         }
 
         requestCacheAwareFilter = new RootBeanDefinition(RequestCacheAwareFilter.class);
-        requestCacheAwareFilter.getPropertyValues().addPropertyValue("requestCache", requestCache);
+        requestCacheAwareFilter.getConstructorArgumentValues().addGenericArgumentValue(requestCache);
     }
 
     private void createFilterSecurityInterceptor(BeanReference authManager) {

config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java

@@ -1,8 +1,24 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.springframework.security.config.http;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.config.BeanReference;
 import org.springframework.beans.factory.config.RuntimeBeanReference;
 import org.springframework.beans.factory.parsing.BeanComponentDefinition;
 import org.springframework.beans.factory.parsing.CompositeComponentDefinition;
@@ -21,6 +37,7 @@ import org.w3c.dom.Element;
 /**
  * @author Luke Taylor
  * @author Ben Alex
+ * @author Rob Winch
  */
 class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
     static final String ATT_DATA_SOURCE = "data-source-ref";
@@ -34,9 +51,12 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
 
     protected final Log logger = LogFactory.getLog(getClass());
     private final String key;
+    private final BeanReference authenticationManager;
+    private String rememberMeServicesId;
 
-    RememberMeBeanDefinitionParser(String key) {
+    RememberMeBeanDefinitionParser(String key, BeanReference authenticationManager) {
         this.key = key;
+        this.authenticationManager = authenticationManager;
     }
 
     public BeanDefinition parse(Element element, ParserContext pc) {
@@ -83,7 +103,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
                 ((BeanDefinition)tokenRepo).getPropertyValues().addPropertyValue("dataSource",
                         new RuntimeBeanReference(dataSource));
             }
-            services.getPropertyValues().addPropertyValue("tokenRepository", tokenRepo);
+            services.getConstructorArgumentValues().addIndexedArgumentValue(2, tokenRepo);
         } else if (!servicesRefSet) {
             services = new RootBeanDefinition(TokenBasedRememberMeServices.class);
         }
@@ -96,7 +116,9 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
             uds.setFactoryMethodName("cachingUserDetailsService");
             uds.getConstructorArgumentValues().addGenericArgumentValue(userServiceRef);
 
-            services.getPropertyValues().addPropertyValue("userDetailsService", uds);
+            services.getConstructorArgumentValues().addGenericArgumentValue(key);
+            services.getConstructorArgumentValues().addGenericArgumentValue(uds);
+            // tokenRepo is already added if it is a PersistentTokenBasedRememberMeServices
 
             String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE);
             if (StringUtils.hasText(useSecureCookie)) {
@@ -112,7 +134,6 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
                 services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity);
             }
             services.setSource(source);
-            services.getPropertyValues().addPropertyValue("key", key);
             servicesName = pc.getReaderContext().generateBeanName(services);
             pc.registerBeanComponent(new BeanComponentDefinition(services, servicesName));
         } else {
@@ -123,6 +144,8 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
             pc.getRegistry().registerAlias(servicesName, element.getAttribute(ATT_SERVICES_ALIAS));
         }
 
+        this.rememberMeServicesId = servicesName;
+
         BeanDefinitionBuilder filter = BeanDefinitionBuilder.rootBeanDefinition(RememberMeAuthenticationFilter.class);
         filter.getRawBeanDefinition().setSource(source);
 
@@ -130,11 +153,15 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
             filter.addPropertyReference("authenticationSuccessHandler", successHandlerRef);
         }
 
-        filter.addPropertyReference("rememberMeServices", servicesName);
+        filter.addConstructorArgValue(authenticationManager);
+        filter.addConstructorArgReference(servicesName);
 
         pc.popAndRegisterContainingComponent();
 
         return filter.getBeanDefinition();
     }
 
+    String getRememberMeServicesId() {
+        return this.rememberMeServicesId;
+    }
 }

config/src/main/java/org/springframework/security/config/method/MethodConfigUtils.java

@@ -1,3 +1,18 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.springframework.security.config.method;
 
 import org.springframework.beans.factory.support.BeanDefinitionBuilder;
@@ -15,6 +30,7 @@ import org.springframework.security.config.BeanIds;
  *
  * @author Luke Taylor
  * @author Ben Alex
+ * @author Rob Winch
  */
 abstract class MethodConfigUtils {
     @SuppressWarnings("unchecked")
@@ -34,7 +50,7 @@ abstract class MethodConfigUtils {
         }
 
         BeanDefinitionBuilder accessMgrBuilder = BeanDefinitionBuilder.rootBeanDefinition(AffirmativeBased.class);
-        accessMgrBuilder.addPropertyValue("decisionVoters", defaultVoters);
+        accessMgrBuilder.addConstructorArgValue(defaultVoters);
         return (RootBeanDefinition) accessMgrBuilder.getBeanDefinition();
     }
 }

config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy

@@ -1,3 +1,18 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.springframework.security.config.http;
 
 
@@ -12,6 +27,7 @@ import org.springframework.mock.web.MockHttpServletRequest
 import org.springframework.mock.web.MockHttpServletResponse
 import org.springframework.security.access.AccessDeniedException
 import org.springframework.security.access.SecurityConfig
+import org.springframework.security.authentication.AnonymousAuthenticationProvider;
 import org.springframework.security.authentication.TestingAuthenticationToken
 import org.springframework.security.config.BeanIds
 import org.springframework.security.config.MockUserServiceBeanPostProcessor
@@ -56,6 +72,12 @@ import org.springframework.security.web.access.expression.DefaultWebSecurityExpr
 import org.springframework.security.web.util.AntPathRequestMatcher
 import org.springframework.security.authentication.AuthenticationManager
 
+
+/**
+ *
+ * @author Luke Taylor
+ * @author Rob Winch
+ */
 class MiscHttpConfigTests extends AbstractHttpConfigTests {
     def 'Minimal configuration parses'() {
         setup:
@@ -181,8 +203,10 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
         createAppContext()
 
         AnonymousAuthenticationFilter filter = getFilter(AnonymousAuthenticationFilter);
+        def providers = appContext.getBeansOfType(AuthenticationManager).values()*.providers.flatten()
 
         expect:
+        'customKey' == providers.find { it instanceof AnonymousAuthenticationProvider }.key
         'customKey' == filter.key
         'joe' == filter.principal
         'anonymity' == filter.authorities[0].authority
@@ -667,7 +691,7 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
     def customAccessDecisionManagerIsSupported() {
         xml.http('auto-config': 'true', 'access-decision-manager-ref': 'adm')
         xml.'b:bean'(id: 'adm', 'class': AffirmativeBased.class.name) {
-            'b:property'(name: 'decisionVoters') {
+            'b:constructor-arg' {
                 'b:list'() {
                     'b:bean'('class': RoleVoter.class.name)
                     'b:bean'('class': RoleVoter.class.name)
@@ -736,6 +760,6 @@ class MockPermissionEvaluator implements PermissionEvaluator {
 
 class MockEntryPoint extends LoginUrlAuthenticationEntryPoint {
     public MockEntryPoint() {
-        super.setLoginFormUrl("/notused");
+        super("/notused");
     }
 }

config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy

@@ -1,3 +1,18 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.springframework.security.config.http
 
 import org.springframework.beans.factory.parsing.BeanDefinitionParsingException
@@ -9,15 +24,19 @@ import org.springframework.security.core.userdetails.MockUserDetailsService
 import org.springframework.security.util.FieldUtils
 import org.springframework.security.web.authentication.logout.LogoutFilter
 import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl
+import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
 import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
 import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter
 import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
 import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML
+
+import org.springframework.security.web.authentication.RememberMeServices;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
 
 /**
  *
  * @author Luke Taylor
+ * @author Rob Winch
  */
 class RememberMeConfigTests extends AbstractHttpConfigTests {
 
@@ -25,13 +44,16 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
         httpAutoConfig () {
             'remember-me'('token-repository-ref': 'tokenRepo')
         }
-        bean('tokenRepo', InMemoryTokenRepositoryImpl.class.name)
+        bean('tokenRepo', CustomTokenRepository.class.name)
 
         createAppContext(AUTH_PROVIDER_XML)
 
+        def rememberMeServices  = rememberMeServices()
+
         expect:
-        rememberMeServices() instanceof PersistentTokenBasedRememberMeServices
-        FieldUtils.getFieldValue(rememberMeServices(), "useSecureCookie") == null
+        rememberMeServices instanceof PersistentTokenBasedRememberMeServices
+        rememberMeServices.tokenRepository instanceof CustomTokenRepository
+        FieldUtils.getFieldValue(rememberMeServices, "useSecureCookie") == null
     }
 
     def rememberMeServiceWorksWithDataSourceRef() {
@@ -42,8 +64,11 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
 
         createAppContext(AUTH_PROVIDER_XML)
 
+        def rememberMeServices  = rememberMeServices()
+
         expect:
-        rememberMeServices() instanceof PersistentTokenBasedRememberMeServices
+        rememberMeServices instanceof PersistentTokenBasedRememberMeServices
+        rememberMeServices.tokenRepository instanceof JdbcTokenRepositoryImpl
     }
 
     def rememberMeServiceWorksWithAuthenticationSuccessHandlerRef() {
@@ -62,8 +87,11 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
         httpAutoConfig () {
             'remember-me'('key': "#{'our' + 'key'}", 'services-ref': 'rms')
         }
-        bean('rms', TokenBasedRememberMeServices.class.name,
-                ['key':'ourKey', 'tokenValiditySeconds':'5000'], ['userDetailsService':'us'])
+        xml.'b:bean'(id: 'rms', 'class': TokenBasedRememberMeServices.class.name) {
+            'b:constructor-arg'(value: 'ourKey')
+            'b:constructor-arg'(ref: 'us')
+            'b:property'(name: 'tokenValiditySeconds', value: '5000')
+        }
 
         createAppContext(AUTH_PROVIDER_XML)
 
@@ -88,8 +116,15 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
         }
 
         createAppContext(AUTH_PROVIDER_XML)
+
+        def rememberMeServices = rememberMeServices()
+        def rememberMeFilter = getFilter(RememberMeAuthenticationFilter.class)
+
         expect:
-        rememberMeServices().tokenValiditySeconds == 10000
+        rememberMeFilter.authenticationManager
+        rememberMeServices.key == 'ourkey'
+        rememberMeServices.tokenValiditySeconds == 10000
+        rememberMeServices.userDetailsService
     }
 
     def 'Remember-me token validity allows negative value for non-persistent implementation'() {
@@ -165,4 +200,8 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
     def rememberMeServices() {
         getFilter(RememberMeAuthenticationFilter.class).getRememberMeServices()
     }
+
+    static class CustomTokenRepository extends InMemoryTokenRepositoryImpl {
+
+    }
 }

config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy

@@ -1,3 +1,18 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.springframework.security.config.http
 
 import org.springframework.mock.web.MockFilterChain
@@ -22,6 +37,7 @@ import static org.junit.Assert.assertSame
  * Tests session-related functionality for the <http> namespace element and <session-management>
  *
  * @author Luke Taylor
+ * @author Rob Winch
  */
 class SessionManagementConfigTests extends AbstractHttpConfigTests {
 
@@ -87,11 +103,25 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
 
         expect:
         filters.get(0) instanceof ConcurrentSessionFilter
+        filters.get(0).expiredUrl == '/expired'
         appContext.getBean("sr") != null
         getFilter(SessionManagementFilter.class) != null
         sessionRegistryIsValid();
     }
 
+    def 'concurrency-control handles default expired-url as null'() {
+        httpAutoConfig {
+            'session-management'() {
+                'concurrency-control'('session-registry-alias':'sr')
+            }
+        }
+        createAppContext();
+        List filters = getFilters("/someurl");
+
+        expect:
+        filters.get(0).expiredUrl == null
+    }
+
     def externalSessionStrategyIsSupported() {
         when:
         httpAutoConfig {