SEC-2257: Remove HttpSecurityBuilder#getAuthenticationManager()

Removed in favor of using shared object.

config/src/main/java/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java

@@ -171,7 +171,4 @@ public interface HttpSecurityBuilder<H extends HttpSecurityBuilder<H>> extends S
      * @return the {@link HttpSecurity} for further customizations
      */
     H addFilter(Filter filter);
-
-    // FIXME shared object or explicit?
-    AuthenticationManager getAuthenticationManager();
 }

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -112,8 +112,6 @@ import org.springframework.util.Assert;
  * @see EnableWebSecurity
  */
 public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity> implements SecurityBuilder<DefaultSecurityFilterChain>, HttpSecurityBuilder<HttpSecurity> {
-    private AuthenticationManager authenticationManager;
-
     private final RequestMatcherConfigurer requestMatcherConfigurer = new RequestMatcherConfigurer();
     private List<Filter> filters =  new ArrayList<Filter>();
     private RequestMatcher requestMatcher = new AnyRequestMatcher();
@@ -984,7 +982,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 
     @Override
     protected void beforeConfigure() throws Exception {
-        this.authenticationManager = getAuthenticationRegistry().build();
+        setSharedObject(AuthenticationManager.class,getAuthenticationRegistry().build());
     }
 
     @Override
@@ -1222,14 +1220,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
         return requestMatcher(new RegexRequestMatcher(pattern, null));
     }
 
-    /*
-     * (non-Javadoc)
-     * @see org.springframework.security.config.annotation.web.HttpBuilder#getAuthenticationManager()
-     */
-    public AuthenticationManager getAuthenticationManager() {
-        return authenticationManager;
-    }
-
     /**
      * Allows mapping HTTP requests that this {@link HttpSecurity} will be used for
      *

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractAuthenticationFilterConfigurer.java

@@ -19,6 +19,7 @@ import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.http.MediaType;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.openid.OpenIDLoginConfigurer;
@@ -245,7 +246,7 @@ public abstract class AbstractAuthenticationFilterConfigurer<B  extends HttpSecu
             authenticationEntryPoint.setPortMapper(portMapper);
         }
 
-        authFilter.setAuthenticationManager(http.getAuthenticationManager());
+        authFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
         authFilter.setAuthenticationSuccessHandler(successHandler);
         authFilter.setAuthenticationFailureHandler(failureHandler);
         if(authenticationDetailsSource != null) {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java

@@ -102,7 +102,7 @@ abstract class AbstractInterceptUrlConfigurer<H extends HttpSecurityBuilder<H>,C
         if(metadataSource == null) {
             return;
         }
-        FilterSecurityInterceptor securityInterceptor = createFilterSecurityInterceptor(metadataSource, http.getAuthenticationManager());
+        FilterSecurityInterceptor securityInterceptor = createFilterSecurityInterceptor(metadataSource, http.getSharedObject(AuthenticationManager.class));
         if(filterSecurityInterceptorOncePerRequest != null) {
             securityInterceptor.setObserveOncePerRequest(filterSecurityInterceptorOncePerRequest);
         }

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java

@@ -56,11 +56,7 @@ import org.springframework.util.StringUtils;
  *
  * <h2>Shared Objects Used</h2>
  *
- * The following shared objects are used:
- *
- * <ul>
- *     <li>{@link org.springframework.security.config.annotation.web.builders.HttpSecurity#getAuthenticationManager()}</li>
- * </ul>
+ * No shared objects are used.
  *
  * @param <H> the type of {@link HttpSecurityBuilder} that is being configured
  *

config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java

@@ -54,7 +54,7 @@ import org.springframework.security.web.util.RequestMatcher;
  * The following shared objects are used:
  *
  * <ul>
- * <li>{@link HttpSecurity#getAuthenticationManager()}</li>
+ * <li>{@link AuthenticationManager}</li>
  * <li>{@link RememberMeServices} - is optionally used. See {@link RememberMeConfigurer}</li>
  * <li>{@link SessionAuthenticationStrategy} - is optionally used. See {@link SessionManagementConfigurer}</li>
  * <li>{@link DefaultLoginPageViewFilter} - if present will be populated with information from the configuration</li>

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java

@@ -59,7 +59,7 @@ import org.springframework.web.accept.HeaderContentNegotiationStrategy;
  * The following shared objects are used:
  *
  * <ul>
- * <li>{@link HttpSecurity#getAuthenticationManager()}</li>
+ * <li>{@link AuthenticationManager}</li>
  * </ul>
  *
  * @author Rob Winch
@@ -145,7 +145,7 @@ public final class HttpBasicConfigurer<B extends HttpSecurityBuilder<B>> extends
 
     @Override
     public void configure(B http) throws Exception {
-        AuthenticationManager authenticationManager = http.getAuthenticationManager();
+        AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
         BasicAuthenticationFilter basicAuthenticationFilter = new BasicAuthenticationFilter(authenticationManager, authenticationEntryPoint);
         if(authenticationDetailsSource != null) {
             basicAuthenticationFilter.setAuthenticationDetailsSource(authenticationDetailsSource);

config/src/main/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurer.java

@@ -62,7 +62,7 @@ import org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthe
  * The following shared objects are used:
  *
  * <ul>
- * <li>{@link HttpSecurity#getAuthenticationManager()}</li>
+ * <li>{@link AuthenticationManager}</li>
  * </ul>
  *
  * @author Rob Winch
@@ -204,8 +204,7 @@ public final class JeeConfigurer<H extends HttpSecurityBuilder<H>> extends Abstr
 
     @Override
     public void configure(H http) throws Exception {
-        J2eePreAuthenticatedProcessingFilter filter = getFilter(http
-                .getAuthenticationManager());
+        J2eePreAuthenticatedProcessingFilter filter = getFilter(http.getSharedObject(AuthenticationManager.class));
         http.addFilter(filter);
     }
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java

@@ -17,6 +17,7 @@ package org.springframework.security.config.annotation.web.configurers;
 
 import java.util.UUID;
 
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.RememberMeAuthenticationProvider;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -64,7 +65,7 @@ import org.springframework.security.web.authentication.ui.DefaultLoginPageViewFi
  * The following shared objects are used:
  *
  * <ul>
- * <li>{@link HttpSecurity#getAuthenticationManager()}</li>
+ * <li>{@link AuthenticationManager}</li>
  * <li>{@link UserDetailsService} if no {@link #userDetailsService(UserDetailsService)} was specified.</li>
  * <li> {@link DefaultLoginPageViewFilter} - if present will be populated with information from the configuration</li>
  * </ul>
@@ -210,7 +211,7 @@ public final class RememberMeConfigurer<H extends HttpSecurityBuilder<H>> extend
     @Override
     public void configure(H http) throws Exception {
         RememberMeAuthenticationFilter rememberMeFilter = new RememberMeAuthenticationFilter(
-                http.getAuthenticationManager(), rememberMeServices);
+                http.getSharedObject(AuthenticationManager.class), rememberMeServices);
         if (authenticationSuccessHandler != null) {
             rememberMeFilter
                     .setAuthenticationSuccessHandler(authenticationSuccessHandler);

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurer.java

@@ -19,6 +19,7 @@ import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.context.SecurityContext;
@@ -67,7 +68,7 @@ public final class ServletApiConfigurer<H extends HttpSecurityBuilder<H>> extend
     @Override
     @SuppressWarnings("unchecked")
     public void configure(H http) throws Exception {
-        securityContextRequestFilter.setAuthenticationManager(http.getAuthenticationManager());
+        securityContextRequestFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
         ExceptionHandlingConfigurer<H> exceptionConf = http.getConfigurer(ExceptionHandlingConfigurer.class);
         AuthenticationEntryPoint authenticationEntryPoint = exceptionConf == null ? null : exceptionConf.getAuthenticationEntryPoint(http);
         securityContextRequestFilter.setAuthenticationEntryPoint(authenticationEntryPoint);

config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java

@@ -163,7 +163,7 @@ public final class X509Configurer<H extends HttpSecurityBuilder<H>> extends Abst
 
     @Override
     public void configure(H http) throws Exception {
-        X509AuthenticationFilter filter = getFilter(http.getAuthenticationManager());
+        X509AuthenticationFilter filter = getFilter(http.getSharedObject(AuthenticationManager.class));
         http.addFilter(filter);
     }
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/openid/OpenIDLoginConfigurer.java

@@ -25,6 +25,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.openid4java.consumer.ConsumerException;
 import org.openid4java.consumer.ConsumerManager;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@@ -110,7 +111,7 @@ import org.springframework.security.web.util.RequestMatcher;
  * The following shared objects are used:
  *
  * <ul>
- * <li>{@link HttpSecurity#getAuthenticationManager()}</li>
+ * <li>{@link AuthenticationManager}</li>
  * <li>{@link RememberMeServices} - is optionally used. See
  * {@link RememberMeConfigurer}</li>
  * <li>{@link SessionAuthenticationStrategy} - is optionally used. See