SEC-2230: Polish scoping and finals

config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java

@@ -18,7 +18,6 @@ package org.springframework.security.config.http;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.List;
-import java.util.regex.PatternSyntaxException;
 
 import org.springframework.beans.BeanMetadataElement;
 import org.springframework.beans.factory.config.BeanDefinition;
@@ -33,7 +32,6 @@ import org.springframework.security.web.header.writers.HstsHeaderWriter;
 import org.springframework.security.web.header.writers.StaticHeadersWriter;
 import org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter;
 import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
-import org.springframework.security.web.header.writers.frameoptions.AbstractRequestParameterAllowFromStrategy;
 import org.springframework.security.web.header.writers.frameoptions.RegExpAllowFromStrategy;
 import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy;
 import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
@@ -200,20 +198,16 @@ public class HeadersBeanDefinitionParser implements BeanDefinitionParser {
                                     "'value' attribute doesn't represent a valid URI.", frameElt, e);
                         }
                     } else {
-                        AbstractRequestParameterAllowFromStrategy allowFromStrategy = null;
+                        BeanDefinitionBuilder allowFromStrategy;
                         if ("whitelist".equals(strategy)) {
-                            allowFromStrategy = new WhiteListedAllowFromStrategy(
-                                    StringUtils.commaDelimitedListToSet(value));
+                            allowFromStrategy =  BeanDefinitionBuilder.rootBeanDefinition(WhiteListedAllowFromStrategy.class);
+                            allowFromStrategy.addConstructorArgValue(StringUtils.commaDelimitedListToSet(value));
                         } else {
-                            try {
-                                allowFromStrategy = new RegExpAllowFromStrategy(value);
-                            } catch (PatternSyntaxException e) {
-                                parserContext.getReaderContext().error(
-                                        "'value' attribute doesn't represent a valid regular expression.", frameElt, e);
-                            }
+                            allowFromStrategy =  BeanDefinitionBuilder.rootBeanDefinition(RegExpAllowFromStrategy.class);
+                            allowFromStrategy.addConstructorArgValue(value);
                         }
                         String fromParameter = getAttribute(frameElt, ATT_FROM_PARAMETER, "from");
-                        allowFromStrategy.setAllowFromParameterName(fromParameter);
+                        allowFromStrategy.addPropertyValue("allowFromParameterName", fromParameter);
                         builder.addConstructorArgValue(allowFromStrategy);
                     }
                 } else {

web/src/main/java/org/springframework/security/web/header/writers/DelegatingRequestMatcherHeaderWriter.java

@@ -29,7 +29,7 @@ import org.springframework.util.Assert;
  * @author Rob Winch
  * @since 3.2
  */
-public class DelegatingRequestMatcherHeaderWriter implements HeaderWriter {
+public final class DelegatingRequestMatcherHeaderWriter implements HeaderWriter {
     private final RequestMatcher requestMatcher;
 
     private final HeaderWriter delegateHeaderWriter;

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java

@@ -14,7 +14,7 @@ import javax.servlet.http.HttpServletRequest;
  * @author Marten Deinum
  * @since 3.2
  */
-public abstract class AbstractRequestParameterAllowFromStrategy implements AllowFromStrategy {
+abstract class AbstractRequestParameterAllowFromStrategy implements AllowFromStrategy {
 
     private static final String DEFAULT_ORIGIN_REQUEST_PARAMETER = "x-frames-allow-from";
 

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategy.java

@@ -12,7 +12,7 @@ import java.util.regex.Pattern;
  * @author Marten Deinum
  * @since 3.2
  */
-public class RegExpAllowFromStrategy extends AbstractRequestParameterAllowFromStrategy {
+public final class RegExpAllowFromStrategy extends AbstractRequestParameterAllowFromStrategy {
 
     private final Pattern pattern;
 

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategy.java

@@ -6,12 +6,12 @@ import java.net.URI;
 /**
  * Simple implementation of the {@code AllowFromStrategy}
  */
-public class StaticAllowFromStrategy implements AllowFromStrategy {
+public final class StaticAllowFromStrategy implements AllowFromStrategy {
 
     private final URI uri;
 
     public StaticAllowFromStrategy(URI uri) {
-        this.uri=uri;
+        this.uri = uri;
     }
 
     public String getAllowFromValue(HttpServletRequest request) {

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategy.java

@@ -10,7 +10,7 @@ import org.springframework.util.Assert;
  * @author Marten Deinum
  * @since 3.2
  */
-public class WhiteListedAllowFromStrategy extends AbstractRequestParameterAllowFromStrategy {
+public final class WhiteListedAllowFromStrategy extends AbstractRequestParameterAllowFromStrategy {
 
     private final Collection<String> allowed;
 

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java

@@ -31,7 +31,7 @@ import javax.servlet.http.HttpServletResponse;
  *
  * @see AllowFromStrategy
  */
-public class XFrameOptionsHeaderWriter implements HeaderWriter {
+public final class XFrameOptionsHeaderWriter implements HeaderWriter {
 
     public static final String XFRAME_OPTIONS_HEADER = "X-Frame-Options";
 
@@ -110,7 +110,7 @@ public class XFrameOptionsHeaderWriter implements HeaderWriter {
          *
          * @return the mode for the X-Frame-Options header value.
          */
-        public String getMode() {
+        private String getMode() {
             return mode;
         }
     }