SEC-1465: Change DelegatingMethodSecurityMetadataSource to use constructor injection to get round the problem of it being invoked before it has been initialized properly. Also changed the contacts tests to use the same app context and loading order as the actual webapp, to give better reassurance that the app will run successfully.

config/src/main/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParser.java

@@ -252,7 +252,7 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
     private BeanReference registerDelegatingMethodSecurityMetadataSource(ParserContext pc, ManagedList delegates, Object source) {
         RootBeanDefinition delegatingMethodSecurityMetadataSource = new RootBeanDefinition(DelegatingMethodSecurityMetadataSource.class);
         delegatingMethodSecurityMetadataSource.setSource(source);
-        delegatingMethodSecurityMetadataSource.getPropertyValues().addPropertyValue("methodSecurityMetadataSources", delegates);
+        delegatingMethodSecurityMetadataSource.getConstructorArgumentValues().addGenericArgumentValue(delegates);
 
         String id = pc.getReaderContext().generateBeanName(delegatingMethodSecurityMetadataSource);
         pc.registerBeanComponent(new BeanComponentDefinition(delegatingMethodSecurityMetadataSource, id));

core/src/main/java/org/springframework/security/access/method/DelegatingMethodSecurityMetadataSource.java

@@ -9,7 +9,6 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
-import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.util.Assert;
 import org.springframework.util.ObjectUtils;
@@ -21,19 +20,22 @@ import org.springframework.util.ObjectUtils;
  * @author Ben Alex
  * @author Luke Taylor
  */
-public final class DelegatingMethodSecurityMetadataSource extends AbstractMethodSecurityMetadataSource implements InitializingBean {
+public final class DelegatingMethodSecurityMetadataSource extends AbstractMethodSecurityMetadataSource {
     private final static List<ConfigAttribute> NULL_CONFIG_ATTRIBUTE = Collections.emptyList();
 
-    private List<MethodSecurityMetadataSource> methodSecurityMetadataSources;
+    private final List<MethodSecurityMetadataSource> methodSecurityMetadataSources;
     private final Map<DefaultCacheKey, Collection<ConfigAttribute>> attributeCache =
         new HashMap<DefaultCacheKey, Collection<ConfigAttribute>>();
 
-    //~ Methods ========================================================================================================
+    //~ Constructor ====================================================================================================
 
-    public void afterPropertiesSet() throws Exception {
-        Assert.notNull(methodSecurityMetadataSources, "A list of MethodSecurityMetadataSources is required");
+    public DelegatingMethodSecurityMetadataSource(List<MethodSecurityMetadataSource> methodSecurityMetadataSources) {
+        Assert.notEmpty(methodSecurityMetadataSources, "MethodSecurityMetadataSources cannot be null or empty");
+        this.methodSecurityMetadataSources = methodSecurityMetadataSources;
     }
 
+    //~ Methods ========================================================================================================
+
     public Collection<ConfigAttribute> getAttributes(Method method, Class<?> targetClass) {
         DefaultCacheKey cacheKey = new DefaultCacheKey(method, targetClass);
         synchronized (attributeCache) {
@@ -83,11 +85,6 @@ public final class DelegatingMethodSecurityMetadataSource extends AbstractMethod
         return set;
     }
 
-    @SuppressWarnings("unchecked")
-    public void setMethodSecurityMetadataSources(List methodSecurityMetadataSources) {
-        this.methodSecurityMetadataSources = methodSecurityMetadataSources;
-    }
-
     //~ Inner Classes ==================================================================================================
 
     private static class DefaultCacheKey {

gradle/javaprojects.gradle

@@ -1,7 +1,7 @@
 apply plugin: 'java'
 apply plugin: 'eclipse'
 
-springVersion = '3.0.1.RELEASE'
+springVersion = '3.0.2.RELEASE'
 springLdapVersion = '1.3.0.RELEASE'
 ehcacheVersion = '1.6.2'
 aspectjVersion = '1.6.8'

samples/contacts/src/main/webapp/WEB-INF/applicationContext-security.xml → samples/contacts/src/main/resources/applicationContext-security.xml

@@ -11,7 +11,7 @@
     xmlns:b="http://www.springframework.org/schema/beans"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
 
     <global-method-security pre-post-annotations="enabled">
         <expression-handler ref="expressionHandler"/>

samples/contacts/src/main/webapp/WEB-INF/web.xml

@@ -18,9 +18,9 @@
     <context-param>
         <param-name>contextConfigLocation</param-name>
         <param-value>
-            /WEB-INF/applicationContext-security.xml
             classpath:applicationContext-common-business.xml
             classpath:applicationContext-common-authorization.xml
+            classpath:applicationContext-security.xml
         </param-value>
     </context-param>
 

samples/contacts/src/test/java/sample/contact/ContactManagerTests.java

@@ -40,9 +40,9 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
  * @Author Luke Taylor
  */
 @ContextConfiguration(locations={
+                "/applicationContext-security.xml",
                 "/applicationContext-common-authorization.xml",
-                "/applicationContext-common-business.xml",
-                "/applicationContext-contacts-test.xml"})
+                "/applicationContext-common-business.xml"})
 @RunWith(SpringJUnit4ClassRunner.class)
 public class ContactManagerTests {
     //~ Instance fields ================================================================================================

samples/contacts/src/test/resources/applicationContext-contacts-test.xml

@@ -1,34 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  - Application context containing authentication beans.
-  -
-  - Only used by unit tests.
-  -
-  -->
-
-<b:beans xmlns="http://www.springframework.org/schema/security"
-    xmlns:b="http://www.springframework.org/schema/beans"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
-
-    <global-method-security pre-post-annotations="enabled">
-        <expression-handler ref="expressionHandler"/>
-    </global-method-security>
-
-    <authentication-manager>
-        <authentication-provider>
-            <password-encoder hash="md5"/>
-            <jdbc-user-service data-source-ref="dataSource"/>
-        </authentication-provider>
-    </authentication-manager>
-
-    <b:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
-        <b:property name="permissionEvaluator">
-            <b:bean class="org.springframework.security.acls.AclPermissionEvaluator">
-                <b:constructor-arg ref="aclService"/>
-            </b:bean>
-        </b:property>
-    </b:bean>
-
-</b:beans>