
Updated contact app to make more use of namespace configuration (now uses intercept-methods in target bean to set up method interceptor).

Luke Taylor 17 jaren geleden
bovenliggende
commit
dd47689687

+ 22 - 48
samples/contacts/src/main/resources/applicationContext-common-authorization.xml

@@ -1,5 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
+
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
 
 <!--
   - Application context containing authentication beans.
@@ -9,7 +14,6 @@
   - $Id$
   -->
 
-<beans>
 
   <bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
     <property name="basenames">
@@ -106,25 +110,25 @@
   <bean id="lookupStrategy" class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
     <constructor-arg ref="dataSource"/>
     <constructor-arg ref="aclCache"/>
-    <constructor-arg ref="aclAuthorizationStrategy"/>
     <constructor-arg>
-      <bean class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
+        <bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
+            <constructor-arg>
+            <list>
+                <bean class="org.springframework.security.GrantedAuthorityImpl">
+                    <constructor-arg value="ROLE_ADMINISTRATOR"/>
+                </bean>
+                <bean class="org.springframework.security.GrantedAuthorityImpl">
+                    <constructor-arg value="ROLE_ADMINISTRATOR"/>
+                </bean>
+                <bean class="org.springframework.security.GrantedAuthorityImpl">
+                    <constructor-arg value="ROLE_ADMINISTRATOR"/>
+                </bean>
+            </list>
+            </constructor-arg>
+        </bean>
     </constructor-arg>
-  </bean>
-
-  <bean id="aclAuthorizationStrategy" class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
     <constructor-arg>
-      <list>
-        <bean class="org.springframework.security.GrantedAuthorityImpl">
-          <constructor-arg value="ROLE_ADMINISTRATOR"/>
-        </bean>
-        <bean class="org.springframework.security.GrantedAuthorityImpl">
-          <constructor-arg value="ROLE_ADMINISTRATOR"/>
-        </bean>
-        <bean class="org.springframework.security.GrantedAuthorityImpl">
-          <constructor-arg value="ROLE_ADMINISTRATOR"/>
-        </bean>
-      </list>
+      <bean class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
     </constructor-arg>
   </bean>
 
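Review bot: The three `GrantedAuthorityImpl` entries passed to the inlined `AclAuthorizationStrategyImpl` are positional and all carry `ROLE_ADMINISTRATOR`, so they read like an accidental triplicate to anyone who does not know the constructor. A comment above the `<list>` would make the intent reviewable, for example `<!-- order matters: authority to change ownership, to change auditing, to change other ACL details -->`. Inlining also drops the `aclAuthorizationStrategy` id, so any bean outside this hunk that still refers to it by name would fail to resolve at context start-up; a search for the id before merging would settle that.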
@@ -168,34 +172,4 @@
     </constructor-arg>
   </bean>
 
-  <!-- ================= METHOD INVOCATION AUTHORIZATION ==================== -->
-
-  <!-- getRandomContact() is public.
-
-  The create, getAll, getById etc have ROLE_USER to ensure user is
-  authenticated (all users hold ROLE_USER in this application).
-
-  The delete and update methods don't need a ROLE_USER as they will
-  ensure the user is authenticated via their ACL_CONTACT_DELETE or
-  ACL_CONTACT_READ attribute, which also ensures the user has permission
-  to the Contact presented as a method argument.
-
-  Autowired to pick up authentication manager from namespace config.
-  -->
-  <bean id="contactManagerSecurity" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor" autowire="byType">
-    <property name="accessDecisionManager" ref="businessAccessDecisionManager"/>
-    <property name="afterInvocationManager" ref="afterInvocationManager"/>
-    <property name="objectDefinitionSource">
-      <value>
-        sample.contact.ContactManager.create=ROLE_USER
-        sample.contact.ContactManager.getAllRecipients=ROLE_USER
-        sample.contact.ContactManager.getAll=ROLE_USER,AFTER_ACL_COLLECTION_READ
-        sample.contact.ContactManager.getById=ROLE_USER,AFTER_ACL_READ
-        sample.contact.ContactManager.delete=ACL_CONTACT_DELETE
-        sample.contact.ContactManager.deletePermission=ACL_CONTACT_ADMIN
-        sample.contact.ContactManager.addPermission=ACL_CONTACT_ADMIN
-      </value>
-    </property>
-  </bean>
-
 </beans>

+ 37 - 28
samples/contacts/src/main/resources/applicationContext-common-business.xml

@@ -9,23 +9,24 @@
   -->
 
 <beans xmlns="http://www.springframework.org/schema/beans"
-    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:sec="http://www.springframework.org/schema/security"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                         http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
 
-  <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
-      <property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
-      <property name="url" value="jdbc:hsqldb:mem:test"/> <!-- <value>jdbc:hsqldb:hsql://localhost/acl</value> -->
-      <property name="username" value="sa"/>
-      <property name="password" value=""/>
-  </bean>
+    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
+        <property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
+        <property name="url" value="jdbc:hsqldb:mem:test"/>
+        <!-- <value>jdbc:hsqldb:hsql://localhost/acl</value> -->
+        <property name="username" value="sa"/>
+        <property name="password" value=""/>
+    </bean>
 
-	<bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
-		<property name="dataSource"><ref local="dataSource"/></property>
-	</bean>
+    <bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
+        <property name="dataSource" ref="dataSource"/>
+    </bean>
 
-	<bean id="transactionInterceptor" class="org.springframework.transaction.interceptor.TransactionInterceptor">
+    <bean id="transactionInterceptor" class="org.springframework.transaction.interceptor.TransactionInterceptor">
     <property name="transactionManager"><ref local="transactionManager"/></property>
 		<property name="transactionAttributeSource">
       <value>
@@ -40,27 +41,35 @@
 		</property>
 	</bean>
 
-   <bean id="dataSourcePopulator" class="sample.contact.DataSourcePopulator">
-	   <property name="dataSource" ref="dataSource"/>
-	   <property name="mutableAclService" ref="aclService"/>
-	   <property name="platformTransactionManager" ref="transactionManager"/>
-   </bean>
+    <bean id="dataSourcePopulator" class="sample.contact.DataSourcePopulator">
+        <property name="dataSource" ref="dataSource"/>
+        <property name="mutableAclService" ref="aclService"/>
+        <property name="platformTransactionManager" ref="transactionManager"/>
+    </bean>
 
-   <bean id="contactManager" class="org.springframework.aop.framework.ProxyFactoryBean">
-     <property name="proxyInterfaces" value="sample.contact.ContactManager"/>
-     <property name="interceptorNames">
-       <list>
-         <idref local="transactionInterceptor"/>
-         <idref bean="contactManagerSecurity"/>
-         <idref local="contactManagerTarget"/>
-       </list>
-     </property>
-   </bean>
+    <bean id="contactManager" class="org.springframework.aop.framework.ProxyFactoryBean">
+        <property name="proxyInterfaces" value="sample.contact.ContactManager"/>
+        <property name="interceptorNames">
+            <list>
+                <idref local="transactionInterceptor"/>
+                <idref local="contactManagerTarget"/>
+            </list>
+        </property>
+    </bean>
 
-   <bean id="contactManagerTarget" class="sample.contact.ContactManagerBackend">
+    <bean id="contactManagerTarget" class="sample.contact.ContactManagerBackend">
+       <sec:intercept-methods access-decision-manager-ref="businessAccessDecisionManager">
+           <sec:protect method="sample.contact.ContactManager.create" access="ROLE_USER"/>
+           <sec:protect method="sample.contact.ContactManager.getAllRecipients" access="ROLE_USER"/>
+           <sec:protect method="sample.contact.ContactManager.getAll" access="ROLE_USER,AFTER_ACL_COLLECTION_READ"/>
+           <sec:protect method="sample.contact.ContactManager.getById" access="ROLE_USER,AFTER_ACL_READ"/>
+           <sec:protect method="sample.contact.ContactManager.delete" access="ACL_CONTACT_DELETE"/>
+           <sec:protect method="sample.contact.ContactManager.deletePermission" access="ACL_CONTACT_ADMIN"/>
+           <sec:protect method="sample.contact.ContactManager.addPermission" access="ACL_CONTACT_ADMIN"/>
+       </sec:intercept-methods>
        <property name="contactDao">
             <bean class="sample.contact.ContactDaoSpring">
-               <property name="dataSource"><ref local="dataSource"/></property>
+               <property name="dataSource" ref="dataSource"/>
             </bean>
         </property>
         <property name="mutableAclService" ref="aclService"/>
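Review bot: `sec:intercept-methods` is given only `access-decision-manager-ref`, while the `MethodSecurityInterceptor` bean it replaces also set `afterInvocationManager`. The `AFTER_ACL_COLLECTION_READ` and `AFTER_ACL_READ` attributes on `getAll` and `getById` filter results only if an after-invocation manager is attached to the generated interceptor; how that happens is not visible in this hunk, so confirm it, ideally with a test that one user cannot read another user's contact, because otherwise those two methods are guarded by `ROLE_USER` alone. The rationale comment deleted from applicationContext-common-authorization.xml should move here as well, e.g. `<!-- methods not listed (getRandomContact) are public; delete/deletePermission/addPermission rely on the ACL_CONTACT_* attributes for both authentication and permission on the Contact argument -->`. The `contactManagerTarget` bean continues past the end of the hunk.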

+ 2 - 123
samples/contacts/src/main/webapp/WEB-INF/applicationContext-acegi-security.xml

@@ -27,141 +27,20 @@
         <logout logout-success-url="/index.jsp"/>
     </http>
 
-<!--
-	<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
-      <property name="filterInvocationDefinitionSource">
-         <value><![CDATA[
-		    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
-		    PATTERN_TYPE_APACHE_ANT
-            /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,switchUserProcessingFilter
-         ]]></value>
-      </property>
-    </bean>
-
-   <bean id="basicProcessingFilter" class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
-      <property name="authenticationManager"><ref local="authenticationManager"/></property>
-      <property name="authenticationEntryPoint"><ref local="basicProcessingFilterEntryPoint"/></property>
-   </bean>
-
-   <bean id="basicProcessingFilterEntryPoint" class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
-      <property name="realmName" value="Contacts Realm"/>
-   </bean>
-
-   <bean id="anonymousProcessingFilter" class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
-      <property name="key" value="foobar"/>
-      <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
-   </bean>
-
-   <bean id="anonymousAuthenticationProvider" class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
-      <property name="key" value="foobar"/>
-   </bean>
-
-   <bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter"/>
-
-   <bean id="rememberMeProcessingFilter" class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
-      <property name="authenticationManager"><ref local="authenticationManager"/></property>
-      <property name="rememberMeServices"><ref local="rememberMeServices"/></property>
-   </bean>
-
-   <bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
-      <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
-      <property name="key" value="springRocks"/>
-   </bean>
-
-   <bean id="rememberMeAuthenticationProvider" class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
-      <property name="key" value="springRocks"/>
-   </bean>
-
-   <bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
-      <constructor-arg value="/index.jsp"/>
-      <constructor-arg>
-         <list>
-              <ref bean="rememberMeServices"/>
-              <bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
-         </list>
-      </constructor-arg>
-   </bean>
-
-   <bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter"/>
-
-   <bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
-      <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
-      <property name="accessDeniedHandler">
-      	<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
-      		<property name="errorPage" value="/accessDenied.jsp"/>
-      	</bean>
-      </property>
-   </bean>
-
-   <bean id="authenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
-      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
-      <property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property>
-      <property name="defaultTargetUrl"><value>/</value></property>
-      <property name="filterProcessesUrl"><value>/j_spring_security_check</value></property>
-      <property name="rememberMeServices"><ref local="rememberMeServices"/></property>
-   </bean>
-
-   <bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
-      <property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
-      <property name="forceHttps"><value>false</value></property>
-   </bean>
-
-   <bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
-      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
-      <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
-      <property name="objectDefinitionSource">
-         <value><![CDATA[
-			    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
-			    PATTERN_TYPE_APACHE_ANT
-			    /index.jsp=ROLE_ANONYMOUS,ROLE_USER
-			    /hello.htm=ROLE_ANONYMOUS,ROLE_USER
-			    /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
-			    /switchuser.jsp=ROLE_SUPERVISOR
-			    /j_spring_security_switch_user=ROLE_SUPERVISOR
-			    /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
-				/**=ROLE_USER
-         ]]></value>
-      </property>
-   </bean>
-
--->
-
    <authentication-provider>
        <password-encoder hash="md5"/>
        <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>
-<!--
-   <bean id="jdbcDaoImpl" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
-      <property name="dataSource" ref="dataSource"/>
-   </bean>
-
-   <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder"/>
-
-   <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
-      <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
-      <property name="passwordEncoder"><ref local="passwordEncoder"/></property>
-   </bean>
--->
 
    <!-- Automatically receives AuthenticationEvent messages -->
    <b:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
 
-
-   <b:bean id="httpRequestAccessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
-      <b:property name="allowIfAllAbstainDecisions" value="false" />
-      <b:property name="decisionVoters">
-         <b:list>
-            <b:ref bean="roleVoter"/>
-         </b:list>
-      </b:property>
-   </b:bean>
-
-
    <!-- Filter used to switch the user context. Note: the switch and exit url must be secured
         based on the role granted the ability to 'switch' to another user -->
    <!-- In this example 'rod' has ROLE_SUPERVISOR that can switch to regular ROLE_USER(s) -->
    <b:bean id="switchUserProcessingFilter" class="org.springframework.security.ui.switchuser.SwitchUserProcessingFilter" autowire="byType">
-	  <b:property name="targetUrl" value="/spring-security-sample-contacts-filter/secure/index.htm"/>
+       <custom-filter after="SWITCH_USER_FILTER"/>       
+       <b:property name="targetUrl" value="/secure/index.htm"/>
    </b:bean>
 
 </b:beans>
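Review bot: Nothing visible in this hunk restricts `/j_spring_security_switch_user` or the exit URL to `ROLE_SUPERVISOR`, even though the comment above `switchUserProcessingFilter` says those URLs must be secured; the only place that spelled the rules out was the commented-out `filterInvocationInterceptor` block this commit deletes. The `<http>` element starts outside the hunk, so its `intercept-url` list may already cover them; if it does not, add entries such as `<intercept-url pattern="/j_spring_security_switch_user" access="ROLE_SUPERVISOR"/>`. A short comment next to `<custom-filter after="SWITCH_USER_FILTER"/>` stating that the filter has to run after the URL security interceptor would keep a later reordering from bypassing that check.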

+ 1 - 1
samples/contacts/src/main/webapp/WEB-INF/jsp/index.jsp

@@ -3,7 +3,7 @@
 <html>
 <head><title>Your Contacts</title></head>
 <body>
-<h1><security:authentication operation="username"/>'s Contacts</h1>
+<h1><security:authentication property="principal.username"/>'s Contacts</h1>
 <P>
 <table cellpadding=3 border=0>
 <tr><td><b>id</b></td><td><b>Name</b></td><td><b>Email</b></td></tr>
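Review bot: `principal.username` is written straight into the `<h1>`, and nothing in this hunk shows whether the `security:authentication` tag HTML-escapes the property value. If it does not, a username containing markup would be rendered as HTML, so confirm the tag's behaviour or constrain the characters allowed in usernames. The property path also assumes the principal exposes a `username` property, which holds only while this page stays reachable by authenticated users alone.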

+ 12 - 22
samples/contacts/src/test/resources/applicationContext-contacts-test.xml

@@ -1,6 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
-
 <!--
   - Application context containing authentication beans.
   -
@@ -9,30 +7,22 @@
   - $Id$
   -->
 
-<beans>
-
-   <!-- ======================== AUTHENTICATION ======================= -->
+<b:beans xmlns="http://www.springframework.org/schema/security"
+    xmlns:b="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
 
-   <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
-      <property name="providers">
-         <list>
-            <ref local="daoAuthenticationProvider"/>
-         </list>
-      </property>
-   </bean>
 
-   <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
-      <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
-      <property name="passwordEncoder"><ref local="passwordEncoder"/></property>
-   </bean>
+   <!-- ======================== AUTHENTICATION ======================= -->
 
-   <bean id="jdbcDaoImpl" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
-      <property name="dataSource"><ref bean="dataSource"/></property>
-   </bean>
+    <authentication-provider>
+        <password-encoder hash="md5"/>
+        <jdbc-user-service data-source-ref="dataSource"/>
+    </authentication-provider>
 
-   <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder"/>
 
    <!-- Automatically receives AuthenticationEvent messages -->
-   <bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
+   <b:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
 
-</beans>
+</b:beans>
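Review bot: `<password-encoder hash="md5"/>` carries over the unsalted MD5 hashing of the `Md5PasswordEncoder` bean it replaces, and the same element appears as context in applicationContext-acegi-security.xml. Since this is sample configuration that gets copied, add at least a salt, `<password-encoder hash="md5"><salt-source user-property="username"/></password-encoder>`, or a comment such as `<!-- MD5 is used only to match the seeded demo users; do not reuse for real credentials -->`. The password hashes seeded for the sample users (not visible here) would have to be regenerated to match any change to the encoder.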