
SEC-892: Linked use of create-session='never' in namespace to corresponding properties in ExceptionTranslationFilter and AbstractProcessingFilter

Luke Taylor 17 anni fa
parent
commit
ff5bfccdba

+ 14 - 7
core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java

@@ -116,7 +116,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
         parseInterceptUrlsForChannelSecurityAndFilterChain(interceptUrlElts, filterChainMap, channelRequestMap, 
                 convertPathsToLowerCase, parserContext);
 
-        registerHttpSessionIntegrationFilter(element, parserContext);
+        boolean allowSessionCreation = registerHttpSessionIntegrationFilter(element, parserContext);
         
         registerServletApiFilter(element, parserContext);
                 
@@ -133,7 +133,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
                 DomUtils.getChildElementByTagName(element, Elements.PORT_MAPPINGS), parserContext);
         registry.registerBeanDefinition(BeanIds.PORT_MAPPER, portMapper);
 
-        registerExceptionTranslationFilter(element, parserContext);
+        registerExceptionTranslationFilter(element, parserContext, allowSessionCreation);
 
 
         if (channelRequestMap.size() > 0) {
@@ -174,7 +174,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
             new LogoutBeanDefinitionParser().parse(logoutElt, parserContext);
         }
         
-        parseBasicFormLoginAndOpenID(element, parserContext, autoConfig);
+        parseBasicFormLoginAndOpenID(element, parserContext, autoConfig, allowSessionCreation);
 
         Element x509Elt = DomUtils.getChildElementByTagName(element, Elements.X509);
         if (x509Elt != null) {
@@ -205,8 +205,9 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
         pc.getRegistry().registerAlias(BeanIds.FILTER_CHAIN_PROXY, BeanIds.SPRING_SECURITY_FILTER_CHAIN);        
     }
 
-    private void registerHttpSessionIntegrationFilter(Element element, ParserContext pc) {
+    private boolean registerHttpSessionIntegrationFilter(Element element, ParserContext pc) {
         RootBeanDefinition httpScif = new RootBeanDefinition(HttpSessionContextIntegrationFilter.class);
+        boolean sessionCreationAllowed = true;
         
         String createSession = element.getAttribute(ATT_CREATE_SESSION);
         if (OPT_CREATE_SESSION_ALWAYS.equals(createSession)) {
@@ -215,6 +216,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
         } else if (OPT_CREATE_SESSION_NEVER.equals(createSession)) {
             httpScif.getPropertyValues().addPropertyValue("allowSessionCreation", Boolean.FALSE);
             httpScif.getPropertyValues().addPropertyValue("forceEagerSessionCreation", Boolean.FALSE);
+            sessionCreationAllowed = false;
         } else {
             createSession = DEF_CREATE_SESSION_IF_REQUIRED;
             httpScif.getPropertyValues().addPropertyValue("allowSessionCreation", Boolean.TRUE);
@@ -223,6 +225,8 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
 
         pc.getRegistry().registerBeanDefinition(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER, httpScif);
         ConfigUtils.addHttpFilter(pc, new RuntimeBeanReference(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER));
+        
+        return sessionCreationAllowed;
     }
 
     // Adds the servlet-api integration filter if required    
@@ -252,12 +256,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
         return true;
     }
     
-    private void registerExceptionTranslationFilter(Element element, ParserContext pc) {
+    private void registerExceptionTranslationFilter(Element element, ParserContext pc, boolean allowSessionCreation) {
     	String accessDeniedPage = element.getAttribute(ATT_ACCESS_DENIED_PAGE);
     	ConfigUtils.validateHttpRedirect(accessDeniedPage, pc, pc.extractSource(element));
         BeanDefinitionBuilder exceptionTranslationFilterBuilder
             = BeanDefinitionBuilder.rootBeanDefinition(ExceptionTranslationFilter.class);
- 
+        exceptionTranslationFilterBuilder.addPropertyValue("createSessionAllowed", new Boolean(allowSessionCreation));
+        
         if (StringUtils.hasText(accessDeniedPage)) {
             AccessDeniedHandlerImpl accessDeniedHandler = new AccessDeniedHandlerImpl();
             accessDeniedHandler.setErrorPage(accessDeniedPage);
@@ -338,7 +343,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
         }
     }
     
-    private void parseBasicFormLoginAndOpenID(Element element, ParserContext pc, boolean autoConfig) {
+    private void parseBasicFormLoginAndOpenID(Element element, ParserContext pc, boolean autoConfig, boolean allowSessionCreation) {
         RootBeanDefinition formLoginFilter = null;
         RootBeanDefinition formLoginEntryPoint = null;
         String formLoginPage = null;        
@@ -397,6 +402,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
         
         if (formLoginFilter != null) {
         	needLoginPage = true;
+        	formLoginFilter.getPropertyValues().addPropertyValue("allowSessionCreation", new Boolean(allowSessionCreation));
 	        pc.getRegistry().registerBeanDefinition(BeanIds.FORM_LOGIN_FILTER, formLoginFilter);
 	        ConfigUtils.addHttpFilter(pc, new RuntimeBeanReference(BeanIds.FORM_LOGIN_FILTER));
 	        pc.getRegistry().registerBeanDefinition(BeanIds.FORM_LOGIN_ENTRY_POINT, formLoginEntryPoint);
@@ -404,6 +410,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
 
         if (openIDFilter != null) {
         	needLoginPage = true;
+        	openIDFilter.getPropertyValues().addPropertyValue("allowSessionCreation", new Boolean(allowSessionCreation));
 	        pc.getRegistry().registerBeanDefinition(BeanIds.OPEN_ID_FILTER, openIDFilter);
 	        ConfigUtils.addHttpFilter(pc, new RuntimeBeanReference(BeanIds.OPEN_ID_FILTER));
 	        pc.getRegistry().registerBeanDefinition(BeanIds.OPEN_ID_ENTRY_POINT, openIDEntryPoint);
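Review bot: The new property values are built with `new Boolean(allowSessionCreation)` in the registerExceptionTranslationFilter hunk and again in both parseBasicFormLoginAndOpenID hunks, while the same file already uses the cached `Boolean.TRUE`/`Boolean.FALSE` constants for the HttpSessionContextIntegrationFilter a few lines above; `Boolean.valueOf(allowSessionCreation)` would be consistent and avoids allocating a fresh wrapper per call. The same change applies to the openID and form-login lines, e.g. `formLoginFilter.getPropertyValues().addPropertyValue("allowSessionCreation", Boolean.valueOf(allowSessionCreation));`. registerHttpSessionIntegrationFilter now has a return value that callers depend on but no comment explaining it; a one-liner such as `// Returns false only when create-session='never' was configured, so callers can disable session creation in the other filters` would make the contract explicit. Its body and the bodies of the other changed methods continue outside their hunks.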

+ 16 - 0
core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java

@@ -601,6 +601,22 @@ public class HttpSecurityBeanDefinitionParserTests {
                 "    </http>" + AUTH_PROVIDER_XML);
     }
 
+    @Test
+    public void settingCreateSessionToAlwaysSetsFilterPropertiesCorrectly() throws Exception {
+        // Protected, no anonymous filter configured.
+        setContext("<http auto-config='true' create-session='always'/>" + AUTH_PROVIDER_XML);
+        assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "forceEagerSessionCreation"));
+        assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "allowSessionCreation"));        
+    }    
+
+    @Test
+    public void settingCreateSessionToNeverSetsFilterPropertiesCorrectly() throws Exception {
+        // Protected, no anonymous filter configured.
+        setContext("<http auto-config='true' create-session='never'/>" + AUTH_PROVIDER_XML);
+        assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "forceEagerSessionCreation"));
+        assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "allowSessionCreation"));        
+    }    
+    
     private void setContext(String context) {
         appContext = new InMemoryXmlApplicationContext(context);
     }
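Review bot: The two new tests only assert the properties of the HttpSessionContextIntegrationFilter, so the linkage this commit introduces — `createSessionAllowed` on the exception translation filter and `allowSessionCreation` on the form-login filter — is not verified and a regression in that wiring would still pass. The never-case test could add `assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.FORM_LOGIN_FILTER), "allowSessionCreation"));` and an equivalent check on the exception translation filter bean, since auto-config='true' registers a form-login filter. The comment `// Protected, no anonymous filter configured.` appears to have been copied from a neighbouring test and does not describe what these two tests check; replacing it with `// create-session='never' must propagate to the session integration filter` (and the 'always' counterpart) would be clearer.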