
Example 6 with BeanMetadataElement

use of org.springframework.beans.BeanMetadataElement in project spring-security by spring-projects.

the class HttpConfigurationBuilder method createSessionManagementFilters.

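/**
 * Builds the session-management filter definition ({@code sfpf}) and the composite
 * {@code SessionAuthenticationStrategy} from the {@code <session-management>} child of the
 * {@code <http>} element, reporting contradictory attribute combinations through the reader
 * context.
 * <p>
 * Side effects on the builder: sets {@code sfpf} and {@code sessionStrategyRef}, and sets
 * {@code invalidSession} when an invalid-session URL is configured. Returns early, leaving
 * the filter unconfigured, when the session creation policy is STATELESS; sets {@code sfpf}
 * to {@code null} and returns when no delegate strategy applies at all.
 */
private void createSessionManagementFilters() {
    Element sessionMgmtElt = DomUtils.getChildElementByTagName(httpElt, Elements.SESSION_MANAGEMENT);
    Element sessionCtrlElt = null;
    String sessionFixationAttribute = null;
    String invalidSessionUrl = null;
    String invalidSessionStrategyRef = null;
    String sessionAuthStratRef = null;
    String errorUrl = null;
    boolean sessionControlEnabled = false;
    if (sessionMgmtElt != null) {
        // Session management needs a session; a STATELESS policy contradicts the element.
        if (sessionPolicy == SessionCreationPolicy.STATELESS) {
            pc.getReaderContext().error(Elements.SESSION_MANAGEMENT + "  cannot be used" + " in combination with " + ATT_CREATE_SESSION + "='" + SessionCreationPolicy.STATELESS + "'", pc.extractSource(sessionMgmtElt));
        }
        sessionFixationAttribute = sessionMgmtElt.getAttribute(ATT_SESSION_FIXATION_PROTECTION);
        invalidSessionUrl = sessionMgmtElt.getAttribute(ATT_INVALID_SESSION_URL);
        invalidSessionStrategyRef = sessionMgmtElt.getAttribute(ATT_INVALID_SESSION_STRATEGY_REF);
        sessionAuthStratRef = sessionMgmtElt.getAttribute(ATT_SESSION_AUTH_STRATEGY_REF);
        errorUrl = sessionMgmtElt.getAttribute(ATT_SESSION_AUTH_ERROR_URL);
        sessionCtrlElt = DomUtils.getChildElementByTagName(sessionMgmtElt, Elements.CONCURRENT_SESSIONS);
        sessionControlEnabled = sessionCtrlElt != null;
        // A URL and a strategy reference are two ways to configure the same thing; reject both.
        if (StringUtils.hasText(invalidSessionUrl) && StringUtils.hasText(invalidSessionStrategyRef)) {
            pc.getReaderContext().error(ATT_INVALID_SESSION_URL + " attribute cannot be used in combination with" + " the " + ATT_INVALID_SESSION_STRATEGY_REF + " attribute.", sessionMgmtElt);
        }
        if (sessionControlEnabled) {
            // Concurrency control supplies its own strategy; a user-provided one cannot be combined.
            if (StringUtils.hasText(sessionAuthStratRef)) {
                pc.getReaderContext().error(ATT_SESSION_AUTH_STRATEGY_REF + " attribute cannot be used" + " in combination with <" + Elements.CONCURRENT_SESSIONS + ">", pc.extractSource(sessionCtrlElt));
            }
            createConcurrencyControlFilterAndSessionRegistry(sessionCtrlElt);
        }
    }
    if (!StringUtils.hasText(sessionFixationAttribute)) {
        // Default fixation protection: change-session-id where the container's
        // HttpServletRequest offers changeSessionId (Servlet 3.1+), else migrate the session.
        Method changeSessionIdMethod = ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId");
        sessionFixationAttribute = changeSessionIdMethod == null ? OPT_SESSION_FIXATION_MIGRATE_SESSION : OPT_CHANGE_SESSION_ID;
    } else if (StringUtils.hasText(sessionAuthStratRef)) {
        // An explicit strategy reference replaces the built-in fixation handling entirely.
        pc.getReaderContext().error(ATT_SESSION_FIXATION_PROTECTION + " attribute cannot be used" + " in combination with " + ATT_SESSION_AUTH_STRATEGY_REF, pc.extractSource(sessionMgmtElt));
    }
    if (sessionPolicy == SessionCreationPolicy.STATELESS) {
        // SEC-1424: do nothing
        return;
    }
    // Only the explicit no-protection option switches session fixation protection off.
    boolean sessionFixationProtectionRequired = !sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION);
    ManagedList<BeanMetadataElement> delegateSessionStrategies = new ManagedList<BeanMetadataElement>();
    BeanDefinitionBuilder concurrentSessionStrategy;
    BeanDefinitionBuilder sessionFixationStrategy = null;
    BeanDefinitionBuilder registerSessionStrategy;
    if (csrfAuthStrategy != null) {
        delegateSessionStrategies.add(csrfAuthStrategy);
    }
    if (sessionControlEnabled) {
        assert sessionRegistryRef != null;
        concurrentSessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(ConcurrentSessionControlAuthenticationStrategy.class);
        concurrentSessionStrategy.addConstructorArgValue(sessionRegistryRef);
        String maxSessions = sessionCtrlElt.getAttribute("max-sessions");
        if (StringUtils.hasText(maxSessions)) {
            concurrentSessionStrategy.addPropertyValue("maximumSessions", maxSessions);
        }
        String exceptionIfMaximumExceeded = sessionCtrlElt.getAttribute("error-if-maximum-exceeded");
        if (StringUtils.hasText(exceptionIfMaximumExceeded)) {
            concurrentSessionStrategy.addPropertyValue("exceptionIfMaximumExceeded", exceptionIfMaximumExceeded);
        }
        delegateSessionStrategies.add(concurrentSessionStrategy.getBeanDefinition());
    }
    boolean useChangeSessionId = OPT_CHANGE_SESSION_ID.equals(sessionFixationAttribute);
    if (sessionFixationProtectionRequired || StringUtils.hasText(invalidSessionUrl)) {
        if (useChangeSessionId) {
            sessionFixationStrategy = BeanDefinitionBuilder.rootBeanDefinition(ChangeSessionIdAuthenticationStrategy.class);
        } else {
            sessionFixationStrategy = BeanDefinitionBuilder.rootBeanDefinition(SessionFixationProtectionStrategy.class);
        }
        delegateSessionStrategies.add(sessionFixationStrategy.getBeanDefinition());
    }
    if (StringUtils.hasText(sessionAuthStratRef)) {
        delegateSessionStrategies.add(new RuntimeBeanReference(sessionAuthStratRef));
    }
    if (sessionControlEnabled) {
        // Registered after the concurrency check so a session is only recorded once admitted.
        registerSessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(RegisterSessionAuthenticationStrategy.class);
        registerSessionStrategy.addConstructorArgValue(sessionRegistryRef);
        delegateSessionStrategies.add(registerSessionStrategy.getBeanDefinition());
    }
    if (delegateSessionStrategies.isEmpty()) {
        sfpf = null;
        return;
    }
    BeanDefinitionBuilder sessionMgmtFilter = BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);
    RootBeanDefinition failureHandler = new RootBeanDefinition(SimpleUrlAuthenticationFailureHandler.class);
    if (StringUtils.hasText(errorUrl)) {
        failureHandler.getPropertyValues().addPropertyValue("defaultFailureUrl", errorUrl);
    }
    sessionMgmtFilter.addPropertyValue("authenticationFailureHandler", failureHandler);
    sessionMgmtFilter.addConstructorArgValue(contextRepoRef);
    // migrateSessionAttributes only applies to the built-in SessionFixationProtectionStrategy,
    // i.e. when no user strategy was given and change-session-id was not selected.
    if (!StringUtils.hasText(sessionAuthStratRef) && sessionFixationStrategy != null && !useChangeSessionId && sessionFixationProtectionRequired) {
        sessionFixationStrategy.addPropertyValue("migrateSessionAttributes", Boolean.valueOf(sessionFixationAttribute.equals(OPT_SESSION_FIXATION_MIGRATE_SESSION)));
    }
    // delegateSessionStrategies is non-empty here (checked above), so the composite is always built.
    BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(CompositeSessionAuthenticationStrategy.class);
    sessionStrategy.addConstructorArgValue(delegateSessionStrategies);
    BeanDefinition strategyBean = sessionStrategy.getBeanDefinition();
    sessionAuthStratRef = pc.getReaderContext().generateBeanName(strategyBean);
    pc.registerBeanComponent(new BeanComponentDefinition(strategyBean, sessionAuthStratRef));
    if (StringUtils.hasText(invalidSessionUrl)) {
        BeanDefinitionBuilder invalidSessionBldr = BeanDefinitionBuilder.rootBeanDefinition(SimpleRedirectInvalidSessionStrategy.class);
        invalidSessionBldr.addConstructorArgValue(invalidSessionUrl);
        invalidSession = invalidSessionBldr.getBeanDefinition();
        sessionMgmtFilter.addPropertyValue("invalidSessionStrategy", invalidSession);
    } else if (StringUtils.hasText(invalidSessionStrategyRef)) {
        sessionMgmtFilter.addPropertyReference("invalidSessionStrategy", invalidSessionStrategyRef);
    }
    sessionMgmtFilter.addConstructorArgReference(sessionAuthStratRef);
    sfpf = (RootBeanDefinition) sessionMgmtFilter.getBeanDefinition();
    sessionStrategyRef = new RuntimeBeanReference(sessionAuthStratRef);
}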

Example 7 with BeanMetadataElement

use of org.springframework.beans.BeanMetadataElement in project spring-security by spring-projects.

the class CsrfBeanDefinitionParser method initAccessDeniedHandler.

/**
 * Wires the {@code accessDeniedHandler} property of the {@link CsrfFilter} definition with
 * the handler produced by {@code createAccessDeniedHandler} for the given inputs.
 *
 * @param invalidSessionStrategy the {@link InvalidSessionStrategy} to use
 * @param defaultDeniedHandler the {@link AccessDeniedHandler} to use
 */
void initAccessDeniedHandler(BeanDefinition invalidSessionStrategy, BeanMetadataElement defaultDeniedHandler) {
    this.csrfFilter.getPropertyValues()
            .addPropertyValue("accessDeniedHandler",
                    createAccessDeniedHandler(invalidSessionStrategy, defaultDeniedHandler));
}

Example 8 with BeanMetadataElement

use of org.springframework.beans.BeanMetadataElement in project spring-security by spring-projects.

the class FilterChainMapBeanDefinitionDecorator method decorate.

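/**
 * Decorates a {@code FilterChainProxy} bean definition with the security filter chains
 * declared as {@code <filter-chain>} children of the given node. Each child yields a chain
 * whose request matcher is built from its path attribute and whose filters are either empty
 * (the "none" option) or bean references taken from the comma-separated filters attribute.
 * The list of chains is added as a generic constructor argument of the proxy definition.
 *
 * @param node the element holding the {@code <filter-chain>} children
 * @param holder the {@code FilterChainProxy} bean definition being decorated
 * @param parserContext used to build matchers and to report errors
 * @return {@code holder}, with the chains added to its constructor arguments
 */
// Raw ManagedList is kept for the per-chain lists because createSecurityFilterChain's
// parameter type is declared elsewhere; the suppression covers only those raw uses.
@SuppressWarnings("unchecked")
public BeanDefinitionHolder decorate(Node node, BeanDefinitionHolder holder, ParserContext parserContext) {
    BeanDefinition filterChainProxy = holder.getBeanDefinition();
    ManagedList<BeanMetadataElement> securityFilterChains = new ManagedList<BeanMetadataElement>();
    Element elt = (Element) node;
    MatcherType matcherType = MatcherType.fromElement(elt);
    List<Element> filterChainElts = DomUtils.getChildElementsByTagName(elt, Elements.FILTER_CHAIN);
    for (Element chain : filterChainElts) {
        String path = chain.getAttribute(HttpSecurityBeanDefinitionParser.ATT_PATH_PATTERN);
        String filters = chain.getAttribute(HttpSecurityBeanDefinitionParser.ATT_FILTERS);
        // Both attributes are mandatory. ReaderContext.error is expected to abort parsing
        // (fail-fast reporter); if a lenient reporter is installed the empty values fall
        // through and produce a matcher for "" and an empty chain — NOTE(review): confirm.
        if (!StringUtils.hasText(path)) {
            parserContext.getReaderContext().error("The attribute '" + HttpSecurityBeanDefinitionParser.ATT_PATH_PATTERN + "' must not be empty", elt);
        }
        if (!StringUtils.hasText(filters)) {
            // Fixed: the message previously lacked the space after the closing quote.
            parserContext.getReaderContext().error("The attribute '" + HttpSecurityBeanDefinitionParser.ATT_FILTERS + "' must not be empty", elt);
        }
        BeanDefinition matcher = matcherType.createMatcher(parserContext, path, null);
        if (filters.equals(HttpSecurityBeanDefinitionParser.OPT_FILTERS_NONE)) {
            // "none" means requests matching this path bypass the security filters entirely.
            securityFilterChains.add(createSecurityFilterChain(matcher, new ManagedList(0)));
        } else {
            String[] filterBeanNames = StringUtils.tokenizeToStringArray(filters, ",");
            ManagedList filterChain = new ManagedList(filterBeanNames.length);
            for (String name : filterBeanNames) {
                filterChain.add(new RuntimeBeanReference(name));
            }
            securityFilterChains.add(createSecurityFilterChain(matcher, filterChain));
        }
    }
    filterChainProxy.getConstructorArgumentValues().addGenericArgumentValue(securityFilterChains);
    return holder;
}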

Example 9 with BeanMetadataElement

use of org.springframework.beans.BeanMetadataElement in project spring-security by spring-projects.

the class AuthenticationConfigBuilder method createAccessDeniedHandler.

/**
 * Resolves the access-denied handler for the given element from its
 * {@code <access-denied-handler>} child, if any.
 * <p>
 * With no child, or a child carrying neither attribute, a default
 * {@code AccessDeniedHandlerImpl} definition is returned. An {@code error-page} attribute is
 * applied as the {@code errorPage} property of that definition; a {@code ref} attribute on
 * its own yields a reference to the named bean. Giving both is reported as an error through
 * the reader context.
 *
 * @param element the parent element to inspect
 * @param pc the parser context used to report errors
 * @return the handler definition or bean reference to use
 */
private BeanMetadataElement createAccessDeniedHandler(Element element, ParserContext pc) {
    Element deniedElt = DomUtils.getChildElementByTagName(element, Elements.ACCESS_DENIED_HANDLER);
    BeanDefinitionBuilder handlerBldr = BeanDefinitionBuilder.rootBeanDefinition(AccessDeniedHandlerImpl.class);
    if (deniedElt == null) {
        return handlerBldr.getBeanDefinition();
    }
    String errorPage = deniedElt.getAttribute("error-page");
    String ref = deniedElt.getAttribute("ref");
    boolean hasErrorPage = StringUtils.hasText(errorPage);
    boolean hasRef = StringUtils.hasText(ref);
    if (hasErrorPage) {
        // The two attributes are mutually exclusive; report the conflict before continuing.
        if (hasRef) {
            pc.getReaderContext().error("The attribute " + ATT_ACCESS_DENIED_ERROR_PAGE + " cannot be used together with the 'ref' attribute within <" + Elements.ACCESS_DENIED_HANDLER + ">", pc.extractSource(deniedElt));
        }
        handlerBldr.addPropertyValue("errorPage", errorPage);
        return handlerBldr.getBeanDefinition();
    }
    if (hasRef) {
        return new RuntimeBeanReference(ref);
    }
    return handlerBldr.getBeanDefinition();
}

Example 10 with BeanMetadataElement

use of org.springframework.beans.BeanMetadataElement in project spring-security by spring-projects.

the class CorsBeanDefinitionParser method parse.

/**
 * Produces the CORS filter bean for the given element.
 * <p>
 * Returns {@code null} for a {@code null} element. If the element names an existing filter
 * through the {@code ATT_REF} attribute, a reference to that bean is returned; otherwise a
 * {@code CorsFilter} definition is built around the configuration source obtained from
 * {@code getSource}.
 *
 * @param element the element to parse, may be {@code null}
 * @param parserContext the parser context handed to {@code getSource}
 * @return a bean reference, a {@code CorsFilter} definition, or {@code null}
 * @throws BeanCreationException if no configuration source can be derived from the element
 */
public BeanMetadataElement parse(Element element, ParserContext parserContext) {
    if (element == null) {
        return null;
    }
    String ref = element.getAttribute(ATT_REF);
    if (StringUtils.hasText(ref)) {
        // A user-supplied filter bean takes precedence over building one here.
        return new RuntimeBeanReference(ref);
    }
    BeanMetadataElement source = getSource(element, parserContext);
    if (source == null) {
        throw new BeanCreationException("Could not create CorsFilter");
    }
    return BeanDefinitionBuilder.rootBeanDefinition(CorsFilter.class)
            .addConstructorArgValue(source)
            .getBeanDefinition();
}
