
Example 6 with RuntimeBeanReference

use of org.springframework.beans.factory.config.RuntimeBeanReference in project spring-security by spring-projects.

the class HttpConfigurationBuilder method createSecurityContextPersistenceFilter.

/**
 * Builds the {@code SecurityContextPersistenceFilter} bean definition and records both it
 * ({@code securityContextPersistenceFilter}) and a reference to the security-context
 * repository it is constructed with ({@code contextRepoRef}).
 *
 * <p>If the http element names a repository bean via {@code ATT_SECURITY_CONTEXT_REPOSITORY},
 * that bean is referenced as-is; the only setting applied is eager session creation for
 * {@code SessionCreationPolicy.ALWAYS}. The {@code ATT_DISABLE_URL_REWRITING} attribute is not
 * applied to a user-supplied repository by this method, so a custom repository has to
 * configure that itself.
 *
 * <p>Otherwise a repository definition is generated and registered: a
 * {@code NullSecurityContextRepository} for {@code STATELESS}, else an
 * {@code HttpSessionSecurityContextRepository} whose {@code allowSessionCreation} and
 * {@code disableUrlRewriting} properties follow the session policy and the attribute.
 */
private void createSecurityContextPersistenceFilter() {
    BeanDefinitionBuilder filterBuilder = BeanDefinitionBuilder.rootBeanDefinition(SecurityContextPersistenceFilter.class);
    String repositoryName = httpElt.getAttribute(ATT_SECURITY_CONTEXT_REPOSITORY);
    String rewritingAttr = httpElt.getAttribute(ATT_DISABLE_URL_REWRITING);
    // A missing or blank attribute counts as "true": URL rewriting is disabled unless the
    // configuration explicitly asks for something else.
    boolean rewritingDisabled = !StringUtils.hasText(rewritingAttr) || "true".equals(rewritingAttr);

    if (!StringUtils.hasText(repositoryName)) {
        // No repository configured: generate one that matches the session creation policy.
        BeanDefinitionBuilder repositoryBuilder;
        if (sessionPolicy == SessionCreationPolicy.STATELESS) {
            repositoryBuilder = BeanDefinitionBuilder.rootBeanDefinition(NullSecurityContextRepository.class);
        } else {
            repositoryBuilder = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionSecurityContextRepository.class);
            Boolean allowCreation;
            Boolean eagerCreation;
            switch (sessionPolicy) {
                case ALWAYS:
                    allowCreation = Boolean.TRUE;
                    eagerCreation = Boolean.TRUE;
                    break;
                case NEVER:
                    allowCreation = Boolean.FALSE;
                    eagerCreation = Boolean.FALSE;
                    break;
                default:
                    allowCreation = Boolean.TRUE;
                    eagerCreation = Boolean.FALSE;
            }
            repositoryBuilder.addPropertyValue("allowSessionCreation", allowCreation);
            filterBuilder.addPropertyValue("forceEagerSessionCreation", eagerCreation);
            if (rewritingDisabled) {
                repositoryBuilder.addPropertyValue("disableUrlRewriting", Boolean.TRUE);
            }
        }
        BeanDefinition repositoryDefinition = repositoryBuilder.getBeanDefinition();
        repositoryName = pc.getReaderContext().generateBeanName(repositoryDefinition);
        pc.registerBeanComponent(new BeanComponentDefinition(repositoryDefinition, repositoryName));
    } else if (sessionPolicy == SessionCreationPolicy.ALWAYS) {
        // User-supplied repository: only the filter's eager-session flag is derived here.
        filterBuilder.addPropertyValue("forceEagerSessionCreation", Boolean.TRUE);
    }

    contextRepoRef = new RuntimeBeanReference(repositoryName);
    filterBuilder.addConstructorArgValue(contextRepoRef);
    securityContextPersistenceFilter = filterBuilder.getBeanDefinition();
}
Also used : BeanDefinitionBuilder(org.springframework.beans.factory.support.BeanDefinitionBuilder) HttpSessionSecurityContextRepository(org.springframework.security.web.context.HttpSessionSecurityContextRepository) NullSecurityContextRepository(org.springframework.security.web.context.NullSecurityContextRepository) BeanComponentDefinition(org.springframework.beans.factory.parsing.BeanComponentDefinition) RootBeanDefinition(org.springframework.beans.factory.support.RootBeanDefinition) BeanDefinition(org.springframework.beans.factory.config.BeanDefinition) RuntimeBeanReference(org.springframework.beans.factory.config.RuntimeBeanReference)

Example 7 with RuntimeBeanReference

use of org.springframework.beans.factory.config.RuntimeBeanReference in project spring-security by spring-projects.

the class HttpConfigurationBuilder method createFilterSecurityInterceptor.

/**
 * Registers the {@code FilterSecurityInterceptor} that enforces the intercept-url rules,
 * plus a {@code DefaultWebInvocationPrivilegeEvaluator} built on top of it, and stores a
 * reference to the interceptor in {@code this.fsi}.
 *
 * <p>A default {@code AffirmativeBased} access decision manager is always built: with a
 * single {@code WebExpressionVoter} when expressions are enabled, otherwise with a role
 * voter and an {@code AuthenticatedVoter}. It is only registered and used when the http
 * element does not name its own manager through {@code ATT_ACCESS_MGR}; a configured
 * manager replaces the default voters entirely.
 *
 * @param authManager reference set as the interceptor's {@code authenticationManager}
 */
private void createFilterSecurityInterceptor(BeanReference authManager) {
    boolean expressionsEnabled = FilterInvocationSecurityMetadataSourceParser.isUseExpressions(httpElt);
    RootBeanDefinition metadataSource = FilterInvocationSecurityMetadataSourceParser.createSecurityMetadataSource(interceptUrls, addAllAuth, httpElt, pc);

    ManagedList<BeanDefinition> decisionVoters = new ManagedList<BeanDefinition>(2);
    if (!expressionsEnabled) {
        decisionVoters.add(GrantedAuthorityDefaultsParserUtils.registerWithDefaultRolePrefix(pc, RoleVoterBeanFactory.class));
        decisionVoters.add(new RootBeanDefinition(AuthenticatedVoter.class));
    } else {
        BeanDefinitionBuilder webVoter = BeanDefinitionBuilder.rootBeanDefinition(WebExpressionVoter.class);
        // Reuse the expression handler that the metadata source was given as its second
        // constructor argument (index 1), so voter and metadata source share one handler.
        Object handlerValue = metadataSource.getConstructorArgumentValues().getArgumentValue(1, RuntimeBeanReference.class).getValue();
        webVoter.addPropertyValue("expressionHandler", (RuntimeBeanReference) handlerValue);
        decisionVoters.add(webVoter.getBeanDefinition());
    }

    RootBeanDefinition defaultDecisionManager = new RootBeanDefinition(AffirmativeBased.class);
    defaultDecisionManager.getConstructorArgumentValues().addGenericArgumentValue(decisionVoters);
    defaultDecisionManager.setSource(pc.extractSource(httpElt));

    // Prefer the manager named on the http element; fall back to the default built above.
    String decisionManagerName = httpElt.getAttribute(ATT_ACCESS_MGR);
    if (!StringUtils.hasText(decisionManagerName)) {
        decisionManagerName = pc.getReaderContext().generateBeanName(defaultDecisionManager);
        pc.registerBeanComponent(new BeanComponentDefinition(defaultDecisionManager, decisionManagerName));
    }

    BeanDefinitionBuilder interceptorBuilder = BeanDefinitionBuilder.rootBeanDefinition(FilterSecurityInterceptor.class);
    interceptorBuilder.addPropertyReference("accessDecisionManager", decisionManagerName);
    interceptorBuilder.addPropertyValue("authenticationManager", authManager);
    // Only the literal value "false" switches the once-per-request behaviour off; any
    // other value leaves the interceptor's own default in place.
    String oncePerRequest = httpElt.getAttribute(ATT_ONCE_PER_REQUEST);
    if ("false".equals(oncePerRequest)) {
        interceptorBuilder.addPropertyValue("observeOncePerRequest", Boolean.FALSE);
    }
    interceptorBuilder.addPropertyValue("securityMetadataSource", metadataSource);

    BeanDefinition interceptorDefinition = interceptorBuilder.getBeanDefinition();
    String interceptorName = pc.getReaderContext().generateBeanName(interceptorDefinition);
    pc.registerBeanComponent(new BeanComponentDefinition(interceptorDefinition, interceptorName));

    // Create and register a DefaultWebInvocationPrivilegeEvaluator for use with
    // taglibs etc.; it is wired to the interceptor registered just above.
    BeanDefinition privilegeEvaluator = new RootBeanDefinition(DefaultWebInvocationPrivilegeEvaluator.class);
    privilegeEvaluator.getConstructorArgumentValues().addGenericArgumentValue(new RuntimeBeanReference(interceptorName));
    String privilegeEvaluatorName = pc.getReaderContext().generateBeanName(privilegeEvaluator);
    pc.registerBeanComponent(new BeanComponentDefinition(privilegeEvaluator, privilegeEvaluatorName));

    this.fsi = new RuntimeBeanReference(interceptorName);
}
Also used : AuthenticatedVoter(org.springframework.security.access.vote.AuthenticatedVoter) BeanDefinitionBuilder(org.springframework.beans.factory.support.BeanDefinitionBuilder) AffirmativeBased(org.springframework.security.access.vote.AffirmativeBased) RootBeanDefinition(org.springframework.beans.factory.support.RootBeanDefinition) ManagedList(org.springframework.beans.factory.support.ManagedList) BeanComponentDefinition(org.springframework.beans.factory.parsing.BeanComponentDefinition) RootBeanDefinition(org.springframework.beans.factory.support.RootBeanDefinition) BeanDefinition(org.springframework.beans.factory.config.BeanDefinition) RuntimeBeanReference(org.springframework.beans.factory.config.RuntimeBeanReference)

Example 8 with RuntimeBeanReference

use of org.springframework.beans.factory.config.RuntimeBeanReference in project spring-security by spring-projects.

the class HttpConfigurationBuilder method createSessionManagementFilters.

/**
 * Builds the {@code SessionManagementFilter} definition ({@code sfpf}) and the composite
 * session authentication strategy it uses ({@code sessionStrategyRef}) from the
 * session-management child of the http element.
 *
 * <p>Delegate strategies are added in this order: the CSRF strategy (if present), the
 * concurrent-session control strategy, the session-fixation strategy, a user-supplied
 * strategy reference, and finally the register-session strategy. Configuration conflicts
 * are reported through the reader context rather than thrown from here.
 *
 * <p>For {@code SessionCreationPolicy.STATELESS} the method returns before building any
 * strategy or filter. If no delegate strategy results, {@code sfpf} is set to
 * {@code null} and no filter is created.
 */
private void createSessionManagementFilters() {
    Element sessionMgmtElt = DomUtils.getChildElementByTagName(httpElt, Elements.SESSION_MANAGEMENT);
    Element sessionCtrlElt = null;
    String sessionFixationAttribute = null;
    String invalidSessionUrl = null;
    String invalidSessionStrategyRef = null;
    String sessionAuthStratRef = null;
    String errorUrl = null;
    boolean sessionControlEnabled = false;
    if (sessionMgmtElt != null) {
        // Session management makes no sense without sessions: report the combination.
        if (sessionPolicy == SessionCreationPolicy.STATELESS) {
            pc.getReaderContext().error(Elements.SESSION_MANAGEMENT + "  cannot be used" + " in combination with " + ATT_CREATE_SESSION + "='" + SessionCreationPolicy.STATELESS + "'", pc.extractSource(sessionMgmtElt));
        }
        sessionFixationAttribute = sessionMgmtElt.getAttribute(ATT_SESSION_FIXATION_PROTECTION);
        invalidSessionUrl = sessionMgmtElt.getAttribute(ATT_INVALID_SESSION_URL);
        invalidSessionStrategyRef = sessionMgmtElt.getAttribute(ATT_INVALID_SESSION_STRATEGY_REF);
        sessionAuthStratRef = sessionMgmtElt.getAttribute(ATT_SESSION_AUTH_STRATEGY_REF);
        errorUrl = sessionMgmtElt.getAttribute(ATT_SESSION_AUTH_ERROR_URL);
        sessionCtrlElt = DomUtils.getChildElementByTagName(sessionMgmtElt, Elements.CONCURRENT_SESSIONS);
        sessionControlEnabled = sessionCtrlElt != null;
        // The invalid-session URL and a custom invalid-session strategy are mutually exclusive.
        if (StringUtils.hasText(invalidSessionUrl) && StringUtils.hasText(invalidSessionStrategyRef)) {
            pc.getReaderContext().error(ATT_INVALID_SESSION_URL + " attribute cannot be used in combination with" + " the " + ATT_INVALID_SESSION_STRATEGY_REF + " attribute.", sessionMgmtElt);
        }
        if (sessionControlEnabled) {
            // Concurrency control builds its own strategy chain, so a custom strategy
            // reference cannot be combined with it.
            if (StringUtils.hasText(sessionAuthStratRef)) {
                pc.getReaderContext().error(ATT_SESSION_AUTH_STRATEGY_REF + " attribute cannot be used" + " in combination with <" + Elements.CONCURRENT_SESSIONS + ">", pc.extractSource(sessionCtrlElt));
            }
            createConcurrencyControlFilterAndSessionRegistry(sessionCtrlElt);
        }
    }
    if (!StringUtils.hasText(sessionFixationAttribute)) {
        // No explicit setting: session-fixation protection is on by default. Use
        // changeSessionId when HttpServletRequest declares that method (looked up
        // reflectively), otherwise fall back to migrating the session.
        Method changeSessionIdMethod = ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId");
        sessionFixationAttribute = changeSessionIdMethod == null ? OPT_SESSION_FIXATION_MIGRATE_SESSION : OPT_CHANGE_SESSION_ID;
    } else if (StringUtils.hasText(sessionAuthStratRef)) {
        // An explicit fixation setting conflicts with a user-supplied strategy.
        pc.getReaderContext().error(ATT_SESSION_FIXATION_PROTECTION + " attribute cannot be used" + " in combination with " + ATT_SESSION_AUTH_STRATEGY_REF, pc.extractSource(sessionMgmtElt));
    }
    if (sessionPolicy == SessionCreationPolicy.STATELESS) {
        // SEC-1424: do nothing
        // Nothing below runs for stateless configurations; sfpf and sessionStrategyRef
        // are not assigned by this method in that case.
        return;
    }
    // Protection is skipped only when the attribute equals the "no protection" option.
    boolean sessionFixationProtectionRequired = !sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION);
    ManagedList<BeanMetadataElement> delegateSessionStrategies = new ManagedList<BeanMetadataElement>();
    BeanDefinitionBuilder concurrentSessionStrategy;
    BeanDefinitionBuilder sessionFixationStrategy = null;
    BeanDefinitionBuilder registerSessionStrategy;
    if (csrfAuthStrategy != null) {
        delegateSessionStrategies.add(csrfAuthStrategy);
    }
    if (sessionControlEnabled) {
        // Java assert: only evaluated when the JVM runs with assertions enabled.
        assert sessionRegistryRef != null;
        concurrentSessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(ConcurrentSessionControlAuthenticationStrategy.class);
        concurrentSessionStrategy.addConstructorArgValue(sessionRegistryRef);
        // Both limits are optional; when absent the strategy class keeps its own defaults.
        String maxSessions = sessionCtrlElt.getAttribute("max-sessions");
        if (StringUtils.hasText(maxSessions)) {
            concurrentSessionStrategy.addPropertyValue("maximumSessions", maxSessions);
        }
        String exceptionIfMaximumExceeded = sessionCtrlElt.getAttribute("error-if-maximum-exceeded");
        if (StringUtils.hasText(exceptionIfMaximumExceeded)) {
            concurrentSessionStrategy.addPropertyValue("exceptionIfMaximumExceeded", exceptionIfMaximumExceeded);
        }
        delegateSessionStrategies.add(concurrentSessionStrategy.getBeanDefinition());
    }
    boolean useChangeSessionId = OPT_CHANGE_SESSION_ID.equals(sessionFixationAttribute);
    // NOTE(review): a fixation strategy is also added when protection is set to the
    // "no protection" option but an invalid-session URL is configured; in that case the
    // migrateSessionAttributes property below is not set and the strategy runs with its
    // class defaults. Confirm this is the intended behaviour.
    if (sessionFixationProtectionRequired || StringUtils.hasText(invalidSessionUrl)) {
        if (useChangeSessionId) {
            sessionFixationStrategy = BeanDefinitionBuilder.rootBeanDefinition(ChangeSessionIdAuthenticationStrategy.class);
        } else {
            sessionFixationStrategy = BeanDefinitionBuilder.rootBeanDefinition(SessionFixationProtectionStrategy.class);
        }
        delegateSessionStrategies.add(sessionFixationStrategy.getBeanDefinition());
    }
    if (StringUtils.hasText(sessionAuthStratRef)) {
        delegateSessionStrategies.add(new RuntimeBeanReference(sessionAuthStratRef));
    }
    if (sessionControlEnabled) {
        // Added last, after the other delegates, and wired to the same session registry
        // as the concurrency-control strategy above.
        registerSessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(RegisterSessionAuthenticationStrategy.class);
        registerSessionStrategy.addConstructorArgValue(sessionRegistryRef);
        delegateSessionStrategies.add(registerSessionStrategy.getBeanDefinition());
    }
    if (delegateSessionStrategies.isEmpty()) {
        // Nothing to enforce: no session management filter is created.
        sfpf = null;
        return;
    }
    BeanDefinitionBuilder sessionMgmtFilter = BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);
    RootBeanDefinition failureHandler = new RootBeanDefinition(SimpleUrlAuthenticationFailureHandler.class);
    // The configured error URL, if any, becomes the failure handler's defaultFailureUrl.
    if (StringUtils.hasText(errorUrl)) {
        failureHandler.getPropertyValues().addPropertyValue("defaultFailureUrl", errorUrl);
    }
    sessionMgmtFilter.addPropertyValue("authenticationFailureHandler", failureHandler);
    sessionMgmtFilter.addConstructorArgValue(contextRepoRef);
    // migrateSessionAttributes applies only to the SessionFixationProtectionStrategy
    // created above (not to changeSessionId, and not when a custom strategy is referenced).
    if (!StringUtils.hasText(sessionAuthStratRef) && sessionFixationStrategy != null && !useChangeSessionId) {
        if (sessionFixationProtectionRequired) {
            sessionFixationStrategy.addPropertyValue("migrateSessionAttributes", Boolean.valueOf(sessionFixationAttribute.equals(OPT_SESSION_FIXATION_MIGRATE_SESSION)));
        }
    }
    // Always true at this point: the empty case returned above.
    if (!delegateSessionStrategies.isEmpty()) {
        BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(CompositeSessionAuthenticationStrategy.class);
        // The definition is fetched before the constructor argument is added; presumably
        // the builder hands out its underlying definition, so the argument still lands
        // on strategyBean — confirm against BeanDefinitionBuilder.
        BeanDefinition strategyBean = sessionStrategy.getBeanDefinition();
        sessionStrategy.addConstructorArgValue(delegateSessionStrategies);
        // From here on sessionAuthStratRef names the composite, not the user's bean.
        sessionAuthStratRef = pc.getReaderContext().generateBeanName(strategyBean);
        pc.registerBeanComponent(new BeanComponentDefinition(strategyBean, sessionAuthStratRef));
    }
    // The URL wins over a strategy reference if both were given (already reported above).
    if (StringUtils.hasText(invalidSessionUrl)) {
        BeanDefinitionBuilder invalidSessionBldr = BeanDefinitionBuilder.rootBeanDefinition(SimpleRedirectInvalidSessionStrategy.class);
        invalidSessionBldr.addConstructorArgValue(invalidSessionUrl);
        invalidSession = invalidSessionBldr.getBeanDefinition();
        sessionMgmtFilter.addPropertyValue("invalidSessionStrategy", invalidSession);
    } else if (StringUtils.hasText(invalidSessionStrategyRef)) {
        sessionMgmtFilter.addPropertyReference("invalidSessionStrategy", invalidSessionStrategyRef);
    }
    sessionMgmtFilter.addConstructorArgReference(sessionAuthStratRef);
    sfpf = (RootBeanDefinition) sessionMgmtFilter.getBeanDefinition();
    sessionStrategyRef = new RuntimeBeanReference(sessionAuthStratRef);
}
Also used : BeanMetadataElement(org.springframework.beans.BeanMetadataElement) Element(org.w3c.dom.Element) ManagedList(org.springframework.beans.factory.support.ManagedList) RegisterSessionAuthenticationStrategy(org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy) Method(java.lang.reflect.Method) RootBeanDefinition(org.springframework.beans.factory.support.RootBeanDefinition) BeanDefinition(org.springframework.beans.factory.config.BeanDefinition) BeanMetadataElement(org.springframework.beans.BeanMetadataElement) BeanDefinitionBuilder(org.springframework.beans.factory.support.BeanDefinitionBuilder) ChangeSessionIdAuthenticationStrategy(org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy) RootBeanDefinition(org.springframework.beans.factory.support.RootBeanDefinition) BeanComponentDefinition(org.springframework.beans.factory.parsing.BeanComponentDefinition) RuntimeBeanReference(org.springframework.beans.factory.config.RuntimeBeanReference) SessionFixationProtectionStrategy(org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy) ConcurrentSessionControlAuthenticationStrategy(org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy)

Example 9 with RuntimeBeanReference

use of org.springframework.beans.factory.config.RuntimeBeanReference in project spring-security by spring-projects.

the class ClearCredentialsMethodInvokingFactoryBean method createPortMapper.

/**
 * Registers the port mapper bean and returns a reference to it.
 *
 * <p>The port-mappings parser is invoked whether or not the child element exists, so a
 * default mapper is always created.
 *
 * @param elt the element whose {@code Elements.PORT_MAPPINGS} child is parsed
 * @param pc the parser context the bean is registered with
 * @return a runtime reference to the registered port mapper bean
 */
private BeanReference createPortMapper(Element elt, ParserContext pc) {
    PortMappingsBeanDefinitionParser mappingsParser = new PortMappingsBeanDefinitionParser();
    // May be null when the configuration has no port-mappings element.
    Element mappingsElt = DomUtils.getChildElementByTagName(elt, Elements.PORT_MAPPINGS);
    BeanDefinition mapperDefinition = mappingsParser.parse(mappingsElt, pc);

    String mapperBeanName = pc.getReaderContext().generateBeanName(mapperDefinition);
    BeanComponentDefinition mapperComponent = new BeanComponentDefinition(mapperDefinition, mapperBeanName);
    pc.registerBeanComponent(mapperComponent);
    return new RuntimeBeanReference(mapperBeanName);
}
Also used : BeanComponentDefinition(org.springframework.beans.factory.parsing.BeanComponentDefinition) RootBeanDefinition(org.springframework.beans.factory.support.RootBeanDefinition) BeanDefinition(org.springframework.beans.factory.config.BeanDefinition) RuntimeBeanReference(org.springframework.beans.factory.config.RuntimeBeanReference)

Example 10 with RuntimeBeanReference

use of org.springframework.beans.factory.config.RuntimeBeanReference in project spring-security by spring-projects.

the class FilterChainBeanDefinitionParser method parse.

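/**
 * Parses a filter-chain element into a {@code DefaultSecurityFilterChain} bean definition.
 *
 * <p>The request matcher comes from exactly one of the path-pattern attribute or the
 * request-matcher-ref attribute. The filter list is either empty (when the filters
 * attribute equals {@code OPT_FILTERS_NONE}) or a list of references to the
 * comma-separated bean names.
 *
 * <p>An empty filter list means the chain is built with no filters at all, so requests
 * matched by it are presumably not processed by any security filter; review every use of
 * that option against the URL patterns it covers.
 *
 * @param elt the filter-chain element
 * @param pc the parser context, used when creating a matcher from a path pattern
 * @return the filter chain bean definition
 * @throws IllegalArgumentException if both or neither of the matcher attributes are set
 */
public BeanDefinition parse(Element elt, ParserContext pc) {
    MatcherType matcherType = MatcherType.fromElement(elt);
    String path = elt.getAttribute(HttpSecurityBeanDefinitionParser.ATT_PATH_PATTERN);
    String requestMatcher = elt.getAttribute(ATT_REQUEST_MATCHER_REF);
    String filters = elt.getAttribute(HttpSecurityBeanDefinitionParser.ATT_FILTERS);
    BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(DefaultSecurityFilterChain.class);
    // The assertions carry a message so that a misconfigured chain is diagnosable from
    // the exception alone instead of failing with an empty message.
    if (StringUtils.hasText(path)) {
        Assert.isTrue(!StringUtils.hasText(requestMatcher),
                "The '" + HttpSecurityBeanDefinitionParser.ATT_PATH_PATTERN + "' and '" + ATT_REQUEST_MATCHER_REF
                        + "' attributes cannot be used together on a filter chain");
        builder.addConstructorArgValue(matcherType.createMatcher(pc, path, null));
    } else {
        Assert.isTrue(StringUtils.hasText(requestMatcher),
                "A filter chain requires either the '" + HttpSecurityBeanDefinitionParser.ATT_PATH_PATTERN
                        + "' or the '" + ATT_REQUEST_MATCHER_REF + "' attribute");
        builder.addConstructorArgReference(requestMatcher);
    }
    if (filters.equals(HttpSecurityBeanDefinitionParser.OPT_FILTERS_NONE)) {
        // Explicit opt-out: the chain is created with an empty filter list.
        builder.addConstructorArgValue(Collections.emptyList());
    } else {
        // NOTE(review): a blank filters attribute tokenizes to zero names and therefore
        // also produces an empty chain without any error; confirm the schema makes the
        // attribute mandatory.
        String[] filterBeanNames = StringUtils.tokenizeToStringArray(filters, ",");
        ManagedList<RuntimeBeanReference> filterChain = new ManagedList<RuntimeBeanReference>(filterBeanNames.length);
        for (String name : filterBeanNames) {
            filterChain.add(new RuntimeBeanReference(name));
        }
        builder.addConstructorArgValue(filterChain);
    }
    return builder.getBeanDefinition();
}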
Also used : BeanDefinitionBuilder(org.springframework.beans.factory.support.BeanDefinitionBuilder) ManagedList(org.springframework.beans.factory.support.ManagedList) RuntimeBeanReference(org.springframework.beans.factory.config.RuntimeBeanReference)

Aggregations

RuntimeBeanReference (org.springframework.beans.factory.config.RuntimeBeanReference)156 RootBeanDefinition (org.springframework.beans.factory.support.RootBeanDefinition)86 Element (org.w3c.dom.Element)47 BeanDefinition (org.springframework.beans.factory.config.BeanDefinition)39 BeanComponentDefinition (org.springframework.beans.factory.parsing.BeanComponentDefinition)33 BeanDefinitionBuilder (org.springframework.beans.factory.support.BeanDefinitionBuilder)32 ManagedList (org.springframework.beans.factory.support.ManagedList)27 BeanMetadataElement (org.springframework.beans.BeanMetadataElement)24 Test (org.junit.Test)21 ManagedMap (org.springframework.beans.factory.support.ManagedMap)20 MutablePropertyValues (org.springframework.beans.MutablePropertyValues)16 ConstructorArgumentValues (org.springframework.beans.factory.config.ConstructorArgumentValues)15 GroovyObject (groovy.lang.GroovyObject)12 TestBean (org.springframework.tests.sample.beans.TestBean)12 DefaultListableBeanFactory (org.springframework.beans.factory.support.DefaultListableBeanFactory)11 Map (java.util.Map)10 Node (org.w3c.dom.Node)10 HashMap (java.util.HashMap)9 CompositeComponentDefinition (org.springframework.beans.factory.parsing.CompositeComponentDefinition)9 ITestBean (org.springframework.tests.sample.beans.ITestBean)8