GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

SEC-309: Patch for Authentication tag to use property of authentication object, rather than invoking an operation on the principal. Allows use of nested properties.

2.0.x
Luke Taylor 18 years ago
parent
e0d0cc20c7
commit
10ab4136d1
6 changed files with 170 additions and 185 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 152
      core/src/main/java/org/springframework/security/taglibs/authz/AuthenticationTag.java
  2. 2
      core/src/main/java/org/springframework/security/taglibs/velocity/AuthzImpl.java
  3. 32
      core/src/main/resources/org/springframework/security/taglibs/security.tld
  4. 66
      core/src/test/java/org/springframework/security/taglibs/authz/AuthenticationTagTests.java
  5. 20
      samples/tutorial/src/main/webapp/index.jsp
  6. 29
      samples/tutorial/src/main/webapp/secure/index.jsp

152
core/src/main/java/org/springframework/security/taglibs/authz/AuthenticationTag.java
Unescape View File

@ -20,137 +20,109 @@ import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContext; import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder; import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.userdetails.UserDetails; import org.springframework.beans.BeanWrapperImpl;
import org.springframework.beans.BeansException;
import org.springframework.web.util.TagUtils;
import java.io.IOException; import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.jsp.JspException; import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.tagext.Tag; import javax.servlet.jsp.tagext.Tag;
import javax.servlet.jsp.tagext.TagSupport; import javax.servlet.jsp.tagext.TagSupport;
/** /**
* An {@link javax.servlet.jsp.tagext.Tag} implementation that allows convenient access to the current * An {@link javax.servlet.jsp.tagext.Tag} implementation that allows convenient access to the current
* <code>Authentication</code> object.<p>Whilst JSPs can access the <code>SecurityContext</code> directly, this tag * <code>Authentication</code> object. The <tt>operation</tt> attribute
* avoids handling <code>null</code> conditions. The tag also properly accommodates * <p>
* <code>Authentication.getPrincipal()</code>, which can either be a <code>String</code> or a * Whilst JSPs can access the <code>SecurityContext</code> directly, this tag avoids handling <code>null</code> conditions.
* <code>UserDetails</code>.</p>
* *
* @author Ben Alex * @author Thomas Champagne
* @version $Id$ * @version $Id$
*/ */
public class AuthenticationTag extends TagSupport { public class AuthenticationTag extends TagSupport {
//~ Static fields/initializers =====================================================================================
private static final Set methodPrefixValidOptions = new HashSet();
static {
methodPrefixValidOptions.add("get");
methodPrefixValidOptions.add("is");
}
//~ Instance fields ================================================================================================ //~ Instance fields ================================================================================================
private String methodPrefix = "get"; private String var;
private String operation = ""; private String property;
private int scope;
//~ Methods ======================================================================================================== private boolean scopeSpecified;
public int doStartTag() throws JspException {
if ((null == operation) || "".equals(operation)) {
return Tag.SKIP_BODY;
}
validateArguments(); //~ Methods ========================================================================================================
if ((SecurityContextHolder.getContext() == null) public AuthenticationTag() {
|| !(SecurityContextHolder.getContext() instanceof SecurityContext) init();
|| (((SecurityContext) SecurityContextHolder.getContext()).getAuthentication() == null)) {
return Tag.SKIP_BODY;
} }
Authentication auth = SecurityContextHolder.getContext().getAuthentication(); // resets local state
private void init() {
if (auth.getPrincipal() == null) { var = null;
return Tag.SKIP_BODY; scopeSpecified = false;
} else if (auth.getPrincipal() instanceof UserDetails) { scope = PageContext.PAGE_SCOPE;
writeMessage(invokeOperation(auth.getPrincipal()));
return Tag.SKIP_BODY;
} else {
writeMessage(auth.getPrincipal().toString());
return Tag.SKIP_BODY;
} }
public void setVar(String var) {
this.var = var;
} }
public String getMethodPrefix() { public void setProperty(String operation) {
return methodPrefix; this.property = operation;
} }
public String getOperation() { public void setScope(String scope) {
return operation; this.scope = TagUtils.getScope(scope);
this.scopeSpecified = true;
} }
protected String invokeOperation(Object obj) throws JspException { public int doStartTag() throws JspException {
Class clazz = obj.getClass(); return super.doStartTag();
String methodToInvoke = getOperation(); }
StringBuffer methodName = new StringBuffer();
methodName.append(getMethodPrefix());
methodName.append(methodToInvoke.substring(0, 1).toUpperCase());
methodName.append(methodToInvoke.substring(1));
Method method = null;
try { public int doEndTag() throws JspException {
method = clazz.getMethod(methodName.toString(), (Class[]) null); Object result = null;
} catch (SecurityException se) { // determine the value by...
throw new JspException(se); if (property != null) {
} catch (NoSuchMethodException nsme) { if ((SecurityContextHolder.getContext() == null)
throw new JspException(nsme); || !(SecurityContextHolder.getContext() instanceof SecurityContext)
|| (SecurityContextHolder.getContext().getAuthentication() == null)) {
return Tag.EVAL_PAGE;
} }
Object retVal = null; Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth.getPrincipal() == null) {
return Tag.EVAL_PAGE;
} else {
try { try {
retVal = method.invoke(obj, (Object[]) null); BeanWrapperImpl wrapper = new BeanWrapperImpl(auth);
} catch (IllegalArgumentException iae) { result = wrapper.getPropertyValue(property);
throw new JspException(iae); } catch (BeansException e) {
} catch (IllegalAccessException iae) { throw new JspException(e);
throw new JspException(iae);
} catch (InvocationTargetException ite) {
throw new JspException(ite);
} }
if (retVal == null) {
retVal = "";
} }
return retVal.toString();
}
public void setMethodPrefix(String methodPrefix) {
this.methodPrefix = methodPrefix;
} }
public void setOperation(String operation) { if (var != null) {
this.operation = operation; /*
* Store the result, letting an IllegalArgumentException
* propagate back if the scope is invalid (e.g., if an attempt
* is made to store something in the session without any
* HttpSession existing).
*/
if (result != null) {
pageContext.setAttribute(var, result, scope);
} else {
if (scopeSpecified) {
pageContext.removeAttribute(var, scope);
} else {
pageContext.removeAttribute(var);
} }
protected void validateArguments() throws JspException {
if ((getMethodPrefix() != null) && !getMethodPrefix().equals("")) {
if (!methodPrefixValidOptions.contains(getMethodPrefix())) {
throw new JspException("Authorization tag : no valid method prefix available");
} }
} else { } else {
throw new JspException("Authorization tag : no method prefix available"); writeMessage(result.toString());
} }
return EVAL_PAGE;
} }
protected void writeMessage(String msg) throws JspException { protected void writeMessage(String msg) throws JspException {

2
core/src/main/java/org/springframework/security/taglibs/velocity/AuthzImpl.java
Unescape View File

@ -68,7 +68,7 @@ public class AuthzImpl implements Authz {
public String getPrincipal() { public String getPrincipal() {
MyAuthenticationTag authenticationTag = new MyAuthenticationTag(); MyAuthenticationTag authenticationTag = new MyAuthenticationTag();
authenticationTag.setOperation("username"); authenticationTag.setProperty("username");
try { try {
authenticationTag.doStartTag(); authenticationTag.doStartTag();

32
core/src/main/resources/org/springframework/security/taglibs/security.tld
Unescape View File

@ -8,8 +8,8 @@
<short-name>security</short-name> <short-name>security</short-name>
<uri>http://www.springframework.org/security/tags</uri> <uri>http://www.springframework.org/security/tags</uri>
<description> <description>
Spring Securitys Authorization Tag Library Spring Security Authorization Tag Library
$Id: authz.tld 2176 2007-10-03 14:02:39Z luke_t $ $Id$
</description> </description>
<tag> <tag>
@ -59,28 +59,36 @@
</description> </description>
<attribute> <attribute>
<name>operation</name> <name>property</name>
<required>true</required> <required>true</required>
<rtexprvalue>true</rtexprvalue> <rtexprvalue>true</rtexprvalue>
<description> <description>
Must be one of the methods of an instance that implements the UserDetails Property of the Authentication object which should be output. Supports nested
interface. Use the JavaBean style property, you can provide a custom prefix properties. For example if the principal object is an instance of UserDetails,
for the method to call. te property "principal.username" will return the username. Alternatively, using
"name" will call getName method on the Authentication object directly.
</description> </description>
</attribute> </attribute>
<attribute> <attribute>
<name>methodPrefix</name> <name>var</name>
<required>false</required> <required>false</required>
<rtexprvalue>true</rtexprvalue> <rtexprvalue>false</rtexprvalue>
<description>
Name of the exported scoped variable for the
exception thrown from a nested action. The type of the
scoped variable is the type of the exception thrown.
</description>
</attribute>
<attribute>
<name>scope</name>
<required>false</required>
<rtexprvalue>false</rtexprvalue>
<description> <description>
Must be get or is. This is used to determine the name of the Scope for var.
method to be called. The default is get.
</description> </description>
</attribute> </attribute>
</tag> </tag>
<tag> <tag>
<name>acl</name> <name>acl</name>
<tag-class>org.springframework.security.taglibs.authz.AclTag</tag-class> <tag-class>org.springframework.security.taglibs.authz.AclTag</tag-class>

66
core/src/test/java/org/springframework/security/taglibs/authz/AuthenticationTagTests.java
Unescape View File

@ -19,11 +19,8 @@ import junit.framework.TestCase;
import org.springframework.security.Authentication; import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority; import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder; import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.TestingAuthenticationToken; import org.springframework.security.providers.TestingAuthenticationToken;
import org.springframework.security.userdetails.User; import org.springframework.security.userdetails.User;
import javax.servlet.jsp.JspException; import javax.servlet.jsp.JspException;
@ -40,6 +37,8 @@ public class AuthenticationTagTests extends TestCase {
//~ Instance fields ================================================================================================ //~ Instance fields ================================================================================================
private final MyAuthenticationTag authenticationTag = new MyAuthenticationTag(); private final MyAuthenticationTag authenticationTag = new MyAuthenticationTag();
private final Authentication auth = new TestingAuthenticationToken(new User("rodUserDetails", "koala", true, true, true,
true, new GrantedAuthority[] {}), "koala", new GrantedAuthority[] {});
//~ Methods ======================================================================================================== //~ Methods ========================================================================================================
@ -47,86 +46,67 @@ public class AuthenticationTagTests extends TestCase {
SecurityContextHolder.clearContext(); SecurityContextHolder.clearContext();
} }
public void testOperationAndMethodPrefixWhenPrincipalIsAUserDetailsInstance() public void testOperationWhenPrincipalIsAUserDetailsInstance()throws JspException {
throws JspException {
Authentication auth = new TestingAuthenticationToken(new User("rodUserDetails", "koala", true, true, true,
true, new GrantedAuthority[] {}), "koala", new GrantedAuthority[] {});
SecurityContextHolder.getContext().setAuthentication(auth); SecurityContextHolder.getContext().setAuthentication(auth);
authenticationTag.setOperation("username"); authenticationTag.setProperty("name");
authenticationTag.setMethodPrefix("get");
assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag()); assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag());
assertEquals(Tag.EVAL_PAGE, authenticationTag.doEndTag());
assertEquals("rodUserDetails", authenticationTag.getLastMessage()); assertEquals("rodUserDetails", authenticationTag.getLastMessage());
} }
public void testOperationWhenPrincipalIsAString() throws JspException { public void testOperationWhenPrincipalIsAString() throws JspException {
Authentication auth = new TestingAuthenticationToken("rodAsString", "koala", new GrantedAuthority[] {}); SecurityContextHolder.getContext().setAuthentication(
SecurityContextHolder.getContext().setAuthentication(auth); new TestingAuthenticationToken("rodAsString", "koala", new GrantedAuthority[] {}));
authenticationTag.setOperation("principal"); authenticationTag.setProperty("principal");
assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag()); assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag());
assertEquals(Tag.EVAL_PAGE, authenticationTag.doEndTag());
assertEquals("rodAsString", authenticationTag.getLastMessage()); assertEquals("rodAsString", authenticationTag.getLastMessage());
} }
public void testOperationWhenPrincipalIsAUserDetailsInstance() public void testNestedPropertyIsReadCorrectly() throws JspException {
throws JspException {
Authentication auth = new TestingAuthenticationToken(new User("rodUserDetails", "koala", true, true, true,
true, new GrantedAuthority[] {}), "koala", new GrantedAuthority[] {});
SecurityContextHolder.getContext().setAuthentication(auth); SecurityContextHolder.getContext().setAuthentication(auth);
authenticationTag.setOperation("username"); authenticationTag.setProperty("principal.username");
assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag()); assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag());
assertEquals(Tag.EVAL_PAGE, authenticationTag.doEndTag());
assertEquals("rodUserDetails", authenticationTag.getLastMessage()); assertEquals("rodUserDetails", authenticationTag.getLastMessage());
} }
public void testOperationWhenPrincipalIsNull() throws JspException { public void testOperationWhenPrincipalIsNull() throws JspException {
Authentication auth = new TestingAuthenticationToken(null, "koala", new GrantedAuthority[] {}); SecurityContextHolder.getContext().setAuthentication(
SecurityContextHolder.getContext().setAuthentication(auth); new TestingAuthenticationToken(null, "koala", new GrantedAuthority[] {}));
authenticationTag.setOperation("principal"); authenticationTag.setProperty("principal");
assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag()); assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag());
assertEquals(Tag.EVAL_PAGE, authenticationTag.doEndTag());
} }
public void testOperationWhenSecurityContextIsNull() throws Exception { public void testOperationWhenSecurityContextIsNull() throws Exception {
SecurityContextHolder.getContext().setAuthentication(null); SecurityContextHolder.getContext().setAuthentication(null);
authenticationTag.setOperation("principal"); authenticationTag.setProperty("principal");
assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag()); assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag());
assertEquals(Tag.EVAL_PAGE, authenticationTag.doEndTag());
assertEquals(null, authenticationTag.getLastMessage()); assertEquals(null, authenticationTag.getLastMessage());
} }
public void testSkipsBodyIfNullOrEmptyOperation() throws Exception { public void testSkipsBodyIfNullOrEmptyOperation() throws Exception {
authenticationTag.setOperation(""); authenticationTag.setProperty("");
assertEquals("", authenticationTag.getOperation());
assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag()); assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag());
assertEquals(Tag.EVAL_PAGE, authenticationTag.doEndTag());
} }
public void testThrowsExceptionForUnrecognisedMethodPrefix() { public void testThrowsExceptionForUnrecognisedProperty() {
Authentication auth = new TestingAuthenticationToken(new User("rodUserDetails", "koala", true, true, true,
true, new GrantedAuthority[] {}), "koala", new GrantedAuthority[] {});
SecurityContextHolder.getContext().setAuthentication(auth);
authenticationTag.setOperation("username");
authenticationTag.setMethodPrefix("qrq");
try {
authenticationTag.doStartTag();
fail("Should have thrown a JspException");
} catch (JspException expected) {
assertTrue(true);
}
}
public void testThrowsExceptionForUnrecognisedOperation() {
Authentication auth = new TestingAuthenticationToken(new User("rodUserDetails", "koala", true, true, true,
true, new GrantedAuthority[] {}), "koala", new GrantedAuthority[] {});
SecurityContextHolder.getContext().setAuthentication(auth); SecurityContextHolder.getContext().setAuthentication(auth);
authenticationTag.setOperation("qsq"); authenticationTag.setProperty("qsq");
try { try {
authenticationTag.doStartTag(); authenticationTag.doStartTag();
authenticationTag.doEndTag();
fail("Should have throwns JspException"); fail("Should have throwns JspException");
} catch (JspException expected) { } catch (JspException expected) {
assertTrue(true);
} }
} }

20
samples/tutorial/src/main/webapp/index.jsp
Unescape View File

@ -1,14 +1,18 @@
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<html> <html>
<body> <body>
<h1>Home Page</h1> <h1>Home Page</h1>
Anyone can view this page.<br><br> <p>
Anyone can view this page.
</p>
<p>
If you're logged in, you can <a href="listAccounts.html">list accounts</a>.
</p>
<p>
Your principal object is....: <%= request.getUserPrincipal() %>
</p>
If you're logged in, you can <a href="listAccounts.html">list accounts</a>.<br><br> <p><a href="secure/index.jsp">Secure page</a></p>
<p><a href="secure/extreme/index.jsp">Extremely secure page</a></p>
Your principal object is....: <%= request.getUserPrincipal() %><br><br>
<p><a href="secure/index.jsp">Secure page</a>
<p><a href="secure/extreme/index.jsp">Extremely secure page</a>
</body> </body>
</html> </html>

29
samples/tutorial/src/main/webapp/secure/index.jsp
Unescape View File

@ -1,12 +1,33 @@
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<html> <html>
<body> <body>
<h1>Secure Page</h1> <h1>Secure Page</h1>
<p>
This is a protected page. You can get to me if you've been remembered, This is a protected page. You can get to me if you've been remembered,
or if you've authenticated this session.<br><br> or if you've authenticated this session.
</p>
<sec:authorize ifAllGranted="ROLE_SUPERVISOR">
You are a supervisor! You can therefore see the <a href="extreme/index.jsp">extremely secure page</a>.<br/><br/>
</sec:authorize>
<%if (request.isUserInRole("ROLE_SUPERVISOR")) { %> <h3>Properties obtained using &lt;sec:authentication /&gt; tag</h3>
You are a supervisor! You can therefore see the <a href="extreme/index.jsp">extremely secure page</a>.<br><br> <table border="1">
<% } %> <tr><th>Tag</th><th>Value</th></tr>
<tr>
<td>&lt;sec:authentication property='name' /&gt;</td><td><sec:authentication property="name"/></td>
</tr>
<tr>
<td>&lt;sec:authentication property='principal.username' /&gt;</td><td><sec:authentication property="principal.username"/></td>
</tr>
<tr>
<td>&lt;sec:authentication property='principal.enabled' /&gt;</td><td><sec:authentication property="principal.enabled"/></td>
</tr>
<tr>
<td>&lt;sec:authentication property='principal.accountNonLocked' /&gt;</td><td><sec:authentication property="principal.accountNonLocked"/></td>
</tr>
</table>
<p><a href="../">Home</a> <p><a href="../">Home</a>

Write Preview
Loading…
Cancel
Save