GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

SEC-309: Patch for Authentication tag to use property of authentication object, rather than invoking an operation on the principal. Allows use of nested properties.

2.0.x
Luke Taylor 18 years ago
parent
e0d0cc20c7
commit
10ab4136d1
6 changed files with 170 additions and 185 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 152
      core/src/main/java/org/springframework/security/taglibs/authz/AuthenticationTag.java
  2. 2
      core/src/main/java/org/springframework/security/taglibs/velocity/AuthzImpl.java
  3. 32
      core/src/main/resources/org/springframework/security/taglibs/security.tld
  4. 66
      core/src/test/java/org/springframework/security/taglibs/authz/AuthenticationTagTests.java
  5. 20
      samples/tutorial/src/main/webapp/index.jsp
  6. 29
      samples/tutorial/src/main/webapp/secure/index.jsp

152
core/src/main/java/org/springframework/security/taglibs/authz/AuthenticationTag.java
Unescape View File

@ -20,137 +20,109 @@ import org.springframework.security.Authentication; @@ -20,137 +20,109 @@ import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.beans.BeanWrapperImpl;
import org.springframework.beans.BeansException;
import org.springframework.web.util.TagUtils;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.tagext.Tag;
import javax.servlet.jsp.tagext.TagSupport;
/**
* An {@link javax.servlet.jsp.tagext.Tag} implementation that allows convenient access to the current
* <code>Authentication</code> object.<p>Whilst JSPs can access the <code>SecurityContext</code> directly, this tag
* avoids handling <code>null</code> conditions. The tag also properly accommodates
* <code>Authentication.getPrincipal()</code>, which can either be a <code>String</code> or a
* <code>UserDetails</code>.</p>
* <code>Authentication</code> object. The <tt>operation</tt> attribute
* <p>
* Whilst JSPs can access the <code>SecurityContext</code> directly, this tag avoids handling <code>null</code> conditions.
*
* @author Ben Alex
* @author Thomas Champagne
* @version $Id$
*/
public class AuthenticationTag extends TagSupport {
//~ Static fields/initializers =====================================================================================
private static final Set methodPrefixValidOptions = new HashSet();
static {
methodPrefixValidOptions.add("get");
methodPrefixValidOptions.add("is");
}
//~ Instance fields ================================================================================================
private String methodPrefix = "get";
private String operation = "";
//~ Methods ========================================================================================================
private String var;
private String property;
private int scope;
private boolean scopeSpecified;
public int doStartTag() throws JspException {
if ((null == operation) || "".equals(operation)) {
return Tag.SKIP_BODY;
}
validateArguments();
//~ Methods ========================================================================================================
if ((SecurityContextHolder.getContext() == null)
|| !(SecurityContextHolder.getContext() instanceof SecurityContext)
|| (((SecurityContext) SecurityContextHolder.getContext()).getAuthentication() == null)) {
return Tag.SKIP_BODY;
public AuthenticationTag() {
init();
}
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth.getPrincipal() == null) {
return Tag.SKIP_BODY;
} else if (auth.getPrincipal() instanceof UserDetails) {
writeMessage(invokeOperation(auth.getPrincipal()));
return Tag.SKIP_BODY;
} else {
writeMessage(auth.getPrincipal().toString());
return Tag.SKIP_BODY;
// resets local state
private void init() {
var = null;
scopeSpecified = false;
scope = PageContext.PAGE_SCOPE;
}
public void setVar(String var) {
this.var = var;
}
public String getMethodPrefix() {
return methodPrefix;
public void setProperty(String operation) {
this.property = operation;
}
public String getOperation() {
return operation;
public void setScope(String scope) {
this.scope = TagUtils.getScope(scope);
this.scopeSpecified = true;
}
protected String invokeOperation(Object obj) throws JspException {
Class clazz = obj.getClass();
String methodToInvoke = getOperation();
StringBuffer methodName = new StringBuffer();
methodName.append(getMethodPrefix());
methodName.append(methodToInvoke.substring(0, 1).toUpperCase());
methodName.append(methodToInvoke.substring(1));
Method method = null;
public int doStartTag() throws JspException {
return super.doStartTag();
}
try {
method = clazz.getMethod(methodName.toString(), (Class[]) null);
} catch (SecurityException se) {
throw new JspException(se);
} catch (NoSuchMethodException nsme) {
throw new JspException(nsme);
public int doEndTag() throws JspException {
Object result = null;
// determine the value by...
if (property != null) {
if ((SecurityContextHolder.getContext() == null)
|| !(SecurityContextHolder.getContext() instanceof SecurityContext)
|| (SecurityContextHolder.getContext().getAuthentication() == null)) {
return Tag.EVAL_PAGE;
}
Object retVal = null;
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth.getPrincipal() == null) {
return Tag.EVAL_PAGE;
} else {
try {
retVal = method.invoke(obj, (Object[]) null);
} catch (IllegalArgumentException iae) {
throw new JspException(iae);
} catch (IllegalAccessException iae) {
throw new JspException(iae);
} catch (InvocationTargetException ite) {
throw new JspException(ite);
BeanWrapperImpl wrapper = new BeanWrapperImpl(auth);
result = wrapper.getPropertyValue(property);
} catch (BeansException e) {
throw new JspException(e);
}
if (retVal == null) {
retVal = "";
}
return retVal.toString();
}
public void setMethodPrefix(String methodPrefix) {
this.methodPrefix = methodPrefix;
}
public void setOperation(String operation) {
this.operation = operation;
if (var != null) {
/*
* Store the result, letting an IllegalArgumentException
* propagate back if the scope is invalid (e.g., if an attempt
* is made to store something in the session without any
* HttpSession existing).
*/
if (result != null) {
pageContext.setAttribute(var, result, scope);
} else {
if (scopeSpecified) {
pageContext.removeAttribute(var, scope);
} else {
pageContext.removeAttribute(var);
}
protected void validateArguments() throws JspException {
if ((getMethodPrefix() != null) && !getMethodPrefix().equals("")) {
if (!methodPrefixValidOptions.contains(getMethodPrefix())) {
throw new JspException("Authorization tag : no valid method prefix available");
}
} else {
throw new JspException("Authorization tag : no method prefix available");
writeMessage(result.toString());
}
return EVAL_PAGE;
}
protected void writeMessage(String msg) throws JspException {

2
core/src/main/java/org/springframework/security/taglibs/velocity/AuthzImpl.java
Unescape View File

@ -68,7 +68,7 @@ public class AuthzImpl implements Authz { @@ -68,7 +68,7 @@ public class AuthzImpl implements Authz {
public String getPrincipal() {
MyAuthenticationTag authenticationTag = new MyAuthenticationTag();
authenticationTag.setOperation("username");
authenticationTag.setProperty("username");
try {
authenticationTag.doStartTag();

32
core/src/main/resources/org/springframework/security/taglibs/security.tld
Unescape View File

@ -8,8 +8,8 @@ @@ -8,8 +8,8 @@
<short-name>security</short-name>
<uri>http://www.springframework.org/security/tags</uri>
<description>
Spring Securitys Authorization Tag Library
$Id: authz.tld 2176 2007-10-03 14:02:39Z luke_t $
Spring Security Authorization Tag Library
$Id$
</description>
<tag>
@ -59,28 +59,36 @@ @@ -59,28 +59,36 @@
</description>
<attribute>
<name>operation</name>
<name>property</name>
<required>true</required>
<rtexprvalue>true</rtexprvalue>
<description>
Must be one of the methods of an instance that implements the UserDetails
interface. Use the JavaBean style property, you can provide a custom prefix
for the method to call.
Property of the Authentication object which should be output. Supports nested
properties. For example if the principal object is an instance of UserDetails,
te property "principal.username" will return the username. Alternatively, using
"name" will call getName method on the Authentication object directly.
</description>
</attribute>
<attribute>
<name>methodPrefix</name>
<name>var</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
<rtexprvalue>false</rtexprvalue>
<description>
Name of the exported scoped variable for the
exception thrown from a nested action. The type of the
scoped variable is the type of the exception thrown.
</description>
</attribute>
<attribute>
<name>scope</name>
<required>false</required>
<rtexprvalue>false</rtexprvalue>
<description>
Must be get or is. This is used to determine the name of the
method to be called. The default is get.
Scope for var.
</description>
</attribute>
</tag>
<tag>
<name>acl</name>
<tag-class>org.springframework.security.taglibs.authz.AclTag</tag-class>

66
core/src/test/java/org/springframework/security/taglibs/authz/AuthenticationTagTests.java
Unescape View File

@ -19,11 +19,8 @@ import junit.framework.TestCase; @@ -19,11 +19,8 @@ import junit.framework.TestCase;
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.TestingAuthenticationToken;
import org.springframework.security.userdetails.User;
import javax.servlet.jsp.JspException;
@ -40,6 +37,8 @@ public class AuthenticationTagTests extends TestCase { @@ -40,6 +37,8 @@ public class AuthenticationTagTests extends TestCase {
//~ Instance fields ================================================================================================
private final MyAuthenticationTag authenticationTag = new MyAuthenticationTag();
private final Authentication auth = new TestingAuthenticationToken(new User("rodUserDetails", "koala", true, true, true,
true, new GrantedAuthority[] {}), "koala", new GrantedAuthority[] {});
//~ Methods ========================================================================================================
@ -47,86 +46,67 @@ public class AuthenticationTagTests extends TestCase { @@ -47,86 +46,67 @@ public class AuthenticationTagTests extends TestCase {
SecurityContextHolder.clearContext();
}
public void testOperationAndMethodPrefixWhenPrincipalIsAUserDetailsInstance()
throws JspException {
Authentication auth = new TestingAuthenticationToken(new User("rodUserDetails", "koala", true, true, true,
true, new GrantedAuthority[] {}), "koala", new GrantedAuthority[] {});
public void testOperationWhenPrincipalIsAUserDetailsInstance()throws JspException {
SecurityContextHolder.getContext().setAuthentication(auth);
authenticationTag.setOperation("username");
authenticationTag.setMethodPrefix("get");
authenticationTag.setProperty("name");
assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag());
assertEquals(Tag.EVAL_PAGE, authenticationTag.doEndTag());
assertEquals("rodUserDetails", authenticationTag.getLastMessage());
}
public void testOperationWhenPrincipalIsAString() throws JspException {
Authentication auth = new TestingAuthenticationToken("rodAsString", "koala", new GrantedAuthority[] {});
SecurityContextHolder.getContext().setAuthentication(auth);
SecurityContextHolder.getContext().setAuthentication(
new TestingAuthenticationToken("rodAsString", "koala", new GrantedAuthority[] {}));
authenticationTag.setOperation("principal");
authenticationTag.setProperty("principal");
assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag());
assertEquals(Tag.EVAL_PAGE, authenticationTag.doEndTag());
assertEquals("rodAsString", authenticationTag.getLastMessage());
}
public void testOperationWhenPrincipalIsAUserDetailsInstance()
throws JspException {
Authentication auth = new TestingAuthenticationToken(new User("rodUserDetails", "koala", true, true, true,
true, new GrantedAuthority[] {}), "koala", new GrantedAuthority[] {});
public void testNestedPropertyIsReadCorrectly() throws JspException {
SecurityContextHolder.getContext().setAuthentication(auth);
authenticationTag.setOperation("username");
authenticationTag.setProperty("principal.username");
assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag());
assertEquals(Tag.EVAL_PAGE, authenticationTag.doEndTag());
assertEquals("rodUserDetails", authenticationTag.getLastMessage());
}
public void testOperationWhenPrincipalIsNull() throws JspException {
Authentication auth = new TestingAuthenticationToken(null, "koala", new GrantedAuthority[] {});
SecurityContextHolder.getContext().setAuthentication(auth);
SecurityContextHolder.getContext().setAuthentication(
new TestingAuthenticationToken(null, "koala", new GrantedAuthority[] {}));
authenticationTag.setOperation("principal");
authenticationTag.setProperty("principal");
assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag());
assertEquals(Tag.EVAL_PAGE, authenticationTag.doEndTag());
}
public void testOperationWhenSecurityContextIsNull() throws Exception {
SecurityContextHolder.getContext().setAuthentication(null);
authenticationTag.setOperation("principal");
authenticationTag.setProperty("principal");
assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag());
assertEquals(Tag.EVAL_PAGE, authenticationTag.doEndTag());
assertEquals(null, authenticationTag.getLastMessage());
}
public void testSkipsBodyIfNullOrEmptyOperation() throws Exception {
authenticationTag.setOperation("");
assertEquals("", authenticationTag.getOperation());
authenticationTag.setProperty("");
assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag());
assertEquals(Tag.EVAL_PAGE, authenticationTag.doEndTag());
}
public void testThrowsExceptionForUnrecognisedMethodPrefix() {
Authentication auth = new TestingAuthenticationToken(new User("rodUserDetails", "koala", true, true, true,
true, new GrantedAuthority[] {}), "koala", new GrantedAuthority[] {});
SecurityContextHolder.getContext().setAuthentication(auth);
authenticationTag.setOperation("username");
authenticationTag.setMethodPrefix("qrq");
try {
authenticationTag.doStartTag();
fail("Should have thrown a JspException");
} catch (JspException expected) {
assertTrue(true);
}
}
public void testThrowsExceptionForUnrecognisedOperation() {
Authentication auth = new TestingAuthenticationToken(new User("rodUserDetails", "koala", true, true, true,
true, new GrantedAuthority[] {}), "koala", new GrantedAuthority[] {});
public void testThrowsExceptionForUnrecognisedProperty() {
SecurityContextHolder.getContext().setAuthentication(auth);
authenticationTag.setOperation("qsq");
authenticationTag.setProperty("qsq");
try {
authenticationTag.doStartTag();
authenticationTag.doEndTag();
fail("Should have throwns JspException");
} catch (JspException expected) {
assertTrue(true);
}
}

20
samples/tutorial/src/main/webapp/index.jsp
Unescape View File

@ -1,14 +1,18 @@ @@ -1,14 +1,18 @@
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<html>
<body>
<h1>Home Page</h1>
Anyone can view this page.<br><br>
<p>
Anyone can view this page.
</p>
<p>
If you're logged in, you can <a href="listAccounts.html">list accounts</a>.
</p>
<p>
Your principal object is....: <%= request.getUserPrincipal() %>
</p>
If you're logged in, you can <a href="listAccounts.html">list accounts</a>.<br><br>
Your principal object is....: <%= request.getUserPrincipal() %><br><br>
<p><a href="secure/index.jsp">Secure page</a>
<p><a href="secure/extreme/index.jsp">Extremely secure page</a>
<p><a href="secure/index.jsp">Secure page</a></p>
<p><a href="secure/extreme/index.jsp">Extremely secure page</a></p>
</body>
</html>

29
samples/tutorial/src/main/webapp/secure/index.jsp
Unescape View File

@ -1,12 +1,33 @@ @@ -1,12 +1,33 @@
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<html>
<body>
<h1>Secure Page</h1>
<p>
This is a protected page. You can get to me if you've been remembered,
or if you've authenticated this session.<br><br>
or if you've authenticated this session.
</p>
<sec:authorize ifAllGranted="ROLE_SUPERVISOR">
You are a supervisor! You can therefore see the <a href="extreme/index.jsp">extremely secure page</a>.<br/><br/>
</sec:authorize>
<%if (request.isUserInRole("ROLE_SUPERVISOR")) { %>
You are a supervisor! You can therefore see the <a href="extreme/index.jsp">extremely secure page</a>.<br><br>
<% } %>
<h3>Properties obtained using &lt;sec:authentication /&gt; tag</h3>
<table border="1">
<tr><th>Tag</th><th>Value</th></tr>
<tr>
<td>&lt;sec:authentication property='name' /&gt;</td><td><sec:authentication property="name"/></td>
</tr>
<tr>
<td>&lt;sec:authentication property='principal.username' /&gt;</td><td><sec:authentication property="principal.username"/></td>
</tr>
<tr>
<td>&lt;sec:authentication property='principal.enabled' /&gt;</td><td><sec:authentication property="principal.enabled"/></td>
</tr>
<tr>
<td>&lt;sec:authentication property='principal.accountNonLocked' /&gt;</td><td><sec:authentication property="principal.accountNonLocked"/></td>
</tr>
</table>
<p><a href="../">Home</a>

Write Preview
Loading…
Cancel
Save