From 197ddb3cd1731ce7df4f320840930ff76be434c4 Mon Sep 17 00:00:00 2001
From: Rob Winch <rwinch@gopivotal.com>
Date: Tue, 7 Jul 2015 22:46:31 -0500
Subject: [PATCH] SEC-3029: Fix Compatibility with Spring 4.2.x

---
 .../acls/jdbc/JdbcMutableAclService.java      |  8 ++---
 ...ageBrokerSecurityBeanDefinitionParser.java | 29 +++++++++++++------
 ...balMethodSecurityConfigurationTests.groovy |  3 +-
 .../provisioning/JdbcUserDetailsManager.java  |  2 +-
 .../JdbcUserDetailsManagerTests.java          |  3 +-
 .../main/java/sample/dms/DocumentDaoImpl.java |  2 +-
 .../src/test/java/DmsIntegrationTests.java    |  4 +--
 .../test/java/SecureDmsIntegrationTests.java  | 27 ++++++++++-------
 ...ractSessionFixationProtectionStrategy.java |  3 ++
 9 files changed, 51 insertions(+), 30 deletions(-)

diff --git a/acl/src/main/java/org/springframework/security/acls/jdbc/JdbcMutableAclService.java b/acl/src/main/java/org/springframework/security/acls/jdbc/JdbcMutableAclService.java
index 7ca8ba3f90..f2197a68bc 100644
--- a/acl/src/main/java/org/springframework/security/acls/jdbc/JdbcMutableAclService.java
+++ b/acl/src/main/java/org/springframework/security/acls/jdbc/JdbcMutableAclService.java
@@ -192,7 +192,7 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 			jdbcTemplate.update(insertClass, type);
 			Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(),
 					"Transaction must be running");
-			return new Long(jdbcTemplate.queryForLong(classIdentityQuery));
+			return jdbcTemplate.queryForObject(classIdentityQuery, Long.class);
 		}
 
 		return null;
@@ -252,7 +252,7 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 			jdbcTemplate.update(insertSid, Boolean.valueOf(sidIsPrincipal), sidName);
 			Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(),
 					"Transaction must be running");
-			return new Long(jdbcTemplate.queryForLong(sidIdentityQuery));
+			return jdbcTemplate.queryForObject(sidIdentityQuery, Long.class);
 		}
 
 		return null;
@@ -332,8 +332,8 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 	 */
 	protected Long retrieveObjectIdentityPrimaryKey(ObjectIdentity oid) {
 		try {
-			return new Long(jdbcTemplate.queryForLong(selectObjectIdentityPrimaryKey,
-					oid.getType(), oid.getIdentifier()));
+			return jdbcTemplate.queryForObject(selectObjectIdentityPrimaryKey, Long.class,
+					oid.getType(), oid.getIdentifier());
 		}
 		catch (DataAccessException notFound) {
 			return null;
diff --git a/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
index 5f8e731d84..ef835a9981 100644
--- a/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
@@ -15,12 +15,22 @@
  */
 package org.springframework.security.config.websocket;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import java.util.Comparator;
+import java.util.List;
+import java.util.Map;
+
 import org.springframework.beans.BeansException;
 import org.springframework.beans.PropertyValue;
-import org.springframework.beans.factory.config.*;
-import org.springframework.beans.factory.support.*;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.config.BeanReference;
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.beans.factory.config.RuntimeBeanReference;
+import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.springframework.beans.factory.support.BeanDefinitionRegistry;
+import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor;
+import org.springframework.beans.factory.support.ManagedList;
+import org.springframework.beans.factory.support.ManagedMap;
+import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.beans.factory.xml.XmlReaderContext;
@@ -43,10 +53,6 @@ import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
 import org.w3c.dom.Element;
 
-import java.util.Comparator;
-import java.util.List;
-import java.util.Map;
-
 /**
  * Parses Spring Security's websocket namespace support. A simple example is:
  *
@@ -208,6 +214,11 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
 	static class MessageSecurityPostProcessor implements
 			BeanDefinitionRegistryPostProcessor {
 
+		/**
+		 * This is not available prior to Spring 4.2
+		 */
+		private static final String WEB_SOCKET_AMMH_CLASS_NAME = "org.springframework.web.socket.messaging.WebSocketAnnotationMethodMessageHandler";
+
 		private static final String CLIENT_INBOUND_CHANNEL_BEAN_ID = "clientInboundChannel";
 
 		private static final String INTERCEPTORS_PROP = "interceptors";
@@ -231,7 +242,7 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
 				BeanDefinition bd = registry.getBeanDefinition(beanName);
 				String beanClassName = bd.getBeanClassName();
 				if (beanClassName.equals(SimpAnnotationMethodMessageHandler.class
-						.getName())) {
+						.getName()) || beanClassName.equals(WEB_SOCKET_AMMH_CLASS_NAME)) {
 					PropertyValue current = bd.getPropertyValues().getPropertyValue(
 							CUSTOM_ARG_RESOLVERS_PROP);
 					ManagedList<Object> argResolvers = new ManagedList<Object>();
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy
index 6f11b74d93..15ee30e1ca 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy
@@ -44,6 +44,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.authentication.event.AuthenticationSuccessEvent
 import org.springframework.security.config.annotation.BaseSpringSpec
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
+import org.springframework.security.config.method.TestPermissionEvaluator;
 import org.springframework.security.core.Authentication
 import org.springframework.security.core.authority.AuthorityUtils
 import org.springframework.security.core.context.SecurityContextHolder
@@ -250,7 +251,7 @@ public class GlobalMethodSecurityConfigurationTests extends BaseSpringSpec {
 
 	@EnableGlobalMethodSecurity(prePostEnabled = true)
 	public static class MultiPermissionEvaluatorConfig extends GlobalMethodSecurityConfiguration {
-		static PermissionEvaluator PE
+		static PermissionEvaluator PE = new TestPermissionEvaluator()
 
 		@Override
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
diff --git a/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java b/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java
index 6ad20fc24d..12bfa13a00 100644
--- a/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java
+++ b/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java
@@ -375,7 +375,7 @@ public class JdbcUserDetailsManager extends JdbcDaoImpl implements UserDetailsMa
 	}
 
 	private int findGroupId(String group) {
-		return getJdbcTemplate().queryForInt(findGroupIdSql, group);
+		return getJdbcTemplate().queryForObject(findGroupIdSql, Integer.class, group);
 	}
 
 	public void setAuthenticationManager(AuthenticationManager authenticationManager) {
diff --git a/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java b/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java
index d890e062ce..b0f6b24353 100644
--- a/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java
+++ b/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java
@@ -250,7 +250,8 @@ public class JdbcUserDetailsManagerTests {
 
 		assertEquals(
 				0,
-				template.queryForInt("select id from groups where group_name = 'GROUP_X'"));
+				(int) template.queryForObject("select id from groups where group_name = 'GROUP_X'",
+						Integer.class));
 	}
 
 	@Test
diff --git a/samples/dms-xml/src/main/java/sample/dms/DocumentDaoImpl.java b/samples/dms-xml/src/main/java/sample/dms/DocumentDaoImpl.java
index 603acc6dee..d79c6931ef 100755
--- a/samples/dms-xml/src/main/java/sample/dms/DocumentDaoImpl.java
+++ b/samples/dms-xml/src/main/java/sample/dms/DocumentDaoImpl.java
@@ -30,7 +30,7 @@ public class DocumentDaoImpl extends JdbcDaoSupport implements DocumentDao {
 	private Long obtainPrimaryKey() {
 		Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(),
 				"Transaction must be running");
-		return new Long(getJdbcTemplate().queryForLong(SELECT_IDENTITY));
+		return getJdbcTemplate().queryForObject(SELECT_IDENTITY, Long.class);
 	}
 
 	public void create(AbstractElement element) {
diff --git a/samples/dms-xml/src/test/java/DmsIntegrationTests.java b/samples/dms-xml/src/test/java/DmsIntegrationTests.java
index d355f19bf1..bb7fc74503 100755
--- a/samples/dms-xml/src/test/java/DmsIntegrationTests.java
+++ b/samples/dms-xml/src/test/java/DmsIntegrationTests.java
@@ -40,8 +40,8 @@ public class DmsIntegrationTests extends AbstractTransactionalJUnit4SpringContex
 
 	@Test
 	public void testBasePopulation() {
-		assertEquals(9, jdbcTemplate.queryForInt("select count(id) from DIRECTORY"));
-		assertEquals(90, jdbcTemplate.queryForInt("select count(id) from FILE"));
+		assertEquals(9, (int) jdbcTemplate.queryForObject("select count(id) from DIRECTORY", Integer.class));
+		assertEquals(90, (int) jdbcTemplate.queryForObject("select count(id) from FILE", Integer.class));
 		assertEquals(3, documentDao.findElements(Directory.ROOT_DIRECTORY).length);
 	}
 
diff --git a/samples/dms-xml/src/test/java/SecureDmsIntegrationTests.java b/samples/dms-xml/src/test/java/SecureDmsIntegrationTests.java
index 5c6976cda9..42db15302d 100755
--- a/samples/dms-xml/src/test/java/SecureDmsIntegrationTests.java
+++ b/samples/dms-xml/src/test/java/SecureDmsIntegrationTests.java
@@ -15,18 +15,23 @@ public class SecureDmsIntegrationTests extends DmsIntegrationTests {
 
 	@Test
 	public void testBasePopulation() {
-		assertEquals(9, jdbcTemplate.queryForInt("select count(id) from DIRECTORY"));
-		assertEquals(90, jdbcTemplate.queryForInt("select count(id) from FILE"));
-		assertEquals(4, jdbcTemplate.queryForInt("select count(id) from ACL_SID")); // 3
-																					// users
-																					// + 1
-																					// role
-		assertEquals(2, jdbcTemplate.queryForInt("select count(id) from ACL_CLASS")); // Directory
-																						// and
-																						// File
+		assertEquals(9,
+				(int) jdbcTemplate.queryForObject("select count(id) from DIRECTORY", Integer.class));
+		assertEquals(90,
+				(int) jdbcTemplate.queryForObject("select count(id) from FILE", Integer.class));
+		assertEquals(4,
+				(int) jdbcTemplate.queryForObject("select count(id) from ACL_SID", Integer.class));	// 3
+																							// users
+																							// + 1
+																							// role
+		assertEquals(2,
+				(int) jdbcTemplate.queryForObject("select count(id) from ACL_CLASS", Integer.class)); // Directory
+																							// and
+																							// File
 		assertEquals(100,
-				jdbcTemplate.queryForInt("select count(id) from ACL_OBJECT_IDENTITY"));
-		assertEquals(115, jdbcTemplate.queryForInt("select count(id) from ACL_ENTRY"));
+				(int) jdbcTemplate.queryForObject("select count(id) from ACL_OBJECT_IDENTITY", Integer.class));
+		assertEquals(115,
+				(int) jdbcTemplate.queryForObject("select count(id) from ACL_ENTRY", Integer.class));
 	}
 
 	public void testMarissaRetrieval() {
diff --git a/web/src/main/java/org/springframework/security/web/authentication/session/AbstractSessionFixationProtectionStrategy.java b/web/src/main/java/org/springframework/security/web/authentication/session/AbstractSessionFixationProtectionStrategy.java
index 2c4610a838..64538494f5 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/session/AbstractSessionFixationProtectionStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/session/AbstractSessionFixationProtectionStrategy.java
@@ -149,6 +149,9 @@ abstract class AbstractSessionFixationProtectionStrategy implements
 	protected static final class NullEventPublisher implements ApplicationEventPublisher {
 		public void publishEvent(ApplicationEvent event) {
 		}
+
+		public void publishEvent(Object event) {
+		}
 	}
 
 }
\ No newline at end of file