GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

SEC-1450: Replace use of ClassUtils.getMostSpecificMethod() in AbstractFallbackMethodDefinitionSource with AopUtils.getMostSpecificMethod() equivalent. 

Ensures protect-pointcut expressions match methods with generic parameters.
3.0.x
Luke Taylor 16 years ago
parent
e518adbef1
commit
4c8e9e2d7e
2 changed files with 29 additions and 4 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 29
      config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java
  2. 4
      core/src/main/java/org/springframework/security/access/method/AbstractFallbackMethodSecurityMetadataSource.java

29
config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java
Unescape View File

@ -16,6 +16,8 @@ import org.springframework.context.ApplicationContext;
import org.springframework.context.support.AbstractXmlApplicationContext; import org.springframework.context.support.AbstractXmlApplicationContext;
import org.springframework.context.support.StaticApplicationContext; import org.springframework.context.support.StaticApplicationContext;
import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.annotation.BusinessService; import org.springframework.security.access.annotation.BusinessService;
import org.springframework.security.access.intercept.AfterInvocationProviderManager; import org.springframework.security.access.intercept.AfterInvocationProviderManager;
import org.springframework.security.access.intercept.RunAsManagerImpl; import org.springframework.security.access.intercept.RunAsManagerImpl;
@ -30,6 +32,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
import org.springframework.security.config.ConfigTestUtils; import org.springframework.security.config.ConfigTestUtils;
import org.springframework.security.config.PostProcessedMockUserDetailsService; import org.springframework.security.config.PostProcessedMockUserDetailsService;
import org.springframework.security.config.util.InMemoryXmlApplicationContext; import org.springframework.security.config.util.InMemoryXmlApplicationContext;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UserDetailsService;
@ -166,7 +169,7 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
" 'execution(* org.springframework.security.access.annotation.BusinessService.*(..)) " + " 'execution(* org.springframework.security.access.annotation.BusinessService.*(..)) " +
" and not execution(* org.springframework.security.access.annotation.BusinessService.someOther(String)))' " + " and not execution(* org.springframework.security.access.annotation.BusinessService.someOther(String)))' " +
" access='ROLE_USER'/>" + " access='ROLE_USER'/>" +
"</global-method-security>" + ConfigTestUtils.AUTH_PROVIDER_XML "</global-method-security>" + AUTH_PROVIDER_XML
); );
target = (BusinessService) appContext.getBean("target"); target = (BusinessService) appContext.getBean("target");
// String method should not be protected // String method should not be protected
@ -283,6 +286,20 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
AUTH_PROVIDER_XML); AUTH_PROVIDER_XML);
} }
// SEC-1450
@Test(expected=AuthenticationException.class)
@SuppressWarnings("unchecked")
public void genericsAreMatchedByProtectPointcut() throws Exception {
setContext(
"<b:bean id='target' class='org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParserTests$ConcreteFoo'/>" +
"<global-method-security>" +
" <protect-pointcut expression='execution(* org..*Foo.foo(..))' access='ROLE_USER'/>" +
"</global-method-security>" + AUTH_PROVIDER_XML
);
Foo foo = (Foo) appContext.getBean("target");
foo.foo(new SecurityConfig("A"));
}
@Test @Test
public void runAsManagerIsSetCorrectly() throws Exception { public void runAsManagerIsSetCorrectly() throws Exception {
StaticApplicationContext parent = new StaticApplicationContext(); StaticApplicationContext parent = new StaticApplicationContext();
@ -305,6 +322,14 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
private void setContext(String context, ApplicationContext parent) { private void setContext(String context, ApplicationContext parent) {
appContext = new InMemoryXmlApplicationContext(context, parent); appContext = new InMemoryXmlApplicationContext(context, parent);
} }
}
interface Foo<T extends ConfigAttribute> {
void foo(T action);
}
public static class ConcreteFoo implements Foo<SecurityConfig> {
public void foo(SecurityConfig action) {
}
}
}

4
core/src/main/java/org/springframework/security/access/method/AbstractFallbackMethodSecurityMetadataSource.java
Unescape View File

@ -3,8 +3,8 @@ package org.springframework.security.access.method;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import java.util.Collection; import java.util.Collection;
import org.springframework.aop.support.AopUtils;
import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.ConfigAttribute;
import org.springframework.util.ClassUtils;
/** /**
* Abstract implementation of {@link MethodSecurityMetadataSource} that supports both Spring AOP and AspectJ and * Abstract implementation of {@link MethodSecurityMetadataSource} that supports both Spring AOP and AspectJ and
@ -29,7 +29,7 @@ public abstract class AbstractFallbackMethodSecurityMetadataSource extends Abstr
public Collection<ConfigAttribute> getAttributes(Method method, Class<?> targetClass) { public Collection<ConfigAttribute> getAttributes(Method method, Class<?> targetClass) {
// The method may be on an interface, but we need attributes from the target class. // The method may be on an interface, but we need attributes from the target class.
// If the target class is null, the method will be unchanged. // If the target class is null, the method will be unchanged.
Method specificMethod = ClassUtils.getMostSpecificMethod(method, targetClass); Method specificMethod = AopUtils.getMostSpecificMethod(method, targetClass);
// First try is the method in the target class. // First try is the method in the target class.
Collection<ConfigAttribute> attr = findAttributes(specificMethod, targetClass); Collection<ConfigAttribute> attr = findAttributes(specificMethod, targetClass);
if (attr != null) { if (attr != null) {

Write Preview
Loading…
Cancel
Save