SEC-1584: Added namespace support for injecting custom HttpFirewall instance into FilterChainProxy.

config/convert_schema.sh

@@ -3,9 +3,9 @@
 pushd src/main/resources/org/springframework/security/config/
 
 echo "Converting rnc file to xsd ..."
-java -jar ~/bin/trang.jar spring-security-3.0.3.rnc spring-security-3.0.3.xsd
+java -jar ~/bin/trang.jar spring-security-3.0.4.rnc spring-security-3.0.4.xsd
 
 echo "Applying XSL transformation to xsd ..."
-xsltproc --output spring-security-3.0.3.xsd spring-security.xsl spring-security-3.0.3.xsd
+xsltproc --output spring-security-3.0.4.xsd spring-security.xsl spring-security-3.0.4.xsd
 
 popd

config/src/main/java/org/springframework/security/config/Elements.java

@@ -50,4 +50,5 @@ public abstract class Elements {
     @Deprecated
     public static final String FILTER_INVOCATION_DEFINITION_SOURCE = "filter-invocation-definition-source";
     public static final String LDAP_PASSWORD_COMPARE = "password-compare";
+    public static final String HTTP_FIREWALL = "http-firewall";
 }

config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java

@@ -15,6 +15,7 @@ import org.springframework.security.config.authentication.JdbcUserServiceBeanDef
 import org.springframework.security.config.authentication.UserServiceBeanDefinitionParser;
 import org.springframework.security.config.http.FilterChainMapBeanDefinitionDecorator;
 import org.springframework.security.config.http.FilterInvocationSecurityMetadataSourceParser;
+import org.springframework.security.config.http.HttpFirewallBeanDefinitionParser;
 import org.springframework.security.config.http.HttpSecurityBeanDefinitionParser;
 import org.springframework.security.config.ldap.LdapProviderBeanDefinitionParser;
 import org.springframework.security.config.ldap.LdapServerBeanDefinitionParser;
@@ -119,6 +120,7 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
         // Only load the web-namespace parsers if the web classes are available
         if (ClassUtils.isPresent("org.springframework.security.web.FilterChainProxy", getClass().getClassLoader())) {
             parsers.put(Elements.HTTP, new HttpSecurityBeanDefinitionParser());
+            parsers.put(Elements.HTTP_FIREWALL, new HttpFirewallBeanDefinitionParser());
             parsers.put(Elements.FILTER_INVOCATION_DEFINITION_SOURCE, new FilterInvocationSecurityMetadataSourceParser());
             parsers.put(Elements.FILTER_SECURITY_METADATA_SOURCE, new FilterInvocationSecurityMetadataSourceParser());
             filterChainMapBDD = new FilterChainMapBeanDefinitionDecorator();

config/src/main/java/org/springframework/security/config/http/HttpFirewallBeanDefinitionParser.java

@@ -0,0 +1,39 @@
+package org.springframework.security.config.http;
+
+import org.springframework.beans.BeanMetadataElement;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.config.RuntimeBeanReference;
+import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.springframework.beans.factory.support.ManagedMap;
+import org.springframework.beans.factory.support.RootBeanDefinition;
+import org.springframework.beans.factory.xml.BeanDefinitionParser;
+import org.springframework.beans.factory.xml.ParserContext;
+import org.springframework.security.config.BeanIds;
+import org.springframework.util.StringUtils;
+import org.w3c.dom.Element;
+
+import java.util.*;
+
+/**
+ * Injects the supplied {@code HttpFirewall} bean reference into the {@code FilterChainProxy}.
+ *
+ * @author Luke Taylor
+ */
+public class HttpFirewallBeanDefinitionParser implements BeanDefinitionParser {
+
+    @Override
+    public BeanDefinition parse(Element element, ParserContext pc) {
+        String ref = element.getAttribute("ref");
+
+        if (!StringUtils.hasText(ref)) {
+            pc.getReaderContext().error("ref attribute is required", pc.extractSource(element));
+        }
+
+        BeanDefinitionBuilder injector = BeanDefinitionBuilder.rootBeanDefinition(HttpFirewallInjectionBeanPostProcessor.class);
+        injector.addConstructorArgValue(ref);
+
+        pc.getReaderContext().registerWithGeneratedName(injector.getBeanDefinition());
+
+        return null;
+    }
+}

config/src/main/java/org/springframework/security/config/http/HttpFirewallInjectionBeanPostProcessor.java

@@ -0,0 +1,40 @@
+package org.springframework.security.config.http;
+
+import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.BeanFactory;
+import org.springframework.beans.factory.BeanFactoryAware;
+import org.springframework.beans.factory.config.BeanPostProcessor;
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.security.config.BeanIds;
+import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.firewall.HttpFirewall;
+
+/**
+ * @author Luke Taylor
+ */
+public class HttpFirewallInjectionBeanPostProcessor implements BeanPostProcessor, BeanFactoryAware {
+    private ConfigurableListableBeanFactory beanFactory;
+    private String ref;
+
+    public HttpFirewallInjectionBeanPostProcessor(String ref) {
+        this.ref = ref;
+    }
+
+    public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
+        if (BeanIds.FILTER_CHAIN_PROXY.equals(beanName)) {
+            HttpFirewall fw = (HttpFirewall) beanFactory.getBean(ref);
+            ((FilterChainProxy)bean).setFirewall(fw);
+        }
+
+        return bean;
+    }
+
+    public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
+        return bean;
+    }
+
+
+    public void setBeanFactory(BeanFactory beanFactory) throws BeansException {
+        this.beanFactory = (ConfigurableListableBeanFactory) beanFactory;
+    }
+}

config/src/main/resources/META-INF/spring.schemas

@@ -1,5 +1,6 @@
-http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-3.0.3.xsd
+http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-3.0.4.xsd
 http\://www.springframework.org/schema/security/spring-security-3.0.xsd=org/springframework/security/config/spring-security-3.0.xsd
+http\://www.springframework.org/schema/security/spring-security-3.0.4.xsd=org/springframework/security/config/spring-security-3.0.4.xsd
 http\://www.springframework.org/schema/security/spring-security-3.0.3.xsd=org/springframework/security/config/spring-security-3.0.3.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.xsd=org/springframework/security/config/spring-security-2.0.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.1.xsd=org/springframework/security/config/spring-security-2.0.1.xsd

config/src/main/resources/org/springframework/security/config/spring-security-3.0.4.rnc

@@ -245,6 +245,9 @@ protect-pointcut.attlist &=
     ## Access configuration attributes list that applies to all methods matching the pointcut, e.g. "ROLE_A,ROLE_B"
     attribute access {xsd:token}
 
+http-firewall =
+    ## Allows a custom instance of HttpFirewall to be injected into the FilterChainProxy created by the namespace.
+    element http-firewall {ref}
 
 http =
     ## Container element for HTTP security configuration
@@ -628,5 +631,3 @@ position =
 
 
 named-security-filter = "FIRST" | "CHANNEL_FILTER" | "CONCURRENT_SESSION_FILTER" | "SECURITY_CONTEXT_FILTER" | "LOGOUT_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_FILTER" | "FORM_LOGIN_FILTER" | "OPENID_FILTER" |"BASIC_AUTH_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "SESSION_MANAGEMENT_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER" | "LAST"
-
-

config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java

@@ -80,6 +80,7 @@ import org.springframework.security.web.authentication.www.BasicAuthenticationFi
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
+import org.springframework.security.web.firewall.DefaultHttpFirewall;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
@@ -1251,6 +1252,18 @@ public class HttpSecurityBeanDefinitionParserTests {
         fcp.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
     }
 
+    @Test
+    public void httpFirewallInjectionIsSupported() throws Exception {
+        setContext(
+                "<http-firewall ref='fw'/>" +
+                "<http>" +
+                "   <form-login />" +
+                "</http>" +
+                "<b:bean id='fw' class='" + DefaultHttpFirewall.class.getName() +"'/>" +
+                AUTH_PROVIDER_XML);
+        FilterChainProxy fcp = (FilterChainProxy) appContext.getBean(BeanIds.FILTER_CHAIN_PROXY);
+        assertSame(appContext.getBean("fw"), FieldUtils.getFieldValue(fcp, "firewall"));
+    }
 
     private void setContext(String context) {
         appContext = new InMemoryXmlApplicationContext(context);

config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java

@@ -22,11 +22,11 @@ public class InMemoryXmlApplicationContext extends AbstractXmlApplicationContext
     Resource inMemoryXml;
 
     public InMemoryXmlApplicationContext(String xml) {
-        this(xml, "3.0.3", null);
+        this(xml, "3.0.4", null);
     }
 
     public InMemoryXmlApplicationContext(String xml, ApplicationContext parent) {
-        this(xml, "3.0.3", parent);
+        this(xml, "3.0.4", parent);
     }
 
     public InMemoryXmlApplicationContext(String xml, String secVersion, ApplicationContext parent) {

web/src/main/java/org/springframework/security/web/FilterChainProxy.java

@@ -304,6 +304,10 @@ public class FilterChainProxy extends GenericFilterBean {
         return matcher;
     }
 
+    public void setFirewall(HttpFirewall firewall) {
+        this.firewall = firewall;
+    }
+
     /**
      * If set to 'true', the query string will be stripped from the request URL before
      * attempting to find a matching filter chain. This is the default value.