SEC-1493: Added namespace support.

16 years ago · 9a2d0c2cb5
5 changed files with 33 additions and 0 deletions
--- a/config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java
@ -35,6 +35,7 @@ import org.w3c.dom.NodeList;
				@@ -35,6 +35,7 @@ import org.w3c.dom.NodeList;
 public class AuthenticationManagerBeanDefinitionParser implements BeanDefinitionParser {
    private static final String ATT_ALIAS = "alias";
    private static final String ATT_REF = "ref";
+    private static final String ATT_ERASE_CREDENTIALS = "erase-credentials";

    public BeanDefinition parse(Element element, ParserContext pc) {
        Assert.state(!pc.getRegistry().containsBeanDefinition(BeanIds.AUTHENTICATION_MANAGER),
@ -72,6 +73,11 @@ public class AuthenticationManagerBeanDefinitionParser implements BeanDefinition
				@@ -72,6 +73,11 @@ public class AuthenticationManagerBeanDefinitionParser implements BeanDefinition
        }

        providerManagerBldr.addPropertyValue("providers", providers);
+
+        if ("true".equals(element.getAttribute(ATT_ERASE_CREDENTIALS))) {
+            providerManagerBldr.addPropertyValue("eraseCredentialsAfterAuthentication", true);
+        }
+
        // Add the default event publisher
        BeanDefinition publisher = new RootBeanDefinition(DefaultAuthenticationEventPublisher.class);
        String id = pc.getReaderContext().generateBeanName(publisher);
--- a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
@ -12,6 +12,7 @@ import org.apache.commons.logging.LogFactory;
				@@ -12,6 +12,7 @@ import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.BeanMetadataElement;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.BeanReference;
+import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
 import org.springframework.beans.factory.config.RuntimeBeanReference;
 import org.springframework.beans.factory.parsing.BeanComponentDefinition;
 import org.springframework.beans.factory.parsing.CompositeComponentDefinition;
@ -166,6 +167,10 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
				@@ -166,6 +167,10 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
        BeanDefinitionBuilder authManager = BeanDefinitionBuilder.rootBeanDefinition(ProviderManager.class);
        authManager.addPropertyValue("parent", new RootBeanDefinition(AuthenticationManagerFactoryBean.class));
        authManager.addPropertyValue("providers", authenticationProviders);
+        RootBeanDefinition clearCredentials = new RootBeanDefinition(MethodInvokingFactoryBean.class);
+        clearCredentials.getPropertyValues().addPropertyValue("targetObject", new RootBeanDefinition(AuthenticationManagerFactoryBean.class));
+        clearCredentials.getPropertyValues().addPropertyValue("targetMethod", "isEraseCredentialsAfterAuthentication");
+        authManager.addPropertyValue("eraseCredentialsAfterAuthentication", clearCredentials);

        if (concurrencyController != null) {
            authManager.addPropertyValue("sessionController", concurrencyController);
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.3.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.3.rnc
@ -544,6 +544,9 @@ authentication-manager =
				@@ -544,6 +544,9 @@ authentication-manager =
 authman.attlist &=
    ## The alias you wish to use for the AuthenticationManager bean
    attribute alias {xsd:ID}?
+authman.attlist &=
+    ## If set to true, the AuthenticationManger will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated. Defaults to false.
+    attribute erase-credentials {boolean}?

 authentication-provider =
    ## Indicates that the contained user-service should be used as an authentication source.
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.3.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.3.xsd
@ -1201,6 +1201,11 @@
				@@ -1201,6 +1201,11 @@
        <xs:documentation>The alias you wish to use for the AuthenticationManager bean</xs:documentation>
      </xs:annotation>
    </xs:attribute>
+    <xs:attribute name="erase-credentials" type="security:boolean">
+      <xs:annotation>
+        <xs:documentation>If set to true, the AuthenticationManger will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated. Defaults to false.</xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
  </xs:attributeGroup>
  
  <xs:attributeGroup name="ap.attlist">
--- a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java
@ -53,6 +53,20 @@ public class AuthenticationManagerBeanDefinitionParserTests {
				@@ -53,6 +53,20 @@ public class AuthenticationManagerBeanDefinitionParserTests {
        assertEquals(1, listener.events.size());
    }

+    @Test
+    public void credentialsAreClearedByDefault() throws Exception {
+        setContext(CONTEXT, "3.1");
+        ProviderManager pm = (ProviderManager) appContext.getBeansOfType(ProviderManager.class).values().toArray()[0];
+        assertTrue(pm.isEraseCredentialsAfterAuthentication());
+    }
+
+    @Test
+    public void clearCredentialsPropertyIsRespected() throws Exception {
+        setContext("<authentication-manager erase-credentials='false'/>", "3.1");
+        ProviderManager pm = (ProviderManager) appContext.getBeansOfType(ProviderManager.class).values().toArray()[0];
+        assertFalse(pm.isEraseCredentialsAfterAuthentication());
+    }
+
    private void setContext(String context, String version) {
        appContext = new InMemoryXmlApplicationContext(context, version, null);
    }