From b7041ed00e1d644fa7906c5a75268706aa2ad626 Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Sat, 14 Dec 2013 14:39:52 -0600 Subject: [PATCH] SEC-2436: Add @EnableWebMvcSecurity --- .../web/configuration/EnableWebSecurity.java | 2 +- .../SpringWebMvcImportSelector.java | 39 ------------------- .../configuration/EnableWebMvcSecurity.java | 37 ++++++++++++++++++ .../WebMvcSecurityConfiguration.java | 6 ++- .../configurers/CsrfConfigurerTests.groovy | 3 +- docs/guides/src/asciidoc/hellomvc.asc | 17 +++++++- .../samples/config/SecurityConfig.java | 4 +- .../samples/config/SecurityConfig.java | 4 +- .../samples/config/SecurityConfig.java | 4 +- .../samples/config/SecurityConfig.java | 4 +- .../samples/config/SecurityConfig.java | 4 +- .../samples/config/SecurityConfig.java | 4 +- .../samples/config/SecurityConfig.java | 4 +- .../samples/config/SecurityConfig.java | 4 +- .../samples/config/SecurityConfig.java | 4 +- .../samples/config/SecurityConfig.java | 4 +- .../samples/config/SecurityConfig.java | 4 +- 17 files changed, 82 insertions(+), 66 deletions(-) delete mode 100644 config/src/main/java/org/springframework/security/config/annotation/web/configuration/SpringWebMvcImportSelector.java create mode 100644 config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/EnableWebMvcSecurity.java rename config/src/main/java/org/springframework/security/config/annotation/web/{ => servlet}/configuration/WebMvcSecurityConfiguration.java (88%) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java index 260f368399..6584668613 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java 
@@ -77,7 +77,7 @@ import org.springframework.security.config.annotation.web.WebSecurityConfigurer; @Retention(value=java.lang.annotation.RetentionPolicy.RUNTIME) @Target(value={java.lang.annotation.ElementType.TYPE}) @Documented -@Import({WebSecurityConfiguration.class,ObjectPostProcessorConfiguration.class,AuthenticationConfiguration.class, SpringWebMvcImportSelector.class}) +@Import({WebSecurityConfiguration.class,ObjectPostProcessorConfiguration.class,AuthenticationConfiguration.class}) public @interface EnableWebSecurity { /** diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/SpringWebMvcImportSelector.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/SpringWebMvcImportSelector.java deleted file mode 100644 index 5d430b7bf6..0000000000 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/SpringWebMvcImportSelector.java +++ /dev/null 
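Review bot: Dropping `SpringWebMvcImportSelector.class` from the `@Import` on `EnableWebSecurity` silently changes what existing applications get. A configuration that keeps `@EnableWebSecurity` with Spring MVC on the classpath no longer picks up `WebMvcSecurityConfiguration`, so, judging by that class's imports, the `CsrfRequestDataValueProcessor` and `AuthenticationPrincipalArgumentResolver` are no longer registered. The guide change in this commit confirms that such requests then fail, and the tempting workaround is to disable CSRF protection rather than switch annotations. The Javadoc that opens at the end of this hunk (its body is outside the hunk) should say so, e.g. `Spring MVC integration is not enabled by this annotation; use @EnableWebMvcSecurity for that.`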
@@ -1,39 +0,0 @@
-/*
- * Copyright 2002-2013 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.config.annotation.web.configuration;
-
-import org.springframework.context.annotation.ImportSelector;
-import org.springframework.core.type.AnnotationMetadata;
-import org.springframework.util.ClassUtils;
-
-/**
- * Used by {@link EnableWebSecurity} to conditionaly import
- * {@link WebMvcSecurityConfiguration} when the DispatcherServlet is present on the
- * classpath.
- *
- * @author Rob Winch
- * @since 3.2
- */
-class SpringWebMvcImportSelector implements ImportSelector {
-
- /* (non-Javadoc)
- * @see org.springframework.context.annotation.ImportSelector#selectImports(org.springframework.core.type.AnnotationMetadata)
- */
- public String[] selectImports(AnnotationMetadata importingClassMetadata) {
- boolean webmvcPresent = ClassUtils.isPresent("org.springframework.web.servlet.DispatcherServlet", getClass().getClassLoader());
- return webmvcPresent ? new String[] {"org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration"} : new String[] {};
- }
-}
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/EnableWebMvcSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/EnableWebMvcSecurity.java
new file mode 100644
index 0000000000..29cd283024
--- /dev/null
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/EnableWebMvcSecurity.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.servlet.configuration;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import org.springframework.context.annotation.Import;
+
+
+/**
+ * Add this annotation to an {@code @Configuration} class to have the Spring Security
+ * configuration integrate with Spring MVC.
+ *
+ * @author Rob Winch
+ * @since 3.2
+ */
+@Retention(value=java.lang.annotation.RetentionPolicy.RUNTIME)
+@Target(value={java.lang.annotation.ElementType.TYPE})
+@Documented
+@Import(WebMvcSecurityConfiguration.class)
+public @interface EnableWebMvcSecurity {
+}
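Review bot: The Javadoc on `EnableWebMvcSecurity` leaves out two things a user needs to know before choosing it over `@EnableWebSecurity`. Its `@Import(WebMvcSecurityConfiguration.class)` pulls in a class that this commit annotates with `@EnableWebSecurity` and that extends `WebMvcConfigurerAdapter`, so the annotation implies `@EnableWebSecurity` and needs Spring MVC on the classpath. The `ClassUtils.isPresent` check for `DispatcherServlet` in the removed `SpringWebMvcImportSelector` has no replacement here. I would extend the comment with `Also applies {@code @EnableWebSecurity}, so there is no need to add both. Requires Spring MVC on the classpath.` It would also help to name what the integration appears to register (CSRF token injection into forms and the authentication-principal argument resolver, going by the imports of `WebMvcSecurityConfiguration`), so that someone auditing an application's configuration can tell which protection depends on this annotation.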
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/WebMvcSecurityConfiguration.java similarity index 88% rename from config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java rename to config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/WebMvcSecurityConfiguration.java index f6aa886575..01c3d54665 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/WebMvcSecurityConfiguration.java @@ -13,12 +13,13 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.springframework.security.config.annotation.web.configuration; +package org.springframework.security.config.annotation.web.servlet.configuration; import java.util.List; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver; import org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor; import org.springframework.web.method.support.HandlerMethodArgumentResolver; @@ -38,7 +39,8 @@ import org.springframework.web.servlet.support.RequestDataValueProcessor; * @since 3.2 */ @Configuration -class WebMvcSecurityConfiguration extends WebMvcConfigurerAdapter { +@EnableWebSecurity +public class WebMvcSecurityConfiguration extends WebMvcConfigurerAdapter { @Override public void addArgumentResolvers( 
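Review bot: `WebMvcSecurityConfiguration` goes from package-private to `public` in the second hunk, although the only new reference visible in this commit, `@Import(WebMvcSecurityConfiguration.class)` on `EnableWebMvcSecurity`, sits in the same package. If nothing outside the package needs the type, keeping `class WebMvcSecurityConfiguration extends WebMvcConfigurerAdapter {` avoids publishing a configuration class that applications could import or subclass directly. If the wider visibility is deliberate, the class Javadoc (above the hunk, only partly visible) should state that the class is meant to be reached through `@EnableWebMvcSecurity` and that it now also applies `@EnableWebSecurity`. The class body continues outside the hunk.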
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy index 8aba928683..270ee6cdd4 100644 --- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy @@ -25,6 +25,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au import org.springframework.security.config.annotation.web.builders.HttpSecurity import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter +import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; import org.springframework.security.web.access.AccessDeniedHandler import org.springframework.security.web.csrf.CsrfFilter import org.springframework.security.web.csrf.CsrfTokenRepository @@ -70,7 +71,7 @@ class CsrfConfigurerTests extends BaseSpringSpec { } @Configuration - @EnableWebSecurity + @EnableWebMvcSecurity static class CsrfAppliedDefaultConfig extends WebSecurityConfigurerAdapter { @Override diff --git a/docs/guides/src/asciidoc/hellomvc.asc b/docs/guides/src/asciidoc/hellomvc.asc index 36e224a989..a24ab5ba7a 100644 --- a/docs/guides/src/asciidoc/hellomvc.asc +++ b/docs/guides/src/asciidoc/hellomvc.asc 
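Review bot: The added import in the first hunk ends with a semicolon while every other import shown there has none; drop it to match: `import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity`. Separately, switching `CsrfAppliedDefaultConfig` to `@EnableWebMvcSecurity` in the second hunk means the visible part of this spec no longer exercises plain `@EnableWebSecurity` with Spring MVC present. A case asserting that `@EnableWebSecurity` alone leaves the MVC integration unregistered would pin the behaviour change this commit makes. The rest of the spec is outside the hunk, so such a case may already exist.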
@@ -110,10 +110,25 @@ We can view the user name, but how are we able to log out? Below you can see how ---- + +If you try to log out right now the request will fail. The reason is that we have not enabled the Spring MVC integration. Update our configuration to use the `@EnableWebMvcSecurity` annotation instead. + +.src/main/java/org/springframework/security/samples/config/SecurityConfig.java +[source,java] +---- +import org.springframework.security.config.annotation.web.servlet.configuration.*; + +@Configuration +@EnableWebMvcSecurity +public class SecurityConfig extends WebSecurityConfigurerAdapter { +---- + In order to help protect against http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires: * the HTTP method must be a POST -* the CSRF token must be added to the request. Since we are using Thymeleaf, the CSRF token is automatically added as a hidden input for you (view the source to see it). If you were not using Spring MVC or Thymeleaf, you can access the CsrfToken on the ServletRequest using the attribute _csrf +* the CSRF token must be added to the request. Since we have used `@EnableWebMvcSecurity` and are using Thymeleaf, the CSRF token is automatically added as a hidden input for you (view the source to see it). If you were not using Spring MVC taglibs or Thymeleaf, you can access the CsrfToken on the ServletRequest using the attribute _csrf + +NOTE: `@EnableWebMvcSecurity` also adds `@EnableWebSecurity`, so there is no need to add both. Click the button and see that the application logs you out successfully. diff --git a/samples/concurrency-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java b/samples/concurrency-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java index 0e4921bf19..6b95989baf 100644 --- a/samples/concurrency-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java 
+++ b/samples/concurrency-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java @@ -5,11 +5,11 @@ import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; @Configuration -@EnableWebSecurity +@EnableWebMvcSecurity @EnableGlobalMethodSecurity(prePostEnabled=true) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired diff --git a/samples/form-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java b/samples/form-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java index 8f6c4826e3..688865b815 100644 --- a/samples/form-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java +++ b/samples/form-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java 
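Review bot: Every sample `SecurityConfig` in this commit (this concurrency-jc hunk and the ten that follow, form-jc through x509-jc) now uses `@EnableWebMvcSecurity`, which imports a configuration class extending `WebMvcConfigurerAdapter`. Unlike the removed `SpringWebMvcImportSelector`, nothing checks that Spring MVC is on the classpath before that class is loaded. The samples' build files are not part of this diff, so it is worth confirming that each sample depends on spring-webmvc; one that does not should stay on `@EnableWebSecurity`. The class bodies continue outside the hunks.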
@@ -4,11 +4,11 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; @Configuration -@EnableWebSecurity +@EnableWebMvcSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override diff --git a/samples/hellojs-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java b/samples/hellojs-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java index 3468c6fd39..956811496f 100644 --- a/samples/hellojs-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java +++ b/samples/hellojs-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java @@ -3,11 +3,11 @@ package org.springframework.security.samples.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; @Configuration -@EnableWebSecurity +@EnableWebMvcSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired 
diff --git a/samples/hellomvc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java b/samples/hellomvc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java index 3468c6fd39..956811496f 100644 --- a/samples/hellomvc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java +++ b/samples/hellomvc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java @@ -3,11 +3,11 @@ package org.springframework.security.samples.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; @Configuration -@EnableWebSecurity +@EnableWebMvcSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired diff --git a/samples/inmemory-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java b/samples/inmemory-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java index 4027943cd8..1d9da6257f 100644 --- a/samples/inmemory-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java +++ b/samples/inmemory-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java 
@@ -3,11 +3,11 @@ package org.springframework.security.samples.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; @Configuration -@EnableWebSecurity +@EnableWebMvcSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired diff --git a/samples/jdbc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java b/samples/jdbc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java index 6851308cdd..0733c92e9e 100644 --- a/samples/jdbc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java +++ b/samples/jdbc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java @@ -6,11 +6,11 @@ import javax.sql.DataSource; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; @Configuration -@EnableWebSecurity +@EnableWebMvcSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private DataSource dataSource; 
diff --git a/samples/ldap-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java b/samples/ldap-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java index f766e10251..3aede27a57 100644 --- a/samples/ldap-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java +++ b/samples/ldap-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java @@ -3,11 +3,11 @@ package org.springframework.security.samples.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; @Configuration -@EnableWebSecurity +@EnableWebMvcSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired public void registerGlobalAuthentication( diff --git a/samples/openid-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java b/samples/openid-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java index 38e04b83d5..96ca12561f 100644 --- a/samples/openid-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java +++ b/samples/openid-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java 
@@ -2,12 +2,12 @@ package org.springframework.security.samples.config; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; import org.springframework.security.samples.security.CustomUserDetailsService; @Configuration -@EnableWebSecurity +@EnableWebMvcSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { diff --git a/samples/preauth-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java b/samples/preauth-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java index 7c3e6339d0..337b181c2c 100644 --- a/samples/preauth-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java +++ b/samples/preauth-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java @@ -2,11 +2,11 @@ package org.springframework.security.samples.config; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; @Configuration -@EnableWebSecurity +@EnableWebMvcSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override 
diff --git a/samples/rememberme-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java b/samples/rememberme-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java index 61b2da98e4..1e670554fb 100644 --- a/samples/rememberme-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java +++ b/samples/rememberme-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java @@ -4,11 +4,11 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; @Configuration -@EnableWebSecurity +@EnableWebMvcSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired diff --git a/samples/x509-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java b/samples/x509-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java index 6d58ca7d70..8d4e3d388f 100644 --- a/samples/x509-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java +++ b/samples/x509-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java 
@@ -4,11 +4,11 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; @Configuration -@EnableWebSecurity +@EnableWebMvcSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired