SEC-1152: Changes to add anonymous filter to default namespace configuration and added enabled flag to allow overriding of the behaviour.

17 years ago · cef089376c
4 changed files with 1634 additions and 1591 deletions
--- a/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
@ -204,7 +204,8 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
				@@ -204,7 +204,8 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
        boolean autoConfig = "true".equals(element.getAttribute(ATT_AUTO_CONFIG));

        Element anonymousElt = DomUtils.getChildElementByTagName(element, Elements.ANONYMOUS);
-        if (anonymousElt != null || autoConfig) {
+
+        if (anonymousElt == null || !"false".equals(anonymousElt.getAttribute("enabled"))) {
            new AnonymousBeanDefinitionParser().parse(anonymousElt, parserContext);
        }

--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
@ -429,6 +429,10 @@ anonymous.attlist &=
				@@ -429,6 +429,10 @@ anonymous.attlist &=
 anonymous.attlist &=
    ## The granted authority that should be assigned to the anonymous request. Commonly this is used to assign the anonymous request particular roles, which can subsequently be used in authorization decisions. If unset, defaults to "ROLE_ANONYMOUS".
    attribute granted-authority {xsd:token}?
+anonymous.attlist &=
+    ## With the default namespace setup, the anonymous "authentication" facility is automatically enabled. You can disable it using this property. 
+    attribute enabled {boolean}?
+

 port-mappings = 
    ## Defines the list of mappings between http and https ports for use in redirects
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
--- a/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
@ -1,6 +1,7 @@
				@@ -1,6 +1,7 @@
 package org.springframework.security.config;

 import static org.junit.Assert.*;
+import static org.hamcrest.Matchers.*;
 import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML;
 import static org.springframework.security.config.HttpSecurityBeanDefinitionParser.*;

@ -122,15 +123,9 @@ public class HttpSecurityBeanDefinitionParserTests {
				@@ -122,15 +123,9 @@ public class HttpSecurityBeanDefinitionParserTests {
        assertTrue(filters.next() instanceof LogoutFilter);
        Object authProcFilter = filters.next();
        assertTrue(authProcFilter instanceof AuthenticationProcessingFilter);
-        // Check RememberMeServices has been set on AuthenticationProcessingFilter
-        //Object rms = FieldUtils.getFieldValue(authProcFilter, "rememberMeServices");
-        //assertNotNull(rms);
-        //assertTrue(rms instanceof RememberMeServices);
-        //assertFalse(rms instanceof NullRememberMeServices);
        assertTrue(filters.next() instanceof DefaultLoginPageGeneratingFilter);
        assertTrue(filters.next() instanceof BasicProcessingFilter);
        assertTrue(filters.next() instanceof SecurityContextHolderAwareRequestFilter);
-        //assertTrue(filters.next() instanceof RememberMeProcessingFilter);
        assertTrue(filters.next() instanceof AnonymousProcessingFilter);
        assertTrue(filters.next() instanceof ExceptionTranslationFilter);
        assertTrue(filters.next() instanceof SessionFixationProtectionFilter);
@ -200,6 +195,27 @@ public class HttpSecurityBeanDefinitionParserTests {
				@@ -200,6 +195,27 @@ public class HttpSecurityBeanDefinitionParserTests {
        assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(filter, "successHandler.alwaysUseDefaultTargetUrl"));
    }

+    // SEC-1152
+    @Test
+    public void anonymousFilterIsAddedByDefault() throws Exception {
+        setContext(
+                "<http>" +
+                "   <form-login />" +
+                "</http>" + AUTH_PROVIDER_XML);
+        assertThat(getFilters("/anything").get(4), instanceOf(AnonymousProcessingFilter.class));
+    }
+
+    @Test
+    public void anonymousFilterIsRemovedIfDisabledFlagSet() throws Exception {
+        setContext(
+                "<http>" +
+                "   <form-login />" +
+                "   <anonymous enabled='false'/>" +
+                "</http>" + AUTH_PROVIDER_XML);
+        assertThat(getFilters("/anything").get(4), not(instanceOf(AnonymousProcessingFilter.class)));
+    }
+
+
    @Test(expected=BeanCreationException.class)
    public void invalidLoginPageIsDetected() throws Exception {
        setContext(