diff --git a/core/src/main/java/org/springframework/security/config/AbstractUserDetailsServiceBeanDefinitionParser.java b/core/src/main/java/org/springframework/security/config/AbstractUserDetailsServiceBeanDefinitionParser.java
index 7bf5bc7969..70ecb4dfe2 100644
--- a/core/src/main/java/org/springframework/security/config/AbstractUserDetailsServiceBeanDefinitionParser.java
+++ b/core/src/main/java/org/springframework/security/config/AbstractUserDetailsServiceBeanDefinitionParser.java
@@ -21,6 +21,12 @@ public class AbstractUserDetailsServiceBeanDefinitionParser extends AbstractSing
return id;
}
+ // If it's nested in a parent auth-provider, generate an id automatically
+ if(Elements.AUTHENTICATION_PROVIDER.equals(element.getParentNode().getNodeName())) {
+ return parserContext.getReaderContext().generateBeanName(definition);
+ }
+
+ // If top level, use the default name or throw an exception if already used
if (parserContext.getRegistry().containsBeanDefinition(BeanIds.USER_DETAILS_SERVICE)) {
throw new SecurityConfigurationException("No id supplied in <" + element.getNodeName() + "> and another " +
"bean is already registered as " + BeanIds.USER_DETAILS_SERVICE);
diff --git a/core/src/main/java/org/springframework/security/config/ApacheDSContainer.java b/core/src/main/java/org/springframework/security/config/ApacheDSContainer.java
index 8181762124..584f09895d 100644
--- a/core/src/main/java/org/springframework/security/config/ApacheDSContainer.java
+++ b/core/src/main/java/org/springframework/security/config/ApacheDSContainer.java
@@ -28,7 +28,7 @@ import java.io.IOException;
/**
* Provides lifecycle services for the embedded apacheDS server defined by the supplied configuration.
- * Used by {@link LdapBeanDefinitionParser}. An instance will be stored in the application context for
+ * Used by {@link LdapServerBeanDefinitionParser}. An instance will be stored in the application context for
* each embedded server instance. It will start the server when the context is initialized and shut it down when
* it is closed. It is intended for temporary embedded use and will not retain changes across start/stop boundaries. The
* working directory is deleted on shutdown.
@@ -40,8 +40,6 @@ import java.io.IOException;
* prior to attempting to start it again.
*
*
- *
- *
* @author Luke Taylor
* @version $Id$
*/
@@ -54,10 +52,12 @@ class ApacheDSContainer implements InitializingBean, DisposableBean, Lifecycle,
private ContextSource contextSource;
private boolean running;
+ private String ldifResources;
- public ApacheDSContainer(MutableServerStartupConfiguration configuration, ContextSource contextSource) {
- this.configuration = configuration;
+ public ApacheDSContainer(MutableServerStartupConfiguration config, ContextSource contextSource, String ldifs) {
+ this.configuration = config;
this.contextSource = contextSource;
+ this.ldifResources = ldifs;
}
public void afterPropertiesSet() throws Exception {
@@ -98,7 +98,7 @@ class ApacheDSContainer implements InitializingBean, DisposableBean, Lifecycle,
public void setWorkingDirectory(File workingDir) {
Assert.notNull(workingDir);
- logger.info("Setting working directory for LDAP: " + workingDir.getAbsolutePath());
+ logger.info("Setting working directory for LDAP_PROVIDER: " + workingDir.getAbsolutePath());
if (workingDir.exists()) {
throw new IllegalArgumentException("The specified working directory '" + workingDir.getAbsolutePath() +
@@ -151,7 +151,7 @@ class ApacheDSContainer implements InitializingBean, DisposableBean, Lifecycle,
private void importLdifs() throws IOException, NamingException {
// Import any ldif files
- Resource[] ldifs = ctxt.getResources("classpath*:*.ldif");
+ Resource[] ldifs = ctxt.getResources(ldifResources);
// Note that we can't just import using the ServerContext returned
// from starting Apace DS, apparently because of the long-running issue DIRSERVER-169.
diff --git a/core/src/main/java/org/springframework/security/config/AuthenticationProviderBeanDefinitionParser.java b/core/src/main/java/org/springframework/security/config/AuthenticationProviderBeanDefinitionParser.java
index 52130f2bf9..6470cfa304 100644
--- a/core/src/main/java/org/springframework/security/config/AuthenticationProviderBeanDefinitionParser.java
+++ b/core/src/main/java/org/springframework/security/config/AuthenticationProviderBeanDefinitionParser.java
@@ -19,8 +19,7 @@ import org.w3c.dom.Element;
* @version $Id$
*/
class AuthenticationProviderBeanDefinitionParser implements BeanDefinitionParser {
- private static String ATT_REF = "ref";
- static final String ATT_DATA_SOURCE = "data-source";
+ private static String ATT_USER_DETAILS_REF = "user-service-ref";
public BeanDefinition parse(Element element, ParserContext parserContext) {
RootBeanDefinition authProvider = new RootBeanDefinition(DaoAuthenticationProvider.class);
@@ -28,12 +27,17 @@ class AuthenticationProviderBeanDefinitionParser implements BeanDefinitionParser
Element passwordEncoderElt = DomUtils.getChildElementByTagName(element, Elements.PASSWORD_ENCODER);
if (passwordEncoderElt != null) {
- //TODO: Parse password encoder object and add to dao provider
+ PasswordEncoderParser pep = new PasswordEncoderParser(passwordEncoderElt, parserContext);
+ authProvider.getPropertyValues().addPropertyValue("passwordEncoder", pep.getPasswordEncoder());
+
+ if (pep.getSaltSource() != null) {
+ authProvider.getPropertyValues().addPropertyValue("saltSource", pep.getSaltSource());
+ }
}
ConfigUtils.getRegisteredProviders(parserContext).add(authProvider);
- String ref = element.getAttribute(ATT_REF);
+ String ref = element.getAttribute(ATT_USER_DETAILS_REF);
Element userServiceElt = DomUtils.getChildElementByTagName(element, Elements.USER_SERVICE);
Element jdbcUserServiceElt = DomUtils.getChildElementByTagName(element, Elements.JDBC_USER_SERVICE);
@@ -57,7 +61,7 @@ class AuthenticationProviderBeanDefinitionParser implements BeanDefinitionParser
userDetailsService = new UserServiceBeanDefinitionParser().parse(userServiceElt, parserContext);
} else {
throw new SecurityConfigurationException(Elements.AUTHENTICATION_PROVIDER
- + " requireds a UserDetailsService" );
+ + " requires a UserDetailsService" );
}
authProvider.getPropertyValues().addPropertyValue("userDetailsService", userDetailsService);
diff --git a/core/src/main/java/org/springframework/security/config/BeanIds.java b/core/src/main/java/org/springframework/security/config/BeanIds.java
index 18a0553845..73a20dc260 100644
--- a/core/src/main/java/org/springframework/security/config/BeanIds.java
+++ b/core/src/main/java/org/springframework/security/config/BeanIds.java
@@ -10,8 +10,9 @@ public abstract class BeanIds {
/** Package protected as end users shouldn't really be using this BFPP directly */
static final String INTERCEPT_METHODS_BEAN_FACTORY_POST_PROCESSOR = "_interceptMethodsBeanfactoryPP";
+ static final String CONTEXT_SOURCE_SETTING_POST_PROCESSOR = "_contextSettingPostProcessor";
- public static final String JDBC_USER_DETAILS_MANAGER = "_jdbcUserDetailsManager";
+ public static final String JDBC_USER_DETAILS_MANAGER = "_jdbcUserDetailsManager";
public static final String USER_DETAILS_SERVICE = "_userDetailsService";
public static final String ANONYMOUS_PROCESSING_FILTER = "_anonymousProcessingFilter";
public static final String ANONYMOUS_AUTHENTICATION_PROVIDER = "_anonymousAuthenticationProvider";
@@ -39,5 +40,6 @@ public abstract class BeanIds {
public static final String METHOD_DEFINITION_SOURCE_ADVISOR = "_methodDefinitionSourceAdvisor";
public static final String SECURITY_ANNOTATION_ATTRIBUTES = "_securityAnnotationAttributes";
public static final String METHOD_DEFINITION_ATTRIBUTES = "_methodDefinitionAttributes";
-
+ public static final String EMBEDDED_APACHE_DS = "_apacheDirectoryServerContainer";
+ public static final String CONTEXT_SOURCE = "_securityContextSource";
}
diff --git a/core/src/main/java/org/springframework/security/config/Elements.java b/core/src/main/java/org/springframework/security/config/Elements.java
index e7f8607164..cad1483fbe 100644
--- a/core/src/main/java/org/springframework/security/config/Elements.java
+++ b/core/src/main/java/org/springframework/security/config/Elements.java
@@ -14,8 +14,9 @@ abstract class Elements {
public static final String INTERCEPT_METHODS = "intercept-methods";
public static final String AUTHENTICATION_PROVIDER = "authentication-provider";
public static final String HTTP = "http";
- public static final String LDAP = "ldap";
- public static final String PROTECT = "protect";
+ public static final String LDAP_PROVIDER = "ldap-authentication-provider";
+ public static final String LDAP_SERVER = "ldap-server";
+ public static final String PROTECT = "protect";
public static final String CONCURRENT_SESSIONS = "concurrent-session-control";
public static final String LOGOUT = "logout";
public static final String FORM_LOGIN = "form-login";
diff --git a/core/src/main/java/org/springframework/security/config/LdapProviderBeanDefinitionParser.java b/core/src/main/java/org/springframework/security/config/LdapProviderBeanDefinitionParser.java
new file mode 100644
index 0000000000..129586d5a6
--- /dev/null
+++ b/core/src/main/java/org/springframework/security/config/LdapProviderBeanDefinitionParser.java
@@ -0,0 +1,103 @@
+package org.springframework.security.config;
+
+import org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator;
+import org.springframework.security.ldap.SpringSecurityContextSource;
+import org.springframework.security.providers.ldap.LdapAuthenticationProvider;
+import org.springframework.security.providers.ldap.authenticator.BindAuthenticator;
+import org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor;
+import org.springframework.security.ui.rememberme.RememberMeServices;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.beans.factory.config.RuntimeBeanReference;
+import org.springframework.beans.factory.support.RootBeanDefinition;
+import org.springframework.beans.factory.support.BeanDefinitionRegistry;
+import org.springframework.beans.factory.xml.BeanDefinitionParser;
+import org.springframework.beans.factory.xml.ParserContext;
+import org.springframework.beans.BeansException;
+import org.springframework.core.Ordered;
+import org.springframework.ldap.core.ContextSource;
+import org.springframework.util.StringUtils;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.w3c.dom.Element;
+
+import java.util.Map;
+
+/**
+ * Experimental "security:ldap" namespace configuration.
+ *
+ *
+ * @author Luke Taylor
+ * @version $Id$
+ * @since 2.0
+ */
+public class LdapProviderBeanDefinitionParser implements BeanDefinitionParser {
+ private Log logger = LogFactory.getLog(getClass());
+
+ private static final String ATT_AUTH_TYPE = "auth-type";
+ private static final String ATT_SERVER = "server-ref";
+
+ private static final String OPT_DEFAULT_DN_PATTERN = "uid={0},ou=people";
+ private static final String DEFAULT_GROUP_CONTEXT = "ou=groups";
+
+
+ public BeanDefinition parse(Element elt, ParserContext parserContext) {
+ String server = elt.getAttribute(ATT_SERVER);
+
+ if (!StringUtils.hasText(server)) {
+ server = BeanIds.CONTEXT_SOURCE;
+ }
+
+ RuntimeBeanReference contextSource = new RuntimeBeanReference(server);
+
+ RootBeanDefinition bindAuthenticator = new RootBeanDefinition(BindAuthenticator.class);
+ bindAuthenticator.getConstructorArgumentValues().addGenericArgumentValue(contextSource);
+ bindAuthenticator.getPropertyValues().addPropertyValue("userDnPatterns", new String[] {OPT_DEFAULT_DN_PATTERN});
+ RootBeanDefinition authoritiesPopulator = new RootBeanDefinition(DefaultLdapAuthoritiesPopulator.class);
+ authoritiesPopulator.getConstructorArgumentValues().addGenericArgumentValue(contextSource);
+ authoritiesPopulator.getConstructorArgumentValues().addGenericArgumentValue(DEFAULT_GROUP_CONTEXT);
+
+ RootBeanDefinition ldapProvider = new RootBeanDefinition(LdapAuthenticationProvider.class);
+ ldapProvider.getConstructorArgumentValues().addGenericArgumentValue(bindAuthenticator);
+ ldapProvider.getConstructorArgumentValues().addGenericArgumentValue(authoritiesPopulator);
+
+ registerPostProcessorIfNecessary(parserContext.getRegistry());
+
+ ConfigUtils.getRegisteredProviders(parserContext).add(ldapProvider);
+
+ return null;
+ }
+
+ // Todo: Move to utility class when we add ldap-user-service, as this check will be needed even if no
+ // provider is added.
+ private static class ContextSourceSettingPostProcessor implements BeanFactoryPostProcessor, Ordered {
+
+ public void postProcessBeanFactory(ConfigurableListableBeanFactory bf) throws BeansException {
+ Map beans = bf.getBeansOfType(SpringSecurityContextSource.class);
+
+ if (beans.size() == 0) {
+ throw new SecurityConfigurationException("No SpringSecurityContextSource instances found. Have you " +
+ "added an <" + Elements.LDAP_SERVER + " /> element to your application context?");
+ } else if (beans.size() > 1) {
+ throw new SecurityConfigurationException("More than one SpringSecurityContextSource instance found. " +
+ "Please specify a specific server id when configuring your <" + Elements.LDAP_PROVIDER + ">");
+ }
+ }
+
+ public int getOrder() {
+ return LOWEST_PRECEDENCE;
+ }
+
+ }
+
+ public void registerPostProcessorIfNecessary(BeanDefinitionRegistry registry) {
+ if (registry.containsBeanDefinition(BeanIds.CONTEXT_SOURCE_SETTING_POST_PROCESSOR)) {
+ return;
+ }
+
+ registry.registerBeanDefinition(BeanIds.CONTEXT_SOURCE_SETTING_POST_PROCESSOR,
+ new RootBeanDefinition(LdapProviderBeanDefinitionParser.ContextSourceSettingPostProcessor.class));
+ }
+}
diff --git a/core/src/main/java/org/springframework/security/config/LdapServerBeanDefinitionParser.java b/core/src/main/java/org/springframework/security/config/LdapServerBeanDefinitionParser.java
new file mode 100644
index 0000000000..6e7b86366f
--- /dev/null
+++ b/core/src/main/java/org/springframework/security/config/LdapServerBeanDefinitionParser.java
@@ -0,0 +1,166 @@
+package org.springframework.security.config;
+
+import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
+import org.springframework.beans.factory.xml.BeanDefinitionParser;
+import org.springframework.beans.factory.xml.ParserContext;
+import org.springframework.beans.factory.xml.AbstractBeanDefinitionParser;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.support.RootBeanDefinition;
+import org.springframework.ldap.core.DirContextAdapter;
+import org.springframework.util.StringUtils;
+import org.springframework.util.Assert;
+
+import org.w3c.dom.Element;
+import org.apache.directory.server.configuration.MutableServerStartupConfiguration;
+import org.apache.directory.server.core.partition.impl.btree.MutableBTreePartitionConfiguration;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import javax.naming.NamingException;
+import java.util.HashSet;
+
+/**
+ * @author Luke Taylor
+ * @version $Id$
+ */
+public class LdapServerBeanDefinitionParser implements BeanDefinitionParser {
+ private Log logger = LogFactory.getLog(getClass());
+
+ /** Defines the Url of the ldap server to use. If not specified, an embedded apache DS instance will be created */
+ private static final String ATT_URL = "url";
+
+ private static final String ATT_PRINCIPAL = "manager-dn";
+ private static final String ATT_PASSWORD = "manager-password";
+
+ // Properties which apply to embedded server only - when no Url is set
+
+ /** sets the configuration suffix (default is "dc=springframework,dc=org"). */
+ public static final String ATT_ROOT_SUFFIX = "root";
+ private static final String OPT_DEFAULT_ROOT_SUFFIX = "dc=springframework,dc=org";
+ /**
+ * Optionally defines an ldif resource to be loaded. Otherwise an attempt will be made to load all ldif files
+ * found on the classpath.
+ */
+ public static final String ATT_LDIF_FILE = "ldif";
+ private static final String OPT_DEFAULT_LDIF_FILE = "classpath*:*.ldif";
+
+ /** Defines the port the LDAP_PROVIDER server should run on */
+ public static final String ATT_PORT = "port";
+ public static final String OPT_DEFAULT_PORT = "33389";
+
+
+ public BeanDefinition parse(Element elt, ParserContext parserContext) {
+ String url = elt.getAttribute(ATT_URL);
+
+ RootBeanDefinition contextSource;
+
+ if (!StringUtils.hasText(url)) {
+ contextSource = createEmbeddedServer(elt, parserContext);
+ } else {
+ contextSource = new RootBeanDefinition(DefaultSpringSecurityContextSource.class);
+ contextSource.getConstructorArgumentValues().addIndexedArgumentValue(0, url);
+ }
+
+ String managerDn = elt.getAttribute(ATT_PRINCIPAL);
+ String managerPassword = elt.getAttribute(ATT_PASSWORD);
+
+ if (StringUtils.hasText(managerDn)) {
+ Assert.hasText(managerPassword, "You must specify the " + ATT_PASSWORD +
+ " if you supply a " + managerDn);
+
+ contextSource.getPropertyValues().addPropertyValue("userDn", managerDn);
+ contextSource.getPropertyValues().addPropertyValue("password", managerPassword);
+ }
+
+ String id = elt.getAttribute(AbstractBeanDefinitionParser.ID_ATTRIBUTE);
+
+ String contextSourceId = StringUtils.hasText(id) ? id : BeanIds.CONTEXT_SOURCE;
+
+ parserContext.getRegistry().registerBeanDefinition(contextSourceId, contextSource);
+
+ return null;
+ }
+
+ /**
+ * Will be called if no url attribute is supplied.
+ *
+ * Registers beans to create an embedded apache directory server.
+ *
+ * @param element
+ * @param parserContext
+ *
+ * @return the BeanDefinition for the ContextSource for the embedded server.
+ *
+ * @see ApacheDSContainer
+ */
+ private RootBeanDefinition createEmbeddedServer(Element element, ParserContext parserContext) {
+ MutableServerStartupConfiguration configuration = new MutableServerStartupConfiguration();
+ MutableBTreePartitionConfiguration partition = new MutableBTreePartitionConfiguration();
+
+ partition.setName("springsecurity");
+
+ DirContextAdapter rootContext = new DirContextAdapter();
+ rootContext.setAttributeValues("objectClass", new String[] {"top", "domain", "extensibleObject"});
+ rootContext.setAttributeValue("dc", "springsecurity");
+
+ partition.setContextEntry(rootContext.getAttributes());
+
+ String suffix = element.getAttribute(ATT_ROOT_SUFFIX);
+
+ if (!StringUtils.hasText(suffix)) {
+ suffix = OPT_DEFAULT_ROOT_SUFFIX;
+ }
+
+ try {
+ partition.setSuffix(suffix);
+ } catch (NamingException e) {
+ parserContext.getReaderContext().error("Failed to set root name suffix to " + suffix, element, e);
+ }
+
+ HashSet partitions = new HashSet(1);
+ partitions.add(partition);
+
+ String port = element.getAttribute(ATT_PORT);
+
+ if (!StringUtils.hasText(port)) {
+ port = OPT_DEFAULT_PORT;
+ }
+
+ configuration.setLdapPort(Integer.parseInt(port));
+
+ // We shut down the server ourself when the app context is closed so we don't need
+ // the extra shutdown hook from apache DS itself.
+ configuration.setShutdownHookEnabled(false);
+ configuration.setExitVmOnShutdown(false);
+ configuration.setContextPartitionConfigurations(partitions);
+
+ String url = "ldap://127.0.0.1:" + port + "/" + suffix;
+
+ RootBeanDefinition contextSource = new RootBeanDefinition(DefaultSpringSecurityContextSource.class);
+ contextSource.getConstructorArgumentValues().addIndexedArgumentValue(0, url);
+ contextSource.getPropertyValues().addPropertyValue("userDn", "uid=admin,ou=system");
+ contextSource.getPropertyValues().addPropertyValue("password", "secret");
+
+ RootBeanDefinition apacheContainer = new RootBeanDefinition(ApacheDSContainer.class);
+ apacheContainer.getConstructorArgumentValues().addGenericArgumentValue(configuration);
+ apacheContainer.getConstructorArgumentValues().addGenericArgumentValue(contextSource);
+
+ String ldifs = element.getAttribute(ATT_LDIF_FILE);
+ if (!StringUtils.hasText(ldifs)) {
+ ldifs = OPT_DEFAULT_LDIF_FILE;
+ }
+
+ apacheContainer.getConstructorArgumentValues().addGenericArgumentValue(ldifs);
+
+ logger.info("Embedded LDAP server bean created for URL: " + url);
+
+ if (parserContext.getRegistry().containsBeanDefinition(BeanIds.EMBEDDED_APACHE_DS)) {
+ parserContext.getReaderContext().error("Only one embedded server bean is allowed per application context",
+ element);
+ }
+
+ parserContext.getRegistry().registerBeanDefinition(BeanIds.EMBEDDED_APACHE_DS, apacheContainer);
+
+ return contextSource;
+ }
+}
diff --git a/core/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java b/core/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java
index 2e11d16af7..ce3ff270aa 100644
--- a/core/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java
+++ b/core/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java
@@ -13,7 +13,8 @@ public class SecurityNamespaceHandler extends NamespaceHandlerSupport {
public void init() {
// Parsers
- registerBeanDefinitionParser(Elements.LDAP, new LdapBeanDefinitionParser());
+ registerBeanDefinitionParser(Elements.LDAP_PROVIDER, new LdapProviderBeanDefinitionParser());
+ registerBeanDefinitionParser(Elements.LDAP_SERVER, new LdapServerBeanDefinitionParser());
registerBeanDefinitionParser(Elements.HTTP, new HttpSecurityBeanDefinitionParser());
registerBeanDefinitionParser(Elements.USER_SERVICE, new UserServiceBeanDefinitionParser());
registerBeanDefinitionParser(Elements.JDBC_USER_SERVICE, new JdbcUserServiceBeanDefinitionParser());
diff --git a/core/src/main/java/org/springframework/security/util/InMemoryResource.java b/core/src/main/java/org/springframework/security/util/InMemoryResource.java
index dab9bda1c9..eb27be8f66 100644
--- a/core/src/main/java/org/springframework/security/util/InMemoryResource.java
+++ b/core/src/main/java/org/springframework/security/util/InMemoryResource.java
@@ -32,27 +32,31 @@ import java.io.InputStream;
public class InMemoryResource extends AbstractResource {
//~ Instance fields ================================================================================================
- private ByteArrayInputStream in;
+ private byte[] source;
private String description;
//~ Constructors ===================================================================================================
+ public InMemoryResource(String source) {
+ this(source.getBytes());
+ }
+
public InMemoryResource(byte[] source) {
this(source, null);
}
public InMemoryResource(byte[] source, String description) {
- in = new ByteArrayInputStream(source);
+ this.source = source;
this.description = description;
}
//~ Methods ========================================================================================================
public String getDescription() {
- return (description == null) ? in.toString() : description;
+ return description;
}
public InputStream getInputStream() throws IOException {
- return in;
+ return new ByteArrayInputStream(source);
}
}
diff --git a/core/src/main/java/org/springframework/security/util/InMemoryXmlApplicationContext.java b/core/src/main/java/org/springframework/security/util/InMemoryXmlApplicationContext.java
new file mode 100644
index 0000000000..b0bbfa229c
--- /dev/null
+++ b/core/src/main/java/org/springframework/security/util/InMemoryXmlApplicationContext.java
@@ -0,0 +1,38 @@
+package org.springframework.security.util;
+
+import org.springframework.context.support.AbstractXmlApplicationContext;
+import org.springframework.core.io.Resource;
+
+/**
+ * @author Luke Taylor
+ * @version $Id$
+ */
+public class InMemoryXmlApplicationContext extends AbstractXmlApplicationContext {
+ private static final String BEANS_OPENING =
+ "\n";
+ private static final String BEANS_CLOSE = "\n";
+
+ Resource inMemoryXml;
+
+ public InMemoryXmlApplicationContext(String xml) {
+ this(xml, true);
+ }
+
+ public InMemoryXmlApplicationContext(String xml, boolean addBeansTags) {
+ String fullXml = addBeansTags ? BEANS_OPENING + xml + BEANS_CLOSE : xml;
+ inMemoryXml = new InMemoryResource(fullXml);
+ refresh();
+ }
+
+ protected Resource[] getConfigResources() {
+ return new Resource[] {inMemoryXml};
+ }
+
+ public static void main(String[] args) {
+ new InMemoryXmlApplicationContext("");
+ }
+}
diff --git a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc
index 69b97e3717..f60363374b 100644
--- a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc
+++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc
@@ -6,28 +6,23 @@ datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"
default namespace = "http://www.springframework.org/schema/security"
-start = http | ldap
+start = http | ldap-server | authentication-provider | ldap-authentication-provider | user-service
hash =
## Defines the hashing algorithm used on user passwords. We recommend strongly against using MD4, as it is a very weak hashing algorithm.
attribute hash {"sha" | "md5" | "md4" | "{sha}" | "{ssha}"}
-
base64 =
## Whether a string should be base64 encoded
attribute base64 {"true" | "false"}
-
path-type =
## Defines the type of pattern used to specify URL paths (either JDK 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if unspecified.
attribute path-type {"ant" | "regex"}
-
port =
## Specifies an IP port number. Used to configure an embedded LDAP server, for example.
attribute port { xsd:integer }
-
url =
## Specifies a URL.
attribute url { xsd:string }
-
id =
## A bean identifier, used for referring to the bean elsewhere in the context.
attribute id {xsd:ID}
@@ -49,28 +44,41 @@ system-wide =
attribute system-wide {xsd:string}
-ldap =
- ## Sets up an ldap authentication provider, optionally with an embedded ldap server
- element ldap {ldap.attlist, empty}
-ldap.attlist &=
- ## The url indicates the server location. If omitted, an embedded server will be started, optionally with the configured port number.
- (url | port)?
+ldap-server =
+ ## Defines an LDAP server location or starts an embedded server. The url indicates the location of a remote server. If no url is given, an embedded server will be started, listening on the supplied port number. The port is optional and defaults to 33389. A Spring LDAP ContextSource bean will be registered for the server with the id supplied.
+ element ldap-server {ldap-server.attlist}
+ldap-server.attlist &= id?
+ldap-server.attlist &= (url | port)?
+ldap-server.attlist &=
+ ## Username (DN) of the "manager" user identity which will be used to authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used.
+ attribute manager-dn {xsd:string}?
+ ## The password for the manager DN.
+ldap-server.attlist &=
+ attribute manager-password {xsd:string}?
+ldap-server.attlist &=
+ ## Explicitly specifies an ldif file resource to load into an embedded LDAP server
+ attribute ldif { xsd:string }?
+ldap-server.attlist &=
+ ## Optional root suffix for the embedded LDAP server. Default is "dc=springframework,dc=org"
+ attribute root { xsd:string }?
+
+
+ldap-authentication-provider =
+ ## Sets up an ldap authentication provider
+ element ldap-authentication-provider {ldap-ap.attlist, empty}
+ldap-ap.attlist &=
+ ## The server to authenticate against.
+ attribute server-ref {xsd:IDREF}?
-ldap.attlist &=
- ## Explicitly specify an ldif file resource to load into the embedded server
- [ a:defaultValue = "classpath*:*.ldif" ] attribute ldif { xsd:string }?
intercept-methods =
## Can be used inside a bean definition to add a security interceptor to the bean and set up access configuration attributes for the bean's methods
element intercept-methods {intercept-methods.attlist, protect+}
-
intercept-methods.attlist = empty
-
protect =
## Defines a protected method and the access control configuration attributes that apply to it
element protect {protect.attlist, empty}
-
protect.attlist &=
## A method name
attribute method {xsd:string}
@@ -82,7 +90,6 @@ protect.attlist &=
annotation-driven =
## Activates security annotation scanning. All beans registered in the Spring application context will be scanned for Spring Security annotations. Where found, the beans will automatically be proxied and security authorization applied to the methods accordingly. Please ensure you have the spring-security-tiger-XXX.jar on your classpath.
element annotation-driven {annotation-driven.attlist}
-
annotation-driven.attlist = empty
@@ -106,7 +113,7 @@ http.attlist &=
attribute servlet-api-provision {"true" | "false"}?
http.attlist &=
## Optional attribute specifying the ID of the AccessDecisionManager implementation which should be used for authorizing HTTP requests.
- attribute access-decision-manager {xsd:string}?
+ attribute access-decision-manager {xsd:IDREF}?
http.attlist &=
## Optional attribute specifying the realm name that will be used for all authentication features that require a realm name (eg BASIC and Digest authentication). If unspecified, defaults to "Spring Security Application".
attribute realm {xsd:string}?
@@ -189,7 +196,7 @@ concurrent-sessions.attlist &=
remember-me =
element remember-me {remember-me.attlist}
remember-me.attlist &=
- (attribute key {xsd:string} | (attribute token-repository {xsd:string} | attribute data-source {xsd:string}))
+ (attribute key {xsd:string} | (attribute token-repository {xsd:IDREF} | attribute data-source {xsd:string}))
anonymous =
## Adds support for automatically granting all anonymous web requests a particular principal identity and a corresponding granted authority.
@@ -205,16 +212,18 @@ anonymous.attlist &=
attribute granted-authority {xsd:string}?
authentication-provider =
- ## Indicates that the contained user-service should be used as an authentication source. May either refer to an external UserDetailsService bean by id (using the "ref" attribute) or contain a child element which creates the service.
- element authentication-provider {(ref | (user-service | jdbc-user-service)) & password-encoder}
-ap.attlist &=
- attribute ref {xsd:IDREF}
+ ## Indicates that the contained user-service should be used as an authentication source.
+ element authentication-provider {ap.attlist & (user-service | jdbc-user-service) & password-encoder}
+ap.attlist &=
+ ## Specifies a reference to a separately configured UserDetailsService from which to obtain authentication data.
+ attribute user-service-ref {xsd:IDREF}?
user-service =
+ ## Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements.
element user-service {id? & (properties-file | (user*))}
properties-file =
- attribute properties {xsd:string}*
-
+ attribute properties {xsd:string}?
+
user =
## Represents a user in the application.
element user {user.attlist, empty}
@@ -228,6 +237,7 @@ user.attlist &=
## One of more authorities granted to the user. Separate authorities with a comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR"
attribute authorities {xsd:string}
+
jdbc-user-service =
## Causes creation of a JDBC-based UserDetailsService.
element jdbc-user-service {id? & jdbc-user-service.attlist}
diff --git a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd
index 5fe8afc80f..30aa097127 100644
--- a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd
+++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd
@@ -138,15 +138,20 @@
-
+
- Sets up an ldap authentication provider, optionally with an embedded ldap server
+ Defines an LDAP server location or starts an embedded server. The url indicates the location of a remote server. If no url is given, an embedded server will be started, listening on the supplied port number. The port is optional and defaults to 33389. A Spring LDAP ContextSource bean will be registered for the server with the id supplied.
-
+
-
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the context.
+
+
Specifies a URL.
@@ -157,9 +162,35 @@
Specifies an IP port number. Used to configure an embedded LDAP server, for example.
-
+
- Explicitly specify an ldif file resource to load into the embedded server
+ Username (DN) of the "manager" user identity which will be used to authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used.
+
+
+
+
+
+ Explicitly specifies an ldif file resource to load into an embedded LDAP server
+
+
+
+
+ Optional root suffix for the embedded LDAP server. Default is "dc=springframework,dc=org"
+
+
+
+
+
+ Sets up an ldap authentication provider
+
+
+
+
+
+
+
+
+ The server to authenticate against.
@@ -273,7 +304,7 @@
-
+
Optional attribute specifying the ID of the AccessDecisionManager implementation which should be used for authorizing HTTP requests.
@@ -445,7 +476,7 @@
-
+
@@ -475,7 +506,7 @@
- Indicates that the contained user-service should be used as an authentication source. May either refer to an external UserDetailsService bean by id (using the "ref" attribute) or contain a child element which creates the service.
+ Indicates that the contained user-service should be used as an authentication source.
@@ -485,17 +516,20 @@
-
-
- Defines a reference to a Spring bean id.
-
-
+
-
+
+
+ Specifies a reference to a separately configured UserDetailsService from which to obtain authentication data.
+
+
+
+ Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements.
+
diff --git a/core/src/test/java/org/springframework/security/config/AuthenticationProviderBeanDefinitionParserTests.java b/core/src/test/java/org/springframework/security/config/AuthenticationProviderBeanDefinitionParserTests.java
new file mode 100644
index 0000000000..7a6b1c7629
--- /dev/null
+++ b/core/src/test/java/org/springframework/security/config/AuthenticationProviderBeanDefinitionParserTests.java
@@ -0,0 +1,49 @@
+package org.springframework.security.config;
+
+import org.springframework.security.providers.ProviderManager;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.providers.AuthenticationProvider;
+import org.springframework.context.support.ClassPathXmlApplicationContext;
+import org.springframework.beans.BeansException;
+
+import org.junit.BeforeClass;
+import org.junit.AfterClass;
+import org.junit.Test;
+
+import java.util.List;
+
+/**
+ * @author Luke Taylor
+ * @version $Id$
+ */
+public class AuthenticationProviderBeanDefinitionParserTests {
+ private static ClassPathXmlApplicationContext appContext;
+
+ @BeforeClass
+ public static void loadContext() {
+ try {
+ appContext = new ClassPathXmlApplicationContext("org/springframework/security/config/auth-provider.xml");
+ } catch (BeansException e) {
+ e.printStackTrace();
+ }
+ }
+
+ @AfterClass
+ public static void closeAppContext() {
+ if (appContext != null) {
+ appContext.close();
+ }
+ }
+
+ @Test
+ public void configuredProvidersAllAuthenticateUser() {
+ List providers =
+ ((ProviderManager)appContext.getBean(BeanIds.AUTHENTICATION_MANAGER)).getProviders();
+
+ UsernamePasswordAuthenticationToken bob = new UsernamePasswordAuthenticationToken("bob", "bobspassword");
+
+ for (AuthenticationProvider provider : providers) {
+ provider.authenticate(bob);
+ }
+ }
+}
diff --git a/core/src/test/java/org/springframework/security/config/LdapProviderBeanDefinitionParserTests.java b/core/src/test/java/org/springframework/security/config/LdapProviderBeanDefinitionParserTests.java
new file mode 100644
index 0000000000..38d79cee80
--- /dev/null
+++ b/core/src/test/java/org/springframework/security/config/LdapProviderBeanDefinitionParserTests.java
@@ -0,0 +1,49 @@
+package org.springframework.security.config;
+
+import org.springframework.security.providers.ProviderManager;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.providers.ldap.LdapAuthenticationProvider;
+import org.springframework.security.Authentication;
+import org.springframework.security.util.InMemoryXmlApplicationContext;
+import org.springframework.security.userdetails.ldap.LdapUserDetailsImpl;
+import static org.junit.Assert.*;
+import org.junit.Test;
+import org.junit.After;
+
+
+/**
+ * @author luke
+ * @version $Id$
+ */
+public class LdapProviderBeanDefinitionParserTests {
+ InMemoryXmlApplicationContext appCtx;
+
+ @After
+ public void closeAppContext() {
+ if (appCtx != null) {
+ appCtx.close();
+ appCtx = null;
+ }
+ }
+
+ @Test
+ public void simpleProviderAuthenticatesCorrectly() {
+ appCtx = new InMemoryXmlApplicationContext(" ");
+
+ ProviderManager authManager = (ProviderManager) appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER);
+
+ assertEquals(1, authManager.getProviders().size());
+
+ LdapAuthenticationProvider provider = (LdapAuthenticationProvider) authManager.getProviders().get(0);
+ Authentication auth = provider.authenticate(new UsernamePasswordAuthenticationToken("ben", "benspassword"));
+ LdapUserDetailsImpl ben = (LdapUserDetailsImpl) auth.getPrincipal();
+
+ assertEquals(2, ben.getAuthorities().length);
+ }
+
+ @Test(expected = SecurityConfigurationException.class)
+ public void missingServerEltCausesConfigException() {
+ appCtx = new InMemoryXmlApplicationContext("");
+ }
+
+}
diff --git a/core/src/test/java/org/springframework/security/config/LdapServerBeanDefinitionParserTests.java b/core/src/test/java/org/springframework/security/config/LdapServerBeanDefinitionParserTests.java
new file mode 100644
index 0000000000..c2d1712c9a
--- /dev/null
+++ b/core/src/test/java/org/springframework/security/config/LdapServerBeanDefinitionParserTests.java
@@ -0,0 +1,66 @@
+package org.springframework.security.config;
+
+import org.springframework.security.util.InMemoryXmlApplicationContext;
+import org.springframework.security.ldap.SpringSecurityContextSource;
+
+import org.springframework.ldap.core.support.BaseLdapPathContextSource;
+import org.springframework.ldap.core.LdapTemplate;
+
+import org.junit.Test;
+import org.junit.After;
+
+/**
+ * @author Luke Taylor
+ * @version $Id$
+ */
+public class LdapServerBeanDefinitionParserTests {
+ InMemoryXmlApplicationContext appCtx;
+
+ @After
+ public void closeAppContext() {
+ if (appCtx != null) {
+ appCtx.close();
+ appCtx = null;
+ }
+ }
+
+ @Test
+ public void embeddedServerCreationContainsExpectedContextSourceAndData() {
+ appCtx = new InMemoryXmlApplicationContext("");
+
+ SpringSecurityContextSource contextSource = (SpringSecurityContextSource) appCtx.getBean(BeanIds.CONTEXT_SOURCE);
+
+ // Check data is loaded
+ LdapTemplate template = new LdapTemplate(contextSource);
+ template.lookup("uid=ben,ou=people");
+ }
+
+ @Test
+ public void useOfUrlAttributeCreatesCorrectContextSource() {
+ // Create second "server" with a url pointing at embedded one
+ appCtx = new InMemoryXmlApplicationContext("" +
+ "");
+
+ // Check the default context source is still there.
+ appCtx.getBean(BeanIds.CONTEXT_SOURCE);
+
+ SpringSecurityContextSource contextSource = (SpringSecurityContextSource) appCtx.getBean("blah");
+
+ // Check data is loaded as before
+ LdapTemplate template = new LdapTemplate(contextSource);
+ template.lookup("uid=ben,ou=people");
+ }
+
+ @Test
+ public void loadingSpecificLdifFileIsSuccessful() {
+ appCtx = new InMemoryXmlApplicationContext(
+ "");
+ SpringSecurityContextSource contextSource = (SpringSecurityContextSource) appCtx.getBean(BeanIds.CONTEXT_SOURCE);
+
+ LdapTemplate template = new LdapTemplate(contextSource);
+ template.lookup("uid=pg,ou=gorillas");
+ }
+
+
+
+}
diff --git a/core/src/test/java/org/springframework/security/ldap/AbstractLdapIntegrationTests.java b/core/src/test/java/org/springframework/security/ldap/AbstractLdapIntegrationTests.java
index 40248af79a..937739033d 100644
--- a/core/src/test/java/org/springframework/security/ldap/AbstractLdapIntegrationTests.java
+++ b/core/src/test/java/org/springframework/security/ldap/AbstractLdapIntegrationTests.java
@@ -14,6 +14,7 @@
*/
package org.springframework.security.ldap;
+import org.springframework.security.config.BeanIds;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.core.io.ClassPathResource;
@@ -42,7 +43,6 @@ import java.util.Set;
*/
public abstract class AbstractLdapIntegrationTests {
private static ClassPathXmlApplicationContext appContext;
- private boolean dirty = false;
protected AbstractLdapIntegrationTests() {
}
@@ -77,19 +77,9 @@ public abstract class AbstractLdapIntegrationTests {
public void onSetUp() throws Exception {
}
- /** Reloads the server data file */
- protected void setDirty() {
- dirty = true;
- }
@After
public final void reloadServerDataIfDirty() throws Exception {
-// if (!dirty) {
-// return;
-// }
-
-// closeContext();
-// loadContext();
ClassPathResource ldifs = new ClassPathResource("test-server.ldif");
if (!ldifs.getFile().exists()) {
@@ -111,7 +101,7 @@ public abstract class AbstractLdapIntegrationTests {
}
public SpringSecurityContextSource getContextSource() {
- return (SpringSecurityContextSource) appContext.getBean("contextSource");
+ return (SpringSecurityContextSource) appContext.getBean(BeanIds.CONTEXT_SOURCE);
}
/**
diff --git a/core/src/test/resources/org/springframework/security/config/auth-provider.xml b/core/src/test/resources/org/springframework/security/config/auth-provider.xml
new file mode 100644
index 0000000000..8598cb05bb
--- /dev/null
+++ b/core/src/test/resources/org/springframework/security/config/auth-provider.xml
@@ -0,0 +1,37 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/core/src/test/resources/org/springframework/security/config/http-security.xml b/core/src/test/resources/org/springframework/security/config/http-security.xml
index c724377644..c9d7001492 100644
--- a/core/src/test/resources/org/springframework/security/config/http-security.xml
+++ b/core/src/test/resources/org/springframework/security/config/http-security.xml
@@ -32,7 +32,7 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
-
+
diff --git a/core/src/test/resources/org/springframework/security/config/ldap-embedded-default.xml b/core/src/test/resources/org/springframework/security/config/ldap-embedded-default.xml
index 64ade8e596..0167a56150 100644
--- a/core/src/test/resources/org/springframework/security/config/ldap-embedded-default.xml
+++ b/core/src/test/resources/org/springframework/security/config/ldap-embedded-default.xml
@@ -1,13 +1,13 @@
-
-
-
+
-
\ No newline at end of file
+
+
\ No newline at end of file
diff --git a/core/src/test/resources/org/springframework/security/ldap/ldapIntegrationTestContext.xml b/core/src/test/resources/org/springframework/security/ldap/ldapIntegrationTestContext.xml
index 6103b0e9dc..cc9f92086a 100644
--- a/core/src/test/resources/org/springframework/security/ldap/ldapIntegrationTestContext.xml
+++ b/core/src/test/resources/org/springframework/security/ldap/ldapIntegrationTestContext.xml
@@ -5,7 +5,7 @@
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
-
+
diff --git a/core/src/test/resources/test-server2.xldif b/core/src/test/resources/test-server2.xldif
new file mode 100644
index 0000000000..b80e0b4d4b
--- /dev/null
+++ b/core/src/test/resources/test-server2.xldif
@@ -0,0 +1,16 @@
+dn: ou=gorillas,dc=monkeymachine,dc=co,dc=uk
+objectclass: top
+objectclass: organizationalUnit
+ou: gorillas
+
+dn: uid=pg,ou=gorillas,dc=monkeymachine,dc=co,dc=uk
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Pierre
+sn: Gorille
+uid: pg
+userPassword: password
+
+