GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

SEC-1448: Fixed failure to resolve generic method argument names in MethodSecurityEvaluationContext. 

Changed to use AopUtils.getMostSpecificMethod() when obtaining the method on which the parameter resolution should be performed. Also added better error handling and log warning when parameter names cannot be resolved. The exception will then be a SpEL one, rather than a NPE.
3.0.x
Luke Taylor 16 years ago
parent
0d198d42ae
commit
eda60b72b1
2 changed files with 37 additions and 5 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 23
      config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java
  2. 19
      core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java

23
config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java
Unescape View File

@ -24,6 +24,7 @@ import org.springframework.security.access.intercept.RunAsManagerImpl;
import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor; import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
import org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor; import org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor;
import org.springframework.security.access.prepost.PostInvocationAdviceProvider; import org.springframework.security.access.prepost.PostInvocationAdviceProvider;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter; import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter;
import org.springframework.security.access.vote.AffirmativeBased; import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException; import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
@ -43,6 +44,8 @@ import org.springframework.security.util.FieldUtils;
* @author Luke Taylor * @author Luke Taylor
*/ */
public class GlobalMethodSecurityBeanDefinitionParserTests { public class GlobalMethodSecurityBeanDefinitionParserTests {
private final UsernamePasswordAuthenticationToken bob = new UsernamePasswordAuthenticationToken("bob","bobspassword");
private AbstractXmlApplicationContext appContext; private AbstractXmlApplicationContext appContext;
private BusinessService target; private BusinessService target;
@ -234,7 +237,7 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
"<global-method-security pre-post-annotations='enabled'/>" + "<global-method-security pre-post-annotations='enabled'/>" +
"<b:bean id='target' class='org.springframework.security.access.annotation.ExpressionProtectedBusinessServiceImpl'/>" + "<b:bean id='target' class='org.springframework.security.access.annotation.ExpressionProtectedBusinessServiceImpl'/>" +
AUTH_PROVIDER_XML); AUTH_PROVIDER_XML);
SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("bob","bobspassword")); SecurityContextHolder.getContext().setAuthentication(bob);
target = (BusinessService) appContext.getBean("target"); target = (BusinessService) appContext.getBean("target");
target.someAdminMethod(); target.someAdminMethod();
} }
@ -245,7 +248,7 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
"<global-method-security pre-post-annotations='enabled'/>" + "<global-method-security pre-post-annotations='enabled'/>" +
"<b:bean id='target' class='org.springframework.security.access.annotation.ExpressionProtectedBusinessServiceImpl'/>" + "<b:bean id='target' class='org.springframework.security.access.annotation.ExpressionProtectedBusinessServiceImpl'/>" +
AUTH_PROVIDER_XML); AUTH_PROVIDER_XML);
SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("bob","bobspassword")); SecurityContextHolder.getContext().setAuthentication(bob);
target = (BusinessService) appContext.getBean("target"); target = (BusinessService) appContext.getBean("target");
List<String> arg = new ArrayList<String>(); List<String> arg = new ArrayList<String>();
arg.add("joe"); arg.add("joe");
@ -264,7 +267,7 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
"<global-method-security pre-post-annotations='enabled'/>" + "<global-method-security pre-post-annotations='enabled'/>" +
"<b:bean id='target' class='org.springframework.security.access.annotation.ExpressionProtectedBusinessServiceImpl'/>" + "<b:bean id='target' class='org.springframework.security.access.annotation.ExpressionProtectedBusinessServiceImpl'/>" +
AUTH_PROVIDER_XML); AUTH_PROVIDER_XML);
SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("bob","bobspassword")); SecurityContextHolder.getContext().setAuthentication(bob);
target = (BusinessService) appContext.getBean("target"); target = (BusinessService) appContext.getBean("target");
Object[] arg = new String[] {"joe", "bob", "sam"}; Object[] arg = new String[] {"joe", "bob", "sam"};
Object[] result = target.methodReturningAnArray(arg); Object[] result = target.methodReturningAnArray(arg);
@ -300,6 +303,19 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
foo.foo(new SecurityConfig("A")); foo.foo(new SecurityConfig("A"));
} }
// SEC-1448
@Test
@SuppressWarnings("unchecked")
public void genericsMethodArgumentNamesAreResolved() throws Exception {
setContext(
"<b:bean id='target' class='" + ConcreteFoo.class.getName() + "'/>" +
"<global-method-security pre-post-annotations='enabled'/>" + AUTH_PROVIDER_XML
);
SecurityContextHolder.getContext().setAuthentication(bob);
Foo foo = (Foo) appContext.getBean("target");
foo.foo(new SecurityConfig("A"));
}
@Test @Test
public void runAsManagerIsSetCorrectly() throws Exception { public void runAsManagerIsSetCorrectly() throws Exception {
StaticApplicationContext parent = new StaticApplicationContext(); StaticApplicationContext parent = new StaticApplicationContext();
@ -328,6 +344,7 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
} }
public static class ConcreteFoo implements Foo<SecurityConfig> { public static class ConcreteFoo implements Foo<SecurityConfig> {
@PreAuthorize("#action.attribute == 'A'")
public void foo(SecurityConfig action) { public void foo(SecurityConfig action) {
} }
} }

19
core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java
Unescape View File

@ -3,11 +3,13 @@ package org.springframework.security.access.expression.method;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import org.aopalliance.intercept.MethodInvocation; import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.aop.support.AopUtils;
import org.springframework.core.LocalVariableTableParameterNameDiscoverer; import org.springframework.core.LocalVariableTableParameterNameDiscoverer;
import org.springframework.core.ParameterNameDiscoverer; import org.springframework.core.ParameterNameDiscoverer;
import org.springframework.expression.spel.support.StandardEvaluationContext; import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.util.ClassUtils;
/** /**
* Internal security-specific EvaluationContext implementation which lazily adds the * Internal security-specific EvaluationContext implementation which lazily adds the
@ -18,6 +20,8 @@ import org.springframework.util.ClassUtils;
* @since 3.0 * @since 3.0
*/ */
class MethodSecurityEvaluationContext extends StandardEvaluationContext { class MethodSecurityEvaluationContext extends StandardEvaluationContext {
private static Log logger = LogFactory.getLog(MethodSecurityEvaluationContext.class);
private ParameterNameDiscoverer parameterNameDiscoverer; private ParameterNameDiscoverer parameterNameDiscoverer;
private boolean argumentsAdded; private boolean argumentsAdded;
private MethodInvocation mi; private MethodInvocation mi;
@ -58,10 +62,21 @@ class MethodSecurityEvaluationContext extends StandardEvaluationContext {
private void addArgumentsAsVariables() { private void addArgumentsAsVariables() {
Object[] args = mi.getArguments(); Object[] args = mi.getArguments();
if (args.length == 0) {
return;
}
Object targetObject = mi.getThis(); Object targetObject = mi.getThis();
Method method = ClassUtils.getMostSpecificMethod(mi.getMethod(), targetObject.getClass()); Method method = AopUtils.getMostSpecificMethod(mi.getMethod(), targetObject.getClass());
String[] paramNames = parameterNameDiscoverer.getParameterNames(method); String[] paramNames = parameterNameDiscoverer.getParameterNames(method);
if (paramNames == null) {
logger.warn("Unable to resolve method parameter names for method: " + method
+ ". Debug symbol information is required if you are using parameter names in expressions.");
return;
}
for(int i=0; i < args.length; i++) { for(int i=0; i < args.length; i++) {
super.setVariable(paramNames[i], args[i]); super.setVariable(paramNames[i], args[i]);
} }

Write Preview
Loading…
Cancel
Save