Spring Security
  1. Spring Security
  2. SEC-1256

Cannot use bean configuration to configure a FilterSecurityMetadataSource with SpEL expressions due to hard-coded "false" value in code

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0 M2
    • Fix Version/s: 3.0.0 RC1
    • Component/s: Namespace
    • Labels:
      None

      Description

      I ran into this as I was trying to configure a Spring Sec stack without the security namespace in place. In 3.0.0M2 there is a hard-coded "false" for useExpressions in the FilterInvocationSecurityMetadataSourceBeanDefinitionParser, at the following line (on or about line 47):

      LinkedHashMap<RequestKey, List<ConfigAttribute>> requestMap =
      HttpSecurityBeanDefinitionParser.parseInterceptUrlsForFilterInvocationRequestMap(interceptUrls,
      convertPathsToLowerCase, false, parserContext);

      I believe this code should be augmented to look for the "use-expressions" attribute on the <sec:filter-security-metadata-source> element. The resultant code would look something like the following (note, I haven't been able to get a compilable version of Spring Sec from source, otherwise I'd supply a patch ):

      boolean useExpressions = false;
      if(StringUtils.hasLength(element.getAttribute(HttpSecurityBeanDefinitionParser.ATT_USE_EXPRESSIONS)))

      { useExpressions = Boolean.parseBoolean(element.getAttribute(HttpSecurityBeanDefinitionParser.ATT_USE_EXPRESSIONS)); }

      LinkedHashMap<RequestKey, List<ConfigAttribute>> requestMap =
      HttpSecurityBeanDefinitionParser.parseInterceptUrlsForFilterInvocationRequestMap(interceptUrls,
      convertPathsToLowerCase, useExpressions, parserContext);

      Note also that in order to use this code patch you'll have to expand the visibility of the constant reference ATT_USE_EXPRESSIONS.

      Since I can't verify that SpEL access declarations work with this fix (although they should), I can't guarantee this is all-inclusive, but hopefully it'll be close!

      Sample bean definition (although you probably don't need it):

      <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
      <property name="authenticationManager" ref="customAuthenticationManager"/>
      <property name="accessDecisionManager" ref="affirmativeBased"/>
      <property name="securityMetadataSource">
      <security:filter-security-metadata-source use-expressions="true">
      <security:intercept-url pattern="/login.do" access="permitAll"/>
      <security:intercept-url pattern="/home.do" access="permitAll"/>
      <security:intercept-url pattern="/account/*.do" access="hasRole('ROLE_USER') and fullyAuthenticated"/>
      <security:intercept-url pattern="/*" access="hasRole('ROLE_USER')"/>
      </security:filter-security-metadata-source>
      </property>
      </bean>

      You needn't worry about analyzing the expressions for correctness - I've verified they work already using the standard <http use-expressions="true"> format. Thanks for reviewing the bug!

        Activity

        Hide
        Luke Taylor added a comment -

        Thanks for the report, Peter.

        The build should always be working fine (check http://build.springsource.org/browse/SEC-TRUNK). If you have a problem compiling then please report it separately, giving details of the error.

        Show
        Luke Taylor added a comment - Thanks for the report, Peter. The build should always be working fine (check http://build.springsource.org/browse/SEC-TRUNK ). If you have a problem compiling then please report it separately, giving details of the error.
        Hide
        Luke Taylor added a comment -

        Should be fixed. Also requires that the correct FilterSecurityMetadataSource bean class be selected, depending on whether expressions are enabled or not.

        Show
        Luke Taylor added a comment - Should be fixed. Also requires that the correct FilterSecurityMetadataSource bean class be selected, depending on whether expressions are enabled or not.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Peter Mularien
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: