[SWS-559] Upgrade Spring Security to 3.0.2
Created: 27/Aug/09  Updated: 04/May/12  Resolved: 19/May/10

Status: Closed
Project: Spring Web Services
Component/s: None
Affects Version/s: None
Fix Version/s: 2.0 M2

Type: Task
Priority: Major
Reporter: Nick Padgett
Assignee: Tareq Abedrabbo
Resolution: Complete
Votes: 12
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments:
spring-ws-2.0-spring-security-3.0.2-with_x509.patch
spring-ws-2.0-spring-security-3.0.2.patch
Issue Links:
Duplicate
is duplicated by SWS-606 SpringPlainTextPasswordValidationCall... Closed
is duplicated by SWS-611 SpringCertificateValidationCallbackHa... Closed

 Description   

I'd like to upgrade to spring security 3.0.0.M1, but spring ws security does not have support for it yet.



 Comments   
Comment by Nick Padgett [ 15/Oct/09 ]

Spring 3.0.0.RC1 now.

Comment by Nick Padgett [ 27/Feb/10 ]

Spring Security 3.0.2 is now out.

Comment by Aleksander Adamowski [ 09/Mar/10 ]

Here's a patch that does most of the trivial work updating artifact version numbers in POMs and class FQDNs in sources.

There's still the non-trivial issue stemming from the fact that the deprecated class X509AuthenticationToken was in use and it has been removed in 3.0:

[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] spring-ws/trunk/security/src/main/java/org/springframework/ws/soap/security/xwss/callback/SpringCertificateValidationCallbackHandler.java:[31,50] package org.springframework.security.providers.x509 does not exist

[ERROR] spring-ws/trunk/security/src/main/java/org/springframework/ws/soap/security/xwss/callback/SpringCertificateValidationCallbackHandler.java:[99,63] cannot find symbol
symbol : class X509AuthenticationToken
location: class org.springframework.ws.soap.security.xwss.callback.SpringCertificateValidationCallbackHandler.SpringSecurityCertificateValidator

[INFO] 2 errors
[INFO] -------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[ERROR] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Compilation failure

spring-ws/trunk/security/src/main/java/org/springframework/ws/soap/security/xwss/callback/SpringCertificateValidationCallbackHandler.java:[31,50] package org.springframework.security.providers.x509 does not exist

spring-ws/trunk/security/src/main/java/org/springframework/ws/soap/security/xwss/callback/SpringCertificateValidationCallbackHandler.java:[99,63] cannot find symbol
symbol : class X509AuthenticationToken
location: class org.springframework.ws.soap.security.xwss.callback.SpringCertificateValidationCallbackHandler.SpringSecurityCertificateValidator

Comment by Aleksander Adamowski [ 09/Mar/10 ]

BTW, most of the hard work on updating class FQDNs has been done using the Spring API Updater script: http://code.google.com/p/spring-api-updater/

You might find it useful in other migrations to Spring 3.0 and possibly contribute enhancements to it.

Comment by Arjen Poutsma [ 09/Mar/10 ]

Thanks! I really appreciate it.

We will take a look at the X509AuthenticationToken issue for 2.0 M2.

Comment by Aleksander Adamowski [ 09/Mar/10 ]

This is how I understand the X509AuthenticationToken issue:

1) X509AuthenticationToken and the whole org.acegisecurity.providers.x509 has been deprecated in Spring 2.0, probably because the only significant consumer of their API was Spring-WS (at least, Google Code Search doesn't find any others),
2) The replacement, X509AuthenticationFilter seems to be built around the servlet infrastructure and seems to assume that we're dealing with HTTPS - which is not the case in Spring-WS:

    private X509Certificate extractClientCertificate(HttpServletRequest request) {
      X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

3) Spring-WS still needs X509AuthenticationToken or a substitute thereof for its proper operation.

From 1, 2 and 3 it seems to me that X509AuthenticationToken code should not be thrown out, but should find its new home in the sources of Spring-WS, which have been its sole consumer to date.
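
The design point in the comment above, as an added sketch that is not part of the original comment or of the attached patch: an authentication token that carries a certificate taken from the message, so no HttpServletRequest or HTTPS transport is involved. All class names are hypothetical; it assumes Spring Security 3.x on the classpath and an AuthenticationProvider registered for this token type.

```java
import java.security.cert.X509Certificate;
import java.util.Collection;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Added sketch with hypothetical class names; needs Spring Security 3.x on the classpath.
public class MessageCertificateAuthenticator {
    // Token carrying a certificate taken from the message itself, so nothing here
    // touches HttpServletRequest or assumes an HTTPS transport.
    public static class MessageCertificateToken extends AbstractAuthenticationToken {
        private final Object principal;
        private final X509Certificate certificate;
        public MessageCertificateToken(X509Certificate certificate) { // unauthenticated request
            super((Collection<GrantedAuthority>) null);
            this.principal = null;
            this.certificate = certificate;
        }
        // Authenticated result, built by an AuthenticationProvider after validation.
        public MessageCertificateToken(Object principal, X509Certificate certificate,
                                       Collection<GrantedAuthority> authorities) {
            super(authorities);
            this.principal = principal;
            this.certificate = certificate;
            setAuthenticated(true);
        }
        public Object getCredentials() { return certificate; }
        public Object getPrincipal() { return principal; }
    }

    private final AuthenticationManager manager;
    public MessageCertificateAuthenticator(AuthenticationManager manager) {
        this.manager = manager;
    }
    // Fails closed: a missing certificate, a rejection or an unsupported token all yield false.
    public boolean validate(X509Certificate certificate) {
        if (certificate == null) return false;
        try {
            Authentication result = manager.authenticate(new MessageCertificateToken(certificate));
            if (result == null || !result.isAuthenticated()) return false;
            SecurityContextHolder.getContext().setAuthentication(result);
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }
}
```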

Comment by Aleksander Adamowski [ 27/Apr/10 ]

Attaching a patch with the X.509 classes from Spring Security 2 migrated into Spring-WS 2.

This version of Spring-WS 2 makes my Spring-WS 1.5 application that employs WS-Security with certificates work again.

Comment by Tareq Abedrabbo [ 19/May/10 ]

Done. Thanks for the patch!

Comment by Arjen Poutsma [ 04/May/12 ]

Closing old issues
