This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/master by this push:
new 9ec71a3 fediz-idp: adopt to Spring Security 4.x
new 79796b0 Merge pull request #40 from amarkevich/spring-security-4
9ec71a3 is described below
commit 9ec71a3a7b9aba5d4cdb1830b9710cf5abd0fa8f
Author: Alexey Markevich <[email protected]>
AuthorDate: Tue Apr 30 10:56:05 2019 +0300
fediz-idp: adapt to Spring Security 4.x
---
services/idp-core/pom.xml | 4 ----
.../webapp/WEB-INF/config/idp-core-servlet.xml | 8 +++-----
.../WEB-INF/config/security-clientcert-config.xml | 2 +-
.../webapp/WEB-INF/config/security-krb-config.xml | 2 +-
.../webapp/WEB-INF/config/security-rs-config.xml | 5 +++--
.../webapp/WEB-INF/config/security-up-config.xml | 23 +++++++++++-----------
.../src/main/webapp/WEB-INF/security-config.xml | 15 ++++++++++----
.../test/resources/realma/security-up-config.xml | 2 +-
.../src/test/resources/realmb/security-config.xml | 7 ++++++-
.../src/test/resources/realmb/security-config.xml | 7 ++++++-
.../src/test/resources/realmb/security-config.xml | 7 ++++++-
11 files changed, 50 insertions(+), 32 deletions(-)
diff --git a/services/idp-core/pom.xml b/services/idp-core/pom.xml
index f65466e..dd15c51 100644
--- a/services/idp-core/pom.xml
+++ b/services/idp-core/pom.xml
@@ -29,10 +29,6 @@
<name>Apache Fediz IDP Core</name>
<packaging>jar</packaging>
- <properties>
- <spring.security.version>3.2.10.RELEASE</spring.security.version>
- </properties>
-
<dependencies>
<dependency>
<groupId>junit</groupId>
diff --git a/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
b/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
index 3d62ad9..e810912 100644
--- a/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
+++ b/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
@@ -92,14 +92,12 @@
</bean>
<bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
- <property name="decisionVoters">
+ <constructor-arg>
<list>
- <bean
class="org.springframework.security.access.vote.RoleVoter">
- <property name="rolePrefix" value="ROLE_" />
- </bean>
+ <bean
class="org.springframework.security.access.vote.RoleVoter" />
<bean
class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
- </property>
+ </constructor-arg>
</bean>
</beans>
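Review bot: Dropping the explicit `rolePrefix` leaves this RoleVoter on its default `ROLE_` prefix, so it still votes only on config attributes that start with `ROLE_` and abstains on anything else; that is unchanged from the 3.x wiring, but it now disagrees with the `GrantedAuthorityDefaults` bean this same commit adds in security-config.xml with an empty prefix, so expression-based rules and this voter no longer share a convention for whether authorities are prefixed. If `accessDecisionManager` is applied to rules written with unprefixed attributes, only the AuthenticatedVoter would actually decide — worth confirming which rules reference this bean, since I cannot see that from the hunk. A short comment would prevent the next migration from tripping over it: `<!-- RoleVoter keeps the default ROLE_ prefix; expression rules use the empty prefix from grantedAuthorityDefaults -->`.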
diff --git
a/services/idp/src/main/webapp/WEB-INF/config/security-clientcert-config.xml
b/services/idp/src/main/webapp/WEB-INF/config/security-clientcert-config.xml
index 80e77db..5167004 100644
--- a/services/idp/src/main/webapp/WEB-INF/config/security-clientcert-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/config/security-clientcert-config.xml
@@ -25,7 +25,7 @@
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-4.3.xsd
">
diff --git
a/services/idp/src/main/webapp/WEB-INF/config/security-krb-config.xml
b/services/idp/src/main/webapp/WEB-INF/config/security-krb-config.xml
index 98e82a0..df797c0 100644
--- a/services/idp/src/main/webapp/WEB-INF/config/security-krb-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/config/security-krb-config.xml
@@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/security/spring-security.xsd
">
<!-- DISABLE in production as it might log confidential information about
the user -->
diff --git a/services/idp/src/main/webapp/WEB-INF/config/security-rs-config.xml
b/services/idp/src/main/webapp/WEB-INF/config/security-rs-config.xml
index c01a630..b691ae1 100644
--- a/services/idp/src/main/webapp/WEB-INF/config/security-rs-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/config/security-rs-config.xml
@@ -24,13 +24,14 @@
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/security/spring-security.xsd
">
<!-- DISABLE in production as it might log confidential information about
the user -->
<!-- <security:debug /> -->
<security:http pattern="/services/rs/**" use-expressions="true"
authentication-manager-ref="restAuthenticationManager">
+ <security:csrf disabled="true"/>
<security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
<security:custom-filter after="SERVLET_API_SUPPORT_FILTER"
ref="entitlementsEnricher" />
<security:intercept-url pattern="/services/rs/**"
access="isAuthenticated()" />
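Review bot: `<security:csrf disabled="true"/>` on `/services/rs/**` restores the 3.x behaviour but has no comment saying why, and this block is backed by an in-memory `user-service` (presumably HTTP Basic via `restAuthenticationManager`); browsers replay cached Basic credentials cross-site, so any state-changing REST call becomes forgeable from a page an authenticated admin visits. If the API is only consumed by non-browser clients, record that assumption next to the element: `<!-- CSRF disabled: REST API is called by non-browser clients that send explicit credentials on every request -->`; if browser use is possible, keep CSRF enabled and exempt only the paths that genuinely need it via `request-matcher-ref`. The remainder of this http element is outside the hunk.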
@@ -56,7 +57,7 @@
<security:salt-source user-property="username" />
</security:password-encoder>
-->
- <security:user-service properties="classpath:/users.properties" />
+ <security:user-service properties="classpath:/users.properties" />
</security:authentication-provider>
<security:authentication-provider ref="stsUPAuthProvider" />
</security:authentication-manager>
diff --git a/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml
b/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml
index 458a869..7e4b769 100644
--- a/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml
@@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/security/spring-security.xsd
">
<!-- DISABLE in production as it might log confidential information about
the user -->
@@ -47,11 +47,11 @@
username-parameter="username"
password-parameter="password"
/-->
- <security:logout logout-url="/federation/up/logout"
- logout-success-url="/federation/up/login?out"
- delete-cookies="FEDIZ_HOME_REALM,JSESSIONID"
- invalidate-session="true"
- />
+ <security:logout logout-url="/federation/up/logout"
+ logout-success-url="/federation/up/login?out"
+ delete-cookies="FEDIZ_HOME_REALM,JSESSIONID"
+ invalidate-session="true"
+ />
<security:headers>
<security:content-type-options />
@@ -62,6 +62,7 @@
<!-- HTTP/BA entry point for SAML SSO -->
<security:http pattern="/saml/up/**" use-expressions="true">
+ <security:csrf disabled="true"/>
<security:intercept-url requires-channel="https"
pattern="/saml/up/login*" access="isAuthenticated()" />
<security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
<security:custom-filter after="SERVLET_API_SUPPORT_FILTER"
ref="entitlementsEnricher" />
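Review bot: With CSRF disabled on `/saml/up/**`, the `<security:logout logout-url="/saml/up/logout">` further down this http block (outside the hunk) will again be reachable by GET, because Spring Security 4's logout filter only insists on POST while CSRF protection is enabled; a cross-site `<img src="…/saml/up/logout">` can then drop the `FEDIZ_HOME_REALM` and `JSESSIONID` cookies for a logged-in user. That is the same exposure as the 3.x config, but the element is now an explicit opt-out and should say so: `<!-- CSRF disabled to keep 3.x semantics; note this also re-enables logout via GET -->`. If the intent is only to let the HTTP/BA login through, consider keeping CSRF on for this block and exempting just the login path.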
@@ -74,11 +75,11 @@
username-parameter="username"
password-parameter="password"
/-->
- <security:logout logout-url="/saml/up/logout"
- logout-success-url="/saml/up/login?out"
- delete-cookies="FEDIZ_HOME_REALM,JSESSIONID"
- invalidate-session="true"
- />
+ <security:logout logout-url="/saml/up/logout"
+ logout-success-url="/saml/up/login?out"
+ delete-cookies="FEDIZ_HOME_REALM,JSESSIONID"
+ invalidate-session="true"
+ />
<security:headers>
<security:content-type-options />
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config.xml
b/services/idp/src/main/webapp/WEB-INF/security-config.xml
index a270050..fb66646 100644
--- a/services/idp/src/main/webapp/WEB-INF/security-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/security-config.xml
@@ -27,7 +27,7 @@
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.3.xsd
http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/security/spring-security.xsd
">
<context:property-placeholder location="classpath:realm.properties" />
@@ -46,6 +46,11 @@
<!-- The user has no role during the login phase of WS-Federation -->
<security:global-method-security pre-post-annotations="enabled" />
+ <!-- Remove the ROLE_ prefix -->
+ <bean id="grantedAuthorityDefaults"
class="org.springframework.security.config.core.GrantedAuthorityDefaults">
+ <constructor-arg value="" />
+ </bean>
+
<!-- Redirects to a dedicated http config -->
<bean id="fedizEntryPoint"
class="org.apache.cxf.fediz.service.idp.FedizEntryPoint">
<property name="realm" value="${realm-uri}" />
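Review bot: The new `grantedAuthorityDefaults` bean with an empty prefix changes what `hasRole('X')` means in every expression this context evaluates — it now requires an authority literally named `X` rather than `ROLE_X` — so any intercept-url or method-security rule written against prefixed authorities silently stops matching (which should fail closed, but is still a behaviour change to verify against what `entitlementsEnricher` actually emits). As far as I recall, `GrantedAuthorityDefaults` is only honoured by the XML namespace and `global-method-security` from Spring Security 4.2 onward, and this commit removes the 3.2.10 override in idp-core/pom.xml without pinning a replacement, so the effective version now comes from a parent POM not visible here — please confirm it is >= 4.2, otherwise the bean is inert and the prefix silently stays `ROLE_`. The comment should spell this out: `<!-- Empty prefix: authorities from entitlementsEnricher are matched verbatim by hasRole()/hasAuthority(); requires Spring Security 4.2+ -->`.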
@@ -54,6 +59,7 @@
<!-- Main entry point for WS-Federation -->
<security:http pattern="/federation" use-expressions="true"
entry-point-ref="fedizEntryPoint">
+ <security:csrf disabled="true"/>
<security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
<security:custom-filter after="SERVLET_API_SUPPORT_FILTER"
ref="entitlementsEnricher" />
<security:intercept-url
pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
access="isAnonymous() or isAuthenticated()" />
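Review bot: The `/federation` block disables CSRF without recording why; the reason is presumably that WS-Federation sign-in and sign-out messages arrive as cross-site GET/POST requests from relying parties and other IdPs and therefore cannot carry a Fediz-issued token, but that should be written down so a later maintainer neither re-enables it by accident nor assumes form posts under this pattern are protected. Suggest `<!-- CSRF disabled: WS-Federation protocol messages are cross-site requests from RPs/IdPs and cannot carry a CSRF token -->` directly above the element. If only some paths under this pattern receive protocol messages, a `request-matcher-ref` that exempts just those is tighter than switching CSRF off for the whole block; the rest of this http element lies outside the hunk.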
@@ -68,6 +74,7 @@
<!-- Main entry point for SAML SSO -->
<security:http pattern="/saml" use-expressions="true"
entry-point-ref="fedizEntryPoint">
+ <security:csrf disabled="true"/>
<security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
<security:custom-filter after="SERVLET_API_SUPPORT_FILTER"
ref="entitlementsEnricher" />
@@ -77,13 +84,13 @@
<security:xss-protection />
</security:headers>
</security:http>
-
- <security:authentication-manager alias="authenticationManagers">
+
+ <security:authentication-manager alias="authenticationManagers"
id="authenticationManagers">
<security:authentication-provider ref="stsUPAuthProvider" />
<security:authentication-provider ref="stsKrbAuthProvider" />
<security:authentication-provider ref="stsClientCertAuthProvider" />
</security:authentication-manager>
-
+
<bean id="entitlementsEnricher"
class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
/>
diff --git a/systests/custom/src/test/resources/realma/security-up-config.xml
b/systests/custom/src/test/resources/realma/security-up-config.xml
index 6038bdd..dd381bf 100644
--- a/systests/custom/src/test/resources/realma/security-up-config.xml
+++ b/systests/custom/src/test/resources/realma/security-up-config.xml
@@ -28,7 +28,7 @@
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.3.xsd
http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-4.3.xsd
">
diff --git
a/systests/federation/samlsso/src/test/resources/realmb/security-config.xml
b/systests/federation/samlsso/src/test/resources/realmb/security-config.xml
index 866d2e9..c549ef6 100644
--- a/systests/federation/samlsso/src/test/resources/realmb/security-config.xml
+++ b/systests/federation/samlsso/src/test/resources/realmb/security-config.xml
@@ -27,7 +27,7 @@
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.3.xsd
http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/security/spring-security.xsd
">
<context:property-placeholder location="classpath:realm.properties"/>
@@ -41,6 +41,11 @@
<!-- The user has no role during the login phase of WS-Federation -->
<security:global-method-security pre-post-annotations="enabled"/>
+ <!-- Remove the ROLE_ prefix -->
+ <bean id="grantedAuthorityDefaults"
class="org.springframework.security.config.core.GrantedAuthorityDefaults">
+ <constructor-arg value="" />
+ </bean>
+
<security:http pattern="/services/rs/**" use-expressions="true"
authentication-manager-ref="restAuthenticationManager">
<security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
<security:custom-filter after="SERVLET_API_SUPPORT_FILTER"
ref="entitlementsEnricher" />
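Review bot: This test realm's `/services/rs/**` http block does not receive the `<security:csrf disabled="true"/>` that the same commit adds to the shipped security-rs-config.xml, so under Spring Security 4 the systests run the REST endpoint with CSRF enforcement on while the deployed IdP runs without it: any test that POSTs to the REST API will now get a 403 here, and conversely the tests no longer exercise the production configuration. Either add the same element with the same explanatory comment, or, if keeping CSRF on in tests is deliberate, say so: `<!-- CSRF intentionally left enabled here, unlike the IdP config; tests only issue GETs -->`. The same blob (866d2e9..c549ef6) is duplicated in the unknown-subject and wsfed systests and has the same gap; the http element continues past the hunk.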
diff --git
a/systests/federation/unknown-subject/src/test/resources/realmb/security-config.xml
b/systests/federation/unknown-subject/src/test/resources/realmb/security-config.xml
index 866d2e9..c549ef6 100644
---
a/systests/federation/unknown-subject/src/test/resources/realmb/security-config.xml
+++
b/systests/federation/unknown-subject/src/test/resources/realmb/security-config.xml
@@ -27,7 +27,7 @@
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.3.xsd
http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/security/spring-security.xsd
">
<context:property-placeholder location="classpath:realm.properties"/>
@@ -41,6 +41,11 @@
<!-- The user has no role during the login phase of WS-Federation -->
<security:global-method-security pre-post-annotations="enabled"/>
+ <!-- Remove the ROLE_ prefix -->
+ <bean id="grantedAuthorityDefaults"
class="org.springframework.security.config.core.GrantedAuthorityDefaults">
+ <constructor-arg value="" />
+ </bean>
+
<security:http pattern="/services/rs/**" use-expressions="true"
authentication-manager-ref="restAuthenticationManager">
<security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
<security:custom-filter after="SERVLET_API_SUPPORT_FILTER"
ref="entitlementsEnricher" />
diff --git
a/systests/federation/wsfed/src/test/resources/realmb/security-config.xml
b/systests/federation/wsfed/src/test/resources/realmb/security-config.xml
index 866d2e9..c549ef6 100644
--- a/systests/federation/wsfed/src/test/resources/realmb/security-config.xml
+++ b/systests/federation/wsfed/src/test/resources/realmb/security-config.xml
@@ -27,7 +27,7 @@
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.3.xsd
http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/security/spring-security.xsd
">
<context:property-placeholder location="classpath:realm.properties"/>
@@ -41,6 +41,11 @@
<!-- The user has no role during the login phase of WS-Federation -->
<security:global-method-security pre-post-annotations="enabled"/>
+ <!-- Remove the ROLE_ prefix -->
+ <bean id="grantedAuthorityDefaults"
class="org.springframework.security.config.core.GrantedAuthorityDefaults">
+ <constructor-arg value="" />
+ </bean>
+
<security:http pattern="/services/rs/**" use-expressions="true"
authentication-manager-ref="restAuthenticationManager">
<security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
<security:custom-filter after="SERVLET_API_SUPPORT_FILTER"
ref="entitlementsEnricher" />