attempting to allow make use of SPEL

13 years ago · dbd563f3f2
parent f0c949fd09
commit dbd563f3f2
6 changed files with 36 additions and 7 deletions
--- a/openid-connect-server/.springBeans
+++ b/openid-connect-server/.springBeans
@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beansProjectDescription>
 	<version>1</version>
-	<pluginVersion><![CDATA[2.8.1.201111220115-RELEASE]]></pluginVersion>
+	<pluginVersion><![CDATA[2.9.2.201205070117-RELEASE]]></pluginVersion>
 	<configSuffixes>
 		<configSuffix><![CDATA[xml]]></configSuffix>
 	</configSuffixes>
@ -12,6 +12,7 @@
 		<config>src/main/webapp/WEB-INF/local-config.xml</config>
 		<config>src/main/webapp/WEB-INF/data-context.xml</config>
 		<config>src/main/webapp/WEB-INF/crypto-config.xml</config>
+		<config>src/main/webapp/WEB-INF/application-context.xml</config>
 	</configs>
 	<configSets>
 	</configSets>
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/UserInfoEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/UserInfoEndpoint.java
@ -63,7 +63,7 @@ public class UserInfoEndpoint {
 	 * @throws UsernameNotFoundException		if the user does not exist or cannot be found
 	 * @throws UnknownUserInfoSchemaException	if an unknown schema is used
 	 */
-	@PreAuthorize("hasRole('ROLE_USER')") // TODO: need to add the check for the "openid" scope, which is REQUIRED
+	@PreAuthorize("hasRole('ROLE_USER') and #oauth2.hasScope('openid')") // TODO: need to add the check for the "openid" scope, which is REQUIRED
 	@RequestMapping(value="/userinfo", method= {RequestMethod.GET, RequestMethod.POST})
 	public String getInfo(Principal p, @RequestParam("schema") String schema, Model model) {

--- a/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml
@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+
+</beans>
--- a/openid-connect-server/src/main/webapp/WEB-INF/tags/topbar.tag
+++ b/openid-connect-server/src/main/webapp/WEB-INF/tags/topbar.tag
@ -20,7 +20,7 @@
                
                	<security:authentication property="authorities" var="roles"/>

-                    <security:authorize ifAnyGranted="ROLE_USER">
+                    <security:authorize access="hasRole('ROLE_USER')">
                        Logged in as <a href="#"><%= request.getUserPrincipal().getName() %></a>
                    </security:authorize>
                </p>
--- a/openid-connect-server/src/main/webapp/WEB-INF/user-context.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/user-context.xml
@ -13,7 +13,14 @@
 		http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd">


-	<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager"/>
+	<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager">
+		<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
+		<security:expression-handler ref="oauthExpressionHandler" />
+	</security:global-method-security>
+
+	<oauth2:expression-handler id="oauthExpressionHandler" />
+
+	<oauth2:web-expression-handler id="oauthWebExpressionHandler" />

 	<security:authentication-manager alias="authenticationManager">
 		<security:authentication-provider>
@ -29,11 +36,12 @@
 		</security:authentication-provider>
 	</security:authentication-manager>
 		
-	<security:http auto-config="true" disable-url-rewriting="true"> <!-- authentication-manager-ref="springSecurityAuthenticationManager" -->
-		<security:intercept-url pattern="/oauth/**" access="ROLE_USER" />
-		<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
+	<security:http auto-config="true" disable-url-rewriting="true" use-expressions="true"> <!-- authentication-manager-ref="springSecurityAuthenticationManager" -->
+		<security:intercept-url pattern="/oauth/**" access="hasRole('ROLE_USER')" />
+		<security:intercept-url pattern="/**" access="permitAll" />
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:anonymous />
+		<security:expression-handler ref="oauthWebExpressionHandler" />
 	</security:http>	

 </beans>
--- a/openid-connect-server/src/main/webapp/WEB-INF/web.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/web.xml
@ -3,6 +3,19 @@
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

+	<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
+	<context-param>
+		<param-name>contextConfigLocation</param-name>
+		<param-value>
+			/WEB-INF/application-context.xml
+		</param-value>
+	</context-param>
+	
+	<!-- Creates the Spring Container shared by all Servlets and Filters -->
+	<listener>
+		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
+	</listener>
+	
 	<!-- filter through Spring Security -->

 	<filter>