spring-security升级到4.2.8.RELEASE

bsteker · Jan 10, 2019 · 00421a5 · 00421a5
1 parent f22aa20
commit 00421a5
Show file tree

Hide file tree

Showing 7 changed files with 47 additions and 34 deletions.
diff --git a/bdf2-core/pom.xml b/bdf2-core/pom.xml
@@ -5,19 +5,21 @@
 		<artifactId>bdf2-parent</artifactId>
 		<version>2.0.5-SNAPSHOT</version>
 	</parent>
-	<version>2.1.0-SNAPSHOT</version>
+	<version>2.2.0-SNAPSHOT</version>
 	<artifactId>bdf2-core</artifactId>
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<addon.name>bdf2-core</addon.name>
 		<addon.depends>bdf2-orm</addon.depends>
 		<addon.configurer>com.bstek.bdf2.core.context.CoreContextLocationConfigurer</addon.configurer>
+		<spring.version>4.3.19.RELEASE</spring.version>
+		<spring.security.version>4.2.8.RELEASE</spring.security.version>
 	</properties>
 	<dependencies>
 		<dependency>
 			<groupId>com.bstek.bdf2</groupId>
 			<artifactId>bdf2-orm-hibernate3</artifactId>
-			<version>2.1.0-SNAPSHOT</version>
+			<version>2.2.0-SNAPSHOT</version>
 			<exclusions>
 				<exclusion>
 					<groupId>org.slf4j</groupId>
@@ -28,12 +30,12 @@
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-config</artifactId>
-			<version>3.1.4.RELEASE</version>
+			<version>${spring.security.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-cas</artifactId>
-			<version>3.1.4.RELEASE</version>
+			<version>${spring.security.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>com.google.code</groupId>
@@ -43,21 +45,20 @@
 		<dependency>
 		  <groupId>com.bstek.dorado</groupId>
 		  <artifactId>dorado-intro</artifactId>
-		  <version>0.2.1</version>
+		  <version>0.2.4</version>
 		</dependency>
 	</dependencies>
 	<dependencyManagement>
 		<dependencies>
 			<dependency>
 				<groupId>org.springframework</groupId>
 				<artifactId>spring-framework-bom</artifactId>
-				<version>4.3.0.RELEASE</version>
+				<version>${spring.version}</version>
 				<type>pom</type>
 				<scope>import</scope>
 			</dependency>
 		</dependencies>
 	</dependencyManagement>
-
 	<scm>
 		<developerConnection>scm:svn:http://svn.bsdn.org/bdf/trunk/bdf2/bdf2-core/</developerConnection>
 	</scm>	

diff --git a/bdf2-core/src/main/java/com/bstek/bdf2/core/security/decision/UrlAccessDecisionManager.java b/bdf2-core/src/main/java/com/bstek/bdf2/core/security/decision/UrlAccessDecisionManager.java
@@ -23,20 +23,19 @@
 public class UrlAccessDecisionManager extends
 		AbstractAccessDecisionManager {
 	public static final String BEAN_ID="bdf2.accessDecisionManager";
-	@SuppressWarnings("rawtypes")
 	public UrlAccessDecisionManager(
-			List<AccessDecisionVoter> decisionVoters) {
+			List<AccessDecisionVoter<? extends Object>> decisionVoters) {
 		super(decisionVoters);
 	}
 
-	@SuppressWarnings("unchecked")
+	@SuppressWarnings({ "unchecked", "rawtypes" })
 	public void decide(Authentication authentication, Object object,Collection<ConfigAttribute> configAttributes)throws AccessDeniedException, InsufficientAuthenticationException {
 		if((authentication.getPrincipal() instanceof IUser)){
 			IUser loginUser=(IUser)authentication.getPrincipal();
 			if(loginUser.isAdministrator())return;			
 		}
 		int result=10;
-		for (AccessDecisionVoter<Object> voter : getDecisionVoters()) {
+		for (AccessDecisionVoter voter : getDecisionVoters()) {
 			result = voter.vote(authentication, object, configAttributes);
 			if(result==AccessDecisionVoter.ACCESS_ABSTAIN){
 				continue;

diff --git a/...ore/src/main/java/com/bstek/bdf2/core/security/filter/BasicLoginAuthenticationFilter.java b/...ore/src/main/java/com/bstek/bdf2/core/security/filter/BasicLoginAuthenticationFilter.java
@@ -8,6 +8,7 @@
 
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.util.UrlUtils;
 
@@ -16,8 +17,8 @@
  * @since 2013-3-6
  */
 public class BasicLoginAuthenticationFilter extends BasicAuthenticationFilter {
-	public BasicLoginAuthenticationFilter(AuthenticationManager authenticationManager){
-		super(authenticationManager);
+	public BasicLoginAuthenticationFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint){
+		super(authenticationManager, authenticationEntryPoint);
 	}
 	@Override
 	protected void onSuccessfulAuthentication(HttpServletRequest request,

diff --git a/...-core/src/main/java/com/bstek/bdf2/core/security/filter/CasLoginAuthenticationFilter.java b/...-core/src/main/java/com/bstek/bdf2/core/security/filter/CasLoginAuthenticationFilter.java
@@ -9,6 +9,7 @@
 
 import org.springframework.security.cas.web.CasAuthenticationFilter;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
 
 import com.bstek.bdf2.core.business.IUser;
 import com.bstek.bdf2.core.context.ContextHolder;
@@ -26,21 +27,21 @@ public class CasLoginAuthenticationFilter extends CasAuthenticationFilter {
 	private IPositionService positionService;
 	private IGroupService groupService;
 	@Override
-	@Deprecated
-	protected void successfulAuthentication(HttpServletRequest request,
-			HttpServletResponse response, Authentication authResult)
-			throws IOException, ServletException {
-		super.successfulAuthentication(request, response, authResult);
-		HttpSession session=request.getSession();
-		IUser loginUser=(IUser)authResult.getPrincipal();
-		if(loginUser instanceof DefaultUser){
-			DefaultUser u=(DefaultUser)loginUser;
-			u.setDepts(deptService.loadUserDepts(u.getUsername()));
-			u.setPositions(positionService.loadUserPositions(u.getUsername()));
-			u.setGroups(groupService.loadUserGroups(u.getUsername()));
-		}
-		session.setAttribute(ContextHolder.LOGIN_USER_SESSION_KEY, loginUser);
-		session.setAttribute(ContextHolder.USER_LOGIN_WAY_KEY, "cas");
+	public Authentication attemptAuthentication(final HttpServletRequest request,
+			final HttpServletResponse response) throws AuthenticationException,
+			IOException {
+				Authentication authResult = super.attemptAuthentication(request, response);
+				HttpSession session=request.getSession();
+				IUser loginUser=(IUser)authResult.getPrincipal();
+				if(loginUser instanceof DefaultUser){
+					DefaultUser u=(DefaultUser)loginUser;
+					u.setDepts(deptService.loadUserDepts(u.getUsername()));
+					u.setPositions(positionService.loadUserPositions(u.getUsername()));
+					u.setGroups(groupService.loadUserGroups(u.getUsername()));
+				}
+				session.setAttribute(ContextHolder.LOGIN_USER_SESSION_KEY, loginUser);
+				session.setAttribute(ContextHolder.USER_LOGIN_WAY_KEY, "cas");
+				return authResult;
 	}
 	public IDeptService getDeptService() {
 		return deptService;

diff --git a/.../main/java/com/bstek/bdf2/core/security/session/ConcurrentSessionControlStrategyImpl.java b/.../main/java/com/bstek/bdf2/core/security/session/ConcurrentSessionControlStrategyImpl.java
@@ -4,10 +4,10 @@
 
 import org.springframework.security.core.session.SessionInformation;
 import org.springframework.security.core.session.SessionRegistry;
-import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;
+import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.SessionAuthenticationException;
 
-public class ConcurrentSessionControlStrategyImpl extends ConcurrentSessionControlStrategy {
+public class ConcurrentSessionControlStrategyImpl extends ConcurrentSessionControlAuthenticationStrategy {
 	public ConcurrentSessionControlStrategyImpl(SessionRegistry sessionRegistry) {
 		super(sessionRegistry);
 	}

diff --git a/bdf2-core/src/main/resources/com/bstek/bdf2/core/config/bdf2-security-configs.xml b/bdf2-core/src/main/resources/com/bstek/bdf2/core/config/bdf2-security-configs.xml
@@ -4,8 +4,8 @@
 	xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security
-           http://www.springframework.org/schema/security/spring-security-3.1.xsd">
-	<http entry-point-ref="bdf2.authenticationEntryPoint" access-denied-page="${bdf2.accessDeniedPage}">
+           http://www.springframework.org/schema/security/spring-security-4.2.xsd">
+	<http entry-point-ref="bdf2.authenticationEntryPoint">
 		<custom-filter ref="bdf2.contextFilter" after="SECURITY_CONTEXT_FILTER" />
 		<custom-filter ref="bdf2.logoutFilter" position="LOGOUT_FILTER" />
 		<custom-filter ref="bdf2.preAuthenticatedProcessingFilter" position="PRE_AUTH_FILTER" />
@@ -16,13 +16,22 @@
 		<custom-filter ref="bdf2.basicAuthenticationFilter" position="BASIC_AUTH_FILTER" />
 		<custom-filter ref="bdf2.rememberMeLoginFilter" position="REMEMBER_ME_FILTER" />
 		<anonymous key="doesNotMatter" />
+		<csrf disabled="true"/>
+		<headers>
+            <frame-options policy="SAMEORIGIN"></frame-options>
+        </headers>
+		<access-denied-handler ref="bdf2.accessDeniedHandler"/>  
 		<session-management session-authentication-strategy-ref="${bdf2.loginCreateSessionStrategy}"></session-management>
 		<custom-filter ref="bdf2.controllerFilter" after="SESSION_MANAGEMENT_FILTER" />
 		<custom-filter ref="bdf2.filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" />
 	</http>
 
 	<!-- This filter handles a Single Logout Request from the CAS Server -->
 	<beans:bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter" />
+
+	<beans:bean id="bdf2.accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
+  		<beans:property name="errorPage" value="${bdf2.accessDeniedPage}"/>
+	</beans:bean>
 
 	<authentication-manager alias="bdf2.authenticationManager">
 		<authentication-provider ref="bdf2.casAuthenticationProvider" />
@@ -48,7 +57,7 @@
 	<beans:bean id="bdf2.concurrentSessionControlStrategy" class="com.bstek.bdf2.core.security.session.ConcurrentSessionControlStrategyImpl">
 		<beans:constructor-arg name="sessionRegistry" ref="bdf2.sessionRegistry" />
 		<beans:property name="maximumSessions" value="${bdf2.securityMaximumSessions}" />
-		<beans:property name="alwaysCreateSession" value="${bdf2.alwaysCreateSessionForLogin}" />
+		<!-- <beans:property name="alwaysCreateSession" value="${bdf2.alwaysCreateSessionForLogin}" /> -->
 	</beans:bean>
 
 	<beans:bean id="bdf2.rememberMeLoginFilter" class="com.bstek.bdf2.core.security.filter.RememberMeLoginFilter">
@@ -199,7 +208,7 @@
 
 	<beans:bean id="bdf2.basicAuthenticationFilter" class="com.bstek.bdf2.core.security.filter.BasicLoginAuthenticationFilter">
 		<beans:constructor-arg name="authenticationManager" ref="bdf2.authenticationManager"></beans:constructor-arg>
-		<beans:property name="authenticationEntryPoint" ref="bdf2.basicAuthenticationEntryPoint" />
+		<beans:constructor-arg name="authenticationEntryPoint" ref="bdf2.basicAuthenticationEntryPoint"></beans:constructor-arg>
 	</beans:bean>
 
 	<beans:bean id="bdf2.authenticationEntryPoint" class="com.bstek.bdf2.core.security.MultiAuthenticationEntryPoint">

diff --git a/bdf2-orm-hibernate4/.gitignore b/bdf2-orm-hibernate4/.gitignore
@@ -0,0 +1,2 @@
+/target/
+.settings/