

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 19127: downgrade to spring sec 3.2.7 for now, it has some issues with @PreAuthorize() Spring-EL expressions

 

------------------------------------------------------------
revno: 19127
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Mon 2015-05-11 14:10:34 +0700
message:
  downgrade to spring sec 3.2.7 for now, it has some issues with @PreAuthorize() Spring-EL expressions
removed:
  dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/bpp/
  dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/bpp/DefaultRolesPrefixPostProcessor.java
modified:
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/event/TrackedEntityInstanceController.java
  dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml
  dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml
  dhis-2/dhis-web/dhis-web-ohie/src/main/resources/META-INF/dhis/webapi-ohie.xml
  dhis-2/pom.xml


=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/event/TrackedEntityInstanceController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/event/TrackedEntityInstanceController.java	2015-05-11 06:02:29 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/event/TrackedEntityInstanceController.java	2015-05-11 07:10:34 +0000
@@ -78,7 +78,7 @@
  */
 @Controller
 @RequestMapping( value = TrackedEntityInstanceSchemaDescriptor.API_ENDPOINT )
-@PreAuthorize( "hasRole('ALL') or hasRole('F_TRACKED_ENTITY_INSTANCE_SEARCH')" )
+@PreAuthorize( "hasAnyRole('ALL', 'F_TRACKED_ENTITY_INSTANCE_SEARCH')" )
 public class TrackedEntityInstanceController
 {
     @Autowired
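Review bot: The new `hasAnyRole('ALL', 'F_TRACKED_ENTITY_INSTANCE_SEARCH')` expression only matches DHIS2's unprefixed authorities because Spring Security 3.2.x applies no default role prefix; the same commit deletes DefaultRolesPrefixPostProcessor, whose Javadoc records that 4.x prepends ROLE_ automatically, so a later re-upgrade would make this check look for ROLE_ALL and silently deny every caller of the controller. That dependency is invisible at the annotation and deserves a comment so the next upgrade does not miss it, e.g. `// Authorities are unprefixed (ALL, F_*): relies on Spring Security 3.2.x applying no default ROLE_ prefix.` The class body continues outside the hunk.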

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml'
--- dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml	2015-05-11 04:36:57 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml	2015-05-11 07:10:34 +0000
@@ -6,7 +6,7 @@
   xmlns:sec="http://www.springframework.org/schema/security";
   xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
-    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
+    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
     http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd";>
 
   <sec:global-method-security pre-post-annotations="enabled" />

=== removed directory 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/bpp'
=== removed file 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/bpp/DefaultRolesPrefixPostProcessor.java'
--- dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/bpp/DefaultRolesPrefixPostProcessor.java	2015-05-11 06:17:00 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/bpp/DefaultRolesPrefixPostProcessor.java	1970-01-01 00:00:00 +0000
@@ -1,100 +0,0 @@
-package org.hisp.dhis.security.bpp;
-
-/*
- * Copyright (c) 2004-2015, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-import org.springframework.beans.BeansException;
-import org.springframework.beans.FatalBeanException;
-import org.springframework.beans.factory.config.BeanPostProcessor;
-import org.springframework.core.PriorityOrdered;
-import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource;
-import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
-import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
-import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
-
-import javax.servlet.ServletException;
-
-/**
- * From spring security 4.x, all roles are automatically pre-pended with ROLE_, we need to remove
- * this to probably support our authorities (ALL vs ROLE_ALL etc)
- *
- * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
- */
-public class DefaultRolesPrefixPostProcessor implements BeanPostProcessor, PriorityOrdered
-{
-    @Override
-    public Object postProcessAfterInitialization( Object bean, String beanName )
-        throws BeansException
-    {
-        // remove this if you are not using JSR-250
-        if ( bean instanceof Jsr250MethodSecurityMetadataSource )
-        {
-            ((Jsr250MethodSecurityMetadataSource) bean).setDefaultRolePrefix( null );
-        }
-
-        if ( bean instanceof DefaultMethodSecurityExpressionHandler )
-        {
-            ((DefaultMethodSecurityExpressionHandler) bean).setDefaultRolePrefix( null );
-        }
-
-        if ( bean instanceof DefaultWebSecurityExpressionHandler )
-        {
-            ((DefaultWebSecurityExpressionHandler) bean).setDefaultRolePrefix( null );
-        }
-
-        if ( bean instanceof SecurityContextHolderAwareRequestFilter )
-        {
-            SecurityContextHolderAwareRequestFilter filter = (SecurityContextHolderAwareRequestFilter) bean;
-            filter.setRolePrefix( "" );
-
-            try
-            {
-                filter.afterPropertiesSet();
-            }
-            catch ( ServletException e )
-            {
-                throw new FatalBeanException( e.getMessage(), e );
-            }
-        }
-
-        return bean;
-    }
-
-    @Override
-    public Object postProcessBeforeInitialization( Object bean, String beanName )
-        throws BeansException
-    {
-        return bean;
-    }
-
-    @Override
-    public int getOrder()
-    {
-        return PriorityOrdered.HIGHEST_PRECEDENCE;
-    }
-}

=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml'
--- dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml	2015-05-11 06:17:00 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml	2015-05-11 07:10:34 +0000
@@ -2,7 +2,7 @@
 <beans xmlns="http://www.springframework.org/schema/beans"; xmlns:sec="http://www.springframework.org/schema/security";
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
-    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd";>
+    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd";>
 
   <bean id="mappedRedirectStrategy" class="org.hisp.dhis.security.MappedRedirectStrategy">
     <property name="redirectMap">
@@ -65,14 +65,12 @@
       login-page="/dhis-web-commons/security/login.action"
       authentication-success-handler-ref="defaultAuthenticationSuccessHandler" />
 
-    <sec:headers defaults-disabled="true">
+    <sec:headers>
       <sec:content-type-options />
       <sec:frame-options />
       <sec:xss-protection />
     </sec:headers>
 
-    <sec:csrf disabled="true" />
-
     <sec:http-basic />
     <sec:logout logout-url="/dhis-web-commons-security/logout.action" />
     <sec:intercept-url pattern="/dhis-web-commons/i18nJavaScript.action" access="permitAll()" />
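Review bot: Dropping `<sec:csrf disabled="true" />` leaves CSRF protection turned off only by the 3.2.x default, so the configuration no longer states the posture it relies on, and a future re-upgrade to a version that enables CSRF by default would change request handling for every state-changing endpoint with no visible marker in this file. Spring Security 3.2 accepts the explicit element, so keeping `<sec:csrf disabled="true" /> <!-- intentionally disabled; see revno 19127 -->` costs nothing and documents the decision where it is enforced. The `<sec:headers>` change presumably has the same effect as the removed `defaults-disabled="true"` because 3.2.x adds only the listed child headers when children are given; that should be confirmed against the 3.2 namespace, since the point of the explicit attribute in 4.0 was exactly that the two versions differ here.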
@@ -353,6 +351,4 @@
 
   <bean id="appsSystemAuthoritiesProvider" class="org.hisp.dhis.security.authority.AppsSystemAuthoritiesProvider" />
 
-  <bean class="org.hisp.dhis.security.bpp.DefaultRolesPrefixPostProcessor" />
-
 </beans>

=== modified file 'dhis-2/dhis-web/dhis-web-ohie/src/main/resources/META-INF/dhis/webapi-ohie.xml'
--- dhis-2/dhis-web/dhis-web-ohie/src/main/resources/META-INF/dhis/webapi-ohie.xml	2015-05-11 04:36:57 +0000
+++ dhis-2/dhis-web/dhis-web-ohie/src/main/resources/META-INF/dhis/webapi-ohie.xml	2015-05-11 07:10:34 +0000
@@ -7,7 +7,7 @@
   xsi:schemaLocation="
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
     http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd
-    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
+    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
     http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd";>
 
   <sec:global-method-security pre-post-annotations="enabled" />

=== modified file 'dhis-2/pom.xml'
--- dhis-2/pom.xml	2015-05-11 05:13:35 +0000
+++ dhis-2/pom.xml	2015-05-11 07:10:34 +0000
@@ -1008,7 +1008,7 @@
     <rootDir></rootDir>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <spring.version>4.1.6.RELEASE</spring.version>
-    <spring.security.version>4.0.1.RELEASE</spring.security.version>
+    <spring.security.version>3.2.7.RELEASE</spring.security.version>
     <struts.version>2.3.16.3</struts.version>
     <hibernate.version>4.2.0.Final</hibernate.version>
     <hibernate-validator.version>4.3.1.Final</hibernate-validator.version>