SEC-2783: XML Configuration Defaults Should Match JavaConfig

* j_username -> username
* j_password -> password
* j_spring_security_check -> login
* j_spring_cas_security_check -> login/cas
* j_spring_cas_security_proxyreceptor -> login/cas/proxyreceptor
* j_spring_openid_security_login -> login/openid
* j_spring_security_switch_user -> login/impersonate
* j_spring_security_exit_user -> logout/impersonate
* login_error -> error
* use-expressions=true by default

Author: Rob Winch

cas/src/main/java/org/springframework/security/cas/ServiceProperties.java

@@ -60,7 +60,7 @@ public void afterPropertiesSet() throws Exception {
      * This service is the callback URL belonging to the local Spring Security System for Spring secured application.
      * For example,
      * <pre>
-     * https://www.mycompany.com/application/j_spring_cas_security_check
+     * https://www.mycompany.com/application/login/cas
      * </pre>
      *
      * @return the URL of the service the user is authenticating to

cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java

@@ -51,7 +51,7 @@
  * presented in the <code>ticket</code> request parameter.
  * <p>
  * This filter monitors the <code>service</code> URL so it can
- * receive the service ticket and process it. By default this filter processes the URL <tt>/j_spring_cas_security_check</tt>.
+ * receive the service ticket and process it. By default this filter processes the URL <tt>/login/cas</tt>.
  * When processing this URL, the value of {@link ServiceProperties#getService()} is used as the <tt>service</tt> when validating
  * the <code>ticket</code>. This means that it is important that {@link ServiceProperties#getService()} specifies the same value
  * as the <tt>filterProcessesUrl</tt>.
@@ -92,7 +92,7 @@
  * <pre>
  * &lt;b:bean id=&quot;serviceProperties&quot;
  *     class=&quot;org.springframework.security.cas.ServiceProperties&quot;
- *     p:service=&quot;https://service.example.com/cas-sample/j_spring_cas_security_check&quot;
+ *     p:service=&quot;https://service.example.com/cas-sample/login/cas&quot;
  *     p:authenticateAllArtifacts=&quot;true&quot;/&gt;
  * &lt;b:bean id=&quot;casEntryPoint&quot;
  *     class=&quot;org.springframework.security.cas.web.CasAuthenticationEntryPoint&quot;
@@ -102,7 +102,7 @@
  *     p:authenticationManager-ref=&quot;authManager&quot;
  *     p:serviceProperties-ref=&quot;serviceProperties&quot;
  *     p:proxyGrantingTicketStorage-ref=&quot;pgtStorage&quot;
- *     p:proxyReceptorUrl=&quot;/j_spring_cas_security_proxyreceptor&quot;&gt;
+ *     p:proxyReceptorUrl=&quot;/login/cas/proxyreceptor&quot;&gt;
  *     &lt;b:property name=&quot;authenticationDetailsSource&quot;&gt;
  *         &lt;b:bean class=&quot;org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource&quot;/&gt;
  *     &lt;/b:property&gt;
@@ -129,7 +129,7 @@
  *         &lt;b:bean
  *             class=&quot;org.jasig.cas.client.validation.Cas20ProxyTicketValidator&quot;
  *             p:acceptAnyProxy=&quot;true&quot;
- *             p:proxyCallbackUrl=&quot;https://service.example.com/cas-sample/j_spring_cas_security_proxyreceptor&quot;
+ *             p:proxyCallbackUrl=&quot;https://service.example.com/cas-sample/login/cas/proxyreceptor&quot;
  *             p:proxyGrantingTicketStorage-ref=&quot;pgtStorage&quot;&gt;
  *             &lt;b:constructor-arg value=&quot;https://login.example.org/cas&quot; /&gt;
  *         &lt;/b:bean&gt;
@@ -188,7 +188,7 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
     //~ Constructors ===================================================================================================
 
     public CasAuthenticationFilter() {
-        super("/j_spring_cas_security_check");
+        super("/login/cas");
         setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler());
     }
 

cas/src/main/java/org/springframework/security/cas/web/authentication/DefaultServiceAuthenticationDetails.java

@@ -1,12 +1,12 @@
 /*
  * Copyright 2011 the original author or authors.
- * 
+ *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  *      http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -135,7 +135,7 @@ static Pattern createArtifactPattern(String artifactParameterName) {
 
     /**
      * Gets the port from the casServiceURL ensuring to return the proper value if the default port is being used.
-     * @param casServiceUrl the casServerUrl to be used (i.e. "https://example.com/context/j_spring_security_cas_check")
+     * @param casServiceUrl the casServerUrl to be used (i.e. "https://example.com/context/login/cas")
      * @return the port that is configured for the casServerUrl
      */
     private static int getServicePort(URL casServiceUrl) {

cas/src/test/java/org/springframework/security/cas/authentication/AbstractStatelessTicketCacheTests.java

@@ -19,7 +19,7 @@ public abstract class AbstractStatelessTicketCacheTests {
 
     protected CasAuthenticationToken getToken() {
         List<String> proxyList = new ArrayList<String>();
-        proxyList.add("https://localhost/newPortal/j_spring_cas_security_check");
+        proxyList.add("https://localhost/newPortal/login/cas");
 
         User user = new User("rod", "password", true, true, true, true, AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO"));
         final Assertion assertion = new AssertionImpl("rod");

cas/src/test/java/org/springframework/security/cas/web/CasAuthenticationEntryPointTests.java

@@ -69,7 +69,7 @@ public void testGettersSetters() {
     public void testNormalOperationWithRenewFalse() throws Exception {
         ServiceProperties sp = new ServiceProperties();
         sp.setSendRenew(false);
-        sp.setService("https://mycompany.com/bigWebApp/j_spring_cas_security_check");
+        sp.setService("https://mycompany.com/bigWebApp/login/cas");
 
         CasAuthenticationEntryPoint ep = new CasAuthenticationEntryPoint();
         ep.setLoginUrl("https://cas/login");
@@ -84,14 +84,14 @@ public void testNormalOperationWithRenewFalse() throws Exception {
         ep.commence(request, response, null);
 
         assertEquals("https://cas/login?service="
-            + URLEncoder.encode("https://mycompany.com/bigWebApp/j_spring_cas_security_check", "UTF-8"),
+            + URLEncoder.encode("https://mycompany.com/bigWebApp/login/cas", "UTF-8"),
             response.getRedirectedUrl());
     }
 
     public void testNormalOperationWithRenewTrue() throws Exception {
         ServiceProperties sp = new ServiceProperties();
         sp.setSendRenew(true);
-        sp.setService("https://mycompany.com/bigWebApp/j_spring_cas_security_check");
+        sp.setService("https://mycompany.com/bigWebApp/login/cas");
 
         CasAuthenticationEntryPoint ep = new CasAuthenticationEntryPoint();
         ep.setLoginUrl("https://cas/login");
@@ -105,7 +105,7 @@ public void testNormalOperationWithRenewTrue() throws Exception {
         ep.afterPropertiesSet();
         ep.commence(request, response, null);
         assertEquals("https://cas/login?service="
-            + URLEncoder.encode("https://mycompany.com/bigWebApp/j_spring_cas_security_check", "UTF-8") + "&renew=true",
+            + URLEncoder.encode("https://mycompany.com/bigWebApp/login/cas", "UTF-8") + "&renew=true",
             response.getRedirectedUrl());
     }
 }

cas/src/test/java/org/springframework/security/cas/web/CasAuthenticationFilterTests.java

@@ -71,7 +71,7 @@ public void testGettersSetters() {
     @Test
     public void testNormalOperation() throws Exception {
         MockHttpServletRequest request = new MockHttpServletRequest();
-        request.setServletPath("/j_spring_cas_security_check");
+        request.setServletPath("/login/cas");
         request.addParameter("ticket", "ST-0-ER94xMJmn6pha35CQRoZ");
 
         CasAuthenticationFilter filter = new CasAuthenticationFilter();

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -948,8 +948,8 @@ public AnonymousConfigurer<HttpSecurity> anonymous() throws Exception {
      *                 .antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
      *                 .and()
      *             .formLogin()
-     *                    .usernameParameter("j_username") // default is username
-     *                    .passwordParameter("j_password") // default is password
+     *                    .usernameParameter("username") // default is username
+     *                    .passwordParameter("password") // default is password
      *                    .loginPage("/authentication/login") // default is /login with an HTTP get
      *                    .failureUrl("/authentication/login?failed") // default is /login?error
      *                    .loginProcessingUrl("/authentication/login/process"); // default is /login with an HTTP post

config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerFactoryBean.java

@@ -6,8 +6,13 @@
 import org.springframework.beans.factory.FactoryBean;
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.BeanIds;
+import org.springframework.security.core.userdetails.UserDetailsService;
+
+import java.util.Arrays;
 
 /**
  * Factory bean for the namespace AuthenticationManager, which allows a more meaningful error message
@@ -28,6 +33,13 @@ public AuthenticationManager getObject() throws Exception {
              return (AuthenticationManager) bf.getBean(BeanIds.AUTHENTICATION_MANAGER);
         } catch (NoSuchBeanDefinitionException e) {
             if (BeanIds.AUTHENTICATION_MANAGER.equals(e.getBeanName())) {
+                try {
+                    UserDetailsService uds = bf.getBean(UserDetailsService.class);
+                    DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+                    provider.setUserDetailsService(uds);
+                    provider.afterPropertiesSet();
+                    return new ProviderManager(Arrays.<AuthenticationProvider>asList(provider));
+                } catch(NoSuchBeanDefinitionException noUds) {}
                 throw new NoSuchBeanDefinitionException(BeanIds.AUTHENTICATION_MANAGER, MISSING_BEAN_ERROR_MESSAGE);
             }
             throw e;

config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java

@@ -130,12 +130,12 @@ final class AuthenticationConfigBuilder {
     private String loginProcessingUrl;
     private String openidLoginProcessingUrl;
 
-    public AuthenticationConfigBuilder(Element element, ParserContext pc, SessionCreationPolicy sessionPolicy,
+    public AuthenticationConfigBuilder(Element element, boolean forceAutoConfig, ParserContext pc, SessionCreationPolicy sessionPolicy,
             BeanReference requestCache, BeanReference authenticationManager, BeanReference sessionStrategy, BeanReference portMapper, BeanReference portResolver, BeanMetadataElement csrfLogoutHandler) {
         this.httpElt = element;
         this.pc = pc;
         this.requestCache = requestCache;
-        autoConfig = "true".equals(element.getAttribute(ATT_AUTO_CONFIG));
+        autoConfig = forceAutoConfig | "true".equals(element.getAttribute(ATT_AUTO_CONFIG));
         this.allowSessionCreation = sessionPolicy != SessionCreationPolicy.NEVER
                 && sessionPolicy != SessionCreationPolicy.STATELESS;
         this.portMapper = portMapper;
@@ -193,7 +193,7 @@ void createFormLoginFilter(BeanReference sessionStrategy, BeanReference authMana
         RootBeanDefinition formFilter = null;
 
         if (formLoginElt != null || autoConfig) {
-            FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/j_spring_security_check",
+            FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/login", "POST",
                     AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache, sessionStrategy, allowSessionCreation, portMapper, portResolver);
 
             parser.parse(formLoginElt, pc);
@@ -218,7 +218,7 @@ void createOpenIDLoginFilter(BeanReference sessionStrategy, BeanReference authMa
         RootBeanDefinition openIDFilter = null;
 
         if (openIDLoginElt != null) {
-            FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/j_spring_openid_security_check",
+            FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/login/openid", null,
                     OPEN_ID_AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache, sessionStrategy, allowSessionCreation, portMapper, portResolver);
 
             parser.parse(openIDLoginElt, pc);
@@ -492,7 +492,11 @@ void createLoginPageFilterIfNeeded() {
     void createLogoutFilter() {
         Element logoutElt = DomUtils.getChildElementByTagName(httpElt, Elements.LOGOUT);
         if (logoutElt != null || autoConfig) {
-            LogoutBeanDefinitionParser logoutParser = new LogoutBeanDefinitionParser(rememberMeServicesId, csrfLogoutHandler);
+            String formLoginPage = getLoginFormUrl(formEntryPoint);
+            if(formLoginPage == null) {
+                formLoginPage = DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL;
+            }
+            LogoutBeanDefinitionParser logoutParser = new LogoutBeanDefinitionParser(formLoginPage,rememberMeServicesId, csrfLogoutHandler);
             logoutFilter = logoutParser.parse(logoutElt, pc);
             logoutHandlers = logoutParser.getLogoutHandlers();
         }

config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java

@@ -48,7 +48,7 @@ public BeanDefinition parse(Element element, ParserContext parserContext) {
             }
         }
 
-        BeanDefinition mds = createSecurityMetadataSource(interceptUrls, element, parserContext);
+        BeanDefinition mds = createSecurityMetadataSource(interceptUrls, false, element, parserContext);
 
         String id = element.getAttribute(AbstractBeanDefinitionParser.ID_ATTRIBUTE);
 
@@ -60,16 +60,16 @@ public BeanDefinition parse(Element element, ParserContext parserContext) {
         return mds;
     }
 
-    static RootBeanDefinition createSecurityMetadataSource(List<Element> interceptUrls, Element elt, ParserContext pc) {
-        MatcherType matcherType = MatcherType.fromElement(elt);
-        boolean useExpressions = isUseExpressions(elt);
+    static RootBeanDefinition createSecurityMetadataSource(List<Element> interceptUrls, boolean addAllAuth, Element httpElt, ParserContext pc) {
+        MatcherType matcherType = MatcherType.fromElement(httpElt);
+        boolean useExpressions = isUseExpressions(httpElt);
 
         ManagedMap<BeanDefinition, BeanDefinition> requestToAttributesMap = parseInterceptUrlsForFilterInvocationRequestMap(
-                matcherType, interceptUrls, useExpressions, pc);
+                matcherType, interceptUrls, useExpressions, addAllAuth, pc);
         BeanDefinitionBuilder fidsBuilder;
 
         if (useExpressions) {
-            Element expressionHandlerElt = DomUtils.getChildElementByTagName(elt, Elements.EXPRESSION_HANDLER);
+            Element expressionHandlerElt = DomUtils.getChildElementByTagName(httpElt, Elements.EXPRESSION_HANDLER);
             String expressionHandlerRef = expressionHandlerElt == null ? null : expressionHandlerElt.getAttribute("ref");
 
             if (StringUtils.hasText(expressionHandlerRef)) {
@@ -86,7 +86,7 @@ static RootBeanDefinition createSecurityMetadataSource(List<Element> interceptUr
             fidsBuilder.addConstructorArgValue(requestToAttributesMap);
         }
 
-        fidsBuilder.getRawBeanDefinition().setSource(pc.extractSource(elt));
+        fidsBuilder.getRawBeanDefinition().setSource(pc.extractSource(httpElt));
 
         return (RootBeanDefinition) fidsBuilder.getBeanDefinition();
     }
@@ -100,12 +100,13 @@ static String registerDefaultExpressionHandler(ParserContext pc) {
     }
 
     static boolean isUseExpressions(Element elt) {
-        return "true".equals(elt.getAttribute(ATT_USE_EXPRESSIONS));
+        String useExpressions = elt.getAttribute(ATT_USE_EXPRESSIONS);
+        return !StringUtils.hasText(useExpressions) || "true".equals(useExpressions);
     }
 
     private static ManagedMap<BeanDefinition, BeanDefinition>
         parseInterceptUrlsForFilterInvocationRequestMap(MatcherType matcherType,
-                List<Element> urlElts, boolean useExpressions, ParserContext parserContext) {
+                List<Element> urlElts, boolean useExpressions, boolean addAuthenticatedAll, ParserContext parserContext) {
 
         ManagedMap<BeanDefinition, BeanDefinition> filterInvocationDefinitionMap = new ManagedMap<BeanDefinition, BeanDefinition>();
 
@@ -147,6 +148,15 @@ static boolean isUseExpressions(Element elt) {
             filterInvocationDefinitionMap.put(matcher, attributeBuilder.getBeanDefinition());
         }
 
+        if(addAuthenticatedAll && filterInvocationDefinitionMap.isEmpty()) {
+
+            BeanDefinition matcher = matcherType.createMatcher("/**", null);
+            BeanDefinitionBuilder attributeBuilder = BeanDefinitionBuilder.rootBeanDefinition(SecurityConfig.class);
+            attributeBuilder.addConstructorArgValue(new String[] { "authenticated" });
+            attributeBuilder.setFactoryMethod("createList");
+            filterInvocationDefinitionMap.put(matcher, attributeBuilder.getBeanDefinition());
+        }
+
         return filterInvocationDefinitionMap;
     }
 

config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java

@@ -66,11 +66,13 @@ public class FormLoginBeanDefinitionParser {
     private RootBeanDefinition filterBean;
     private RootBeanDefinition entryPointBean;
     private String loginPage;
+    private String loginMethod;
     private String loginProcessingUrl;
 
-    FormLoginBeanDefinitionParser(String defaultLoginProcessingUrl, String filterClassName,
+    FormLoginBeanDefinitionParser(String defaultLoginProcessingUrl, String loginMethod, String filterClassName,
             BeanReference requestCache, BeanReference sessionStrategy, boolean allowSessionCreation, BeanReference portMapper, BeanReference portResolver) {
         this.defaultLoginProcessingUrl = defaultLoginProcessingUrl;
+        this.loginMethod = loginMethod;
         this.filterClassName = filterClassName;
         this.requestCache = requestCache;
         this.sessionStrategy = sessionStrategy;
@@ -153,6 +155,9 @@ private RootBeanDefinition createFilterBean(String loginUrl, String defaultTarge
 
         BeanDefinitionBuilder matcherBuilder = BeanDefinitionBuilder.rootBeanDefinition("org.springframework.security.web.util.matcher.AntPathRequestMatcher");
         matcherBuilder.addConstructorArgValue(loginUrl);
+        if(loginMethod != null) {
+            matcherBuilder.addConstructorArgValue("POST");
+        }
 
         filterBuilder.addPropertyValue("requiresAuthenticationRequestMatcher", matcherBuilder.getBeanDefinition());
 

config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -133,10 +133,12 @@ class HttpConfigurationBuilder {
     private CsrfBeanDefinitionParser csrfParser;
 
     private BeanDefinition invalidSession;
+    private boolean addAllAuth;
 
-    public HttpConfigurationBuilder(Element element, ParserContext pc,
+    public HttpConfigurationBuilder(Element element, boolean addAllAuth, ParserContext pc,
             BeanReference portMapper, BeanReference portResolver, BeanReference authenticationManager) {
         this.httpElt = element;
+        this.addAllAuth = addAllAuth;
         this.pc = pc;
         this.portMapper = portMapper;
         this.portResolver = portResolver;
@@ -583,7 +585,7 @@ private void createRequestCacheFilter() {
 
     private void createFilterSecurityInterceptor(BeanReference authManager) {
         boolean useExpressions = FilterInvocationSecurityMetadataSourceParser.isUseExpressions(httpElt);
-        RootBeanDefinition securityMds = FilterInvocationSecurityMetadataSourceParser.createSecurityMetadataSource(interceptUrls, httpElt, pc);
+        RootBeanDefinition securityMds = FilterInvocationSecurityMetadataSourceParser.createSecurityMetadataSource(interceptUrls, addAllAuth, httpElt, pc);
 
         RootBeanDefinition accessDecisionMgr;
         ManagedList<BeanDefinition> voters =  new ManagedList<BeanDefinition>(2);