updated to Spring Security 4

phasenraum2010 · phasenraum2010 · commit 68538923e091 · 2015-12-10T13:47:31.000+01:00
diff --git a/pom.xml b/pom.xml
@@ -8,9 +8,9 @@
 	<url>http://shadowfax.fritz.box/p/greenshop</url>
 	<properties>
 		<java-version>1.8</java-version>
-		<org.springframework-version>4.1.7.RELEASE</org.springframework-version>
-		<spring.integration.version>4.1.6.RELEASE</spring.integration.version>
-		<spring.security.version>3.2.8.RELEASE</spring.security.version>
+		<org.springframework-version>4.2.3.RELEASE</org.springframework-version>
+		<spring.integration.version>4.2.3.RELEASE</spring.integration.version>
+		<spring.security.version>4.0.3.RELEASE</spring.security.version>
 		<org.aspectj-version>1.6.12</org.aspectj-version>
 		<org.slf4j-version>1.7.6</org.slf4j-version>
 		<maven.scm.version>1.9.4</maven.scm.version>
diff --git a/src/main/resources/security-context.xml b/src/main/resources/security-context.xml
@@ -14,10 +14,6 @@
         http://www.springframework.org/schema/security/spring-security.xsd">
         
 	<!-- Spring security -->
-	
-	<!-- 
-	http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html
-	 -->
     
     <security:http pattern="/resources/**" security="none"/>
     <security:http pattern="/product/**" security="none"/>
@@ -27,13 +23,18 @@
 
 	<security:http pattern="/admin/**"
 				   authentication-manager-ref="authenticationManagerAdmin"
-				   use-expressions='true'>
+				   use-expressions="true"
+				   disable-url-rewriting="false"
+				   auto-config="false">
+		<security:headers disabled="true"/>
+		<security:csrf disabled="true"/>
 		<security:intercept-url pattern="/admin/login*" access="permitAll"/>
 		<security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
 		<security:form-login
 				login-page="/admin/login"
 				authentication-failure-url="/admin/login?login_error=1"
-				default-target-url="/admin/"/>
+				default-target-url="/admin/"
+				login-processing-url="/admin/j_spring_security_check"/>
 		<security:logout
 				logout-url="/admin/j_spring_security_logout"
 				logout-success-url="/admin/"
@@ -44,7 +45,11 @@
 
     <security:http pattern="/**"
 				   authentication-manager-ref="authenticationManagerCustomer"
-				   use-expressions='true'>
+				   use-expressions='true'
+				   disable-url-rewriting="false"
+				   auto-config="false">
+		<security:headers disabled="true"/>
+		<security:csrf disabled="true"/>
     	<security:intercept-url pattern="/" access="permitAll"/>
     	<security:intercept-url pattern="/product/**" access="permitAll"/>
     	<security:intercept-url pattern="/manufacturer/**" access="permitAll"/>
@@ -61,7 +66,8 @@
     	<security:form-login 
     		login-page="/login"
     		authentication-failure-url="/login?login_error=1" 
-            authentication-success-handler-ref="populateBasketAfterLogin"/>
+            authentication-success-handler-ref="populateBasketAfterLogin"
+			login-processing-url="/j_spring_security_check"/>
     	<security:logout
 				logout-url="/j_spring_security_logout"
 				invalidate-session="true" delete-cookies="JSESSIONID" />
@@ -79,17 +85,23 @@
     		<security:password-encoder hash="md5"/>
     	</security:authentication-provider>
   	</security:authentication-manager>
-  	
+
+	<security:global-method-security pre-post-annotations="enabled" />
+
   	<bean id="authenticationFilterCustomer"
 		  class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
   		<property name="authenticationManager" ref="authenticationManagerCustomer"/>
   		<property name="filterProcessesUrl" value="/j_spring_security_check"/>
+		<property name="usernameParameter" value="j_username"/>
+		<property name="passwordParameter" value="j_password"/>
 	</bean>
 
 	<bean id="authenticationFilterAdmin"
 		  class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
 		<property name="authenticationManager" ref="authenticationManagerAdmin"/>
 		<property name="filterProcessesUrl" value="/admin/j_spring_security_check"/>
+		<property name="usernameParameter" value="j_username"/>
+		<property name="passwordParameter" value="j_password"/>
 	</bean>
 
 </beans>
diff --git a/src/main/webapp/WEB-INF/jsp/admin/login.jsp b/src/main/webapp/WEB-INF/jsp/admin/login.jsp
@@ -14,7 +14,8 @@
                     <td class="infoBoxHeading"><strong>Administrator Login</strong></td>
                 </tr>
             </table>
-            <form name="login" action='<c:url value="/admin/j_spring_security_check"/>' method="post">
+            <c:url var="loginUrl" value="/admin/j_spring_security_check" />
+            <form action="${loginUrl}" method="post">
                 <table border="0" width="100%" cellspacing="0" cellpadding="2">
                     <tr>
                         <td class="infoBoxContent">Username:<br /><input type="text" name="j_username" /></td>
diff --git a/src/main/webapp/WEB-INF/web.xml b/src/main/webapp/WEB-INF/web.xml
@@ -44,12 +44,14 @@
 	  <filter-name>springSecurityFilterChain</filter-name>
 	  <url-pattern>/*</url-pattern>
 	</filter-mapping>
-	
+
+	<!--
 	<listener>
     	<listener-class>
       		org.springframework.security.web.session.HttpSessionEventPublisher
     	</listener-class>
   	</listener>
+-->
 
 	<!-- Processes application requests -->
 	<servlet>
