Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer

.github/actions/algolia-config.json

@@ -0,0 +1,20 @@
+{
+  "index_name": "security-docs",
+  "start_urls": [
+    "https://docs.spring.io/spring-security/reference/"
+  ],
+  "selectors": {
+    "lvl0": {
+      "selector": "//nav[@class='crumbs']//li[@class='crumb'][last()-1]",
+      "type": "xpath",
+      "global": true,
+      "default_value": "Home"
+    },
+    "lvl1": ".doc h1",
+    "lvl2": ".doc h2",
+    "lvl3": ".doc h3",
+    "lvl4": ".doc h4",
+    "text": ".doc p, .doc td.content, .doc th.tableblock"
+  }
+}
+

.github/actions/algolia-deploy.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+HOST="$1"
+HOST_PATH="$2"
+SSH_PRIVATE_KEY="$3"
+SSH_KNOWN_HOST="$4"
+
+
+if [ "$#" -ne 4 ]; then
+  echo -e "not enough arguments USAGE:\n\n$0 \$HOST \$HOST_PATH \$SSH_PRIVATE_KEY \$SSH_KNOWN_HOSTS \n\n" >&2
+  exit 1
+fi
+
+# Use a non-default path to avoid overriding when testing locally
+SSH_PRIVATE_KEY_PATH=~/.ssh/github-actions-docs
+install -m 600 -D /dev/null "$SSH_PRIVATE_KEY_PATH"
+echo "$SSH_PRIVATE_KEY" > "$SSH_PRIVATE_KEY_PATH"
+echo "$SSH_KNOWN_HOST" > ~/.ssh/known_hosts
+rsync --delete -avze "ssh -i $SSH_PRIVATE_KEY_PATH" docs/build/site/ "$HOST:$HOST_PATH"
+rm -f "$SSH_PRIVATE_KEY_PATH"

.github/actions/algolia-docsearch-scraper.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+###
+# Docs
+# config.json https://docsearch.algolia.com/docs/config-file
+# Run the crawler https://docsearch.algolia.com/docs/run-your-own/#run-the-crawl-from-the-docker-image
+
+### USAGE
+if [ "$#" -ne 3 ]; then
+  echo -e "not enough arguments USAGE:\n\n$0 \$ALGOLIA_APPLICATION_ID \$ALGOLIA_API_KEY \$CONFIG_FILE\n\n" >&2
+  exit 1
+fi
+
+# Script Parameters
+APPLICATION_ID=$1
+API_KEY=$2
+CONFIG_FILE=$3
+
+#### Script
+script_dir=$(dirname $0)
+docker run -e "APPLICATION_ID=$APPLICATION_ID" -e "API_KEY=$API_KEY" -e "CONFIG=$(cat $CONFIG_FILE | jq -r tostring)" algolia/docsearch-scraper

.github/actions/dispatch.sh

@@ -1,5 +1,5 @@
 REPOSITORY_REF="$1"
 TOKEN="$2"
 
-curl -H "Accept: application/vnd.github.everest-preview+json" -H "Authorization: token ${TOKEN}" --request POST  --data '{"event_type": "request-build"}' https://api.github.com/repos/${REPOSITORY_REF}/dispatches
-echo "Requested Build for $REPOSITORY_REF"
+curl -H "Accept: application/vnd.github.everest-preview+json" -H "Authorization: token ${TOKEN}" --request POST  --data '{"event_type": "request-build-reference"}' https://api.github.com/repos/${REPOSITORY_REF}/dispatches
+echo "Requested Build for $REPOSITORY_REF"

.github/workflows/algolia-index.yml

@@ -0,0 +1,16 @@
+name: Update Algolia Index
+
+on:
+  schedule:
+    - cron: '0 10 * * *' # Once per day at 10am UTC
+  workflow_dispatch: # Manual trigger
+
+jobs:
+  update:
+    name: Update Algolia Index
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v2
+      - name: Update Index
+        run: ${GITHUB_WORKSPACE}/.github/actions/algolia-docsearch-scraper.sh "${{ secrets.ALGOLIA_APPLICATION_ID }}" "${{ secrets.ALGOLIA_WRITE_API_KEY }}" "${GITHUB_WORKSPACE}/.github/actions/algolia-config.json"

.github/workflows/build-reference.yml → .github/workflows/antora-generate.yml

@@ -1,9 +1,11 @@
-name: reference
+name: Generate Antora Files and Request Build
 
 on:
+  workflow_dispatch:
   push:
     branches-ignore:
       - 'gh-pages'
+    tags: '**'
 
 env:
   GH_ACTIONS_REPO_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
@@ -27,4 +29,4 @@ jobs:
           repository-name: "spring-io/spring-generated-docs"
           token: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
       - name: Dispatch Build Request
-        run: ${GITHUB_WORKSPACE}/.github/actions/dispatch.sh 'spring-io/spring-reference' "$GH_ACTIONS_REPO_TOKEN"
+        run: ${GITHUB_WORKSPACE}/.github/actions/dispatch.sh 'spring-projects/spring-security' "$GH_ACTIONS_REPO_TOKEN"

.github/workflows/backport-bot.yml

@@ -0,0 +1,26 @@
+name: Backport Bot
+
+on:
+  issues:
+    types: [labeled]
+  pull_request:
+    types: [labeled]
+  push:
+    branches:
+      - '*.x'
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+      - name: Download BackportBot
+        run: wget https://github.com/spring-io/backport-bot/releases/download/latest/backport-bot-0.0.1-SNAPSHOT.jar
+      - name: Backport
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_EVENT: ${{ toJSON(github.event) }}
+        run: java -jar backport-bot-0.0.1-SNAPSHOT.jar --github.accessToken="$GITHUB_TOKEN" --github.event_name "$GITHUB_EVENT_NAME" --github.event "$GITHUB_EVENT"

.github/workflows/continuous-integration-workflow.yml

@@ -95,11 +95,15 @@ jobs:
           mkdir -p ~/.gradle
           echo 'systemProp.user.name=spring-builds+github' >> ~/.gradle/gradle.properties
       - name: Check samples project
+        env:
+          LOCAL_REPOSITORY_PATH: ${{ github.workspace }}/build/publications/repos
+          SAMPLES_INIT_SCRIPT: ${{ github.workspace }}/build/includeRepo/spring-security-ci.gradle
         run: |
           export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
           export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
           export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
-          ./gradlew checkSamples --stacktrace
+          ./gradlew publishMavenJavaPublicationToLocalRepository
+          ./gradlew checkSamples -PsamplesInitScript="$SAMPLES_INIT_SCRIPT" -PlocalRepositoryPath="$LOCAL_REPOSITORY_PATH" --stacktrace
   check_tangles:
     name: Check for Package Tangles
     needs: [ prerequisites ]

.github/workflows/deploy-reference.yml

@@ -0,0 +1,33 @@
+name: Build & Deploy Reference
+
+on:
+  repository_dispatch:
+    types: request-build-reference
+  schedule:
+    - cron: '0 10 * * *' # Once per day at 10am UTC
+  workflow_dispatch: # Manual trigger
+
+jobs:
+  deploy:
+    name: deploy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK 11
+        uses: actions/setup-java@v2
+        with:
+          java-version: '11'
+          distribution: 'adopt'
+          cache: gradle
+      - name: Validate Gradle wrapper
+        uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b
+      - name: Build with Gradle
+        run: ./gradlew :spring-security-docs:antora --stacktrace
+      - name: Cleanup Gradle Cache
+        # Remove some files from the Gradle cache, so they aren't cached by GitHub Actions.
+        # Restoring these files from a GitHub Actions cache might cause problems for future builds.
+        run: |
+          rm -f ~/.gradle/caches/modules-2/modules-2.lock
+          rm -f ~/.gradle/caches/modules-2/gc.properties
+      - name: Deploy
+        run: ${GITHUB_WORKSPACE}/.github/actions/algolia-deploy.sh "${{ secrets.DOCS_USERNAME }}@${{ secrets.DOCS_HOST }}" "/opt/www/domains/spring.io/docs/htdocs/spring-security/reference/" "${{ secrets.DOCS_SSH_KEY }}" "${{ secrets.DOCS_SSH_HOST_KEY }}"

.sdkmanrc

@@ -0,0 +1,6 @@
+# Use sdkman to run "sdk env" to initialize with correct JDK version
+# Enable auto-env through the sdkman_auto_env config
+# See https://sdkman.io/usage#config
+# A summary is to add the following to ~/.sdkman/etc/config
+# sdkman_auto_env=true
+java=11.0.14-tem

RELEASE.adoc

@@ -78,6 +78,16 @@ Alternatively, you can manually check using https://github.com/spring-projects/s
 
 Update the version number in `gradle.properties` for the release, for example `5.5.0-M1`, `5.5.0-RC1`, `5.5.0`
 
+= Update Antora Version
+
+You will need to update the antora.yml version.
+If you are unsure of what the values should be, the following task will instruct you what the expected values are:
+
+[source,bash]
+----
+./gradlew :spring-security-docs:antoraCheckVersion
+----
+
 = Build Locally
 
 Run the build using
@@ -119,7 +129,7 @@ git push origin 5.4.0-RC1
 
 == 7. Update to Next Development Version
 
-* Update `gradle.properties` version to next `+SNAPSHOT+` version and then push
+* Update `gradle.properties` version to next `+SNAPSHOT+` version, update antora.yml, and then push
 
 == 8. Update version on project page
 

acl/src/main/java/org/springframework/security/acls/jdbc/BasicLookupStrategy.java

@@ -42,7 +42,7 @@
 import org.springframework.security.acls.domain.DefaultPermissionFactory;
 import org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy;
 import org.springframework.security.acls.domain.GrantedAuthoritySid;
-import org.springframework.security.acls.domain.ObjectIdentityImpl;
+import org.springframework.security.acls.domain.ObjectIdentityRetrievalStrategyImpl;
 import org.springframework.security.acls.domain.PermissionFactory;
 import org.springframework.security.acls.domain.PrincipalSid;
 import org.springframework.security.acls.model.AccessControlEntry;
@@ -51,6 +51,7 @@
 import org.springframework.security.acls.model.MutableAcl;
 import org.springframework.security.acls.model.NotFoundException;
 import org.springframework.security.acls.model.ObjectIdentity;
+import org.springframework.security.acls.model.ObjectIdentityGenerator;
 import org.springframework.security.acls.model.Permission;
 import org.springframework.security.acls.model.PermissionGrantingStrategy;
 import org.springframework.security.acls.model.Sid;
@@ -73,8 +74,8 @@
  * one in <tt>lookupObjectIdentities</tt>. These are built from the same select and "order
  * by" clause, using a different where clause in each case. In order to use custom schema
  * or column names, each of these SQL clauses can be customized, but they must be
- * consistent with each other and with the expected result set generated by the the
- * default values.
+ * consistent with each other and with the expected result set generated by the default
+ * values.
  *
  * @author Ben Alex
  */
@@ -109,6 +110,8 @@ public class BasicLookupStrategy implements LookupStrategy {
 
 	private final AclAuthorizationStrategy aclAuthorizationStrategy;
 
+	private ObjectIdentityGenerator objectIdentityGenerator;
+
 	private PermissionFactory permissionFactory = new DefaultPermissionFactory();
 
 	private final AclCache aclCache;
@@ -162,6 +165,7 @@ public BasicLookupStrategy(DataSource dataSource, AclCache aclCache,
 		this.aclCache = aclCache;
 		this.aclAuthorizationStrategy = aclAuthorizationStrategy;
 		this.grantingStrategy = grantingStrategy;
+		this.objectIdentityGenerator = new ObjectIdentityRetrievalStrategyImpl();
 		this.aclClassIdUtils = new AclClassIdUtils();
 		this.fieldAces.setAccessible(true);
 		this.fieldAcl.setAccessible(true);
@@ -488,6 +492,11 @@ public final void setAclClassIdSupported(boolean aclClassIdSupported) {
 		}
 	}
 
+	public final void setObjectIdentityGenerator(ObjectIdentityGenerator objectIdentityGenerator) {
+		Assert.notNull(objectIdentityGenerator, "objectIdentityGenerator cannot be null");
+		this.objectIdentityGenerator = objectIdentityGenerator;
+	}
+
 	public final void setConversionService(ConversionService conversionService) {
 		this.aclClassIdUtils = new AclClassIdUtils(conversionService);
 	}
@@ -569,7 +578,8 @@ private void convertCurrentResultIntoObject(Map<Serializable, Acl> acls, ResultS
 				// target id type, e.g. UUID.
 				Serializable identifier = (Serializable) rs.getObject("object_id_identity");
 				identifier = BasicLookupStrategy.this.aclClassIdUtils.identifierFrom(identifier, rs);
-				ObjectIdentity objectIdentity = new ObjectIdentityImpl(rs.getString("class"), identifier);
+				ObjectIdentity objectIdentity = BasicLookupStrategy.this.objectIdentityGenerator
+						.createObjectIdentity(identifier, rs.getString("class"));
 
 				Acl parentAcl = null;
 				long parentAclId = rs.getLong("parent_object");

acl/src/main/java/org/springframework/security/acls/jdbc/JdbcAclService.java

@@ -31,11 +31,12 @@
 import org.springframework.core.convert.ConversionService;
 import org.springframework.jdbc.core.JdbcOperations;
 import org.springframework.jdbc.core.JdbcTemplate;
-import org.springframework.security.acls.domain.ObjectIdentityImpl;
+import org.springframework.security.acls.domain.ObjectIdentityRetrievalStrategyImpl;
 import org.springframework.security.acls.model.Acl;
 import org.springframework.security.acls.model.AclService;
 import org.springframework.security.acls.model.NotFoundException;
 import org.springframework.security.acls.model.ObjectIdentity;
+import org.springframework.security.acls.model.ObjectIdentityGenerator;
 import org.springframework.security.acls.model.Sid;
 import org.springframework.util.Assert;
 
@@ -81,6 +82,8 @@ public class JdbcAclService implements AclService {
 
 	private AclClassIdUtils aclClassIdUtils;
 
+	private ObjectIdentityGenerator objectIdentityGenerator;
+
 	public JdbcAclService(DataSource dataSource, LookupStrategy lookupStrategy) {
 		this(new JdbcTemplate(dataSource), lookupStrategy);
 	}
@@ -91,6 +94,7 @@ public JdbcAclService(JdbcOperations jdbcOperations, LookupStrategy lookupStrate
 		this.jdbcOperations = jdbcOperations;
 		this.lookupStrategy = lookupStrategy;
 		this.aclClassIdUtils = new AclClassIdUtils();
+		this.objectIdentityGenerator = new ObjectIdentityRetrievalStrategyImpl();
 	}
 
 	@Override
@@ -105,7 +109,7 @@ private ObjectIdentity mapObjectIdentityRow(ResultSet rs) throws SQLException {
 		String javaType = rs.getString("class");
 		Serializable identifier = (Serializable) rs.getObject("obj_id");
 		identifier = this.aclClassIdUtils.identifierFrom(identifier, rs);
-		return new ObjectIdentityImpl(javaType, identifier);
+		return this.objectIdentityGenerator.createObjectIdentity(identifier, javaType);
 	}
 
 	@Override
@@ -165,6 +169,11 @@ public void setConversionService(ConversionService conversionService) {
 		this.aclClassIdUtils = new AclClassIdUtils(conversionService);
 	}
 
+	public void setObjectIdentityGenerator(ObjectIdentityGenerator objectIdentityGenerator) {
+		Assert.notNull(objectIdentityGenerator, "objectIdentityGenerator cannot be null");
+		this.objectIdentityGenerator = objectIdentityGenerator;
+	}
+
 	protected boolean isAclClassIdSupported() {
 		return this.aclClassIdSupported;
 	}

acl/src/test/java/org/springframework/security/acls/jdbc/AbstractBasicLookupStrategyTests.java

@@ -318,4 +318,13 @@ public void testCreateGrantedAuthority() {
 		assertThat(((GrantedAuthoritySid) result).getGrantedAuthority()).isEqualTo("sid");
 	}
 
+	@Test
+	public void setObjectIdentityGeneratorWhenNullThenThrowsIllegalArgumentException() {
+		// @formatter:off
+		assertThatIllegalArgumentException()
+				.isThrownBy(() -> this.strategy.setObjectIdentityGenerator(null))
+				.withMessage("objectIdentityGenerator cannot be null");
+		// @formatter:on
+	}
+
 }

acl/src/test/java/org/springframework/security/acls/jdbc/JdbcAclServiceTests.java

@@ -45,6 +45,7 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyList;
 import static org.mockito.ArgumentMatchers.anyString;
@@ -170,6 +171,26 @@ public void findChildrenOfIdTypeUUID() {
 				.isEqualTo(UUID.fromString("25d93b3f-c3aa-4814-9d5e-c7c96ced7762"));
 	}
 
+	@Test
+	public void setObjectIdentityGeneratorWhenNullThenThrowsIllegalArgumentException() {
+		assertThatIllegalArgumentException()
+				.isThrownBy(() -> this.aclServiceIntegration.setObjectIdentityGenerator(null))
+				.withMessage("objectIdentityGenerator cannot be null");
+	}
+
+	@Test
+	public void findChildrenWhenObjectIdentityGeneratorSetThenUsed() {
+		this.aclServiceIntegration
+				.setObjectIdentityGenerator((id, type) -> new ObjectIdentityImpl(type, "prefix:" + id));
+
+		ObjectIdentity objectIdentity = new ObjectIdentityImpl("location", "US");
+		this.aclServiceIntegration.setAclClassIdSupported(true);
+		List<ObjectIdentity> objectIdentities = this.aclServiceIntegration.findChildren(objectIdentity);
+		assertThat(objectIdentities.size()).isEqualTo(1);
+		assertThat(objectIdentities.get(0).getType()).isEqualTo("location");
+		assertThat(objectIdentities.get(0).getIdentifier()).isEqualTo("prefix:US-PAL");
+	}
+
 	class MockLongIdDomainObject {
 
 		private Object id;

aspects/spring-security-aspects.gradle

@@ -27,7 +27,3 @@ sourceSets.test.aspectj.srcDir "src/test/java"
 sourceSets.test.java.srcDirs = files()
 
 compileAspectj.ajcOptions.outxmlfile = "META-INF/aop.xml"
-
-aspectj {
-	version = aspectjVersion
-}