SEC-1584: Additional integration tests.

itest/context/src/test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java

@@ -0,0 +1,65 @@
+package org.springframework.security.integration;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.mock.web.MockFilterChain;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+import javax.servlet.http.HttpSession;
+
+@ContextConfiguration(locations={"/http-path-param-stripping-app-context.xml"})
+@RunWith(SpringJUnit4ClassRunner.class)
+public class HttpPathParameterStrippingTests {
+
+    @Autowired
+    private FilterChainProxy fcp;
+
+    @Test
+    public void securedFilterChainCannotBeBypassedByAddingPathParameters() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setPathInfo("/secured;x=y/admin.html");
+        request.setSession(createAuthenticatedSession("ROLE_USER"));
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        fcp.doFilter(request, response, new MockFilterChain());
+        assertEquals(403, response.getStatus());
+    }
+
+    @Test
+    public void adminFilePatternCannotBeBypassedByAddingPathParameters() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setServletPath("/secured/admin.html;x=user.html");
+        request.setSession(createAuthenticatedSession("ROLE_USER"));
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        fcp.doFilter(request, response, new MockFilterChain());
+        assertEquals(403, response.getStatus());
+
+        // Try with pathInfo
+        request = new MockHttpServletRequest();
+        request.setServletPath("/secured");
+        request.setPathInfo("/admin.html;x=user.html");
+        request.setSession(createAuthenticatedSession("ROLE_USER"));
+        response = new MockHttpServletResponse();
+        fcp.doFilter(request, response, new MockFilterChain());
+        assertEquals(403, response.getStatus());
+    }
+
+    public HttpSession createAuthenticatedSession(String... roles) {
+        MockHttpSession session = new MockHttpSession();
+        SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("bob", "bobspassword", roles));
+        session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
+        SecurityContextHolder.clearContext();
+        return session;
+    }
+
+}

itest/context/src/test/resources/http-path-param-stripping-app-context.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+  -
+  -->
+
+<b:beans xmlns="http://www.springframework.org/schema/security"
+    xmlns:b="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+
+    <http pattern="/secured/**">
+        <intercept-url pattern="/secured/*user.html" access="ROLE_USER" />
+        <intercept-url pattern="/secured/admin.html" access="ROLE_ADMIN" />
+        <intercept-url pattern="/secured/user/**" access="ROLE_USER" />
+        <intercept-url pattern="/secured/admin/*" access="ROLE_ADMIN" />
+        <intercept-url pattern="/**" access="ROLE_NO_ACCESS" />
+        <form-login />
+    </http>
+
+    <http pattern="/**" security="none" />
+
+    <authentication-manager alias="authenticationManager">
+        <authentication-provider>
+            <user-service id="userService">
+                <user name="notused" password="notused" authorities="ROLE_0,ROLE_1"/>
+            </user-service>
+        </authentication-provider>
+    </authentication-manager>
+
+</b:beans>