SEC-1412: Modify DefaultSavedRequest to ignore If-Not-Matched header.

The browser (or at least Firefox) does not send it after a redirect, and it causes problems with Spring's ShallowEtagHeaderFilter if it is stored and returned by the saved request.
16 years ago · 14ae36ac3b
2 changed files with 15 additions and 0 deletions
--- a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
+++ b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
@ -54,6 +54,8 @@ public class DefaultSavedRequest implements SavedRequest {
				@@ -54,6 +54,8 @@ public class DefaultSavedRequest implements SavedRequest {

    public static final String SPRING_SECURITY_SAVED_REQUEST_KEY = "SPRING_SECURITY_SAVED_REQUEST_KEY";

+    private static final String HEADER_IF_NONE_MATCH = "If-None-Match";
+
    //~ Instance fields ================================================================================================

    private ArrayList<SavedCookie> cookies = new ArrayList<SavedCookie>();
@ -92,6 +94,10 @@ public class DefaultSavedRequest implements SavedRequest {
				@@ -92,6 +94,10 @@ public class DefaultSavedRequest implements SavedRequest {

        while (names.hasMoreElements()) {
            String name = names.nextElement();
+            // Skip If-None-Match header. SEC-1412.
+            if (HEADER_IF_NONE_MATCH.equalsIgnoreCase(name)) {
+                continue;
+            }
            Enumeration<String> values = request.getHeaders(name);

            while (values.hasMoreElements()) {
--- a/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
+++ b/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
@ -21,6 +21,15 @@ public class DefaultSavedRequestTests {
				@@ -21,6 +21,15 @@ public class DefaultSavedRequestTests {
        assertEquals("Mozilla", saved.getHeaderValues("user-agent").get(0));
    }

+    // SEC-1412
+    @Test
+    public void discardsIfNoneMatchHeader() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.addHeader("If-None-Match", "somehashvalue");
+        DefaultSavedRequest saved = new DefaultSavedRequest(request, new MockPortResolver(8080, 8443));
+        assertTrue(saved.getHeaderValues("if-none-match").isEmpty());
+    }
+
    // TODO: Why are parameters case insensitive. I think this is a mistake
    @Test
    public void parametersAreCaseInsensitive() throws Exception {