From 14ae36ac3bdc60b311e242b636bdbd02460f07ea Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Thu, 18 Feb 2010 00:02:57 +0000
Subject: [PATCH] SEC-1412: Modify DefaultSavedRequest to ignore If-Not-Matched header. The browser (or at least Firefox) does not send it after a redirect, and it causes problems with Spring's ShallowEtagHeaderFilter if it is stored and returned by the saved request.
---
 .../security/web/savedrequest/DefaultSavedRequest.java | 6 ++++++
 .../web/savedrequest/DefaultSavedRequestTests.java | 9 +++++++++
 2 files changed, 15 insertions(+)
diff --git a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
index 10c39bbb38..f49a470a38 100644
--- a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
+++ b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
@@ -54,6 +54,8 @@ public class DefaultSavedRequest implements SavedRequest {
 public static final String SPRING_SECURITY_SAVED_REQUEST_KEY = "SPRING_SECURITY_SAVED_REQUEST_KEY";
+ private static final String HEADER_IF_NONE_MATCH = "If-None-Match";
+
 //~ Instance fields ================================================================================================
 private ArrayList cookies = new ArrayList();
@@ -92,6 +94,10 @@ public class DefaultSavedRequest implements SavedRequest {
 while (names.hasMoreElements()) {
 String name = names.nextElement();
+ // Skip If-None-Match header. SEC-1412.
+ if (HEADER_IF_NONE_MATCH.equalsIgnoreCase(name)) {
+ continue;
+ }
 Enumeration values = request.getHeaders(name);
 while (values.hasMoreElements()) {
diff --git a/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java b/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
index f5b5f1f76d..2c1913df16 100644
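Review bot: The skip added in the `@@ -92,6 +94,10 @@` hunk of DefaultSavedRequest.java covers only `If-None-Match`; other conditional request headers such as `If-Modified-Since` are still copied into the saved request. They would presumably be replayed after the login redirect in the same way, so a handler that does last-modified checks could still answer 304 to a request the browser did not make conditional. Consider widening the guard to `if (HEADER_IF_NONE_MATCH.equalsIgnoreCase(name) || "If-Modified-Since".equalsIgnoreCase(name)) {`. The comment should also say why the header is dropped, for example `// Not re-sent by the browser after the redirect; replaying it can produce an unexpected 304 (SEC-1412).` The header loop and the constructor around it start and end outside the hunk.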
--- a/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
+++ b/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
@@ -21,6 +21,15 @@ public class DefaultSavedRequestTests {
 assertEquals("Mozilla", saved.getHeaderValues("user-agent").get(0));
 }
+ // SEC-1412
+ @Test
+ public void discardsIfNoneMatchHeader() throws Exception {
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.addHeader("If-None-Match", "somehashvalue");
+ DefaultSavedRequest saved = new DefaultSavedRequest(request, new MockPortResolver(8080, 8443));
+ assertTrue(saved.getHeaderValues("if-none-match").isEmpty());
+ }
+
 // TODO: Why are parameters case insensitive. I think this is a mistake
 @Test
 public void parametersAreCaseInsensitive() throws Exception {
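Review bot: `discardsIfNoneMatchHeader` only asserts that the dropped header is absent, so it would still pass if the new `continue` skipped every header. Adding an unrelated header to the same request and asserting that it survives would pin the filter to the one name: `request.addHeader("User-Agent", "Mozilla");` before constructing the saved request, then `assertEquals("Mozilla", saved.getHeaderValues("user-agent").get(0));`. A second case that sends the name in a different case, such as `if-none-match`, would exercise the `equalsIgnoreCase` branch, which the current test does not reach.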