SEC-1143: Fixed by using BeanDefinitionRegistry.isBeanNameInUse() instead of containsBeanDefinition() to check for the SessionRegistry availability. The former picks up the alias registration of the standard bean Id for user's bean Id.

17 years ago · 39cc865a36
3 changed files with 10 additions and 4 deletions
--- a/config/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java
@ -111,7 +111,7 @@ public class FormLoginBeanDefinitionParser implements BeanDefinitionParser {
				@@ -111,7 +111,7 @@ public class FormLoginBeanDefinitionParser implements BeanDefinitionParser {
                    new RuntimeBeanReference(BeanIds.REMEMBER_ME_SERVICES) );
        }

-        if (pc.getRegistry().containsBeanDefinition(BeanIds.SESSION_REGISTRY)) {
+        if (pc.getRegistry().isBeanNameInUse(BeanIds.SESSION_REGISTRY)) {
            filterBean.getPropertyValues().addPropertyValue("sessionRegistry",
                    new RuntimeBeanReference(BeanIds.SESSION_REGISTRY));
        }
--- a/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
@ -511,16 +511,20 @@ public class HttpSecurityBeanDefinitionParserTests {
				@@ -511,16 +511,20 @@ public class HttpSecurityBeanDefinitionParserTests {
                "<b:bean id='seshRegistry' class='" + SessionRegistryImpl.class.getName() + "'/>" +
                AUTH_PROVIDER_XML);
        Object sessionRegistry = appContext.getBean("seshRegistry");
-        Object sessionRegistryFromFilter = FieldUtils.getFieldValue(
+        Object sessionRegistryFromConcurrencyFilter = FieldUtils.getFieldValue(
                appContext.getBean(BeanIds.CONCURRENT_SESSION_FILTER),"sessionRegistry");
+        Object sessionRegistryFromFormLoginFilter = FieldUtils.getFieldValue(
+                appContext.getBean(BeanIds.FORM_LOGIN_FILTER),"sessionRegistry");
        Object sessionRegistryFromController = FieldUtils.getFieldValue(
                appContext.getBean(BeanIds.CONCURRENT_SESSION_CONTROLLER),"sessionRegistry");
        Object sessionRegistryFromFixationFilter = FieldUtils.getFieldValue(
                appContext.getBean(BeanIds.SESSION_FIXATION_PROTECTION_FILTER),"sessionRegistry");

-        assertSame(sessionRegistry, sessionRegistryFromFilter);
+        assertSame(sessionRegistry, sessionRegistryFromConcurrencyFilter);
        assertSame(sessionRegistry, sessionRegistryFromController);
        assertSame(sessionRegistry, sessionRegistryFromFixationFilter);
+        // SEC-1143
+        assertSame(sessionRegistry, sessionRegistryFromFormLoginFilter);
    }

    @Test(expected=BeanDefinitionParsingException.class)
--- a/core/src/main/java/org/springframework/security/util/FieldUtils.java
+++ b/core/src/main/java/org/springframework/security/util/FieldUtils.java
@ -91,7 +91,9 @@ public final class FieldUtils {
				@@ -91,7 +91,9 @@ public final class FieldUtils {
            field = getField(componentClass, nestedFields[i]);
            field.setAccessible(true);
            value = field.get(value);
-            componentClass = value.getClass();
+            if (value != null) {
+                componentClass = value.getClass();
+            }
        }

        return value;