From 39cc865a3696b4954d83aa315ba4a0a08613bcbd Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Tue, 28 Apr 2009 12:08:48 +0000 Subject: [PATCH] SEC-1143: Fixed by using BeanDefinitionRegistry.isBeanNameInUse() instead of containsBeanDefinition() to check for the SessionRegistry availability. The former picks up the alias registration of the standard bean Id for user's bean Id. --- .../security/config/FormLoginBeanDefinitionParser.java | 2 +- .../config/HttpSecurityBeanDefinitionParserTests.java | 8 ++++++-- .../org/springframework/security/util/FieldUtils.java | 4 +++- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java index 18c975d0a4..d7a82350de 100644 --- a/config/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java @@ -111,7 +111,7 @@ public class FormLoginBeanDefinitionParser implements BeanDefinitionParser { new RuntimeBeanReference(BeanIds.REMEMBER_ME_SERVICES) ); } - if (pc.getRegistry().containsBeanDefinition(BeanIds.SESSION_REGISTRY)) { + if (pc.getRegistry().isBeanNameInUse(BeanIds.SESSION_REGISTRY)) { filterBean.getPropertyValues().addPropertyValue("sessionRegistry", new RuntimeBeanReference(BeanIds.SESSION_REGISTRY)); } diff --git a/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java index 749a2de8e0..556187abf2 100644 --- a/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java 
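Review bot: The switched check in the FormLoginBeanDefinitionParser hunk carries no comment saying why `isBeanNameInUse` is required, so a later cleanup could revert it to `containsBeanDefinition` and silently drop the session registry from the form-login filter again. Per the commit message, a user-supplied registry is reachable under the standard id only through an alias; without the reference the filter has no `sessionRegistry`, and presumably logins through it are not recorded for concurrent-session control. I would add above the `if`: `// isBeanNameInUse also matches aliases; a user-supplied SessionRegistry is aliased to BeanIds.SESSION_REGISTRY (SEC-1143)`. The remember-me block just before it appears only as trailing context and its condition is outside the hunk, so it is worth confirming whether that lookup needs the same alias-aware check.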
@@ -511,16 +511,20 @@ public class HttpSecurityBeanDefinitionParserTests { "" + AUTH_PROVIDER_XML); Object sessionRegistry = appContext.getBean("seshRegistry"); - Object sessionRegistryFromFilter = FieldUtils.getFieldValue( + Object sessionRegistryFromConcurrencyFilter = FieldUtils.getFieldValue( appContext.getBean(BeanIds.CONCURRENT_SESSION_FILTER),"sessionRegistry"); + Object sessionRegistryFromFormLoginFilter = FieldUtils.getFieldValue( + appContext.getBean(BeanIds.FORM_LOGIN_FILTER),"sessionRegistry"); Object sessionRegistryFromController = FieldUtils.getFieldValue( appContext.getBean(BeanIds.CONCURRENT_SESSION_CONTROLLER),"sessionRegistry"); Object sessionRegistryFromFixationFilter = FieldUtils.getFieldValue( appContext.getBean(BeanIds.SESSION_FIXATION_PROTECTION_FILTER),"sessionRegistry"); - assertSame(sessionRegistry, sessionRegistryFromFilter); + assertSame(sessionRegistry, sessionRegistryFromConcurrencyFilter); assertSame(sessionRegistry, sessionRegistryFromController); assertSame(sessionRegistry, sessionRegistryFromFixationFilter); + // SEC-1143 + assertSame(sessionRegistry, sessionRegistryFromFormLoginFilter); } @Test(expected=BeanDefinitionParsingException.class) diff --git a/core/src/main/java/org/springframework/security/util/FieldUtils.java b/core/src/main/java/org/springframework/security/util/FieldUtils.java index 55cf07d98d..877e12722d 100644 --- a/core/src/main/java/org/springframework/security/util/FieldUtils.java +++ b/core/src/main/java/org/springframework/security/util/FieldUtils.java @@ -91,7 +91,9 @@ public final class FieldUtils { field = getField(componentClass, nestedFields[i]); field.setAccessible(true); value = field.get(value); - componentClass = value.getClass(); + if (value != null) { + componentClass = value.getClass(); + } } return value;
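Review bot: The null guard added in the FieldUtils hunk only helps when the null value is the last segment of the nested path. If an intermediate field is null, the loop goes on with the stale `componentClass` and then calls `field.get(value)` on a null target, which throws a NullPointerException for an instance field. Stop the walk explicitly instead, e.g. `if (value == null) { return null; }`, or throw an IllegalStateException that names `nestedFields[i]`, so callers can see which part of the path was unset. The loop header and the method signature are outside the hunk, so the iteration bounds are not visible here.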