OPEN - issue SEC-825: Query string isn't beig stripped from URLs when ant matcher is in use (regression issue)

http://jira.springframework.org/browse/SEC-825. Make sure the property is set on DefaultFilterInvocationDefinitionSource when ant paths are in use.

core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java

@@ -276,8 +276,11 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
             builder.addPropertyValue("observeOncePerRequest", Boolean.FALSE);
         }
         
-        builder.addPropertyValue("objectDefinitionSource", 
+        DefaultFilterInvocationDefinitionSource fids = 
-                new DefaultFilterInvocationDefinitionSource(matcher, filterInvocationDefinitionMap));
+            new DefaultFilterInvocationDefinitionSource(matcher, filterInvocationDefinitionMap);
+        fids.setStripQueryStringFromUrls(matcher instanceof AntUrlPathMatcher);
+        
+        builder.addPropertyValue("objectDefinitionSource", fids);
         pc.getRegistry().registerBeanDefinition(BeanIds.FILTER_SECURITY_INTERCEPTOR, builder.getBeanDefinition());
         ConfigUtils.addHttpFilter(pc, new RuntimeBeanReference(BeanIds.FILTER_SECURITY_INTERCEPTOR));
     }
@@ -288,7 +291,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
                 new RuntimeBeanReference(BeanIds.CHANNEL_DECISION_MANAGER));
         DefaultFilterInvocationDefinitionSource channelFilterInvDefSource =
             new DefaultFilterInvocationDefinitionSource(matcher, channelRequestMap);
-        
+        channelFilterInvDefSource.setStripQueryStringFromUrls(matcher instanceof AntUrlPathMatcher);
         
         channelFilter.getPropertyValues().addPropertyValue("filterInvocationDefinitionSource",
                 channelFilterInvDefSource);

core/src/main/java/org/springframework/security/intercept/web/DefaultFilterInvocationDefinitionSource.java

@@ -78,7 +78,7 @@ public class DefaultFilterInvocationDefinitionSource implements FilterInvocation
     DefaultFilterInvocationDefinitionSource(UrlMatcher urlMatcher) {
         this.urlMatcher = urlMatcher;
     }
-
+    
     /**
      * Builds the internal request map from the supplied map. The key elements should be of type {@link RequestKey},
      * which contains a URL path and an optional HTTP method (may be null). The path stored in the key will depend on 
@@ -252,7 +252,7 @@ public class DefaultFilterInvocationDefinitionSource implements FilterInvocation
         return urlMatcher.requiresLowerCaseUrl();
     }
 
-    protected void setStripQueryStringFromUrls(boolean stripQueryStringFromUrls) {
+    public void setStripQueryStringFromUrls(boolean stripQueryStringFromUrls) {
         this.stripQueryStringFromUrls = stripQueryStringFromUrls;
     }
 }

core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java

@@ -83,6 +83,7 @@ public class HttpSecurityBeanDefinitionParserTests {
         List filterList = getFilters("/anyurl");
 
         checkAutoConfigFilters(filterList);
+        assertEquals(true, FieldUtils.getFieldValue(filterList.get(10), "objectDefinitionSource.stripQueryStringFromUrls"));
     }
 
     @Test(expected=BeanDefinitionParsingException.class)
@@ -137,7 +138,9 @@ public class HttpSecurityBeanDefinitionParserTests {
                 "    </http>" + AUTH_PROVIDER_XML);
         assertEquals(0, getFilters("/imlowercase").size());
         // This will be matched by the default pattern ".*"
-        checkAutoConfigFilters(getFilters("/ImCaughtByTheUniversalMatchPattern"));
+        List allFilters = getFilters("/ImCaughtByTheUniversalMatchPattern");
+        checkAutoConfigFilters(allFilters);
+        assertEquals(false, FieldUtils.getFieldValue(allFilters.get(10), "objectDefinitionSource.stripQueryStringFromUrls"));
     }
 
     @Test