Fix NPE requestMatchers().mvcMatchers

Fixes gh-3969
10 years ago · 7d1344fca8
2 changed files with 162 additions and 6 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,8 +18,10 @@ package org.springframework.security.config.annotation.web.configuration;
 import java.lang.reflect.Field;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import org.apache.commons.logging.Log;
@ -174,12 +176,10 @@ public abstract class WebSecurityConfigurerAdapter implements
 		AuthenticationManager authenticationManager = authenticationManager();
 		authenticationBuilder.parentAuthenticationManager(authenticationManager);
 		Map<Class<? extends Object>, Object> sharedObjects = createSharedObjects();
 		http = new HttpSecurity(objectPostProcessor, authenticationBuilder,
-				localConfigureAuthenticationBldr.getSharedObjects());
+				sharedObjects);
 		http.setSharedObject(UserDetailsService.class, userDetailsService());
 		http.setSharedObject(ApplicationContext.class, context);
 		http.setSharedObject(ContentNegotiationStrategy.class, contentNegotiationStrategy);
 		http.setSharedObject(AuthenticationTrustResolver.class, trustResolver);
 		if (!disableDefaults) {
 			// @formatter:off
 			http
@ -375,6 +375,21 @@ public abstract class WebSecurityConfigurerAdapter implements
 		this.authenticationConfiguration = authenticationConfiguration;
 	}
 	/**
 	 * Creates the shared objects
 	 *
 	 * @return the shared Objects
 	 */
 	private Map<Class<? extends Object>, Object> createSharedObjects() {
 		Map<Class<? extends Object>, Object> sharedObjects = new HashMap<Class<? extends Object>, Object>();
 		sharedObjects.putAll(localConfigureAuthenticationBldr.getSharedObjects());
 		sharedObjects.put(UserDetailsService.class, userDetailsService());
 		sharedObjects.put(ApplicationContext.class, context);
 		sharedObjects.put(ContentNegotiationStrategy.class, contentNegotiationStrategy);
 		sharedObjects.put(AuthenticationTrustResolver.class, trustResolver);
 		return sharedObjects;
 	}
 	/**
 	 * Delays the use of the {@link UserDetailsService} from the
 	 * {@link AuthenticationManagerBuilder} to ensure that it has been fully configured.
@ -489,4 +504,5 @@ public abstract class WebSecurityConfigurerAdapter implements
 			}
 		}
 	}
 }
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityRequestMatchersTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityRequestMatchersTests.java
@ -0,0 +1,140 @@
 /*
 * Copyright 2002-2016 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.springframework.security.config.annotation.web.configurers;
 import javax.servlet.http.HttpServletResponse;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.mock.web.MockFilterChain;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockServletContext;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import static org.assertj.core.api.Assertions.assertThat;
 /**
 * @author Rob Winch
 *
 */
 public class HttpSecurityRequestMatchersTests {
 	AnnotationConfigWebApplicationContext context;
 	MockHttpServletRequest request;
 	MockHttpServletResponse response;
 	MockFilterChain chain;
 	@Autowired
 	FilterChainProxy springSecurityFilterChain;
 	@Before
 	public void setup() {
 		this.request = new MockHttpServletRequest();
 		this.request.setMethod("GET");
 		this.response = new MockHttpServletResponse();
 		this.chain = new MockFilterChain();
 	}
 	@After
 	public void cleanup() {
 		if (this.context != null) {
 			this.context.close();
 		}
 	}
 	@Test
 	public void requestMatchersMvcMatcher() throws Exception {
 		loadConfig(RequestMatchersMvcMatcherConfig.class);
 		this.request.setServletPath("/path");
 		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
 		assertThat(this.response.getStatus())
 				.isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
 		setup();
 		this.request.setServletPath("/path.html");
 		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
 		assertThat(this.response.getStatus())
 				.isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
 		setup();
 		this.request.setServletPath("/path/");
 		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
 		assertThat(this.response.getStatus())
 				.isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
 	}
 	@EnableWebSecurity
 	@Configuration
 	@EnableWebMvc
 	static class RequestMatchersMvcMatcherConfig extends WebSecurityConfigurerAdapter {
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
 				.requestMatchers()
 					.mvcMatchers("/path")
 					.and()
 				.httpBasic().and()
 				.authorizeRequests()
 					.anyRequest().denyAll();
 			// @formatter:on
 		}
 		@Override
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			// @formatter:off
 			auth
 				.inMemoryAuthentication();
 			// @formatter:on
 		}
 		@RestController
 		static class PathController {
 			@RequestMapping("/path")
 			public String path() {
 				return "path";
 			}
 		}
 	}
 	public void loadConfig(Class<?>... configs) {
 		this.context = new AnnotationConfigWebApplicationContext();
 		this.context.register(configs);
 		this.context.setServletContext(new MockServletContext());
 		this.context.refresh();
 		this.context.getAutowireCapableBeanFactory().autowireBean(this);
 	}
 }