GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

SEC-3135: antMatchers now allows method and no pattern 

Previously, antMatchers(POST).authenticated() was not allowed. Instead
users had to use antMatchers(POST, "/**").authenticated().

Now we default the patterns to be "/**" if it is null or empty.
pull/260/head
Rob Winch 10 years ago
parent
72213b5c69
commit
8663ac4173
2 changed files with 90 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 4
      config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java
  2. 86
      config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java

4
config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java
Unescape View File

@ -25,6 +25,7 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher; import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.RegexRequestMatcher; import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.ObjectUtils;
/** /**
* A base class for registering {@link RequestMatcher}'s. For example, it might allow for * A base class for registering {@link RequestMatcher}'s. For example, it might allow for
@ -151,6 +152,9 @@ public abstract class AbstractRequestMatcherRegistry<C> {
public static List<RequestMatcher> antMatchers(HttpMethod httpMethod, public static List<RequestMatcher> antMatchers(HttpMethod httpMethod,
String... antPatterns) { String... antPatterns) {
String method = httpMethod == null ? null : httpMethod.toString(); String method = httpMethod == null ? null : httpMethod.toString();
if(ObjectUtils.isEmpty(antPatterns)) {
antPatterns = new String[] { "/**" };
}
List<RequestMatcher> matchers = new ArrayList<RequestMatcher>(); List<RequestMatcher> matchers = new ArrayList<RequestMatcher>();
for (String pattern : antPatterns) { for (String pattern : antPatterns) {
matchers.add(new AntPathRequestMatcher(pattern, method)); matchers.add(new AntPathRequestMatcher(pattern, method));

86
config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java
Unescape View File

@ -0,0 +1,86 @@
/*
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.annotation.web.configurers;
import static org.fest.assertions.Assertions.*;
import javax.servlet.http.HttpServletResponse;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
/**
* @author Rob Winch
*
*/
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration
@WebAppConfiguration
public class AuthorizeRequestsTests {
@Autowired
MockHttpServletRequest request;
@Autowired
MockHttpServletResponse response;
MockFilterChain chain;
@Autowired
FilterChainProxy springSecurityFilterChain;
@Before
public void setup() {
chain = new MockFilterChain();
}
// SEC-3135
@Test
public void antMatchersMethodAndNoPatterns() throws Exception {
request.setMethod("POST");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
}
@EnableWebSecurity
static class Config extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.POST).denyAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication();
}
}
}
Write Preview
Loading…
Cancel
Save