SEC-1662: Cater for the case where a user uses two <http> elements without patterns and the RequestMatcher does not have two arguments.

15 years ago · 866615ceaa
2 changed files with 21 additions and 4 deletions
--- a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
@ -273,8 +273,11 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
				@@ -273,8 +273,11 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
            for (BeanDefinition matcherBean : filterChainMap.keySet()) {
                if (existingFilterChainMap.containsKey(matcherBean)) {
                    Map<Integer,ValueHolder> args = matcherBean.getConstructorArgumentValues().getIndexedArgumentValues();
+                    String matcherError = args.size() == 2 ? args.get(0).getValue() + ", " +args.get(1).getValue() :
+                            matcherBean.toString();
                    pc.getReaderContext().error("The filter chain map already contains this request matcher ["
-                            + args.get(0).getValue() + ", " +args.get(1).getValue() + "]", source);
+                            + matcherError + "]. If you are using multiple <http> namespace elements, you must use a 'pattern' attribute" +
+                            " to define the request patterns to which they apply.", source);
                }
            }
            existingFilterChainMap.putAll(filterChainMap);
--- a/config/src/test/groovy/org/springframework/security/config/http/MultiHttpBlockConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/MultiHttpBlockConfigTests.groovy
@ -29,12 +29,12 @@ class MultiHttpBlockConfigTests extends AbstractHttpConfigTests {
				@@ -29,12 +29,12 @@ class MultiHttpBlockConfigTests extends AbstractHttpConfigTests {
        (filterChains.keySet() as List)[0].pattern == '/stateless/**'
    }

-    def duplicatePatternsAreRejected () {
+    def duplicateHttpElementsAreRejected () {
        when: "Two <http> elements are used"
-        xml.http(pattern: '/stateless/**', 'create-session': 'stateless') {
+        xml.http('create-session': 'stateless') {
            'http-basic'()
        }
-        xml.http(pattern: '/stateless/**') {
+        xml.http() {
            'form-login'()
        }
        createAppContext()
@ -42,6 +42,20 @@ class MultiHttpBlockConfigTests extends AbstractHttpConfigTests {
				@@ -42,6 +42,20 @@ class MultiHttpBlockConfigTests extends AbstractHttpConfigTests {
        thrown(BeanDefinitionParsingException)
    }

+  def duplicatePatternsAreRejected () {
+      when: "Two <http> elements with the same pattern are used"
+      xml.http(pattern: '/stateless/**', 'create-session': 'stateless') {
+          'http-basic'()
+      }
+      xml.http(pattern: '/stateless/**') {
+          'form-login'()
+      }
+      createAppContext()
+      then:
+      thrown(BeanDefinitionParsingException)
+  }
+
+
    def namedFilterChainIsExposedAsABean () {
        xml.http(name: 'basic', pattern: '/basic/**', 'create-session': 'stateless') {
            'http-basic'()