GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

OPEN - issue SEC-934: security:intercept-url throws NPE if defined twice with the same url 

http://jira.springframework.org/browse/SEC-934. Added log warning when the same url is used multiple times.
2.0.x
Luke Taylor 18 years ago
parent
f6ff958411
commit
d4c105d8ba
3 changed files with 36 additions and 4 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 10
      core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
  2. 12
      core/src/main/java/org/springframework/security/intercept/web/RequestKey.java
  3. 18
      core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java

10
core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
Unescape View File

@ -50,7 +50,7 @@ import org.w3c.dom.Element; @@ -50,7 +50,7 @@ import org.w3c.dom.Element;
* @version $Id$
*/
public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
protected final Log logger = LogFactory.getLog(getClass());
static final Log logger = LogFactory.getLog(HttpSecurityBeanDefinitionParser.class);
static final String ATT_REALM = "realm";
static final String DEF_REALM = "Spring Security Application";
@ -605,7 +605,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { @@ -605,7 +605,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
// Convert the comma-separated list of access attributes to a ConfigAttributeDefinition
if (StringUtils.hasText(access)) {
editor.setAsText(access);
filterInvocationDefinitionMap.put(new RequestKey(path, method), editor.getValue());
Object key = new RequestKey(path, method);
if (filterInvocationDefinitionMap.containsKey(key)) {
logger.warn("Duplicate URL defined: " + key + ". The original attribute values will be overwritten");
}
filterInvocationDefinitionMap.put(key, editor.getValue());
}
}

12
core/src/main/java/org/springframework/security/intercept/web/RequestKey.java
Unescape View File

@ -54,4 +54,16 @@ public class RequestKey { @@ -54,4 +54,16 @@ public class RequestKey {
return method.equals(key.method);
}
public String toString() {
StringBuffer sb = new StringBuffer(url.length() + 7);
sb.append("[");
if (method != null) {
sb.append(method).append(",");
}
sb.append(url);
sb.append("]");
return sb.toString();
}
}

18
core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
Unescape View File

@ -608,7 +608,6 @@ public class HttpSecurityBeanDefinitionParserTests { @@ -608,7 +608,6 @@ public class HttpSecurityBeanDefinitionParserTests {
@Test
public void settingCreateSessionToAlwaysSetsFilterPropertiesCorrectly() throws Exception {
// Protected, no anonymous filter configured.
setContext("<http auto-config='true' create-session='always'/>" + AUTH_PROVIDER_XML);
assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "forceEagerSessionCreation"));
assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "allowSessionCreation"));
@ -616,12 +615,27 @@ public class HttpSecurityBeanDefinitionParserTests { @@ -616,12 +615,27 @@ public class HttpSecurityBeanDefinitionParserTests {
@Test
public void settingCreateSessionToNeverSetsFilterPropertiesCorrectly() throws Exception {
// Protected, no anonymous filter configured.
setContext("<http auto-config='true' create-session='never'/>" + AUTH_PROVIDER_XML);
assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "forceEagerSessionCreation"));
assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "allowSessionCreation"));
}
/* SEC-934 */
@Test
public void supportsTwoIdenticalInterceptUrls() {
setContext(
"<http auto-config='true'>" +
" <intercept-url pattern='/someurl' access='ROLE_A'/>" +
" <intercept-url pattern='/someurl' access='ROLE_B'/>" +
"</http>" + AUTH_PROVIDER_XML);
FilterSecurityInterceptor fis = (FilterSecurityInterceptor) appContext.getBean(BeanIds.FILTER_SECURITY_INTERCEPTOR);
FilterInvocationDefinitionSource fids = fis.getObjectDefinitionSource();
ConfigAttributeDefinition attrDef = fids.getAttributes(createFilterinvocation("/someurl", null));
assertEquals(1, attrDef.getConfigAttributes().size());
assertTrue(attrDef.contains(new SecurityConfig("ROLE_B")));
}
private void setContext(String context) {
appContext = new InMemoryXmlApplicationContext(context);
}

Write Preview
Loading…
Cancel
Save