From d4c105d8ba89aeff2a270a90109be08d83c738d7 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Wed, 30 Jul 2008 15:03:47 +0000
Subject: [PATCH] OPEN - issue SEC-934: security:intercept-url throws NPE if defined twice with the same url http://jira.springframework.org/browse/SEC-934. Added log warning when the same url is used multiple times.
---
 .../HttpSecurityBeanDefinitionParser.java | 10 ++++++++--
 .../security/intercept/web/RequestKey.java | 12 ++++++++++++
 .../HttpSecurityBeanDefinitionParserTests.java | 18 ++++++++++++++++--
 3 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java b/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
index 92d0d5f55e..317be2f9a3 100644
--- a/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
+++ b/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
@@ -50,7 +50,7 @@ import org.w3c.dom.Element;
 * @version $Id$
 */
 public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
- protected final Log logger = LogFactory.getLog(getClass());
+ static final Log logger = LogFactory.getLog(HttpSecurityBeanDefinitionParser.class);
 static final String ATT_REALM = "realm";
 static final String DEF_REALM = "Spring Security Application";
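Review bot: The `logger` field in HttpSecurityBeanDefinitionParser changes from `protected final` to package-private `static final`, so any subclass outside `org.springframework.security.config` that used the inherited `logger` no longer compiles. If the field only needs to be static so that static parsing helpers can log (the callers are outside this hunk), `private static final Log logger = LogFactory.getLog(HttpSecurityBeanDefinitionParser.class);` states that intent and keeps the field out of the package's surface. If the wider visibility is deliberate, a one-line comment saying which other class reads it would help.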
@@ -605,7 +605,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
 // Convert the comma-separated list of access attributes to a ConfigAttributeDefinition
 if (StringUtils.hasText(access)) {
 editor.setAsText(access);
- filterInvocationDefinitionMap.put(new RequestKey(path, method), editor.getValue());
+ Object key = new RequestKey(path, method);
+
+ if (filterInvocationDefinitionMap.containsKey(key)) {
+ logger.warn("Duplicate URL defined: " + key + ". The original attribute values will be overwritten");
+ }
+
+ filterInvocationDefinitionMap.put(key, editor.getValue());
 }
 }
diff --git a/core/src/main/java/org/springframework/security/intercept/web/RequestKey.java b/core/src/main/java/org/springframework/security/intercept/web/RequestKey.java
index 44b4528ba2..aed8977461 100644
--- a/core/src/main/java/org/springframework/security/intercept/web/RequestKey.java
+++ b/core/src/main/java/org/springframework/security/intercept/web/RequestKey.java
@@ -54,4 +54,16 @@ public class RequestKey {
 return method.equals(key.method);
 }
+
+ public String toString() {
+ StringBuffer sb = new StringBuffer(url.length() + 7);
+ sb.append("[");
+ if (method != null) {
+ sb.append(method).append(",");
+ }
+ sb.append(url);
+ sb.append("]");
+
+ return sb.toString();
+ }
 }
diff --git a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
index b6c1ad5c2f..4b9da90188 100644
--- a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
+++ b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
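Review bot: In the HttpSecurityBeanDefinitionParser hunk at -605, a duplicate `intercept-url` is only logged at WARN before `filterInvocationDefinitionMap.put(key, editor.getValue())` replaces the earlier access attributes, so a copy-paste mistake in the configuration can silently swap a stricter rule for a looser one on the same path. For access-control configuration it would be safer to reject the duplicate at parse time, or at least to make the effective rule visible in the log. Assuming the map is a `java.util.Map`, that could be `logger.warn("Duplicate URL defined: " + key + ". Replacing " + filterInvocationDefinitionMap.get(key) + " with " + editor.getValue());`. The enclosing method starts and ends outside the hunk, so whether a parser error-reporting hook is in scope at this point cannot be seen from here.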
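Review bot: In the RequestKey hunk, the new `toString()` treats `method` as nullable (`if (method != null)`), while the context line just above it, `return method.equals(key.method);`, dereferences `method` unconditionally. The rest of `equals` is outside the hunk, so please confirm that a null check precedes that line. The commit subject mentions an NPE for duplicate URLs, and the new `containsKey(key)` call in the parser also goes through `equals` if the map is hash-based. A short Javadoc on `toString()` noting the `[method,url]` / `[url]` format would help, since the string now appears in a security-relevant warning.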
@@ -608,7 +608,6 @@ public class HttpSecurityBeanDefinitionParserTests {
 @Test
 public void settingCreateSessionToAlwaysSetsFilterPropertiesCorrectly() throws Exception {
- // Protected, no anonymous filter configured.
 setContext("" + AUTH_PROVIDER_XML);
 assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "forceEagerSessionCreation"));
 assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "allowSessionCreation"));
@@ -616,12 +615,27 @@ public class HttpSecurityBeanDefinitionParserTests {
 @Test
 public void settingCreateSessionToNeverSetsFilterPropertiesCorrectly() throws Exception {
- // Protected, no anonymous filter configured.
 setContext("" + AUTH_PROVIDER_XML);
 assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "forceEagerSessionCreation"));
 assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "allowSessionCreation"));
 }
+ /* SEC-934 */
+ @Test
+ public void supportsTwoIdenticalInterceptUrls() {
+ setContext(
+ "" +
+ " " +
+ " " +
+ "" + AUTH_PROVIDER_XML);
+ FilterSecurityInterceptor fis = (FilterSecurityInterceptor) appContext.getBean(BeanIds.FILTER_SECURITY_INTERCEPTOR);
+
+ FilterInvocationDefinitionSource fids = fis.getObjectDefinitionSource();
+ ConfigAttributeDefinition attrDef = fids.getAttributes(createFilterinvocation("/someurl", null));
+ assertEquals(1, attrDef.getConfigAttributes().size());
+ assertTrue(attrDef.contains(new SecurityConfig("ROLE_B")));
+ }
+
 private void setContext(String context) {
 appContext = new InMemoryXmlApplicationContext(context);
 }
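Review bot: `supportsTwoIdenticalInterceptUrls` looks up `/someurl` with a null method only, so the duplicate path where both entries carry the same HTTP method is not exercised. The XML literal is not readable on this page, so this assumes neither entry sets one. A second case with a method on both entries would cover the non-null branch of RequestKey's `equals` and `toString` that the new duplicate check depends on. Because the assertions pin "last definition wins" as the contract for an access rule, a comment above them such as `// Last definition wins; the parser logs a warning for the duplicate` would make that intent explicit.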