SEC-2072: <security:anonymous> granted-authority supports multiple authorities again

13 years ago · e3f53908af
2 changed files with 18 additions and 1 deletions
--- a/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java
@ -534,7 +534,7 @@ final class AuthenticationConfigBuilder {
				@@ -534,7 +534,7 @@ final class AuthenticationConfigBuilder {
        anonymousFilter = new RootBeanDefinition(AnonymousAuthenticationFilter.class);
        anonymousFilter.getConstructorArgumentValues().addIndexedArgumentValue(0, key);
        anonymousFilter.getConstructorArgumentValues().addIndexedArgumentValue(1, username);
-        anonymousFilter.getConstructorArgumentValues().addIndexedArgumentValue(2, AuthorityUtils.createAuthorityList(grantedAuthority));
+        anonymousFilter.getConstructorArgumentValues().addIndexedArgumentValue(2, AuthorityUtils.commaSeparatedStringToAuthorityList(grantedAuthority));
        anonymousFilter.setSource(source);

        RootBeanDefinition anonymousProviderBean = new RootBeanDefinition(AnonymousAuthenticationProvider.class);
--- a/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy
@ -212,6 +212,23 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
				@@ -212,6 +212,23 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
        'anonymity' == filter.authorities[0].authority
    }

+    def anonymousSupportsMultipleGrantedAuthorities() {
+        xml.http {
+            'form-login'()
+            'anonymous'(username: 'joe', 'granted-authority':'ROLE_INVITADO,ROLE_PROFILE_INVITADO,ROLE_GRUPO_PUBLICO', key: 'customKey')
+        }
+        createAppContext()
+
+        AnonymousAuthenticationFilter filter = getFilter(AnonymousAuthenticationFilter);
+        def providers = appContext.getBeansOfType(AuthenticationManager).values()*.providers.flatten()
+
+        expect:
+        'customKey' == providers.find { it instanceof AnonymousAuthenticationProvider }.key
+        'customKey' == filter.key
+        'joe' == filter.principal
+        ['ROLE_INVITADO','ROLE_PROFILE_INVITADO','ROLE_GRUPO_PUBLICO'] == filter.authorities*.authority
+    }
+
    def httpMethodMatchIsSupported() {
        httpAutoConfig {
            interceptUrl '/secure*', 'DELETE', 'ROLE_SUPERVISOR'