From 021abb73694c5bbc68dc71c37f06f0ed1db00227 Mon Sep 17 00:00:00 2001
From: Luke Taylor
+ * It strips any parameters from the "path" section of the request URL (such as the
+ * jsessionid parameter in http://host/myapp/index.html;jsessionid=blah)
+ * before matching against the filterProcessesUrl
property.
*
*
* Subclasses may override for special requirements, such as Tapestry @@ -360,8 +347,15 @@ public abstract class AbstractProcessingFilter implements Filter, */ protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) { - return request.getRequestURL().toString().endsWith(request - .getContextPath() + filterProcessesUrl); + String uri = request.getRequestURI(); + int pathParamIndex = uri.indexOf(';'); + + if(pathParamIndex > 0) { + // strip everything after the first semi-colon + uri = uri.substring(0, pathParamIndex); + } + + return uri.endsWith(request.getContextPath() + filterProcessesUrl); } protected void successfulAuthentication(HttpServletRequest request, diff --git a/core/src/test/java/org/acegisecurity/ui/AbstractProcessingFilterTests.java b/core/src/test/java/org/acegisecurity/ui/AbstractProcessingFilterTests.java index 5f87c73a48..8705ebe443 100644 --- a/core/src/test/java/org/acegisecurity/ui/AbstractProcessingFilterTests.java +++ b/core/src/test/java/org/acegisecurity/ui/AbstractProcessingFilterTests.java @@ -41,6 +41,7 @@ import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.Properties; 
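Review bot: The new `return uri.endsWith(request.getContextPath() + filterProcessesUrl);` keeps the suffix match of the old `getRequestURL()` code, so any request whose path merely ends with the processing URL (for example `/mycontext/foo/j_acegi_security_check`) is treated as a login submission; consider the exact form `return uri.equals(request.getContextPath() + filterProcessesUrl);` after the strip, or add a comment stating why a suffix match is intended. `request.getRequestURI()` is the raw, undecoded path, so an encoded `%3B` is not recognised as a path-parameter separator and such a request simply fails to match (fails closed); that is worth noting next to `uri.indexOf(';')` so nobody later "fixes" it by decoding first. The guard `if(pathParamIndex > 0)` leaves a URI that begins with `;` unstripped; `if (pathParamIndex >= 0)` is the safer form even though a servlet request URI normally starts with `/`. The `successfulAuthentication` declaration at the end of the hunk continues outside it.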
@@ -242,6 +243,16 @@ public class AbstractProcessingFilterTests extends TestCase { .getPrincipal().toString()); } + public void testDefaultProcessesFilterUrlWithPathParameter() { + MockHttpServletRequest request = createMockRequest(); + MockHttpServletResponse response = new MockHttpServletResponse(); + MockAbstractProcessingFilter filter = new MockAbstractProcessingFilter(); + filter.setFilterProcessesUrl("/j_acegi_security_check"); + + request.setRequestURI("/mycontext/j_acegi_security_check;jsessionid=I8MIONOSTHOR"); + assertTrue(filter.requiresAuthentication(request, response)); + } + public void testStartupDetectsInvalidAuthenticationFailureUrl() throws Exception { AbstractProcessingFilter filter = new MockAbstractProcessingFilter(); @@ -307,7 +318,7 @@ public class AbstractProcessingFilterTests extends TestCase { } } - public void testSuccessLoginThenFailureLoginResultsInSessionLoosingToken() + public void testSuccessLoginThenFailureLoginResultsInSessionLosingToken() throws Exception { // Setup our HTTP request MockHttpServletRequest request = createMockRequest(); @@ -451,6 +462,10 @@ public class AbstractProcessingFilterTests extends TestCase { this.exceptionToThrow = exceptionToThrow; } + public boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) { + return super.requiresAuthentication(request, response); + } + private MockAbstractProcessingFilter() { super(); }
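Review bot: `testDefaultProcessesFilterUrlWithPathParameter` asserts only the positive case, so it would still pass if `requiresAuthentication` matched on the bare suffix or stripped too much; add a negative assertion such as `request.setRequestURI("/mycontext/other;jsessionid=I8MIONOSTHOR"); assertFalse(filter.requiresAuthentication(request, response));` and a case with the parameter on an earlier segment, e.g. `/mycontext;jsessionid=X/j_acegi_security_check`, to pin whether that form is meant to match (the `indexOf(';')` strip in the main hunk would reject it). The test presumably depends on `createMockRequest()` setting the context path to `/mycontext`; that helper is outside the hunk, so a one-line comment on the `setRequestURI` line naming the expected context path would make the fixture explicit.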
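Review bot: The added `public boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response)` in `MockAbstractProcessingFilter` appears to exist only to widen visibility for the new test; if `AbstractProcessingFilter` lives in the same `org.acegisecurity.ui` package as this test class (the file path suggests so), the protected method is already callable from the test and the override is redundant. If it is kept, a comment such as `// widens visibility so the test can call the protected hook directly` would stop a later reader from assuming it changes behaviour. The enclosing `MockAbstractProcessingFilter` class starts and ends outside the hunk.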