SEC-2919: DefaultLoginPageGeneratingFilter disabled when login-page specified

2025-06-25 13:32:30 +00:00 · 2015-04-17 10:29:01 -05:00 · 2015-04-17 10:29:01 -05:00 · 052bd32f40
commit 052bd32f40
parent 5689383ab1
3 changed files with 30 additions and 2 deletions
--- a/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java
@ -131,6 +131,10 @@ final class AuthenticationConfigBuilder {
 	private String loginProcessingUrl;
 	private String openidLoginProcessingUrl;

+	private String formLoginPage;
+
+	private String openIDLoginPage;
+
 	public AuthenticationConfigBuilder(Element element, boolean forceAutoConfig,
 			ParserContext pc, SessionCreationPolicy sessionPolicy,
 			BeanReference requestCache, BeanReference authenticationManager,
@ -212,6 +216,7 @@ final class AuthenticationConfigBuilder {
 			formFilter = parser.getFilterBean();
 			formEntryPoint = parser.getEntryPointBean();
 			loginProcessingUrl = parser.getLoginProcessingUrl();
+			formLoginPage = parser.getLoginPage();
 		}

 		if (formFilter != null) {
@ -242,6 +247,7 @@ final class AuthenticationConfigBuilder {
 			openIDFilter = parser.getFilterBean();
 			openIDEntryPoint = parser.getEntryPointBean();
 			openidLoginProcessingUrl = parser.getLoginProcessingUrl();
+			openIDLoginPage = parser.getLoginPage();

 			List<Element> attrExElts = DomUtils.getChildElementsByTagName(openIDLoginElt,
 					Elements.OPENID_ATTRIBUTE_EXCHANGE);
@ -527,8 +533,6 @@ final class AuthenticationConfigBuilder {

 	void createLoginPageFilterIfNeeded() {
 		boolean needLoginPage = formFilterId != null || openIDFilterId != null;
-		String formLoginPage = getLoginFormUrl(formEntryPoint);
-		String openIDLoginPage = getLoginFormUrl(openIDEntryPoint);

 		// If no login page has been defined, add in the default page generator.
 		if (needLoginPage && formLoginPage == null && openIDLoginPage == null) {
--- a/config/src/test/groovy/org/springframework/security/config/http/FormLoginConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/FormLoginConfigTests.groovy
@ -6,6 +6,7 @@ import org.springframework.security.web.access.ExceptionTranslationFilter
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
+import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.util.ReflectionUtils;

@ -104,4 +105,15 @@ class FormLoginConfigTests extends AbstractHttpConfigTests {
 		apf.usernameParameter == 'xname';
 		apf.passwordParameter == 'xpass'
 	}
+
+	def 'SEC-2919: DefaultLoginGeneratingFilter should not be present if login-page="/login"'() {
+		when:
+		xml.http() {
+			'form-login'('login-page':'/login')
+		}
+		createAppContext()
+
+		then:
+		getFilter(DefaultLoginPageGeneratingFilter) == null
+	}
 }
--- a/config/src/test/groovy/org/springframework/security/config/http/HttpOpenIDConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/HttpOpenIDConfigTests.groovy
@ -151,4 +151,16 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
 		attributes[1].required
 		attributes[1].getCount() == 2
 	}
+
+	def 'SEC-2919: DefaultLoginGeneratingFilter should not be present if login-page="/login"'() {
+		when:
+		xml.http() {
+			'openid-login'('login-page':'/login')
+		}
+		createAppContext()
+
+		then:
+		getFilter(DefaultLoginPageGeneratingFilter) == null
+	}
+
 }