SEC-2919: DefaultLoginPageGeneratingFilter disabled when login-page specified

This commit is contained in:
Rob Winch 2015-04-17 10:29:01 -05:00
parent 5689383ab1
commit 052bd32f40
3 changed files with 30 additions and 2 deletions


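--- a/PATH-NOT-SHOWN/AuthenticationConfigBuilder.java
+++ b/PATH-NOT-SHOWN/AuthenticationConfigBuilder.java
@@ -131,6 +131,10 @@ final class AuthenticationConfigBuilder {
 private String loginProcessingUrl;
 private String openidLoginProcessingUrl;
+private String formLoginPage;
+private String openIDLoginPage;
 public AuthenticationConfigBuilder(Element element, boolean forceAutoConfig,
 ParserContext pc, SessionCreationPolicy sessionPolicy,
 BeanReference requestCache, BeanReference authenticationManager,
@@ -212,6 +216,7 @@ final class AuthenticationConfigBuilder {
 formFilter = parser.getFilterBean();
 formEntryPoint = parser.getEntryPointBean();
 loginProcessingUrl = parser.getLoginProcessingUrl();
+formLoginPage = parser.getLoginPage();
 }
 if (formFilter != null) {
@@ -242,6 +247,7 @@ final class AuthenticationConfigBuilder {
 openIDFilter = parser.getFilterBean();
 openIDEntryPoint = parser.getEntryPointBean();
 openidLoginProcessingUrl = parser.getLoginProcessingUrl();
+openIDLoginPage = parser.getLoginPage();
 List<Element> attrExElts = DomUtils.getChildElementsByTagName(openIDLoginElt,
 Elements.OPENID_ATTRIBUTE_EXCHANGE);
@@ -527,8 +533,6 @@ final class AuthenticationConfigBuilder {
 void createLoginPageFilterIfNeeded() {
 boolean needLoginPage = formFilterId != null || openIDFilterId != null;
-String formLoginPage = getLoginFormUrl(formEntryPoint);
-String openIDLoginPage = getLoginFormUrl(openIDEntryPoint);
 // If no login page has been defined, add in the default page generator.
 if (needLoginPage && formLoginPage == null && openIDLoginPage == null) {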
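Review bot: The new fields `formLoginPage` and `openIDLoginPage` (hunk at -131) carry no comment stating that null means "no login-page attribute configured", yet that null is exactly what the guard in createLoginPageFilterIfNeeded (hunk at -527) relies on to decide whether DefaultLoginPageGeneratingFilter is registered. Because the value now comes straight from `parser.getLoginPage()` instead of being derived from the entry point, it is worth confirming that the parser yields null rather than an empty string for an absent attribute; an empty string would fail the `== null` test and suppress the generated page when it is still needed. I would add `// login-page attribute as configured (null = none); null for both drives registration of the default login page generator` above the two fields. The `getLoginFormUrl` helper called by the removed lines may now be unused, which this commit does not address. createLoginPageFilterIfNeeded continues outside the hunk.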


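--- a/PATH-NOT-SHOWN/FormLoginConfigTests
+++ b/PATH-NOT-SHOWN/FormLoginConfigTests
@@ -6,6 +6,7 @@ import org.springframework.security.web.access.ExceptionTranslationFilter
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
+import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.util.ReflectionUtils;
@@ -104,4 +105,15 @@ class FormLoginConfigTests extends AbstractHttpConfigTests {
 apf.usernameParameter == 'xname';
 apf.passwordParameter == 'xpass'
 }
+def 'SEC-2919: DefaultLoginGeneratingFilter should not be present if login-page="/login"'() {
+when:
+xml.http() {
+'form-login'('login-page':'/login')
+}
+createAppContext()
+then:
+getFilter(DefaultLoginPageGeneratingFilter) == null
+}
 }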
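Review bot: The new spec (and the matching one in OpenIDConfigTests) asserts only that the generated login page filter is absent when `login-page` is set; without a companion assertion of `getFilter(DefaultLoginPageGeneratingFilter) != null` for a configuration with no login-page, an inverted condition in createLoginPageFilterIfNeeded would pass both specs unnoticed. If such a positive case already exists elsewhere in these classes, naming it in the spec would make the pairing visible. The spec name says `DefaultLoginGeneratingFilter` while the class under test is `DefaultLoginPageGeneratingFilter`; renaming it to `'SEC-2919: DefaultLoginPageGeneratingFilter should not be present if login-page="/login"'` avoids confusion when searching for coverage. The OpenIDConfigTests section shows no import hunk for DefaultLoginPageGeneratingFilter, so presumably it is already imported there or that hunk is not rendered on this page.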


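--- a/PATH-NOT-SHOWN/OpenIDConfigTests
+++ b/PATH-NOT-SHOWN/OpenIDConfigTests
@@ -151,4 +151,16 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
 attributes[1].required
 attributes[1].getCount() == 2
 }
+def 'SEC-2919: DefaultLoginGeneratingFilter should not be present if login-page="/login"'() {
+when:
+xml.http() {
+'openid-login'('login-page':'/login')
+}
+createAppContext()
+then:
+getFilter(DefaultLoginPageGeneratingFilter) == null
+}
 }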