From 0fd2c48dfbe8b8e5abcd7629e78f050b49b571cd Mon Sep 17 00:00:00 2001
From: Luke Taylor <luke.taylor@springsource.com>
Date: Sun, 3 Oct 2010 22:48:58 +0100
Subject: [PATCH] SEC-1584: Additional integration tests.

---
 .../HttpPathParameterStrippingTests.java      | 65 +++++++++++++++++++
 .../http-path-param-stripping-app-context.xml | 32 +++++++++
 2 files changed, 97 insertions(+)
 create mode 100644 itest/context/src/test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java
 create mode 100644 itest/context/src/test/resources/http-path-param-stripping-app-context.xml

diff --git a/itest/context/src/test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java b/itest/context/src/test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java
new file mode 100644
index 0000000000..b84da3d786
--- /dev/null
+++ b/itest/context/src/test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java
@@ -0,0 +1,65 @@
+package org.springframework.security.integration;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.mock.web.MockFilterChain;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+import javax.servlet.http.HttpSession;
+
+@ContextConfiguration(locations={"/http-path-param-stripping-app-context.xml"})
+@RunWith(SpringJUnit4ClassRunner.class)
+public class HttpPathParameterStrippingTests {
+
+    @Autowired
+    private FilterChainProxy fcp;
+
+    @Test
+    public void securedFilterChainCannotBeBypassedByAddingPathParameters() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setPathInfo("/secured;x=y/admin.html");
+        request.setSession(createAuthenticatedSession("ROLE_USER"));
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        fcp.doFilter(request, response, new MockFilterChain());
+        assertEquals(403, response.getStatus());
+    }
+
+    @Test
+    public void adminFilePatternCannotBeBypassedByAddingPathParameters() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setServletPath("/secured/admin.html;x=user.html");
+        request.setSession(createAuthenticatedSession("ROLE_USER"));
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        fcp.doFilter(request, response, new MockFilterChain());
+        assertEquals(403, response.getStatus());
+
+        // Try with pathInfo
+        request = new MockHttpServletRequest();
+        request.setServletPath("/secured");
+        request.setPathInfo("/admin.html;x=user.html");
+        request.setSession(createAuthenticatedSession("ROLE_USER"));
+        response = new MockHttpServletResponse();
+        fcp.doFilter(request, response, new MockFilterChain());
+        assertEquals(403, response.getStatus());
+    }
+
+    public HttpSession createAuthenticatedSession(String... roles) {
+        MockHttpSession session = new MockHttpSession();
+        SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("bob", "bobspassword", roles));
+        session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
+        SecurityContextHolder.clearContext();
+        return session;
+    }
+
+}
diff --git a/itest/context/src/test/resources/http-path-param-stripping-app-context.xml b/itest/context/src/test/resources/http-path-param-stripping-app-context.xml
new file mode 100644
index 0000000000..4ea30cfb1c
--- /dev/null
+++ b/itest/context/src/test/resources/http-path-param-stripping-app-context.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+  -
+  -->
+
+<b:beans xmlns="http://www.springframework.org/schema/security"
+    xmlns:b="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+
+    <http pattern="/secured/**">
+        <intercept-url pattern="/secured/*user.html" access="ROLE_USER" />
+        <intercept-url pattern="/secured/admin.html" access="ROLE_ADMIN" />
+        <intercept-url pattern="/secured/user/**" access="ROLE_USER" />
+        <intercept-url pattern="/secured/admin/*" access="ROLE_ADMIN" />
+        <intercept-url pattern="/**" access="ROLE_NO_ACCESS" />
+        <form-login />
+    </http>
+
+    <http pattern="/**" security="none" />
+
+    <authentication-manager alias="authenticationManager">
+        <authentication-provider>
+            <user-service id="userService">
+                <user name="notused" password="notused" authorities="ROLE_0,ROLE_1"/>
+            </user-service>
+        </authentication-provider>
+    </authentication-manager>
+
+</b:beans>