SEC-2368: DebugFilter outputs headers and HTTP method

2025-05-30 00:32:14 +00:00 · 2013-10-17 14:49:45 -05:00 · 2013-10-17 14:49:45 -05:00 · 15a63c58a7
commit 15a63c58a7
parent 604c26eb0d
2 changed files with 58 additions and 5 deletions
--- a/web/src/main/java/org/springframework/security/web/debug/DebugFilter.java
+++ b/web/src/main/java/org/springframework/security/web/debug/DebugFilter.java
@ -48,10 +48,11 @@ public final class DebugFilter implements Filter {
        HttpServletResponse response = (HttpServletResponse) srvltResponse;

        List<Filter> filters = getFilters(request);
-        logger.info("Request received for '" + UrlUtils.buildRequestUrl(request) + "':\n\n" +
+        logger.info("Request received for " + request.getMethod() + " '" + UrlUtils.buildRequestUrl(request) + "':\n\n" +
                request + "\n\n" +
                "servletPath:" + request.getServletPath() + "\n" +
-                "pathInfo:" + request.getPathInfo() + "\n\n" +
+                "pathInfo:" + request.getPathInfo() + "\n" +
+                "headers: \n" + formatHeaders(request) + "\n\n" +
                formatFilters(filters));

        if (request.getAttribute(ALREADY_FILTERED_ATTR_NAME) == null) {
@ -73,6 +74,25 @@ public final class DebugFilter implements Filter {
        }
    }

+    String formatHeaders(HttpServletRequest request) {
+        StringBuilder sb = new StringBuilder();
+        Enumeration<String> eHeaderNames = request.getHeaderNames();
+        while(eHeaderNames.hasMoreElements()) {
+            String headerName = eHeaderNames.nextElement();
+            sb.append(headerName);
+            sb.append(": ");
+            Enumeration<String> eHeaderValues = request.getHeaders(headerName);
+            while(eHeaderValues.hasMoreElements()) {
+                sb.append(eHeaderValues.nextElement());
+                if(eHeaderValues.hasMoreElements()) {
+                    sb.append(", ");
+                }
+            }
+            sb.append("\n");
+        }
+        return sb.toString();
+    }
+
    String formatFilters(List<Filter> filters) {
        StringBuilder sb = new StringBuilder();
        sb.append("Security filter chain: ");
--- a/web/src/test/java/org/springframework/security/web/debug/DebugFilterTest.java
+++ b/web/src/test/java/org/springframework/security/web/debug/DebugFilterTest.java
@ -1,5 +1,6 @@
 package org.springframework.security.web.debug;

+import static org.fest.assertions.Assertions.assertThat;
 import static org.junit.Assert.assertEquals;
 import static org.mockito.Matchers.anyString;
 import static org.mockito.Matchers.eq;
@ -7,6 +8,8 @@ import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;

+import java.util.Collections;
+
 import javax.servlet.FilterChain;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
@ -21,10 +24,8 @@ import org.mockito.Mock;
 import org.powermock.core.classloader.annotations.PrepareOnlyThisForTest;
 import org.powermock.modules.junit4.PowerMockRunner;
 import org.powermock.reflect.internal.WhiteboxImpl;
+import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.web.FilterChainProxy;
-import org.springframework.security.web.debug.DebugFilter;
-import org.springframework.security.web.debug.DebugRequestWrapper;
-import org.springframework.security.web.debug.Logger;

 /**
 *
@ -36,6 +37,9 @@ import org.springframework.security.web.debug.Logger;
 public class DebugFilterTest {
    @Captor
    private ArgumentCaptor<HttpServletRequest> requestCaptor;
+    @Captor
+    private ArgumentCaptor<String> logCaptor;
+
    @Mock
    private HttpServletRequest request;
    @Mock
@ -53,6 +57,7 @@ public class DebugFilterTest {

    @Before
    public void setUp() {
+        when(request.getHeaderNames()).thenReturn(Collections.enumeration(Collections.<String>emptyList()));
        when(request.getServletPath()).thenReturn("/login");
        filter = new DebugFilter(fcp);
        WhiteboxImpl.setInternalState(filter, Logger.class, logger);
@ -92,4 +97,32 @@ public class DebugFilterTest {

        verify(fcp).doFilter(fireWalledRequest, response, filterChain);
    }
+
+    @Test
+    public void doFilterLogsProperly() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setMethod("GET");
+        request.setServletPath("/path");
+        request.setPathInfo("/");
+        request.addHeader("A", "A Value");
+        request.addHeader("A", "Another Value");
+        request.addHeader("B", "B Value");
+
+        filter.doFilter(request, response, filterChain);
+
+        verify(logger).info(logCaptor.capture());
+
+        assertThat(logCaptor.getValue()).isEqualTo("Request received for GET '/path/':\n" +
+                "\n" +
+                request + "\n" +
+                "\n" +
+                "servletPath:/path\n" +
+                "pathInfo:/\n" +
+                "headers: \n" +
+                "A: A Value, Another Value\n" +
+                "B: B Value\n" +
+                "\n" +
+                "\n" +
+                "Security filter chain: no match");
+    }
 }