Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix for SEC-522. Strip query parameters from logout URL before doing comparison with filterProcessesUrl.

This commit is contained in:
Luke Taylor 2007-08-27 17:14:23 +00:00
parent 82599a72ba
commit 1c72b7989e
2 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
core/src/main/java/org/acegisecurity/ui/logout/LogoutFilter.java
View File

@ -133,10 +133,17 @@ public class LogoutFilter implements Filter {
int pathParamIndex = uri.indexOf(';');
if (pathParamIndex > 0) {
// strip everything after the first semi-colon
// strip everything from the first semi-colon
uri = uri.substring(0, pathParamIndex);
}
int queryParamIndex = uri.indexOf('?');
if (queryParamIndex > 0) {
// strip everything from the first question mark
uri = uri.substring(0, queryParamIndex);
}
if ("".equals(request.getContextPath())) {
return uri.endsWith(filterProcessesUrl);
}

38
core/src/test/java/org/acegisecurity/ui/logout/LogoutHandlerTests.java Normal file
View File

@ -0,0 +1,38 @@
package org.acegisecurity.ui.logout;
import junit.framework.TestCase;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
/**
* @author Luke Taylor
* @version $Id$
*/
public class LogoutHandlerTests extends TestCase {
LogoutFilter filter;
protected void setUp() throws Exception {
filter = new LogoutFilter("/success", new LogoutHandler[] {new SecurityContextLogoutHandler()});
}
public void testRequiresLogoutUrlWorksWithPathParams() {
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
request.setRequestURI("/j_acegi_logout;someparam=blah?otherparam=blah");
assertTrue(filter.requiresLogout(request, response));
}
public void testRequiresLogoutUrlWorksWithQueryParams() {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setContextPath("/context");
MockHttpServletResponse response = new MockHttpServletResponse();
request.setRequestURI("/context/j_acegi_logout?param=blah");
assertTrue(filter.requiresLogout(request, response));
}
}