Fix for SEC-522. Strip query parameters from logout URL before doing comparison with filterProcessesUrl.
This commit is contained in:
parent
82599a72ba
commit
1c72b7989e
@ -133,10 +133,17 @@ public class LogoutFilter implements Filter {
int pathParamIndex = uri.indexOf(';');
if (pathParamIndex > 0) {
// strip everything after the first semi-colon
// strip everything from the first semi-colon
uri = uri.substring(0, pathParamIndex);
}
int queryParamIndex = uri.indexOf('?');
if (queryParamIndex > 0) {
// strip everything from the first question mark
uri = uri.substring(0, queryParamIndex);
}
if ("".equals(request.getContextPath())) {
return uri.endsWith(filterProcessesUrl);
}
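Review bot: The new `queryParamIndex` strip only fires when a `?` is present in `uri`, and since the Servlet spec defines `getRequestURI()` as excluding the query string, a later maintainer may read this branch as dead code and remove it; a one-line comment would preserve the intent, e.g. `// getRequestURI() should not carry a query string, but some containers and mock requests include it, so strip it defensively`. Where `uri` is assigned and the rest of `requiresLogout` lie outside the hunk, so its origin in `getRequestURI()` is inferred from the test that calls `setRequestURI`. Both strips use `> 0`, which leaves a separator at index 0 in place; that fails closed here because the subsequent `endsWith(filterProcessesUrl)` cannot match, but `>= 0` would make the intent explicit. The two identical strip blocks could also be collapsed into one private helper that takes the separator character.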
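--- /dev/null
+++ b/<path-not-shown>/LogoutHandlerTests.java
@@ -0,0 +1,38 @@
+package org.acegisecurity.ui.logout;
+
+import junit.framework.TestCase;
+
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+
+/**
+* @author Luke Taylor
+* @version $Id$
+*/
+public class LogoutHandlerTests extends TestCase {
+LogoutFilter filter;
+
+protected void setUp() throws Exception {
+filter = new LogoutFilter("/success", new LogoutHandler[] {new SecurityContextLogoutHandler()});
+}
+
+public void testRequiresLogoutUrlWorksWithPathParams() {
+MockHttpServletRequest request = new MockHttpServletRequest();
+MockHttpServletResponse response = new MockHttpServletResponse();
+
+request.setRequestURI("/j_acegi_logout;someparam=blah?otherparam=blah");
+
+assertTrue(filter.requiresLogout(request, response));
+}
+
+public void testRequiresLogoutUrlWorksWithQueryParams() {
+MockHttpServletRequest request = new MockHttpServletRequest();
+request.setContextPath("/context");
+MockHttpServletResponse response = new MockHttpServletResponse();
+
+request.setRequestURI("/context/j_acegi_logout?param=blah");
+
+assertTrue(filter.requiresLogout(request, response));
+}
+
+}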
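Review bot: Both new tests assert only the positive outcome, so a regression that made `requiresLogout` accept every URI after stripping (for instance a comparison collapsing to an empty suffix) would still pass; a negative case such as `request.setRequestURI("/j_acegi_login?param=blah"); assertFalse(filter.requiresLogout(request, response));` would pin the match down. The path-parameter case runs with an empty context path and the query-parameter case with `/context`, so the combination of a non-empty context path, a `;` segment and a query string is never exercised, though that is the shape a real session-tracking logout link would have. The `filter` field could also be `private`, since nothing outside the test class reads it.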