Fix for SEC-522. Strip query parameters from the logout URL before comparing it with filterProcessesUrl.

This commit is contained in:
Luke Taylor 2007-08-27 17:14:23 +00:00
parent 82599a72ba
commit 1c72b7989e
2 changed files with 46 additions and 1 deletions


@ -133,10 +133,17 @@ public class LogoutFilter implements Filter {
int pathParamIndex = uri.indexOf(';');
if (pathParamIndex > 0) {
// strip everything after the first semi-colon
// strip everything from the first semi-colon
uri = uri.substring(0, pathParamIndex);
}
int queryParamIndex = uri.indexOf('?');
if (queryParamIndex > 0) {
// strip everything from the first question mark
uri = uri.substring(0, queryParamIndex);
}
if ("".equals(request.getContextPath())) {
return uri.endsWith(filterProcessesUrl);
}
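Review bot: The new `?` check uses the same `> 0` guard as the existing `;` check, so a separator at index 0 is never stripped; `>= 0` (or `!= -1`) would be the consistent condition, even though an empty path before the separator is unlikely in practice. The block would also benefit from a comment recording why the strip exists at all: the `setRequestURI` calls in the accompanying test suggest `uri` comes from `getRequestURI()`, which per the Servlet specification does not include the query string, so this branch only takes effect for containers or request wrappers that deviate, e.g. `// getRequestURI() should not carry a query string per the Servlet spec; strip defensively in case the container or a wrapper includes one`. The assignment of `uri` and the remainder of the enclosing method lie outside the hunk.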


@ -0,0 +1,38 @@
package org.acegisecurity.ui.logout;
import junit.framework.TestCase;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
/**
* @author Luke Taylor
* @version $Id$
*/
public class LogoutHandlerTests extends TestCase {
LogoutFilter filter;
protected void setUp() throws Exception {
filter = new LogoutFilter("/success", new LogoutHandler[] {new SecurityContextLogoutHandler()});
}
public void testRequiresLogoutUrlWorksWithPathParams() {
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
request.setRequestURI("/j_acegi_logout;someparam=blah?otherparam=blah");
assertTrue(filter.requiresLogout(request, response));
}
public void testRequiresLogoutUrlWorksWithQueryParams() {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setContextPath("/context");
MockHttpServletResponse response = new MockHttpServletResponse();
request.setRequestURI("/context/j_acegi_logout?param=blah");
assertTrue(filter.requiresLogout(request, response));
}
}
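Review bot: The class is named `LogoutHandlerTests` but both methods exercise `LogoutFilter.requiresLogout`, so `LogoutFilterTests` would name what is actually under test. Both tests assert only the positive case; a negative check such as `request.setRequestURI("/context/other?param=blah"); assertFalse(filter.requiresLogout(request, response));` would pin that the stripping does not over-match. The first test combines a `;` and a `?` in one URI, so the path-parameter strip is never exercised on its own; a third request with only `;someparam=blah` would isolate that branch.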