SEC-1404: Use a factory method to convert the path to lower case for use in the filter-chain map.

Delays the conversion till after palceholders have been substituted, preventing the placeholder from being converted (or the value not being converted).
2010-02-10 23:49:26 +00:00 · 2010-02-10 23:49:26 +00:00 · 2173029216
parent d2413cf237
commit 2173029216
2 changed files with 19 additions and 23 deletions
--- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
@ -83,8 +83,7 @@ class HttpConfigurationBuilder {
    private final List<Element> interceptUrls;

    // Use ManagedMap to allow placeholder resolution
-    private List<String> emptyFilterChainPaths;
-    private ManagedMap<String, List<BeanMetadataElement>> filterChainMap;
+    private ManagedMap<BeanDefinition, List<BeanMetadataElement>> filterChainMap;

    private BeanDefinition cpf;
    private BeanDefinition securityContextPersistenceFilter;
@ -97,7 +96,6 @@ class HttpConfigurationBuilder {
    private String portMapperName;
    private BeanReference fsi;

-
    public HttpConfigurationBuilder(Element element, ParserContext pc, UrlMatcher matcher, String portMapperName) {
        this.httpElt = element;
        this.pc = pc;
@ -111,8 +109,7 @@ class HttpConfigurationBuilder {
    }

    void parseInterceptUrlsForEmptyFilterChains() {
-        emptyFilterChainPaths = new ArrayList<String>();
-        filterChainMap = new ManagedMap<String, List<BeanMetadataElement>>();
+        filterChainMap = new ManagedMap<BeanDefinition, List<BeanMetadataElement>>();

        for (Element urlElt : interceptUrls) {
            String path = urlElt.getAttribute(ATT_PATH_PATTERN);
@ -121,9 +118,10 @@ class HttpConfigurationBuilder {
                pc.getReaderContext().error("path attribute cannot be empty or null", urlElt);
            }

-            if (convertPathsToLowerCase) {
-                path = path.toLowerCase();
-            }
+            BeanDefinitionBuilder pathBean = BeanDefinitionBuilder.rootBeanDefinition(HttpConfigurationBuilder.class);
+            pathBean.setFactoryMethod("createPath");
+            pathBean.addConstructorArgValue(path);
+            pathBean.addConstructorArgValue(convertPathsToLowerCase);

            String filters = urlElt.getAttribute(ATT_FILTERS);

@ -133,14 +131,17 @@ class HttpConfigurationBuilder {
                            "filters attribute", urlElt);
                }

-                emptyFilterChainPaths.add(path);
-
                List<BeanMetadataElement> noFilters = Collections.emptyList();
-                filterChainMap.put(path, noFilters);
+                filterChainMap.put(pathBean.getBeanDefinition(), noFilters);
            }
        }
    }

+    // Needed to account for placeholders
+    static String createPath(String path, boolean lowerCase) {
+        return lowerCase ? path.toLowerCase() : path;
+    }
+
    void createSecurityContextPersistenceFilter() {
        BeanDefinitionBuilder scpf = BeanDefinitionBuilder.rootBeanDefinition(SecurityContextPersistenceFilter.class);

@ -463,8 +464,8 @@ class HttpConfigurationBuilder {
        return allowSessionCreation;
    }

-    List<String> getEmptyFilterChainPaths() {
-        return emptyFilterChainPaths;
+    public ManagedMap<BeanDefinition, List<BeanMetadataElement>> getFilterChainMap() {
+        return filterChainMap;
    }

    List<OrderDecorator> getFilters() {
--- a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
@ -135,18 +135,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
            filterChain.add(od.bean);
        }

-        ManagedMap<String, List<BeanMetadataElement>> filterChainMap = new ManagedMap<String, List<BeanMetadataElement>>();
-
-        for (String path : httpBldr.getEmptyFilterChainPaths()) {
-            filterChainMap.put(path, NO_FILTERS);
-        }
-
-        filterChainMap.put(matcher.getUniversalMatchPattern(), filterChain);
+        ManagedMap<BeanDefinition, List<BeanMetadataElement>> filterChainMap = httpBldr.getFilterChainMap();
+        BeanDefinition universalMatch = new RootBeanDefinition(String.class);
+        universalMatch.getConstructorArgumentValues().addGenericArgumentValue(matcher.getUniversalMatchPattern());
+        filterChainMap.put(universalMatch, filterChain);

        registerFilterChainProxy(pc, filterChainMap, matcher, source);

-
-
        pc.popAndRegisterContainingComponent();
        return null;
    }
@ -252,7 +247,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
        return customFilters;
    }

-    private void registerFilterChainProxy(ParserContext pc, Map<String, List<BeanMetadataElement>> filterChainMap, UrlMatcher matcher, Object source) {
+    private void registerFilterChainProxy(ParserContext pc, Map<BeanDefinition, List<BeanMetadataElement>> filterChainMap, UrlMatcher matcher, Object source) {
        if (pc.getRegistry().containsBeanDefinition(BeanIds.FILTER_CHAIN_PROXY)) {
            pc.getReaderContext().error("Duplicate <http> element detected", source);
        }