SEC-1404: Use a factory method to convert the path to lower case for use in the filter-chain map.

Delays the conversion till after palceholders have been substituted, preventing the placeholder from being converted (or the value not being converted).
2025-07-08 11:32:47 +00:00 · 2010-02-10 23:49:26 +00:00 · 2010-02-10 23:49:26 +00:00 · 2173029216
commit 2173029216
parent d2413cf237
2 changed files with 19 additions and 23 deletions
--- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
@ -83,8 +83,7 @@ class HttpConfigurationBuilder {
    private final List<Element> interceptUrls;
    // Use ManagedMap to allow placeholder resolution
-    private List<String> emptyFilterChainPaths;
+    private ManagedMap<BeanDefinition, List<BeanMetadataElement>> filterChainMap;
    private ManagedMap<String, List<BeanMetadataElement>> filterChainMap;
    private BeanDefinition cpf;
    private BeanDefinition securityContextPersistenceFilter;
@ -97,7 +96,6 @@ class HttpConfigurationBuilder {
    private String portMapperName;
    private BeanReference fsi;
    public HttpConfigurationBuilder(Element element, ParserContext pc, UrlMatcher matcher, String portMapperName) {
        this.httpElt = element;
        this.pc = pc;
@ -111,8 +109,7 @@ class HttpConfigurationBuilder {
    }
    void parseInterceptUrlsForEmptyFilterChains() {
-        emptyFilterChainPaths = new ArrayList<String>();
+        filterChainMap = new ManagedMap<BeanDefinition, List<BeanMetadataElement>>();
        filterChainMap = new ManagedMap<String, List<BeanMetadataElement>>();
        for (Element urlElt : interceptUrls) {
            String path = urlElt.getAttribute(ATT_PATH_PATTERN);
@ -121,9 +118,10 @@ class HttpConfigurationBuilder {
                pc.getReaderContext().error("path attribute cannot be empty or null", urlElt);
            }
-            if (convertPathsToLowerCase) {
+            BeanDefinitionBuilder pathBean = BeanDefinitionBuilder.rootBeanDefinition(HttpConfigurationBuilder.class);
-                path = path.toLowerCase();
+            pathBean.setFactoryMethod("createPath");
-            }
+            pathBean.addConstructorArgValue(path);
            pathBean.addConstructorArgValue(convertPathsToLowerCase);
            String filters = urlElt.getAttribute(ATT_FILTERS);
@ -133,14 +131,17 @@ class HttpConfigurationBuilder {
                            "filters attribute", urlElt);
                }
                emptyFilterChainPaths.add(path);
                List<BeanMetadataElement> noFilters = Collections.emptyList();
-                filterChainMap.put(path, noFilters);
+                filterChainMap.put(pathBean.getBeanDefinition(), noFilters);
            }
        }
    }
    // Needed to account for placeholders
    static String createPath(String path, boolean lowerCase) {
        return lowerCase ? path.toLowerCase() : path;
    }
    void createSecurityContextPersistenceFilter() {
        BeanDefinitionBuilder scpf = BeanDefinitionBuilder.rootBeanDefinition(SecurityContextPersistenceFilter.class);
@ -463,8 +464,8 @@ class HttpConfigurationBuilder {
        return allowSessionCreation;
    }
-    List<String> getEmptyFilterChainPaths() {
+    public ManagedMap<BeanDefinition, List<BeanMetadataElement>> getFilterChainMap() {
-        return emptyFilterChainPaths;
+        return filterChainMap;
    }
    List<OrderDecorator> getFilters() {
--- a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
@ -135,18 +135,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
            filterChain.add(od.bean);
        }
-        ManagedMap<String, List<BeanMetadataElement>> filterChainMap = new ManagedMap<String, List<BeanMetadataElement>>();
+        ManagedMap<BeanDefinition, List<BeanMetadataElement>> filterChainMap = httpBldr.getFilterChainMap();
-
+        BeanDefinition universalMatch = new RootBeanDefinition(String.class);
-        for (String path : httpBldr.getEmptyFilterChainPaths()) {
+        universalMatch.getConstructorArgumentValues().addGenericArgumentValue(matcher.getUniversalMatchPattern());
-            filterChainMap.put(path, NO_FILTERS);
+        filterChainMap.put(universalMatch, filterChain);
        }
        filterChainMap.put(matcher.getUniversalMatchPattern(), filterChain);
        registerFilterChainProxy(pc, filterChainMap, matcher, source);
        pc.popAndRegisterContainingComponent();
        return null;
    }
@ -252,7 +247,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
        return customFilters;
    }
-    private void registerFilterChainProxy(ParserContext pc, Map<String, List<BeanMetadataElement>> filterChainMap, UrlMatcher matcher, Object source) {
+    private void registerFilterChainProxy(ParserContext pc, Map<BeanDefinition, List<BeanMetadataElement>> filterChainMap, UrlMatcher matcher, Object source) {
        if (pc.getRegistry().containsBeanDefinition(BeanIds.FILTER_CHAIN_PROXY)) {
            pc.getReaderContext().error("Duplicate <http> element detected", source);
        }