SEC-3170: Polish

* Prevent a null LogoutHandler from being set when RememberMeServices does not implement LogoutHandler * Fix test which invoked Mock from outside spock which failed * Add explicit test for adding null LogoutHandler to RememberMeConfigurer
2015-12-15 09:34:34 -06:00 · 2015-12-15 09:34:34 -06:00 · 337f1885ea
parent b28c62a6fe
commit 337f1885ea
2 changed files with 18 additions and 7 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java
@ -230,7 +230,7 @@ public final class RememberMeConfigurer<H extends HttpSecurityBuilder<H>> extend
 		RememberMeServices rememberMeServices = getRememberMeServices(http, key);
 		http.setSharedObject(RememberMeServices.class, rememberMeServices);
 		LogoutConfigurer<H> logoutConfigurer = http.getConfigurer(LogoutConfigurer.class);
-		if (logoutConfigurer != null) {
+		if (logoutConfigurer != null && logoutHandler != null) {
 			logoutConfigurer.addLogoutHandler(logoutHandler);
 		}

--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.groovy
@ -23,6 +23,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
+import org.springframework.security.config.annotation.web.configurers.LogoutConfigurerTests.RememberMeNoLogoutHandler;
 import org.springframework.security.web.authentication.RememberMeServices
 import org.springframework.security.web.authentication.logout.LogoutFilter

@ -114,24 +115,34 @@ class LogoutConfigurerTests extends BaseSpringSpec {
 		}
 	}

-	def "SEC-3170: LogoutConfigurer allows null LogoutHandler"() {
-		when:
+	def "SEC-3170: LogoutConfigurer RememberMeService not LogoutHandler"() {
+		setup:
+			RememberMeNoLogoutHandler.REMEMBER_ME = Mock(RememberMeServices)
 			loadConfig(RememberMeNoLogoutHandler)
-			request.method = "GET"
+			request.method = "POST"
 			request.servletPath = "/logout"
+		when:
 			findFilter(LogoutFilter).doFilter(request,response,chain)
 		then:
-			thrown(BeanCreationException)
+			response.redirectedUrl == "/login?logout"
+	}
+
+	def "SEC-3170: LogoutConfigurer prevents null LogoutHandler"() {
+		when:
+			new LogoutConfigurer().addLogoutHandler(null)
+		then:
+			thrown(IllegalArgumentException)
 	}

 	@EnableWebSecurity
 	static class RememberMeNoLogoutHandler extends WebSecurityConfigurerAdapter {
+		static RememberMeServices REMEMBER_ME

 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
 			http
 					.rememberMe()
-					.rememberMeServices(Mock(RememberMeServices))
+					.rememberMeServices(REMEMBER_ME)
 		}
 	}
 }