SEC-1980: Prevent parser warning when URL's in configuration start with #

Previously a warning would be logged to the parser when a URL was
configured with a SpEL expression. These changes prevent warnings from
being logged when using SpEL for URL configuration.

config/src/main/java/org/springframework/security/config/http/WebConfigUtils.java

@@ -1,3 +1,18 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.springframework.security.config.http;
 
 import org.springframework.beans.factory.xml.ParserContext;
@@ -26,10 +41,10 @@ abstract class WebConfigUtils {
 
     /**
      * Checks the value of an XML attribute which represents a redirect URL.
-     * If not empty or starting with "$" (potential placeholder), "/" or "http" it will raise an error.
+     * If not empty or starting with "$" (potential placeholder), or starting with "#" (potential SpEL), "/" or "http" it will raise an error.
      */
     static void validateHttpRedirect(String url, ParserContext pc, Object source) {
-        if (!StringUtils.hasText(url) || UrlUtils.isValidRedirectUrl(url) || url.startsWith("$")) {
+        if (!StringUtils.hasText(url) || UrlUtils.isValidRedirectUrl(url) || url.startsWith("$") || url.startsWith("#")) {
             return;
         }
         pc.getReaderContext().warning(url + " is not a valid redirect URL (must start with '/' or http(s))", source);

config/src/test/groovy/org/springframework/security/config/http/FormLoginConfigTests.groovy

@@ -2,6 +2,7 @@ package org.springframework.security.config.http
 
 import org.springframework.beans.factory.BeanCreationException
 import org.springframework.security.util.FieldUtils
+import org.springframework.security.web.access.ExceptionTranslationFilter
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
@@ -32,6 +33,26 @@ class FormLoginConfigTests extends AbstractHttpConfigTests {
         FieldUtils.getFieldValue(filter, 'successHandler.alwaysUseDefaultTargetUrl');
     }
 
+    def 'form-login attributes support SpEL'() {
+        setup:
+        def spelUrl = '#{T(org.springframework.security.config.http.WebConfigUtilsTest).URL}'
+        def expectedUrl = WebConfigUtilsTest.URL
+        when:
+        xml.http {
+            'form-login'('default-target-url': spelUrl , 'authentication-failure-url': spelUrl, 'login-page': spelUrl)
+        }
+        createAppContext()
+        def unPwdFilter = getFilter(UsernamePasswordAuthenticationFilter)
+        def exTransFilter = getFilter(ExceptionTranslationFilter)
+
+        then:
+        unPwdFilter.successHandler.defaultTargetUrl == expectedUrl
+        unPwdFilter
+        FieldUtils.getFieldValue(unPwdFilter, 'successHandler.defaultTargetUrl') == expectedUrl
+        FieldUtils.getFieldValue(unPwdFilter, 'failureHandler.defaultFailureUrl') == expectedUrl
+        FieldUtils.getFieldValue(exTransFilter, 'authenticationEntryPoint.loginFormUrl') == expectedUrl
+    }
+
     def invalidLoginPageIsDetected() {
         when:
         xml.http {

config/src/test/java/org/springframework/security/config/http/WebConfigUtilsTest.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.http;
+
+import static org.mockito.Mockito.verifyZeroInteractions;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.powermock.core.classloader.annotations.PrepareOnlyThisForTest;
+import org.powermock.modules.junit4.PowerMockRunner;
+import org.springframework.beans.factory.xml.ParserContext;
+
+
+@RunWith(PowerMockRunner.class)
+@PrepareOnlyThisForTest(ParserContext.class)
+public class WebConfigUtilsTest {
+    public final static String URL = "/url";
+
+    @Mock
+    private ParserContext parserContext;
+
+    // SEC-1980
+    @Test
+    public void validateHttpRedirectSpELNoParserWarning() {
+        WebConfigUtils.validateHttpRedirect("#{T(org.springframework.security.config.http.WebConfigUtilsTest).URL}", parserContext, "fakeSource");
+        verifyZeroInteractions(parserContext);
+    }
+}