SEC-1540: Apply patch to support HTTP method matching for requires-channel namespace attribute.

Luke Taylor 2010-08-18 13:17:21 +01:00
parent a1b124def5
commit 45674a16ea
3 changed files with 24 additions and 0 deletions


@ -396,6 +396,11 @@ class HttpConfigurationBuilder {
BeanDefinition requestKey = new RootBeanDefinition(RequestKey.class);
requestKey.getConstructorArgumentValues().addGenericArgumentValue(path);
String method = urlElt.getAttribute(ATT_HTTP_METHOD);
if(StringUtils.hasText(method)) {
requestKey.getConstructorArgumentValues().addGenericArgumentValue(method);
}
RootBeanDefinition channelAttributes = new RootBeanDefinition(ChannelAttributeFactory.class);
channelAttributes.getConstructorArgumentValues().addGenericArgumentValue(requiredChannel);
channelAttributes.setFactoryMethodName("createChannelAttributes");
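Review bot: The `method` attribute value is passed to the `RequestKey` constructor exactly as written in the XML, with no case normalisation and no check against the known HTTP verbs. If a value such as `method='get'` or a typo gets past schema validation, the key would presumably never match a real request, so the `requires-channel` rule would be skipped silently and the URL would stay reachable over plain HTTP. Consider normalising with `method.toUpperCase(Locale.ENGLISH)` or rejecting unknown values when the configuration is parsed; whether the namespace schema already restricts this attribute is not visible in this hunk. As a style point, `if(StringUtils.hasText(method)) {` would read better as `if (StringUtils.hasText(method)) {`. The enclosing method starts and ends outside the hunk.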


@ -56,6 +56,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
static final String OPT_FILTERS_NONE = "none";
static final String ATT_REQUIRES_CHANNEL = "requires-channel";
static final String ATT_HTTP_METHOD = "method";
private static final String ATT_LOWERCASE_COMPARISONS = "lowercase-comparisons";


@ -85,6 +85,7 @@ import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
import org.springframework.security.web.session.ConcurrentSessionFilter;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.test.util.ReflectionTestUtils;
import org.springframework.util.ReflectionUtils;
/**
@ -407,6 +408,23 @@ public class HttpSecurityBeanDefinitionParserTests {
assertTrue(attrs.contains(new SecurityConfig("ROLE_B")));
}
@Test
public void httpMethodMatchIsSupportedForRequiresChannel() throws Exception {
setContext(
" <http auto-config='true'>" +
" <intercept-url pattern='/anyurl'/>" +
" <intercept-url pattern='/anyurl' method='GET' access='ROLE_ADMIN' requires-channel='https' />" +
" </http>" + AUTH_PROVIDER_XML);
ChannelProcessingFilter filter = getFilter(ChannelProcessingFilter.class);
FilterInvocationSecurityMetadataSource fids = (FilterInvocationSecurityMetadataSource)FieldUtils.getFieldValue(filter,"securityMetadataSource");
Collection<ConfigAttribute> attrs = fids.getAttributes(createFilterinvocation("/anyurl", "GET"));
assertEquals(1, attrs.size());
attrs = fids.getAttributes(createFilterinvocation("/anyurl", "POST"));
assertEquals(null, attrs);
}
@Test
public void oncePerRequestAttributeIsSupported() throws Exception {
setContext("<http once-per-request='false'><http-basic /></http>" + AUTH_PROVIDER_XML);
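Review bot: The new test `httpMethodMatchIsSupportedForRequiresChannel` only pins the case where the non-matching method gets no attributes at all, so it does not cover a configuration where a method-less `requires-channel` rule for the same pattern should still apply to `POST`. A second case with `<intercept-url pattern='/anyurl' requires-channel='https'/>` alongside the `method='GET'` rule would show which rule wins. `assertEquals(null, attrs);` is clearer as `assertNull(attrs);`, and the `GET` assertion could check the attribute's value rather than only `attrs.size()`. The import added in the first hunk of this file does not appear to be used by the new test, which goes through `FieldUtils`; it is worth confirming that it is needed.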