From 5640eb0511a2bb4890076d3b7e66a09cadd699b7 Mon Sep 17 00:00:00 2001
From: Ben Alex
Date: Tue, 14 Nov 2006 01:55:44 +0000
Subject: [PATCH] SEC-378: Use trim instead of replacement for space removal.
---
 .../java/org/acegisecurity/taglibs/authz/AuthorizeTag.java | 2 +-
 .../org/acegisecurity/taglibs/authz/AuthorizeTagTests.java | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/core/src/main/java/org/acegisecurity/taglibs/authz/AuthorizeTag.java b/core/src/main/java/org/acegisecurity/taglibs/authz/AuthorizeTag.java
index 40fe691a7f..23ca483e80 100644
--- a/core/src/main/java/org/acegisecurity/taglibs/authz/AuthorizeTag.java
+++ b/core/src/main/java/org/acegisecurity/taglibs/authz/AuthorizeTag.java
@@ -150,7 +150,7 @@ public class AuthorizeTag extends TagSupport {
 // Remove the role's whitespace characters without depending on JDK 1.4+
 // Includes space, tab, new line, carriage return and form feed.
- String role = StringUtils.replace(authority, " ", "");
+ String role = authority.trim(); // trim, don't use spaces, as per SEC-378
 role = StringUtils.replace(role, "\t", "");
 role = StringUtils.replace(role, "\r", "");
 role = StringUtils.replace(role, "\n", "");
diff --git a/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java b/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java
index 26792f52e0..6bf6888f87 100644
--- a/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java
+++ b/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java
@@ -47,7 +47,7 @@ public class AuthorizeTagTests extends TestCase {
 currentUser = new TestingAuthenticationToken("abc", "123", new GrantedAuthority[] {
- new GrantedAuthorityImpl("ROLE_SUPERVISOR"), new GrantedAuthorityImpl("ROLE_TELLER"),
+ new GrantedAuthorityImpl("ROLE SUPERVISOR"), new GrantedAuthorityImpl("ROLE_TELLER"),
 });
 SecurityContextHolder.getContext().setAuthentication(currentUser);
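Review bot: The two comment lines kept as context above `String role = authority.trim();` still say the role's whitespace is removed, "space" included, which no longer matches the code: only leading and trailing whitespace is trimmed and interior spaces now survive. Since this string presumably feeds the tag's authorization comparison, I would reword the comment, e.g. `// Trim surrounding whitespace; spaces inside a role name are significant (SEC-378).` The `StringUtils.replace` calls that follow still delete interior tab, CR and LF, so an attribute value such as `"ROLE\tSUPERVISOR"` is normalized to `ROLESUPERVISOR` while `"ROLE SUPERVISOR"` is left intact; that asymmetry should be confirmed as intended or documented. The enclosing method starts and ends outside this hunk.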
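Review bot: The fixture edit in `AuthorizeTagTests` and the two `setIfAllGranted` edits in the hunks at -80 and -107 only swap `ROLE_SUPERVISOR` for `ROLE SUPERVISOR`, so none of the visible tests exercises the new `trim()` on a token that actually carries surrounding whitespace. I would add a case such as `authorizeTag.setIfAllGranted(" ROLE SUPERVISOR , ROLE_TELLER ");` expecting `Tag.EVAL_BODY_INCLUDE`, so that both halves of the new normalization (edges trimmed, interior space kept) are pinned in one assertion. Tests outside these hunks may already cover padded lists; if so, a comment on the fixture explaining why the role name contains a space, `// role name with an interior space, see SEC-378`, would be enough.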
@@ -80,7 +80,7 @@ public class AuthorizeTagTests extends TestCase {
 }
 public void testOutputsBodyWhenAllGranted() throws JspException {
- authorizeTag.setIfAllGranted("ROLE_SUPERVISOR,ROLE_TELLER");
+ authorizeTag.setIfAllGranted("ROLE SUPERVISOR,ROLE_TELLER");
 assertEquals("allows request - all required roles granted on principal", Tag.EVAL_BODY_INCLUDE, authorizeTag.doStartTag());
 }
@@ -107,7 +107,7 @@ public class AuthorizeTagTests extends TestCase {
 public void testSkipsBodyWhenMissingAnAllGranted() throws JspException {
- authorizeTag.setIfAllGranted("ROLE_SUPERVISOR,ROLE_TELLER,ROLE_BANKER");
+ authorizeTag.setIfAllGranted("ROLE SUPERVISOR,ROLE_TELLER,ROLE_BANKER");
 assertEquals("prevents request - missing ROLE_BANKER on principal", Tag.SKIP_BODY, authorizeTag.doStartTag());
 }