From 59b69f6f486feb88b01874cd2f7e2ac497941f95 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Tue, 16 Mar 2010 02:22:36 +0000 Subject: [PATCH] SEC-1434: Remove use of BeanDefinition of type java.lang.String which causes problems in Google App Engine. This results in the method BeanUtils.findEditorByConvention attempting to get hold of the system classloader which isn't allowed by the security manager in GAE. --- .../security/config/http/HttpConfigurationBuilder.java | 6 +++--- .../config/http/HttpSecurityBeanDefinitionParser.java | 8 +++----- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java index d60f75671e..70d4f75e78 100644 --- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java +++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java @@ -83,7 +83,7 @@ class HttpConfigurationBuilder { private final List interceptUrls; // Use ManagedMap to allow placeholder resolution - private ManagedMap> filterChainMap; + private ManagedMap> filterChainMap; private BeanDefinition cpf; private BeanDefinition securityContextPersistenceFilter; @@ -109,7 +109,7 @@ class HttpConfigurationBuilder { } void parseInterceptUrlsForEmptyFilterChains() { - filterChainMap = new ManagedMap>(); + filterChainMap = new ManagedMap>(); for (Element urlElt : interceptUrls) { String path = urlElt.getAttribute(ATT_PATH_PATTERN); @@ -464,7 +464,7 @@ class HttpConfigurationBuilder { return allowSessionCreation; } - public ManagedMap> getFilterChainMap() { + public ManagedMap> getFilterChainMap() { return filterChainMap; } diff --git a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java index 1cec9f698b..a58fb35661 100644 --- a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java @@ -135,10 +135,8 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { filterChain.add(od.bean); } - ManagedMap> filterChainMap = httpBldr.getFilterChainMap(); - BeanDefinition universalMatch = new RootBeanDefinition(String.class); - universalMatch.getConstructorArgumentValues().addGenericArgumentValue(matcher.getUniversalMatchPattern()); - filterChainMap.put(universalMatch, filterChain); + ManagedMap> filterChainMap = httpBldr.getFilterChainMap(); + filterChainMap.put(matcher.getUniversalMatchPattern(), filterChain); registerFilterChainProxy(pc, filterChainMap, matcher, source); @@ -247,7 +245,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { return customFilters; } - private void registerFilterChainProxy(ParserContext pc, Map> filterChainMap, UrlMatcher matcher, Object source) { + private void registerFilterChainProxy(ParserContext pc, Map> filterChainMap, UrlMatcher matcher, Object source) { if (pc.getRegistry().containsBeanDefinition(BeanIds.FILTER_CHAIN_PROXY)) { pc.getReaderContext().error("Duplicate element detected", source); }