Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-1540: Fix to add HTTP-method specific support for namespace requires-channel attribute.

This commit is contained in:
Luke Taylor 2010-08-18 13:01:16 +01:00
parent 3c02989d67
commit 5f6bcc0e1e
2 changed files with 35 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config/src/main/java/org/springframework/security/config/http/MatcherType.java
View File

@ -35,7 +35,7 @@ public enum MatcherType {
}
BeanDefinition createMatcher(String path, String method) {
if ("/**".equals(path)) {
if ("/**".equals(path) && method == null) {
return new RootBeanDefinition(AnyRequestMatcher.class);
}

34
config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy
View File

@ -170,6 +170,40 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
attrs.contains(new SecurityConfig("ROLE_B"))
}
def httpMethodMatchIsSupportedForRequiresChannel() {
httpAutoConfig {
'intercept-url'(pattern: '/anyurl')
'intercept-url'(pattern: '/anyurl', 'method':'GET',access: 'ROLE_ADMIN', 'requires-channel': 'https')
}
createAppContext()
def fids = getFilter(ChannelProcessingFilter).getSecurityMetadataSource();
def attrs = fids.getAttributes(createFilterinvocation("/anyurl", "GET"));
def attrsPost = fids.getAttributes(createFilterinvocation("/anyurl", "POST"));
expect:
attrs.size() == 1
attrs.contains(new SecurityConfig("REQUIRES_SECURE_CHANNEL"))
attrsPost == null
}
def httpMethodMatchIsSupportedForRequiresChannelAny() {
httpAutoConfig {
'intercept-url'(pattern: '/**')
'intercept-url'(pattern: '/**', 'method':'GET',access: 'ROLE_ADMIN', 'requires-channel': 'https')
}
createAppContext()
def fids = getFilter(ChannelProcessingFilter).getSecurityMetadataSource();
def attrs = fids.getAttributes(createFilterinvocation("/anyurl", "GET"));
def attrsPost = fids.getAttributes(createFilterinvocation("/anyurl", "POST"));
expect:
attrs.size() == 1
attrs.contains(new SecurityConfig("REQUIRES_SECURE_CHANNEL"))
attrsPost == null
}
def oncePerRequestAttributeIsSupported() {
xml.http('once-per-request': 'false') {
'http-basic'()