SEC-3020: SecurityContextHolderAwareRequestWrapper conditional rolePrefix

Previously SecurityContextHolderAwareRequestWrapper always prepended
rolePrefix. This meant that, with the defaults, a check for a role that
already started with the prefix (e.g. ROLE_) would never return true.

We no longer apply the rolePrefix if the value passed in already starts
with rolePrefix.
Rob Winch 2015-07-16 14:33:33 -05:00
parent 2d448658cd
commit 76a2fb9488
2 changed files with 30 additions and 1 deletions


@ -150,7 +150,7 @@ public class SecurityContextHolderAwareRequestWrapper extends HttpServletRequest
private boolean isGranted(String role) {
Authentication auth = getAuthentication();
if (rolePrefix != null) {
if (rolePrefix != null && role != null && !role.startsWith(rolePrefix)) {
role = rolePrefix + role;
}
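Review bot: The new `role != null` guard changes what reaches the rest of isGranted for a null role: previously `rolePrefix + role` turned null into the string "ROLE_null", which would at worst match an authority literally named that, whereas now a null role is passed through unchanged. If the comparison later in the method is `role.equals(authority.getAuthority())`, a null argument now becomes a NullPointerException rather than a false result; an explicit `if (role == null) { return false; }` ahead of the prefix logic would pin the behaviour either way. It would also help to state the new contract above the condition, e.g. `// rolePrefix is applied only when role does not already start with it, so "ADMIN" and "ROLE_ADMIN" are equivalent queries`. isGranted continues past the end of this hunk, so the comparison itself is not visible here.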


@ -114,4 +114,33 @@ public class SecurityContextHolderAwareRequestWrapperTests extends TestCase {
assertFalse(wrapper.isUserInRole("ROLE_FOOBAR")); // principal is null, so reject
assertNull(wrapper.getUserPrincipal());
}
public void testRolePrefix() {
Authentication auth = new TestingAuthenticationToken("user", "koala", "ROLE_HELLO",
"ROLE_FOOBAR");
SecurityContextHolder.getContext().setAuthentication(auth);
MockHttpServletRequest request = new MockHttpServletRequest();
SecurityContextHolderAwareRequestWrapper wrapper = new SecurityContextHolderAwareRequestWrapper(
request, "ROLE_");
assertTrue(wrapper.isUserInRole("HELLO"));
assertTrue(wrapper.isUserInRole("FOOBAR"));
}
// SEC-3020
public void testRolePrefixNotAppliedIfRoleStartsWith() {
Authentication auth = new TestingAuthenticationToken("user", "koala", "ROLE_HELLO",
"ROLE_FOOBAR");
SecurityContextHolder.getContext().setAuthentication(auth);
MockHttpServletRequest request = new MockHttpServletRequest();
SecurityContextHolderAwareRequestWrapper wrapper = new SecurityContextHolderAwareRequestWrapper(
request, "ROLE_");
assertTrue(wrapper.isUserInRole("ROLE_HELLO"));
assertTrue(wrapper.isUserInRole("ROLE_FOOBAR"));
}
}
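Review bot: `testRolePrefixNotAppliedIfRoleStartsWith` only asserts positive matches, so it would also pass if the wrapper ignored the prefix entirely or matched any role name; a negative case such as `assertFalse(wrapper.isUserInRole("ROLE_MISSING"));` and `assertFalse(wrapper.isUserInRole("MISSING"));` would pin the new condition. The null-role path introduced by the `role != null` guard in isGranted is likewise untested; `assertFalse(wrapper.isUserInRole(null));` would document whether that returns false or throws. Both new tests set the SecurityContextHolder authentication without clearing it in the hunk; presumably a tearDown outside this section does so.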