From 85955015f70eebb4c7fd2185a9132ae51e4ce327 Mon Sep 17 00:00:00 2001 From: Pascal Gehl Date: Sun, 1 Mar 2015 14:56:48 -0500 Subject: [PATCH] SEC-2888 AntPathRequestMatcher ignores variables in pattern when pattern finishes with /** --- .../util/matcher/AntPathRequestMatcher.java | 7 ++++--- .../matcher/AntPathRequestMatcherTests.java | 20 +++++++++++++++++++ 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java b/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java index 7d4c7f3c20..dbc4500315 100644 --- a/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java +++ b/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2012 the original author or authors. + * Copyright 2002-2015 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at @@ -102,8 +102,9 @@ public final class AntPathRequestMatcher implements RequestMatcher { pattern = pattern.toLowerCase(); } - // If the pattern ends with {@code /**} and has no other wildcards, then optimize to a sub-path match - if (pattern.endsWith(MATCH_ALL) && pattern.indexOf('?') == -1 && + // If the pattern ends with {@code /**} and has no other wildcards or path variables, then optimize to a sub-path match + // TODO: use spring-framework AntPathMatcher.VARIABLE_PATTERN instead. + if (pattern.endsWith(MATCH_ALL) && (pattern.indexOf('?') == -1 && pattern.indexOf('{') == -1 && pattern.indexOf('}') == -1) && pattern.indexOf("*") == pattern.length() - 2) { matcher = new SubpathMatcher(pattern.substring(0, pattern.length() - 3)); } else { diff --git a/web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java b/web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java index 766768856e..c85979e35f 100644 --- a/web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java +++ b/web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java @@ -71,6 +71,26 @@ public class AntPathRequestMatcherTests { assertTrue(matcher.matches(createRequest("/blah/blah"))); assertFalse(matcher.matches(createRequest("/blah/bleh"))); assertTrue(matcher.matches(createRequest("/blah/aaa/blah/bbb"))); + + matcher = new AntPathRequestMatcher("/{id}/blAh/**"); + assertTrue(matcher.matches(createRequest("/1234/blah"))); + assertFalse(matcher.matches(createRequest("/4567/bleh"))); + assertTrue(matcher.matches(createRequest("/paskos/blah/"))); + assertTrue(matcher.matches(createRequest("/12345/blah/xxx"))); + assertFalse(matcher.matches(createRequest("/12345/blaha"))); + assertFalse(matcher.matches(createRequest("/paskos/bleh/"))); + + } + + @Test + public void trailingWildcardWithVariableMatchesCorrectly() { + AntPathRequestMatcher matcher = new AntPathRequestMatcher("/{id}/blAh/**"); + assertTrue(matcher.matches(createRequest("/1234/blah"))); + assertFalse(matcher.matches(createRequest("/4567/bleh"))); + assertTrue(matcher.matches(createRequest("/paskos/blah/"))); + assertTrue(matcher.matches(createRequest("/12345/blah/xxx"))); + assertFalse(matcher.matches(createRequest("/12345/blaha"))); + assertFalse(matcher.matches(createRequest("/paskos/bleh/"))); } @Test