Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-25 13:32:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-2888 AntPathRequestMatcher ignores variables in pattern when pattern

Browse Source 
finishes with /**
This commit is contained in:
Pascal Gehl 2015-03-01 14:56:48 -05:00 committed by Rob Winch
parent e776a1fd35
commit 85955015f7
2 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2012 the original author or authors. * Copyright 2002-2015 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at * the License. You may obtain a copy of the License at
@ -102,8 +102,9 @@ public final class AntPathRequestMatcher implements RequestMatcher {
pattern = pattern.toLowerCase(); pattern = pattern.toLowerCase();
} }
// If the pattern ends with {@code /**} and has no other wildcards, then optimize to a sub-path match // If the pattern ends with {@code /**} and has no other wildcards or path variables, then optimize to a sub-path match
if (pattern.endsWith(MATCH_ALL) && pattern.indexOf('?') == -1 && // TODO: use spring-framework AntPathMatcher.VARIABLE_PATTERN instead.
if (pattern.endsWith(MATCH_ALL) && (pattern.indexOf('?') == -1 && pattern.indexOf('{') == -1 && pattern.indexOf('}') == -1) &&
pattern.indexOf("*") == pattern.length() - 2) { pattern.indexOf("*") == pattern.length() - 2) {
matcher = new SubpathMatcher(pattern.substring(0, pattern.length() - 3)); matcher = new SubpathMatcher(pattern.substring(0, pattern.length() - 3));
} else { } else {

20
web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java
View File

@ -71,6 +71,26 @@ public class AntPathRequestMatcherTests {
assertTrue(matcher.matches(createRequest("/blah/blah"))); assertTrue(matcher.matches(createRequest("/blah/blah")));
assertFalse(matcher.matches(createRequest("/blah/bleh"))); assertFalse(matcher.matches(createRequest("/blah/bleh")));
assertTrue(matcher.matches(createRequest("/blah/aaa/blah/bbb"))); assertTrue(matcher.matches(createRequest("/blah/aaa/blah/bbb")));
matcher = new AntPathRequestMatcher("/{id}/blAh/**");
assertTrue(matcher.matches(createRequest("/1234/blah")));
assertFalse(matcher.matches(createRequest("/4567/bleh")));
assertTrue(matcher.matches(createRequest("/paskos/blah/")));
assertTrue(matcher.matches(createRequest("/12345/blah/xxx")));
assertFalse(matcher.matches(createRequest("/12345/blaha")));
assertFalse(matcher.matches(createRequest("/paskos/bleh/")));
}
@Test
public void trailingWildcardWithVariableMatchesCorrectly() {
AntPathRequestMatcher matcher = new AntPathRequestMatcher("/{id}/blAh/**");
assertTrue(matcher.matches(createRequest("/1234/blah")));
assertFalse(matcher.matches(createRequest("/4567/bleh")));
assertTrue(matcher.matches(createRequest("/paskos/blah/")));
assertTrue(matcher.matches(createRequest("/12345/blah/xxx")));
assertFalse(matcher.matches(createRequest("/12345/blaha")));
assertFalse(matcher.matches(createRequest("/paskos/bleh/")));
} }
@Test @Test