Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-29 15:22:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-2656: Fix <frame-options> with whitelist strategy

Browse Source
This commit is contained in:
Mirko Zeibig 2014-06-17 23:25:30 +02:00 committed by Rob Winch
parent fb1f2dc888
commit 85a37bdc02
2 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java
View File

@ -208,7 +208,7 @@ public class HeadersBeanDefinitionParser implements BeanDefinitionParser {
} }
String fromParameter = getAttribute(frameElt, ATT_FROM_PARAMETER, "from"); String fromParameter = getAttribute(frameElt, ATT_FROM_PARAMETER, "from");
allowFromStrategy.addPropertyValue("allowFromParameterName", fromParameter); allowFromStrategy.addPropertyValue("allowFromParameterName", fromParameter);
builder.addConstructorArgValue(allowFromStrategy); builder.addConstructorArgValue(allowFromStrategy.getBeanDefinition());
} }
} else { } else {
parserContext.getReaderContext().error("One of 'strategy' and 'strategy-ref' must be set.", parserContext.getReaderContext().error("One of 'strategy' and 'strategy-ref' must be set.",

20
config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
View File

@ -172,6 +172,26 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
assertHeaders(response, ['X-Frame-Options':'ALLOW-FROM https://example.com']) assertHeaders(response, ['X-Frame-Options':'ALLOW-FROM https://example.com'])
} }
def 'http headers frame-options ALLOW-FROM with whitelist strategy'() {
when:
httpAutoConfig {
'headers'() {
'frame-options'(policy : 'ALLOW-FROM', strategy: 'whitelist', value : 'https://example.com')
}
}
createAppContext()
def hf = getFilter(HeaderWriterFilter)
MockHttpServletResponse response = new MockHttpServletResponse()
def request = new MockHttpServletRequest()
request.setParameter("from", "https://example.com");
hf.doFilter(request, response, new MockFilterChain())
then:
assertHeaders(response, ['X-Frame-Options':'ALLOW-FROM https://example.com'])
}
def 'http headers header a=b'() { def 'http headers header a=b'() {
when: when:
httpAutoConfig { httpAutoConfig {