From 866615ceaa807052c95186ec234b6db8b0e0dc25 Mon Sep 17 00:00:00 2001
From: Luke Taylor <luke.taylor@springsource.com>
Date: Wed, 26 Jan 2011 16:39:50 +0000
Subject: [PATCH] SEC-1662: Cater for the case where a user uses two <http>
 elements without patterns and the RequestMatcher does not have two arguments.

---
 .../HttpSecurityBeanDefinitionParser.java     |  5 ++++-
 .../http/MultiHttpBlockConfigTests.groovy     | 20 ++++++++++++++++---
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
index 12d818a878..b4506c5b0f 100644
--- a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
@@ -273,8 +273,11 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
             for (BeanDefinition matcherBean : filterChainMap.keySet()) {
                 if (existingFilterChainMap.containsKey(matcherBean)) {
                     Map<Integer,ValueHolder> args = matcherBean.getConstructorArgumentValues().getIndexedArgumentValues();
+                    String matcherError = args.size() == 2 ? args.get(0).getValue() + ", " +args.get(1).getValue() :
+                            matcherBean.toString();
                     pc.getReaderContext().error("The filter chain map already contains this request matcher ["
-                            + args.get(0).getValue() + ", " +args.get(1).getValue() + "]", source);
+                            + matcherError + "]. If you are using multiple <http> namespace elements, you must use a 'pattern' attribute" +
+                            " to define the request patterns to which they apply.", source);
                 }
             }
             existingFilterChainMap.putAll(filterChainMap);
diff --git a/config/src/test/groovy/org/springframework/security/config/http/MultiHttpBlockConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/MultiHttpBlockConfigTests.groovy
index ce3abe71dc..3ce549797d 100644
--- a/config/src/test/groovy/org/springframework/security/config/http/MultiHttpBlockConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/MultiHttpBlockConfigTests.groovy
@@ -29,12 +29,12 @@ class MultiHttpBlockConfigTests extends AbstractHttpConfigTests {
         (filterChains.keySet() as List)[0].pattern == '/stateless/**'
     }
 
-    def duplicatePatternsAreRejected () {
+    def duplicateHttpElementsAreRejected () {
         when: "Two <http> elements are used"
-        xml.http(pattern: '/stateless/**', 'create-session': 'stateless') {
+        xml.http('create-session': 'stateless') {
             'http-basic'()
         }
-        xml.http(pattern: '/stateless/**') {
+        xml.http() {
             'form-login'()
         }
         createAppContext()
@@ -42,6 +42,20 @@ class MultiHttpBlockConfigTests extends AbstractHttpConfigTests {
         thrown(BeanDefinitionParsingException)
     }
 
+  def duplicatePatternsAreRejected () {
+      when: "Two <http> elements with the same pattern are used"
+      xml.http(pattern: '/stateless/**', 'create-session': 'stateless') {
+          'http-basic'()
+      }
+      xml.http(pattern: '/stateless/**') {
+          'form-login'()
+      }
+      createAppContext()
+      then:
+      thrown(BeanDefinitionParsingException)
+  }
+
+
     def namedFilterChainIsExposedAsABean () {
         xml.http(name: 'basic', pattern: '/basic/**', 'create-session': 'stateless') {
             'http-basic'()