SEC-1463: Change namespace user-service parser to store username in lower-case when building map for in-memory UserDetailsService. Lookups are supposed to be case-insensitive with this class.

2025-07-08 11:32:47 +00:00 · 2010-04-24 16:41:51 +01:00 · 2010-04-24 16:41:51 +01:00 · 8c605516b3
commit 8c605516b3
parent e6e168f127
5 changed files with 13 additions and 18 deletions
--- a/config/src/main/java/org/springframework/security/config/authentication/UserServiceBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/authentication/UserServiceBeanDefinitionParser.java
@ -24,6 +24,7 @@ import org.w3c.dom.Element;
 * @author Luke Taylor
 * @author Ben Alex
 */
+@SuppressWarnings("deprecation")
 public class UserServiceBeanDefinitionParser extends AbstractUserDetailsServiceBeanDefinitionParser {

    static final String ATT_PASSWORD = "password";
@ -90,7 +91,7 @@ public class UserServiceBeanDefinitionParser extends AbstractUserDetailsServiceB
            user.addConstructorArgValue(!locked);
            user.addConstructorArgValue(authorities.getBeanDefinition());

-            users.put(userName, user.getBeanDefinition());
+            users.put(userName.toLowerCase(), user.getBeanDefinition());
        }

        userMap.getPropertyValues().addPropertyValue("users", users);
--- a/config/src/test/java/org/springframework/security/config/authentication/UserServiceBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/authentication/UserServiceBeanDefinitionParserTests.java
@ -77,12 +77,12 @@ public class UserServiceBeanDefinitionParserTests {
        setContext(
                "<user-service id='service'>" +
                "    <user name='joe' password='joespassword' authorities='ROLE_A' locked='true'/>" +
-                "    <user name='bob' password='bobspassword' authorities='ROLE_A' disabled='true'/>" +
+                "    <user name='Bob' password='bobspassword' authorities='ROLE_A' disabled='true'/>" +
                "</user-service>");
        UserDetailsService userService = (UserDetailsService) appContext.getBean("service");
        UserDetails joe = userService.loadUserByUsername("joe");
        assertFalse(joe.isAccountNonLocked());
-        UserDetails bob = userService.loadUserByUsername("bob");
+        UserDetails bob = userService.loadUserByUsername("bOb");
        assertFalse(bob.isEnabled());
    }

--- a/core/src/main/java/org/springframework/security/core/userdetails/memory/InMemoryDaoImpl.java
+++ b/core/src/main/java/org/springframework/security/core/userdetails/memory/InMemoryDaoImpl.java
@ -29,10 +29,14 @@ import java.util.Properties;


 /**
- * Retrieves user details from an in-memory list created by the bean context.
+ * Retrieves user details from an in-memory list created in the application context.
+ * <p>
+ * Username lookups are case-insensitive.
 *
 * @author Ben Alex
+ * @author Luke Taylor
 */
+@SuppressWarnings("deprecation")
 public class InMemoryDaoImpl implements UserDetailsService, InitializingBean {
    //~ Instance fields ================================================================================================

--- a/core/src/main/java/org/springframework/security/core/userdetails/memory/UserMap.java
+++ b/core/src/main/java/org/springframework/security/core/userdetails/memory/UserMap.java
@ -29,7 +29,9 @@ import org.springframework.util.Assert;
 * Used by {@link InMemoryDaoImpl} to store a list of users and their corresponding granted authorities.
 *
 * @author Ben Alex
+ * @deprecated Use a plain map instead
 */
+@Deprecated
 public class UserMap {
    //~ Static fields/initializers =====================================================================================

--- a/core/src/test/java/org/springframework/security/core/userdetails/memory/InMemoryDaoTests.java
+++ b/core/src/test/java/org/springframework/security/core/userdetails/memory/InMemoryDaoTests.java
@ -30,26 +30,14 @@ import java.util.Properties;
 *
 * @author Ben Alex
 */
+@SuppressWarnings("deprecation")
 public class InMemoryDaoTests extends TestCase {
-    //~ Constructors ===================================================================================================
-
-    public InMemoryDaoTests() {
-        super();
-    }
-
-    public InMemoryDaoTests(String arg0) {
-        super(arg0);
-    }

    //~ Methods ========================================================================================================

-    public static void main(String[] args) {
-        junit.textui.TestRunner.run(InMemoryDaoTests.class);
-    }
-
    private UserMap makeUserMap() {
        UserMapEditor editor = new UserMapEditor();
-        editor.setAsText("rod=koala,ROLE_ONE,ROLE_TWO,enabled\r\nscott=wombat,ROLE_ONE,ROLE_TWO,enabled");
+        editor.setAsText("rod=koala,ROLE_ONE,ROLE_TWO,enabled\nScott=wombat,ROLE_ONE,ROLE_TWO,enabled");

        return (UserMap) editor.getValue();
    }