SEC-2455: form-login@login-processing-url & logout@logout-url use matchers

Remove the deprecation warnings of using setFilterProcessingUrl by invoking the matcher methods instead.
2025-06-23 12:32:13 +00:00 · 2014-01-29 15:35:18 -06:00 · 2014-01-29 15:35:18 -06:00 · 8d8475deb1
commit 8d8475deb1
parent b5f5665ea6
5 changed files with 50 additions and 2 deletions
--- a/config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java
@ -148,7 +148,10 @@ public class FormLoginBeanDefinitionParser {
            loginUrl = defaultLoginProcessingUrl;
        }

-        filterBuilder.addPropertyValue("filterProcessesUrl", loginUrl);
+        BeanDefinitionBuilder matcherBuilder = BeanDefinitionBuilder.rootBeanDefinition("org.springframework.security.web.authentication.logout.LogoutFilter$FilterProcessUrlRequestMatcher");
+        matcherBuilder.addConstructorArgValue(loginUrl);
+
+        filterBuilder.addPropertyValue("requiresAuthenticationRequestMatcher", matcherBuilder.getBeanDefinition());

        if (StringUtils.hasText(successHandlerRef)) {
            filterBuilder.addPropertyReference("authenticationSuccessHandler", successHandlerRef);
--- a/config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java
@ -78,7 +78,10 @@ class LogoutBeanDefinitionParser implements BeanDefinitionParser {
        if (!StringUtils.hasText(logoutUrl)) {
            logoutUrl = DEF_LOGOUT_URL;
        }
-        builder.addPropertyValue("filterProcessesUrl", logoutUrl);
+        BeanDefinitionBuilder matcherBuilder = BeanDefinitionBuilder.rootBeanDefinition("org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter$FilterProcessUrlRequestMatcher");
+        matcherBuilder.addConstructorArgValue(logoutUrl);
+
+        builder.addPropertyValue("logoutRequestMatcher", matcherBuilder.getBeanDefinition());

        if (StringUtils.hasText(successHandlerRef)) {
            if (StringUtils.hasText(logoutSuccessUrl)) {
--- a/config/src/test/groovy/org/springframework/security/config/http/FormLoginConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/FormLoginConfigTests.groovy
@ -6,6 +6,8 @@ import org.springframework.security.web.access.ExceptionTranslationFilter
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
+import org.springframework.test.util.ReflectionTestUtils;
+import org.springframework.util.ReflectionUtils;

 /**
 *
@ -102,4 +104,18 @@ class FormLoginConfigTests extends AbstractHttpConfigTests {
        apf.usernameParameter == 'xname';
        apf.passwordParameter == 'xpass'
    }
+
+    def 'SEC-2455: http@login-processing-url'() {
+        when:
+            xml.http {
+                'form-login'('login-processing-url':'/authenticate')
+            }
+            createAppContext()
+
+            def apf = getFilter(UsernamePasswordAuthenticationFilter);
+
+        then:
+            apf.filterProcessesUrl == null // SEC-2455 setFilterProcessesUrl was not invoked
+            FieldUtils.getFieldValue(apf,'requiresAuthenticationRequestMatcher.filterProcessesUrl') == '/authenticate'
+    }
 }
--- a/config/src/test/groovy/org/springframework/security/config/http/LogoutConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/LogoutConfigTests.groovy
@ -0,0 +1,25 @@
+package org.springframework.security.config.http
+
+import org.springframework.security.util.FieldUtils
+import org.springframework.security.web.authentication.logout.LogoutFilter
+
+/**
+ *
+ * @author Rob Winch
+ */
+class LogoutConfigTests extends AbstractHttpConfigTests {
+
+    def 'SEC-2455: logout@logout-url'() {
+        when:
+            httpAutoConfig {
+                'logout'('logout-url':'/logout')
+            }
+            createAppContext()
+
+            def lf = getFilter(LogoutFilter);
+
+        then:
+            lf.filterProcessesUrl == null // SEC-2455 setFilterProcessesUrl was not invoked
+            FieldUtils.getFieldValue(lf,'logoutRequestMatcher.filterProcessesUrl') == '/logout'
+    }
+}
--- a/web/src/main/java/org/springframework/security/web/authentication/logout/LogoutFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/logout/LogoutFilter.java
@ -125,6 +125,7 @@ public class LogoutFilter extends GenericFilterBean {
    public void setLogoutRequestMatcher(RequestMatcher logoutRequestMatcher) {
        Assert.notNull(logoutRequestMatcher, "logoutRequestMatcher cannot be null");
        this.logoutRequestMatcher = logoutRequestMatcher;
+        this.filterProcessesUrl = null;
    }

    @Deprecated