From 8d8475deb178c55c855d95f32a0d864c61074e46 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Wed, 29 Jan 2014 15:35:18 -0600
Subject: [PATCH] SEC-2455: form-login@login-processing-url & logout@logout-url use matchers
Remove the deprecation warnings of using setFilterProcessingUrl by invoking the matcher methods instead.
---
 .../http/FormLoginBeanDefinitionParser.java | 5 +++-
 .../http/LogoutBeanDefinitionParser.java | 5 +++-
 .../config/http/FormLoginConfigTests.groovy | 16 ++++++++++++
 .../config/http/LogoutConfigTests.groovy | 25 +++++++++++++++++++
 .../authentication/logout/LogoutFilter.java | 1 +
 5 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 config/src/test/groovy/org/springframework/security/config/http/LogoutConfigTests.groovy
diff --git a/config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java
index b3a7ed34b6..a15b48b66c 100644
--- a/config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java
@@ -148,7 +148,10 @@ public class FormLoginBeanDefinitionParser {
 loginUrl = defaultLoginProcessingUrl;
 }
- filterBuilder.addPropertyValue("filterProcessesUrl", loginUrl);
+ BeanDefinitionBuilder matcherBuilder = BeanDefinitionBuilder.rootBeanDefinition("org.springframework.security.web.authentication.logout.LogoutFilter$FilterProcessUrlRequestMatcher");
+ matcherBuilder.addConstructorArgValue(loginUrl);
+
+ filterBuilder.addPropertyValue("requiresAuthenticationRequestMatcher", matcherBuilder.getBeanDefinition());
 if (StringUtils.hasText(successHandlerRef)) {
 filterBuilder.addPropertyReference("authenticationSuccessHandler", successHandlerRef);
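Review bot: The matcher class names look crossed between the two parsers: this form-login hunk builds `org.springframework.security.web.authentication.logout.LogoutFilter$FilterProcessUrlRequestMatcher` for `requiresAuthenticationRequestMatcher`, while the LogoutBeanDefinitionParser hunk builds `org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter$FilterProcessUrlRequestMatcher` for `logoutRequestMatcher`. Each filter should receive its own nested matcher so that namespace configuration keeps matching login and logout requests the way the deprecated `filterProcessesUrl` property did; if the two implementations differ (their bodies are not visible here), the swap silently changes which requests trigger authentication or logout. Swap the two string arguments passed to `rootBeanDefinition(...)`. Because the nested class is named by string with a `$` separator, a later rename would only fail at context startup, so a one-line comment above `matcherBuilder` explaining why it is referenced by name would help. The enclosing method starts and ends outside the hunk.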
diff --git a/config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java
index 57a0d46be8..dda8275c54 100644
--- a/config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java
@@ -78,7 +78,10 @@ class LogoutBeanDefinitionParser implements BeanDefinitionParser {
 if (!StringUtils.hasText(logoutUrl)) {
 logoutUrl = DEF_LOGOUT_URL;
 }
- builder.addPropertyValue("filterProcessesUrl", logoutUrl);
+ BeanDefinitionBuilder matcherBuilder = BeanDefinitionBuilder.rootBeanDefinition("org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter$FilterProcessUrlRequestMatcher");
+ matcherBuilder.addConstructorArgValue(logoutUrl);
+
+ builder.addPropertyValue("logoutRequestMatcher", matcherBuilder.getBeanDefinition());
 if (StringUtils.hasText(successHandlerRef)) {
 if (StringUtils.hasText(logoutSuccessUrl)) {
diff --git a/config/src/test/groovy/org/springframework/security/config/http/FormLoginConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/FormLoginConfigTests.groovy
index 66b1bd3b78..95523f9624 100644
--- a/config/src/test/groovy/org/springframework/security/config/http/FormLoginConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/FormLoginConfigTests.groovy
@@ -6,6 +6,8 @@ import org.springframework.security.web.access.ExceptionTranslationFilter
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
+import org.springframework.test.util.ReflectionTestUtils;
+import org.springframework.util.ReflectionUtils;
 /**
 *
@@ -102,4 +104,18 @@ class FormLoginConfigTests extends AbstractHttpConfigTests {
 apf.usernameParameter == 'xname';
 apf.passwordParameter == 'xpass'
 }
+
+ def 'SEC-2455: http@login-processing-url'() {
+ when:
+ xml.http {
+ 'form-login'('login-processing-url':'/authenticate')
+ }
+ createAppContext()
+
+ def apf = getFilter(UsernamePasswordAuthenticationFilter);
+
+ then:
+ apf.filterProcessesUrl == null // SEC-2455 setFilterProcessesUrl was not invoked
+ FieldUtils.getFieldValue(apf,'requiresAuthenticationRequestMatcher.filterProcessesUrl') == '/authenticate'
+ }
 }
diff --git a/config/src/test/groovy/org/springframework/security/config/http/LogoutConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/LogoutConfigTests.groovy
new file mode 100644
index 0000000000..49e13c425f
--- /dev/null
+++ b/config/src/test/groovy/org/springframework/security/config/http/LogoutConfigTests.groovy
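Review bot: The two imports added in the first FormLoginConfigTests hunk, `ReflectionTestUtils` and `ReflectionUtils`, are not used by the test this commit adds to the file, which calls `FieldUtils.getFieldValue(...)` instead. Drop both lines, and confirm that `org.springframework.security.util.FieldUtils` is imported in the part of the file outside the hunk (the new LogoutConfigTests imports it explicitly). In Groovy an unresolved class name would probably surface only when the test runs, not at compile time.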
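Review bot: The assertions in `'SEC-2455: http@login-processing-url'` check only the URL stored inside the matcher, so the test passes whichever filter's nested `FilterProcessUrlRequestMatcher` the parser wired in; the same holds for `'SEC-2455: logout@logout-url'` in LogoutConfigTests. The change is about which requests the filter treats as a login or logout attempt, so the `then:` block should also pin the matcher's origin, for example `FieldUtils.getFieldValue(apf,'requiresAuthenticationRequestMatcher').getClass().enclosingClass.isAssignableFrom(apf.getClass())`. A behavioural check that feeds the matcher a request for `/authenticate` and one for another path would be stronger still.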
@@ -0,0 +1,25 @@
+package org.springframework.security.config.http
+
+import org.springframework.security.util.FieldUtils
+import org.springframework.security.web.authentication.logout.LogoutFilter
+
+/**
+ *
+ * @author Rob Winch
+ */
+class LogoutConfigTests extends AbstractHttpConfigTests {
+
+ def 'SEC-2455: logout@logout-url'() {
+ when:
+ httpAutoConfig {
+ 'logout'('logout-url':'/logout')
+ }
+ createAppContext()
+
+ def lf = getFilter(LogoutFilter);
+
+ then:
+ lf.filterProcessesUrl == null // SEC-2455 setFilterProcessesUrl was not invoked
+ FieldUtils.getFieldValue(lf,'logoutRequestMatcher.filterProcessesUrl') == '/logout'
+ }
+}
\ No newline at end of file
diff --git a/web/src/main/java/org/springframework/security/web/authentication/logout/LogoutFilter.java b/web/src/main/java/org/springframework/security/web/authentication/logout/LogoutFilter.java
index 8f0dca912a..da71cfb2ae 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/logout/LogoutFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/logout/LogoutFilter.java
@@ -125,6 +125,7 @@ public class LogoutFilter extends GenericFilterBean {
 public void setLogoutRequestMatcher(RequestMatcher logoutRequestMatcher) {
 Assert.notNull(logoutRequestMatcher, "logoutRequestMatcher cannot be null");
 this.logoutRequestMatcher = logoutRequestMatcher;
+ this.filterProcessesUrl = null;
 }
 @Deprecated
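Review bot: `setLogoutRequestMatcher` in the LogoutFilter hunk now also clears `filterProcessesUrl`, and nothing on the setter documents that side effect. Once a matcher is set, any caller or subclass that still reads the deprecated URL sees `null` (the new tests rely on exactly that), so custom logout-detection code that dereferences it could start failing and leave logout requests unprocessed. Add Javadoc to the setter along the lines of `Sets the matcher that decides whether a request is a logout request; replaces and clears any URL set through the deprecated setFilterProcessesUrl.`, and a line comment on the new assignment such as `// the matcher is the single source of truth; drop the deprecated URL`. The setter lies entirely inside the hunk.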