SEC-1471: Allow use of a RequestMatcher with HttpSessionRequestCache to configure which requests should be cached by calls to saveRequest.

Also removed the justUseSavedRequestOnGet property, as this behaviour can be controlled by the RequestMatcher.
This commit is contained in:
Luke Taylor 2010-06-28 18:11:14 +01:00
parent c8ceca35b4
commit 8df356de29
3 changed files with 36 additions and 24 deletions
web/src
main/java/org/springframework/security/web/savedrequest
test/java/org/springframework/security/web

View File

@ -9,9 +9,11 @@ import org.apache.commons.logging.LogFactory;
import org.springframework.security.web.PortResolver; import org.springframework.security.web.PortResolver;
import org.springframework.security.web.PortResolverImpl; import org.springframework.security.web.PortResolverImpl;
import org.springframework.security.web.WebAttributes; import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.util.AnyRequestMatcher;
import org.springframework.security.web.util.RequestMatcher;
/** /**
* <tt>RequestCache</tt> which stores the <tt>SavedRequest</tt> in the HttpSession. * {@code RequestCache} which stores the {@code SavedRequest} in the HttpSession.
* *
* The {@link DefaultSavedRequest} class is used as the implementation. * The {@link DefaultSavedRequest} class is used as the implementation.
* *
@ -23,13 +25,13 @@ public class HttpSessionRequestCache implements RequestCache {
private PortResolver portResolver = new PortResolverImpl(); private PortResolver portResolver = new PortResolverImpl();
private boolean createSessionAllowed = true; private boolean createSessionAllowed = true;
private boolean justUseSavedRequestOnGet; private RequestMatcher requestMatcher = new AnyRequestMatcher();
/** /**
* Stores the current request, provided the configuration properties allow it. * Stores the current request, provided the configuration properties allow it.
*/ */
public void saveRequest(HttpServletRequest request, HttpServletResponse response) { public void saveRequest(HttpServletRequest request, HttpServletResponse response) {
if (!justUseSavedRequestOnGet || "GET".equals(request.getMethod())) { if (requestMatcher.matches(request)) {
DefaultSavedRequest savedRequest = new DefaultSavedRequest(request, portResolver); DefaultSavedRequest savedRequest = new DefaultSavedRequest(request, portResolver);
if (createSessionAllowed || request.getSession(false) != null) { if (createSessionAllowed || request.getSession(false) != null) {
@ -38,8 +40,9 @@ public class HttpSessionRequestCache implements RequestCache {
request.getSession().setAttribute(WebAttributes.SAVED_REQUEST, savedRequest); request.getSession().setAttribute(WebAttributes.SAVED_REQUEST, savedRequest);
logger.debug("DefaultSavedRequest added to Session: " + savedRequest); logger.debug("DefaultSavedRequest added to Session: " + savedRequest);
} }
} else {
logger.debug("Request not saved as configured RequestMatcher did not match");
} }
} }
public SavedRequest getRequest(HttpServletRequest currentRequest, HttpServletResponse response) { public SavedRequest getRequest(HttpServletRequest currentRequest, HttpServletResponse response) {
@ -79,11 +82,15 @@ public class HttpSessionRequestCache implements RequestCache {
} }
/** /**
* If <code>true</code>, will only use <code>DefaultSavedRequest</code> to determine the target URL on successful * Allows selective use of saved requests for a subset of requests. By default any request will be cached
* authentication if the request that caused the authentication request was a GET. Defaults to false. * by the {@code saveRequest} method.
* <p>
* If set, only matching requests will be cached.
*
* @param requestMatcher a request matching strategy which defines which requests should be cached.
*/ */
public void setJustUseSavedRequestOnGet(boolean justUseSavedRequestOnGet) { public void setRequestMatcher(RequestMatcher requestMatcher) {
this.justUseSavedRequestOnGet = justUseSavedRequestOnGet; this.requestMatcher = requestMatcher;
} }
/** /**

View File

@ -185,22 +185,6 @@ public class ExceptionTranslationFilterTests {
assertEquals("http://www.example.com:8080/mycontext/secure/page.html", getSavedRequestUrl(request)); assertEquals("http://www.example.com:8080/mycontext/secure/page.html", getSavedRequestUrl(request));
} }
@Test
public void testSavedRequestIsNotStoredForPostIfJustUseSaveRequestOnGetIsSet() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
requestCache.setPortResolver(new MockPortResolver(8080, 8443));
requestCache.setJustUseSavedRequestOnGet(true);
filter.setRequestCache(requestCache);
filter.setAuthenticationEntryPoint(mockEntryPoint());
MockHttpServletRequest request = new MockHttpServletRequest();
FilterChain fc = mock(FilterChain.class);
doThrow(new BadCredentialsException("")).when(fc).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
request.setMethod("POST");
filter.doFilter(request, new MockHttpServletResponse(), fc);
assertTrue(request.getSession().getAttribute(WebAttributes.SAVED_REQUEST) == null);
}
@Test(expected=IllegalArgumentException.class) @Test(expected=IllegalArgumentException.class)
public void testStartupDetectsMissingAuthenticationEntryPoint() throws Exception { public void testStartupDetectsMissingAuthenticationEntryPoint() throws Exception {
ExceptionTranslationFilter filter = new ExceptionTranslationFilter(); ExceptionTranslationFilter filter = new ExceptionTranslationFilter();

View File

@ -2,10 +2,13 @@ package org.springframework.security.web.savedrequest;
import static org.junit.Assert.*; import static org.junit.Assert.*;
import javax.servlet.http.HttpServletRequest;
import org.junit.Test; import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.WebAttributes; import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.util.RequestMatcher;
/** /**
* *
@ -30,4 +33,22 @@ public class HttpSessionRequestCacheTests {
} }
@Test
public void requestMatcherDefinesCorrectSubsetOfCachedRequests() throws Exception {
HttpSessionRequestCache cache = new HttpSessionRequestCache();
cache.setRequestMatcher(new RequestMatcher() {
public boolean matches(HttpServletRequest request) {
return request.getMethod().equals("GET");
}
});
MockHttpServletRequest request = new MockHttpServletRequest("POST", "/destination");
MockHttpServletResponse response = new MockHttpServletResponse();
cache.saveRequest(request, response);
assertNull(cache.getRequest(request, response));
assertNull(cache.getRequest(new MockHttpServletRequest(), new MockHttpServletResponse()));
assertNull(cache.getMatchingRequest(request, response));
}
} }