SEC-2882: DefaultLoginPageGeneratingFilter match on /login

Previously DefaultLoginPageGeneratingFilter would match on /**/login
which was not ideal since other parts of the application may want to
match on the URL.

Now it matches on /login.
Rob Winch 2015-03-10 11:52:26 -05:00
parent 217152c8fd
commit 9d0085bb64
2 changed files with 71 additions and 2 deletions


@ -260,9 +260,9 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
}
if ("".equals(request.getContextPath())) {
return uri.endsWith(url);
return uri.equals(url);
}
return uri.endsWith(request.getContextPath() + url);
return uri.equals(request.getContextPath() + url);
}
}
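Review bot: Nothing in the method records that the comparison in the two `uri.equals(...)` returns is deliberately exact, so a later maintainer could loosen it back to a suffix match and let this filter shadow application URLs again. I would add a comment above the comparison, e.g. `// Exact match only: a suffix match would intercept application URLs such as /api/login`. `uri` is computed above the hunk, presumably from the raw request URI, so variants such as `/login/` or a different case will not render the page and will pass down the chain; that looks like the safe direction, but it is worth stating. With `equals`, the empty-context-path branch is also redundant, because `request.getContextPath() + url` is just `url` there, so the tail can collapse to `return uri.equals(request.getContextPath() + url);`. The enclosing method starts outside this hunk.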


@ -1,5 +1,6 @@
package org.springframework.security.web.authentication;
import static org.fest.assertions.Assertions.assertThat;
import static org.mockito.Mockito.mock;
import java.util.Locale;
@ -34,6 +35,74 @@ public class DefaultLoginPageGeneratingFilterTests {
filter.doFilter(new MockHttpServletRequest("GET", "/login;pathparam=unused"), new MockHttpServletResponse(), chain);
}
@Test
public void generatesForGetLogin() throws Exception {
DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(new UsernamePasswordAuthenticationFilter());
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(new MockHttpServletRequest("GET", "/login"), response, chain);
assertThat(response.getContentAsString()).isNotEmpty();
}
@Test
public void generatesForPostLogin() throws Exception {
DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(new UsernamePasswordAuthenticationFilter());
MockHttpServletResponse response = new MockHttpServletResponse();
MockHttpServletRequest request = new MockHttpServletRequest("POST", "/login");
filter.doFilter(request, response, chain);
assertThat(response.getContentAsString()).isEmpty();
}
@Test
public void generatesForNotEmptyContextLogin() throws Exception {
DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(new UsernamePasswordAuthenticationFilter());
MockHttpServletResponse response = new MockHttpServletResponse();
MockHttpServletRequest request = new MockHttpServletRequest("GET", "/context/login");
request.setContextPath("/context");
filter.doFilter(request, response, chain);
assertThat(response.getContentAsString()).isNotEmpty();
}
@Test
public void generatesForGetApiLogin() throws Exception {
DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(new UsernamePasswordAuthenticationFilter());
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(new MockHttpServletRequest("GET", "/api/login"), response, chain);
assertThat(response.getContentAsString()).isEmpty();
}
@Test
public void generatesForWithQueryMatch() throws Exception {
DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(new UsernamePasswordAuthenticationFilter());
MockHttpServletResponse response = new MockHttpServletResponse();
MockHttpServletRequest request = new MockHttpServletRequest("GET", "/login");
request.setQueryString("error");
filter.doFilter(request, response, chain);
assertThat(response.getContentAsString()).isNotEmpty();
}
@Test
public void generatesForWithQueryNoMatch() throws Exception {
DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(new UsernamePasswordAuthenticationFilter());
MockHttpServletResponse response = new MockHttpServletResponse();
MockHttpServletRequest request = new MockHttpServletRequest("GET", "/login");
request.setQueryString("not");
filter.doFilter(request, response, chain);
assertThat(response.getContentAsString()).isEmpty();
}
@Test
public void generatingPageWithOpenIdFilterOnlyIsSuccessFul() throws Exception {