From 9e7fbf80670255e03f379d9963ae4b15e81b5673 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Mon, 28 Oct 2013 14:00:56 -0500
Subject: [PATCH] SEC-2321: Refine to use X-Requested-With: XMLHttpRequest
---
 .../annotation/web/configurers/HttpBasicConfigurer.java | 2 +-
 .../web/configurers/RequestCacheConfigurer.java | 2 +-
 .../web/configurers/RequestCacheConfigurerTests.groovy | 8 +++++---
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java
index a532ce2412..bd104bd94c 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java
@@ -89,7 +89,7 @@ public final class HttpBasicConfigurer> extends
 realmName(DEFAULT_REALM);
 LinkedHashMap entryPoints = new LinkedHashMap();
- entryPoints.put(new RequestHeaderRequestMatcher("X-Requested-With"), new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
+ entryPoints.put(new RequestHeaderRequestMatcher("X-Requested-With","XMLHttpRequest"), new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
 DelegatingAuthenticationEntryPoint defaultEntryPoint = new DelegatingAuthenticationEntryPoint(entryPoints);
 defaultEntryPoint.setDefaultEntryPoint(basicAuthEntryPoint);
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurer.java
index 68d7c96e8e..cb581c88c5 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurer.java
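Review bot: The HttpBasicConfigurer change carries no test in this patch — the diffstat touches only RequestCacheConfigurerTests — so nothing pins that a request sending `X-Requested-With: com.android` now gets the Basic challenge (a 401 with `WWW-Authenticate`) while `X-Requested-With: XMLHttpRequest` still gets the bare 401 from HttpStatusEntryPoint. The header-name/value pair is also now duplicated verbatim with the matcher in the RequestCacheConfigurer hunk; a shared constant or a small `xhrRequest()` factory would keep the two decisions (which entry point to use, whether to save the request) from drifting apart. As far as I recall RequestHeaderRequestMatcher compares the expected value with `equals`, i.e. exactly and case-sensitively, which matches what browser XMLHttpRequest sends but deserves a one-line comment: `// exact match on the value browser XHR sends; other X-Requested-With values still get the Basic challenge`. The enclosing method starts and ends outside the hunk.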
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurer.java
@@ -126,7 +126,7 @@ public final class RequestCacheConfigurer> exte
 jsonRequest.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));
 RequestMatcher notJson = new NegatedRequestMatcher(jsonRequest);
- RequestMatcher notXRequestedWith = new NegatedRequestMatcher(new RequestHeaderRequestMatcher("X-Requested-With"));
+ RequestMatcher notXRequestedWith = new NegatedRequestMatcher(new RequestHeaderRequestMatcher("X-Requested-With","XMLHttpRequest"));
 return new AndRequestMatcher(getRequests, notFavIcon, notJson, notXRequestedWith);
 }
 }
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.groovy
index 1516fb929c..ae319d4260 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.groovy
@@ -138,10 +138,10 @@ class RequestCacheConfigurerTests extends BaseSpringSpec {
 }
 @Unroll
- def "RequestCache saves Accept: #accept"() {
+ def "RequestCache saves #headerName: #headerValue"() {
 setup:
 loadConfig(RequestCacheDefautlsConfig)
- request.addHeader("Accept", accept)
+ request.addHeader(headerName, headerValue)
 request.method = "GET"
 request.servletPath = "/messages"
 request.requestURI = "/messages"
@@ -157,7 +157,9 @@ class RequestCacheConfigurerTests extends BaseSpringSpec {
 response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
 response.redirectedUrl == "http://localhost/messages"
 where:
- accept << [MediaType.ALL_VALUE, MediaType.TEXT_HTML, "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"]
+ headerName << ["Accept", "Accept", "Accept", "X-Requested-With"]
+ headerValue << [MediaType.ALL_VALUE, MediaType.TEXT_HTML, "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","com.android"]
+
 }
 @Configuration
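Review bot: The `where:` block now depends on two parallel lists (`headerName` and `headerValue`, four entries each) that only stay correct while their indices line up, which is easy to break the next time a case is added; a Spock data table with one row per header pairing makes each case explicit and self-describing in the unrolled test name. The new `"com.android"` row covers only the positive case; unless a sibling test already does so, a case asserting that a request with `X-Requested-With: XMLHttpRequest` is not saved would pin the other half of the behavior this commit changes. The method this `where:` belongs to starts outside the hunk.
```groovy
// … unchanged: expect block …
where:
headerName         | headerValue
"Accept"           | MediaType.ALL_VALUE
"Accept"           | MediaType.TEXT_HTML
"Accept"           | "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
"X-Requested-With" | "com.android"
```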