SEC-1283: AuthenticationConfigBuilder.createAnonymousFilter uses httpElt instead of anonymousElt. Corrected element name.

2025-06-27 06:12:27 +00:00 · 2009-11-04 17:39:26 +00:00 · 2009-11-04 17:39:26 +00:00 · a2468c523a
commit a2468c523a
parent 617e517e5e
2 changed files with 17 additions and 4 deletions
--- a/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java
@ -125,7 +125,7 @@ final class AuthenticationConfigBuilder {
        Element rememberMeElt = DomUtils.getChildElementByTagName(httpElt, Elements.REMEMBER_ME);

        if (rememberMeElt != null) {
-        	String key = rememberMeElt.getAttribute(ATT_KEY);
+            String key = rememberMeElt.getAttribute(ATT_KEY);

            if (!StringUtils.hasText(key)) {
                key = DEF_KEY;
@ -370,9 +370,9 @@ final class AuthenticationConfigBuilder {
        Object source = pc.extractSource(httpElt);

        if (anonymousElt != null) {
-            grantedAuthority = httpElt.getAttribute("granted-authority");
-            username = httpElt.getAttribute("username");
-            key = httpElt.getAttribute("key");
+            grantedAuthority = anonymousElt.getAttribute("granted-authority");
+            username = anonymousElt.getAttribute("username");
+            key = anonymousElt.getAttribute("key");
            source = pc.extractSource(anonymousElt);
        }

--- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
@ -253,6 +253,18 @@ public class HttpSecurityBeanDefinitionParserTests {
        assertThat(getFilters("/anything").get(5), not(instanceOf(AnonymousAuthenticationFilter.class)));
    }

+    @Test
+    public void anonymousCustomAttributesAreSetCorrectly() throws Exception {
+        setContext(
+                "<http>" +
+                "   <form-login />" +
+                "   <anonymous enabled='true' username='joe' granted-authority='anonymity' key='customKey' />" +
+                "</http>" + AUTH_PROVIDER_XML);
+        AnonymousAuthenticationFilter filter = (AnonymousAuthenticationFilter) getFilters("/anything").get(5);
+        assertEquals("customKey", filter.getKey());
+        assertEquals("joe", filter.getUserAttribute().getPassword());
+        assertEquals("anonymity", filter.getUserAttribute().getAuthorities().get(0).getAuthority());
+    }

    @Test(expected=BeanCreationException.class)
    public void invalidLoginPageIsDetected() throws Exception {
@ -859,6 +871,7 @@ public class HttpSecurityBeanDefinitionParserTests {
        setContext(
                "    <http>" +
                "        <intercept-url pattern='/**' access='ROLE_A'/>" +
+                "        <anonymous enabled='false' />" +
                "        <form-login login-page='/login.jsp' default-target-url='/messageList.html'/>" +
                "    </http>" + AUTH_PROVIDER_XML);
        closeAppContext();