SEC-1672: Provide error message when ambiguous configuration of intercept-url contains attributes filters=none and (access or requires-channel)

Rob Winch 2011-02-05 16:40:01 -06:00
parent 187a530760
commit afd556412e
3 changed files with 41 additions and 0 deletions


@ -1,5 +1,8 @@
package org.springframework.security.config.http;
import static org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.*;
import static org.springframework.security.config.Elements.*;
import java.util.List;
import org.apache.commons.logging.Log;
@ -112,6 +115,13 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
if (!StringUtils.hasText(access)) {
continue;
}
String filters = urlElt.getAttribute(ATT_FILTERS);
if(OPT_FILTERS_NONE.equals(filters)) {
parserContext.getReaderContext().error(
"Ambiguous configuration. Cannot contain " + INTERCEPT_URL+"@" + ATT_FILTERS +
"=\"" + OPT_FILTERS_NONE + "\" and " + INTERCEPT_URL + "@" + ATT_ACCESS,
parserContext.extractSource(urlElt));
}
String path = urlElt.getAttribute(ATT_PATTERN);
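Review bot: The error raised by `parserContext.getReaderContext().error(...)` does not say which `intercept-url` is at fault, because `path` is only read on the line after the check. In a configuration with many patterns the operator has to rely on whatever `extractSource` provides to find the element whose access rule would be bypassed. Reading the pattern first (`String path = urlElt.getAttribute(ATT_PATTERN);` above the `if`) and ending the message with `+ " (pattern '" + path + "')"` would make the failure actionable. The same message is assembled again in the HttpConfigurationBuilder hunk with only the last attribute name differing, so a small shared helper would keep the two wordings in step. The enclosing method starts and ends outside the hunk.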


@ -2,6 +2,7 @@ package org.springframework.security.config.http;
import static org.springframework.security.config.http.SecurityFilters.*;
import static org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.*;
import static org.springframework.security.config.Elements.*;
import java.util.ArrayList;
import java.util.Collections;
@ -393,6 +394,13 @@ class HttpConfigurationBuilder {
String requiredChannel = urlElt.getAttribute(ATT_REQUIRES_CHANNEL);
if (StringUtils.hasText(requiredChannel)) {
String filters = urlElt.getAttribute(ATT_FILTERS);
if(OPT_FILTERS_NONE.equals(filters)) {
pc.getReaderContext().error(
"Ambiguous configuration. Cannot contain " + INTERCEPT_URL+"@" + ATT_FILTERS +
"=\"" + OPT_FILTERS_NONE + "\" and " + INTERCEPT_URL + "@" + ATT_REQUIRES_CHANNEL,
pc.extractSource(urlElt));
}
BeanDefinition requestKey = new RootBeanDefinition(RequestKey.class);
requestKey.getConstructorArgumentValues().addGenericArgumentValue(path);
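Review bot: Nothing after `pc.getReaderContext().error(...)` stops this element from being processed, so rejecting the configuration depends on the configured problem reporter throwing. If `error()` were to return, the `requestKey` for this path is still built and the channel requirement is registered for a URL whose filters are disabled, where it presumably would never be enforced. A one-line comment above the call, such as `// error() is expected to throw (fail-fast reporter); with filters="none" the requires-channel rule would otherwise be silently unenforced`, would document that assumption. The enclosing method starts and ends outside the hunk, so whether an explicit `continue` or `return` fits after the call cannot be judged from here.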


@ -185,6 +185,29 @@ public class HttpSecurityBeanDefinitionParserTests {
assertTrue(filters.size() == 0);
}
@Test(expected=BeanDefinitionParsingException.class)
public void filtersEqualsNoneErrorsWithRequiresChannel() throws Exception {
setContext(
" <http auto-config='true'>" +
" <intercept-url pattern='/ambiguousConfig' requires-channel='https' filters='none' />" +
" </http>" + AUTH_PROVIDER_XML);
}
@Test(expected=BeanDefinitionParsingException.class)
public void filtersEqualsNoneErrorsWithAccess() throws Exception {
setContext(
" <http auto-config='true'>" +
" <intercept-url pattern='/ambiguousConfig' access='ROLE_USER' filters='none' />" +
" </http>" + AUTH_PROVIDER_XML);
}
@Test(expected=BeanDefinitionParsingException.class)
public void filtersEqualsNoneErrorsWithRequiresChannelAndAccess() throws Exception {
setContext(
" <http auto-config='true'>" +
" <intercept-url pattern='/ambiguousConfig' requires-channel='https' filters='none' />" +
" </http>" + AUTH_PROVIDER_XML);
}
@Test
public void regexPathsWorkCorrectly() throws Exception {
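Review bot: `filtersEqualsNoneErrorsWithRequiresChannelAndAccess` uses exactly the same XML as `filtersEqualsNoneErrorsWithRequiresChannel`: the element carries `requires-channel='https'` and `filters='none'` but no `access`, so the combined case the test name promises is never exercised. The element line should read `" <intercept-url pattern='/ambiguousConfig' requires-channel='https' access='ROLE_USER' filters='none' />" +`. All three tests expect only `BeanDefinitionParsingException`, so they would also pass on an unrelated parse failure; asserting on the "Ambiguous configuration" message text would tie each test to the check it is meant to cover.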