From afd556412e1e1aa7dbbc6d959c06f9a1a8818cc3 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Sat, 5 Feb 2011 16:40:01 -0600
Subject: [PATCH] SEC-1672: Provide error message when ambiguous configuration of intercept-url contains attributes filters=none and (access or requires-channel)
---
 ...nvocationSecurityMetadataSourceParser.java | 10 ++++++++
 .../config/http/HttpConfigurationBuilder.java | 8 +++++++
 ...HttpSecurityBeanDefinitionParserTests.java | 23 +++++++++++++++++++
 3 files changed, 41 insertions(+)
diff --git a/config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java b/config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java
index 6505a7701a..b1f340366d 100644
--- a/config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java
@@ -1,5 +1,8 @@
 package org.springframework.security.config.http;
+import static org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.*;
+import static org.springframework.security.config.Elements.*;
+
 import java.util.List;
 import org.apache.commons.logging.Log;
@@ -112,6 +115,13 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
 if (!StringUtils.hasText(access)) {
 continue;
 }
+ String filters = urlElt.getAttribute(ATT_FILTERS);
+ if(OPT_FILTERS_NONE.equals(filters)) {
+ parserContext.getReaderContext().error(
+ "Ambiguous configuration. Cannot contain " + INTERCEPT_URL+"@" + ATT_FILTERS +
+ "=\"" + OPT_FILTERS_NONE + "\" and " + INTERCEPT_URL + "@" + ATT_ACCESS,
+ parserContext.extractSource(urlElt));
+ }
 String path = urlElt.getAttribute(ATT_PATTERN);
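Review bot: The added `if(OPT_FILTERS_NONE.equals(filters))` block has no comment saying why the combination is rejected, and "Ambiguous configuration" does not tell the reader that `filters="none"` appears to take the pattern out of the security filter chain, so an `access` rule on the same element would never be enforced. I would put `// filters="none" skips the security filters for this pattern, so access would be silently ignored; fail instead` above the check. The block also relies on `error(...)` throwing; if the configured problem reporter does not fail fast (not visible here), control falls through to `String path = ...` and the rule is still registered, so a `continue;` after the call would keep this path closed. The same block is repeated in the HttpConfigurationBuilder hunk with only the last attribute constant changed, and the comment applies there too; a small shared helper taking the attribute name would keep the two messages in sync. The enclosing method starts and ends outside this hunk.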
diff --git a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
index 6dafcd3789..3d2ab82bc7 100644
--- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
@@ -2,6 +2,7 @@ package org.springframework.security.config.http;
 import static org.springframework.security.config.http.SecurityFilters.*;
 import static org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.*;
+import static org.springframework.security.config.Elements.*;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -393,6 +394,13 @@ class HttpConfigurationBuilder {
 String requiredChannel = urlElt.getAttribute(ATT_REQUIRES_CHANNEL);
 if (StringUtils.hasText(requiredChannel)) {
+ String filters = urlElt.getAttribute(ATT_FILTERS);
+ if(OPT_FILTERS_NONE.equals(filters)) {
+ pc.getReaderContext().error(
+ "Ambiguous configuration. Cannot contain " + INTERCEPT_URL+"@" + ATT_FILTERS +
+ "=\"" + OPT_FILTERS_NONE + "\" and " + INTERCEPT_URL + "@" + ATT_REQUIRES_CHANNEL,
+ pc.extractSource(urlElt));
+ }
 BeanDefinition requestKey = new RootBeanDefinition(RequestKey.class);
 requestKey.getConstructorArgumentValues().addGenericArgumentValue(path);
diff --git a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
index afac521328..0a94e12d81 100644
--- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
@@ -185,6 +185,29 @@ public class HttpSecurityBeanDefinitionParserTests {
 assertTrue(filters.size() == 0);
 }
+ @Test(expected=BeanDefinitionParsingException.class)
+ public void filtersEqualsNoneErrorsWithRequiresChannel() throws Exception {
+ setContext(
+ " " +
+ " " +
+ " " + AUTH_PROVIDER_XML);
+ }
+
+ @Test(expected=BeanDefinitionParsingException.class)
+ public void filtersEqualsNoneErrorsWithAccess() throws Exception {
+ setContext(
+ " " +
+ " " +
+ " " + AUTH_PROVIDER_XML);
+ }
+
+ @Test(expected=BeanDefinitionParsingException.class)
+ public void filtersEqualsNoneErrorsWithRequiresChannelAndAccess() throws Exception {
+ setContext(
+ " " +
+ " " +
+ " " + AUTH_PROVIDER_XML);
+ }
 @Test
 public void regexPathsWorkCorrectly() throws Exception {
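Review bot: The three new tests assert only `@Test(expected=BeanDefinitionParsingException.class)`, so they pass on any parsing failure of the fixture, not just on the new ambiguity check, and `filtersEqualsNoneErrorsWithRequiresChannelAndAccess` cannot show which of the two checks fired. Catching the exception and asserting on its message, for example `assertTrue(e.getMessage().contains("Ambiguous configuration"));`, would pin each test to the behaviour this commit adds. The fixture string literals are blank in this view (`" "`), so the intercept-url attributes each test actually sets cannot be confirmed from the hunk.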