
SEC-1672: Provide error message when ambiguous configuration of intercept-url contains attributes filters=none and (access or requires-channel)

Rob Winch hai 14 anos
afd556412e

+ 10 - 0
config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java

@@ -1,5 +1,8 @@
 package org.springframework.security.config.http;
 
+import static org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.*;
+import static org.springframework.security.config.Elements.*;
+
 import java.util.List;
 
 import org.apache.commons.logging.Log;
@@ -112,6 +115,13 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
             if (!StringUtils.hasText(access)) {
                 continue;
             }
+            String filters = urlElt.getAttribute(ATT_FILTERS);
+            if(OPT_FILTERS_NONE.equals(filters)) {
+                parserContext.getReaderContext().error(
+                        "Ambiguous configuration. Cannot contain " + INTERCEPT_URL+"@" + ATT_FILTERS +
+                        "=\"" + OPT_FILTERS_NONE + "\" and " + INTERCEPT_URL + "@" + ATT_ACCESS,
+                        parserContext.extractSource(urlElt));
+            }
 
             String path = urlElt.getAttribute(ATT_PATTERN);
 
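Review bot: After `parserContext.getReaderContext().error(...)` the loop falls through to `String path = urlElt.getAttribute(ATT_PATTERN);` and still registers the entry, so the new check only stops the ambiguous element when the reader context's problem reporter is fail-fast; with a reporter that merely records problems, a URL declared with filters="none" would keep an access rule that no security filter ever evaluates, which is exactly the misconfiguration this commit is meant to surface. Adding `continue;` directly after the error call keeps the metadata source free of the entry regardless of reporter. The HttpConfigurationBuilder hunk below has the same fall-through for requires-channel, where the RequestKey is still built after the error call. The enclosing loop and method begin outside the hunk.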

+ 8 - 0
config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -2,6 +2,7 @@ package org.springframework.security.config.http;
 
 import static org.springframework.security.config.http.SecurityFilters.*;
 import static org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.*;
+import static org.springframework.security.config.Elements.*;
 
 import java.util.ArrayList;
 import java.util.Collections;
@@ -393,6 +394,13 @@ class HttpConfigurationBuilder {
             String requiredChannel = urlElt.getAttribute(ATT_REQUIRES_CHANNEL);
 
             if (StringUtils.hasText(requiredChannel)) {
+                String filters = urlElt.getAttribute(ATT_FILTERS);
+                if(OPT_FILTERS_NONE.equals(filters)) {
+                    pc.getReaderContext().error(
+                            "Ambiguous configuration. Cannot contain " + INTERCEPT_URL+"@" + ATT_FILTERS +
+                            "=\"" + OPT_FILTERS_NONE + "\" and " + INTERCEPT_URL + "@" + ATT_REQUIRES_CHANNEL,
+                            pc.extractSource(urlElt));
+                }
                 BeanDefinition requestKey = new RootBeanDefinition(RequestKey.class);
                 requestKey.getConstructorArgumentValues().addGenericArgumentValue(path);
 
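Review bot: The message expression starting at `"Ambiguous configuration. Cannot contain " + INTERCEPT_URL+"@" + ATT_FILTERS +` is a character-for-character duplicate of the one added to FilterInvocationSecurityMetadataSourceParser in this commit, differing only in the final attribute constant; a small static helper taking the conflicting attribute name (HttpSecurityBeanDefinitionParser, which both classes already static-import, looks like a plausible home, though that is inferred from the imports) would keep the two messages from drifting apart. Style: `if(OPT_FILTERS_NONE.equals(filters)) {` and `INTERCEPT_URL+"@"` omit the spaces that the surrounding lines use around keywords and operators. The enclosing method begins outside the hunk.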

+ 23 - 0
config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java

@@ -185,6 +185,29 @@ public class HttpSecurityBeanDefinitionParserTests {
         assertTrue(filters.size() == 0);
     }
 
+    @Test(expected=BeanDefinitionParsingException.class)
+    public void filtersEqualsNoneErrorsWithRequiresChannel() throws Exception {
+        setContext(
+                "    <http auto-config='true'>" +
+                "        <intercept-url pattern='/ambiguousConfig' requires-channel='https' filters='none' />" +
+                "    </http>" + AUTH_PROVIDER_XML);
+    }
+
+    @Test(expected=BeanDefinitionParsingException.class)
+    public void filtersEqualsNoneErrorsWithAccess() throws Exception {
+        setContext(
+                "    <http auto-config='true'>" +
+                "        <intercept-url pattern='/ambiguousConfig' access='ROLE_USER' filters='none' />" +
+                "    </http>" + AUTH_PROVIDER_XML);
+    }
+
+    @Test(expected=BeanDefinitionParsingException.class)
+    public void filtersEqualsNoneErrorsWithRequiresChannelAndAccess() throws Exception {
+        setContext(
+                "    <http auto-config='true'>" +
+                "        <intercept-url pattern='/ambiguousConfig' requires-channel='https' filters='none' />" +
+                "    </http>" + AUTH_PROVIDER_XML);
+    }
 
     @Test
     public void regexPathsWorkCorrectly() throws Exception {
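Review bot: `filtersEqualsNoneErrorsWithRequiresChannelAndAccess` uses the same `<intercept-url>` element as `filtersEqualsNoneErrorsWithRequiresChannel` — it carries no access attribute, so it does not exercise the combined case its name promises and passes for the same reason as the test two above it; the element line should read `"        <intercept-url pattern='/ambiguousConfig' requires-channel='https' access='ROLE_USER' filters='none' />" +`. Separately, `@Test(expected=BeanDefinitionParsingException.class)` checks only the exception type, so none of the three tests confirms that the message names the conflicting attribute, which is the behaviour the commit title describes; asserting on the message text in at least one of them would pin that down.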