Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-24 13:02:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-3170: Null check for Java Config of RememberMeServices

Browse Source 
Added a null check in LogoutConfigurer.addLogoutHandler() method to
ensure that a logout handler is always provided..
This commit is contained in:
Nikos Kastamoulas 2015-12-15 01:21:50 +02:00 committed by Rob Winch
parent e66eb539cc
commit b28c62a6fe
3 changed files with 32 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java
View File

@ -33,6 +33,7 @@ import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuc
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter; import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
/** /**
* Adds logout support. Other {@link SecurityConfigurer} instances may invoke * Adds logout support. Other {@link SecurityConfigurer} instances may invoke
@ -85,6 +86,7 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends
* @return the {@link LogoutConfigurer} for further customization * @return the {@link LogoutConfigurer} for further customization
*/ */
public LogoutConfigurer<H> addLogoutHandler(LogoutHandler logoutHandler) { public LogoutConfigurer<H> addLogoutHandler(LogoutHandler logoutHandler) {
Assert.notNull(logoutHandler, "logoutHandler cannot be null");
this.logoutHandlers.add(logoutHandler); this.logoutHandlers.add(logoutHandler);
return this; return this;
} }

23
config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.groovy
View File

@ -15,6 +15,7 @@
*/ */
package org.springframework.security.config.annotation.web.configurers package org.springframework.security.config.annotation.web.configurers
import org.springframework.beans.factory.BeanCreationException
import org.springframework.context.annotation.Configuration import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.AnyObjectPostProcessor import org.springframework.security.config.annotation.AnyObjectPostProcessor
import org.springframework.security.config.annotation.BaseSpringSpec import org.springframework.security.config.annotation.BaseSpringSpec
@ -22,6 +23,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
import org.springframework.security.config.annotation.web.builders.HttpSecurity import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.web.authentication.RememberMeServices
import org.springframework.security.web.authentication.logout.LogoutFilter import org.springframework.security.web.authentication.logout.LogoutFilter
/** /**
@ -111,4 +113,25 @@ class LogoutConfigurerTests extends BaseSpringSpec {
.csrf().disable() .csrf().disable()
} }
} }
def "SEC-3170: LogoutConfigurer allows null LogoutHandler"() {
when:
loadConfig(RememberMeNoLogoutHandler)
request.method = "GET"
request.servletPath = "/logout"
findFilter(LogoutFilter).doFilter(request, response, chain)
then:
thrown(BeanCreationException)
}
@EnableWebSecurity
static class RememberMeNoLogoutHandler extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.rememberMe()
.rememberMeServices(Mock(RememberMeServices))
}
}
} }

8
config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.groovy
View File

@ -19,7 +19,8 @@ import org.springframework.security.config.annotation.authentication.builders.Au
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.BaseWebConfig; import org.springframework.security.config.annotation.web.configuration.BaseWebConfig;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.web.authentication.logout.LogoutHandler;
import javax.servlet.http.Cookie import javax.servlet.http.Cookie
@ -112,9 +113,12 @@ public class NamespaceRememberMeTests extends BaseSpringSpec {
} }
} }
// See SEC-3170
static interface RememberMeServicesLogoutHandler extends RememberMeServices, LogoutHandler{}
def "http/remember-me@services-ref"() { def "http/remember-me@services-ref"() {
setup: setup:
RememberMeServicesRefConfig.REMEMBER_ME_SERVICES = Mock(RememberMeServices) RememberMeServicesRefConfig.REMEMBER_ME_SERVICES = Mock(RememberMeServicesLogoutHandler)
when: "use custom remember-me services" when: "use custom remember-me services"
loadConfig(RememberMeServicesRefConfig) loadConfig(RememberMeServicesRefConfig)
then: "custom remember-me services used" then: "custom remember-me services used"