diff --git a/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionVoter.java b/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionVoter.java
index 916a23451a..6779f8077b 100644
--- a/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionVoter.java
+++ b/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionVoter.java
@@ -49,7 +49,7 @@ public class WebExpressionVoter implements AccessDecisionVoter
 }
 public boolean supports(Class clazz) {
- return clazz.isAssignableFrom(FilterInvocation.class);
+ return FilterInvocation.class.isAssignableFrom(clazz);
 }
 public void setExpressionHandler(SecurityExpressionHandler expressionHandler) {
diff --git a/web/src/test/java/org/springframework/security/web/access/expression/WebExpressionVoterTests.java b/web/src/test/java/org/springframework/security/web/access/expression/WebExpressionVoterTests.java
index 7f8e6c86f4..1ab2338b29 100644
--- a/web/src/test/java/org/springframework/security/web/access/expression/WebExpressionVoterTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/expression/WebExpressionVoterTests.java
@@ -1,5 +1,6 @@
 package org.springframework.security.web.access.expression;
+import static org.fest.assertions.Assertions.*;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
@@ -19,6 +20,10 @@ import org.springframework.security.web.FilterInvocation;
 import java.util.ArrayList;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
 /**
 * @author Luke Taylor
 */
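Review bot: In `WebExpressionVoter.supports`, nothing on the corrected `return` records which way the check is meant to run, and the operand order of `isAssignableFrom` is exactly what was inverted before, so it is easy to flip back during a later cleanup. I would add `// true for FilterInvocation and its subclasses; supertypes such as Object are not supported (SEC-2507)` directly above the `return`. The previous form answered true for every supertype of `FilterInvocation`, so the voter also claimed to support `Object`; a short Javadoc sentence on the method stating that this is no longer the case would help anyone whose configuration depended on it. A null `clazz` still ends in a `NullPointerException` (now thrown by `isAssignableFrom` itself), which matches the old behaviour but is not documented.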
@@ -63,4 +68,29 @@ public class WebExpressionVoterTests {
 assertEquals(AccessDecisionVoter.ACCESS_DENIED, voter.vote(user, fi, attributes));
 }
+ // SEC-2507
+ @Test
+ public void supportFilterInvocationSubClass() {
+ WebExpressionVoter voter = new WebExpressionVoter();
+ assertThat(voter.supports(FilterInvocationChild.class)).isTrue();
+ }
+
+ private static class FilterInvocationChild extends FilterInvocation {
+ public FilterInvocationChild(ServletRequest request,
+ ServletResponse response, FilterChain chain) {
+ super(request, response, chain);
+ }
+ }
+
+ @Test
+ public void supportFilterInvocation() {
+ WebExpressionVoter voter = new WebExpressionVoter();
+ assertThat(voter.supports(FilterInvocation.class)).isTrue();
+ }
+
+ @Test
+ public void supportsObjectIsFalse() {
+ WebExpressionVoter voter = new WebExpressionVoter();
+ assertThat(voter.supports(Object.class)).isFalse();
+ }
 }
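Review bot: The three new tests are named inconsistently (`supportFilterInvocationSubClass`, `supportFilterInvocation`, `supportsObjectIsFalse`), and the `// SEC-2507` marker sits on the first one only although all three pin the same regression. I would rename the first two to `supportsFilterInvocationSubClass` and `supportsFilterInvocation`, move the `FilterInvocationChild` helper below the last test so it does not split the group, and widen the marker to `// SEC-2507: supports() accepts FilterInvocation and its subclasses, rejects supertypes`. The wildcard `import static org.fest.assertions.Assertions.*;` added in the first hunk of this file could be narrowed to `assertThat`, the only FEST method these tests call, which also keeps it from shadowing the explicit JUnit `Assert` imports next to it.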