From c53fd99430739ced5289c6bbe5c50563710fa610 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Wed, 19 Sep 2012 09:35:16 -0500
Subject: [PATCH] SEC-2045: AbstractPreAuthenticationFilter afterPropertiesSet invokes super
---
 ...bstractPreAuthenticatedProcessingFilter.java | 6 ++++++
 ...ctPreAuthenticatedProcessingFilterTests.java | 17 +++++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
index 2ab32598ce..312a17802b 100755
--- a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
@@ -68,6 +68,12 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
 */
 @Override
 public void afterPropertiesSet() {
+ try {
+ super.afterPropertiesSet();
+ } catch(ServletException e) {
+ // convert to RuntimeException for passivity on afterPropertiesSet signature
+ throw new RuntimeException(e);
+ }
 Assert.notNull(authenticationManager, "An AuthenticationManager must be set");
 }
diff --git a/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java
index cd4cdd907c..6dc9c8a5e4 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java
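Review bot: In `afterPropertiesSet()` the `Assert.notNull(authenticationManager, ...)` check now runs only after `super.afterPropertiesSet()` has returned, so whatever the superclass does during initialisation (the accompanying test shows it reaches `initFilterBean()`) executes before the filter has confirmed that it has an AuthenticationManager. For an authentication filter it is cleaner to fail fast: move the `Assert.notNull(...)` line above the `try`, so a misconfigured bean is rejected with its specific message before any subclass hook runs. The wrapper would also be easier to diagnose as `throw new IllegalStateException("Filter initialization failed", e);` instead of a bare `RuntimeException`; it is still unchecked, so the signature stays passive. The method's Javadoc opens above the hunk; if it only describes property checking, it should now say that superclass initialisation is triggered as well.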
@@ -5,6 +5,7 @@ import static org.mockito.Matchers.any;
 import static org.mockito.Mockito.*;
 import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import org.junit.After;
@@ -77,6 +78,16 @@ public class AbstractPreAuthenticatedProcessingFilterTests {
 }
 }
+ // SEC-2045
+ @Test
+ public void testAfterPropertiesSetInvokesSuper() throws Exception {
+ ConcretePreAuthenticatedProcessingFilter filter = new ConcretePreAuthenticatedProcessingFilter();
+ AuthenticationManager am = mock(AuthenticationManager.class);
+ filter.setAuthenticationManager(am);
+ filter.afterPropertiesSet();
+ assertTrue(filter.initFilterBeanInvoked);
+ }
+
 @Test
 public void testDoFilterAuthenticated() throws Exception {
 testDoFilter(true);
@@ -140,12 +151,18 @@ public class AbstractPreAuthenticatedProcessingFilterTests {
 private static class ConcretePreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter {
 private String principal = "testPrincipal";
+ private boolean initFilterBeanInvoked;
 protected Object getPreAuthenticatedPrincipal(HttpServletRequest httpRequest) {
 return principal;
 }
 protected Object getPreAuthenticatedCredentials(HttpServletRequest httpRequest) {
 return "testCredentials";
 }
+ @Override
+ protected void initFilterBean() throws ServletException {
+ super.initFilterBean();
+ initFilterBeanInvoked = true;
+ }
 }
 }
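Review bot: `testAfterPropertiesSetInvokesSuper` exercises only the successful path, so the `catch(ServletException e)` branch this commit adds to the filter is never executed by the suite. A second test should make `initFilterBean()` throw and assert that `afterPropertiesSet()` surfaces an unchecked exception whose cause is the original `ServletException`; the `initFilterBean()` override added to `ConcretePreAuthenticatedProcessingFilter` in the last hunk can be overridden again in an anonymous subclass for this. The sketch below assumes the file's static JUnit import provides `fail` and `assertSame` (only `assertTrue` is visible here), and the exception message in it is a constructed sample.

```java
// … unchanged: testAfterPropertiesSetInvokesSuper …

@Test
public void testAfterPropertiesSetWrapsServletException() {
    final ServletException failure = new ServletException("constructed failure");
    ConcretePreAuthenticatedProcessingFilter filter = new ConcretePreAuthenticatedProcessingFilter() {
        @Override
        protected void initFilterBean() throws ServletException {
            throw failure;
        }
    };
    filter.setAuthenticationManager(mock(AuthenticationManager.class));
    try {
        filter.afterPropertiesSet();
        fail("expected RuntimeException");
    } catch (RuntimeException expected) {
        // the original cause must be preserved for diagnosis
        assertSame(failure, expected.getCause());
    }
}
```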