SEC-2916: disable-url-rewriting=true by default

2025-06-01 09:42:13 +00:00 · 2015-03-23 11:45:24 -05:00 · 2015-03-23 11:45:24 -05:00 · c94a5cf8e2
commit c94a5cf8e2
parent ae6af5d73c
7 changed files with 1896 additions and 1875 deletions
--- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
@ -232,6 +232,9 @@ class HttpConfigurationBuilder {
 		String repoRef = httpElt.getAttribute(ATT_SECURITY_CONTEXT_REPOSITORY);
 		String disableUrlRewriting = httpElt.getAttribute(ATT_DISABLE_URL_REWRITING);
 		if(!StringUtils.hasText(disableUrlRewriting)) {
 			disableUrlRewriting = "true";
 		}
 		if (StringUtils.hasText(repoRef)) {
 			if (sessionPolicy == SessionCreationPolicy.ALWAYS) {
--- a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc
--- a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd
@ -872,9 +872,9 @@
      </xs:attribute>
      <xs:attribute name="same-origin-disabled" type="xs:boolean">
         <xs:annotation>
-            <xs:documentation>Disables the requrement for CSRF token to be present in the Stomp headers (default false).
+            <xs:documentation>Disables the requirement for CSRF token to be present in the Stomp headers (default
-                Changing the default is useful if it is necessary to allow other origins to make SockJS
+                false). Changing the default is useful if it is necessary to allow other origins to make
-                connections.
+                SockJS connections.
                </xs:documentation>
         </xs:annotation>
      </xs:attribute>
@ -1233,7 +1233,8 @@
      </xs:attribute>
      <xs:attribute name="disable-url-rewriting" type="xs:boolean">
         <xs:annotation>
-            <xs:documentation>Prevents the jsessionid parameter from being added to rendered URLs.
+            <xs:documentation>Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true"
                (rewriting is disabled).
                </xs:documentation>
         </xs:annotation>
      </xs:attribute>
@ -1828,11 +1829,11 @@
         </xs:annotation>
      </xs:attribute>
      <xs:attribute name="remember-me-cookie" type="xs:token">
-          <xs:annotation>
+         <xs:annotation>
-              <xs:documentation>The name of cookie which store the token for remember-me authentication. Defaults to
+            <xs:documentation>The name of cookie which store the token for remember-me authentication. Defaults to
-                  'remember-me'.
+                'remember-me'.
-              </xs:documentation>
+                </xs:documentation>
-          </xs:annotation>
+         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
  <xs:attributeGroup name="token-repository-ref">
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy
@ -248,7 +248,7 @@ public class NamespaceHttpTests extends BaseSpringSpec {
 	static class EnableUrlRewritingConfig extends BaseWebConfig {
 		protected void configure(HttpSecurity http) throws Exception {
 			HttpSessionSecurityContextRepository repository = new HttpSessionSecurityContextRepository()
-			repository.disableUrlRewriting = false // explicitly configured (not necessary due to default values)
+			repository.disableUrlRewriting = false // explicitly configured
 			http.
 				securityContext()
--- a/config/src/test/groovy/org/springframework/security/config/http/HttpConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/HttpConfigTests.groovy
@ -12,32 +12,17 @@
 */
 package org.springframework.security.config.http
 import org.springframework.mock.web.MockFilterChain
 import org.springframework.mock.web.MockHttpServletRequest
 import org.springframework.mock.web.MockHttpServletResponse
 import org.springframework.security.access.AccessDeniedException
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
 import org.springframework.security.core.Authentication
 import org.springframework.security.core.authority.AuthorityUtils
 import org.springframework.security.core.context.SecurityContextImpl
 import org.springframework.security.web.access.AccessDeniedHandler
 import org.springframework.security.web.context.HttpRequestResponseHolder
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository
 import org.springframework.security.web.csrf.CsrfFilter
 import org.springframework.security.web.csrf.CsrfToken
 import org.springframework.security.web.csrf.CsrfTokenRepository
 import org.springframework.security.web.csrf.DefaultCsrfToken
 import org.springframework.security.web.util.matcher.RequestMatcher
 import org.springframework.web.servlet.support.RequestDataValueProcessor
 import spock.lang.Unroll
 import javax.servlet.http.HttpServletRequest
 import javax.servlet.http.HttpServletResponse
 import static org.mockito.Matchers.any
 import static org.mockito.Matchers.eq
 import static org.mockito.Mockito.*
 import javax.servlet.http.HttpServletResponse
 import javax.servlet.http.HttpServletResponseWrapper
 import org.springframework.mock.web.MockFilterChain
 import org.springframework.mock.web.MockHttpServletRequest
 import org.springframework.mock.web.MockHttpServletResponse
 /**
 *
 * @author Rob Winch
@ -59,4 +44,36 @@ class HttpConfigTests extends AbstractHttpConfigTests {
 		response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
 		response.redirectedUrl == 'http://localhost/login'
 	}
 	def 'http disable-url-rewriting defaults to true'() {
 		setup:
 		xml.http() {}
 		createAppContext("""<user-service>
 		<user name="user" password="password" authorities="ROLE_USER" />
 	</user-service>""")
 		HttpServletResponse testResponse = new HttpServletResponseWrapper(response) {
 			public String encodeURL(String url) {
 				throw new RuntimeException("Unexpected invocation of encodeURL")
 			}
 			public String encodeRedirectURL(String url) {
 				throw new RuntimeException("Unexpected invocation of encodeURL")
 			}
 			public String encodeUrl(String url) {
 				throw new RuntimeException("Unexpected invocation of encodeURL")
 			}
 			public String encodeRedirectUrl(String url) {
 				throw new RuntimeException("Unexpected invocation of encodeURL")
 			}
 		}
 		when: 'request protected URL'
 		springSecurityFilterChain.doFilter(request,testResponse,{ request,response->
 			response.encodeURL("/url")
 			response.encodeRedirectURL("/url")
 			response.encodeUrl("/url")
 			response.encodeRedirectUrl("/url")
 		})
 		then: 'sent to login page'
 		response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
 		response.redirectedUrl == 'http://localhost/login'
 	}
 }
--- a/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy
@ -67,7 +67,7 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
 		expect:
 		filter.forceEagerSessionCreation
 		filter.repo.allowSessionCreation
-		!filter.repo.disableUrlRewriting
+		filter.repo.disableUrlRewriting
 	}
 	def settingCreateSessionToNeverSetsFilterPropertiesCorrectly() {
--- a/docs/manual/src/docs/asciidoc/index.adoc
+++ b/docs/manual/src/docs/asciidoc/index.adoc