SEC-2916: disable-url-rewriting=true by default
This commit is contained in:
parent
ae6af5d73c
commit
c94a5cf8e2
@ -232,6 +232,9 @@ class HttpConfigurationBuilder {
|
|||||||
|
|
||||||
String repoRef = httpElt.getAttribute(ATT_SECURITY_CONTEXT_REPOSITORY);
|
String repoRef = httpElt.getAttribute(ATT_SECURITY_CONTEXT_REPOSITORY);
|
||||||
String disableUrlRewriting = httpElt.getAttribute(ATT_DISABLE_URL_REWRITING);
|
String disableUrlRewriting = httpElt.getAttribute(ATT_DISABLE_URL_REWRITING);
|
||||||
|
if(!StringUtils.hasText(disableUrlRewriting)) {
|
||||||
|
disableUrlRewriting = "true";
|
||||||
|
}
|
||||||
|
|
||||||
if (StringUtils.hasText(repoRef)) {
|
if (StringUtils.hasText(repoRef)) {
|
||||||
if (sessionPolicy == SessionCreationPolicy.ALWAYS) {
|
if (sessionPolicy == SessionCreationPolicy.ALWAYS) {
|
||||||
|
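Review bot: The added default on the `if(!StringUtils.hasText(disableUrlRewriting))` branch is a bare `"true"` literal with nothing saying why an absent attribute now means rewriting is off, and the reason is the whole point of SEC-2916; a why-comment above the `if` would carry it, e.g. `// SEC-2916: unless explicitly enabled, never append the session id to encoded URLs`. The new `if(` also drops the space that the neighbouring `if (StringUtils.hasText(repoRef))` uses. Where `disableUrlRewriting` is consumed lies outside the hunk, as does the rest of the enclosing method, so I cannot confirm here that the string is converted to the boolean property.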
@ -872,9 +872,9 @@
|
|||||||
</xs:attribute>
|
</xs:attribute>
|
||||||
<xs:attribute name="same-origin-disabled" type="xs:boolean">
|
<xs:attribute name="same-origin-disabled" type="xs:boolean">
|
||||||
<xs:annotation>
|
<xs:annotation>
|
||||||
<xs:documentation>Disables the requrement for CSRF token to be present in the Stomp headers (default false).
|
<xs:documentation>Disables the requirement for CSRF token to be present in the Stomp headers (default
|
||||||
Changing the default is useful if it is necessary to allow other origins to make SockJS
|
false). Changing the default is useful if it is necessary to allow other origins to make
|
||||||
connections.
|
SockJS connections.
|
||||||
</xs:documentation>
|
</xs:documentation>
|
||||||
</xs:annotation>
|
</xs:annotation>
|
||||||
</xs:attribute>
|
</xs:attribute>
|
||||||
@ -1233,7 +1233,8 @@
|
|||||||
</xs:attribute>
|
</xs:attribute>
|
||||||
<xs:attribute name="disable-url-rewriting" type="xs:boolean">
|
<xs:attribute name="disable-url-rewriting" type="xs:boolean">
|
||||||
<xs:annotation>
|
<xs:annotation>
|
||||||
<xs:documentation>Prevents the jsessionid parameter from being added to rendered URLs.
|
<xs:documentation>Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true"
|
||||||
|
(rewriting is disabled).
|
||||||
</xs:documentation>
|
</xs:documentation>
|
||||||
</xs:annotation>
|
</xs:annotation>
|
||||||
</xs:attribute>
|
</xs:attribute>
|
||||||
@ -1828,11 +1829,11 @@
|
|||||||
</xs:annotation>
|
</xs:annotation>
|
||||||
</xs:attribute>
|
</xs:attribute>
|
||||||
<xs:attribute name="remember-me-cookie" type="xs:token">
|
<xs:attribute name="remember-me-cookie" type="xs:token">
|
||||||
<xs:annotation>
|
<xs:annotation>
|
||||||
<xs:documentation>The name of cookie which store the token for remember-me authentication. Defaults to
|
<xs:documentation>The name of cookie which store the token for remember-me authentication. Defaults to
|
||||||
'remember-me'.
|
'remember-me'.
|
||||||
</xs:documentation>
|
</xs:documentation>
|
||||||
</xs:annotation>
|
</xs:annotation>
|
||||||
</xs:attribute>
|
</xs:attribute>
|
||||||
</xs:attributeGroup>
|
</xs:attributeGroup>
|
||||||
<xs:attributeGroup name="token-repository-ref">
|
<xs:attributeGroup name="token-repository-ref">
|
||||||
|
@ -248,7 +248,7 @@ public class NamespaceHttpTests extends BaseSpringSpec {
|
|||||||
static class EnableUrlRewritingConfig extends BaseWebConfig {
|
static class EnableUrlRewritingConfig extends BaseWebConfig {
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
HttpSessionSecurityContextRepository repository = new HttpSessionSecurityContextRepository()
|
HttpSessionSecurityContextRepository repository = new HttpSessionSecurityContextRepository()
|
||||||
repository.disableUrlRewriting = false // explicitly configured (not necessary due to default values)
|
repository.disableUrlRewriting = false // explicitly configured
|
||||||
|
|
||||||
http.
|
http.
|
||||||
securityContext()
|
securityContext()
|
||||||
|
@ -12,32 +12,17 @@
|
|||||||
*/
|
*/
|
||||||
package org.springframework.security.config.http
|
package org.springframework.security.config.http
|
||||||
|
|
||||||
import org.springframework.mock.web.MockFilterChain
|
|
||||||
import org.springframework.mock.web.MockHttpServletRequest
|
|
||||||
import org.springframework.mock.web.MockHttpServletResponse
|
|
||||||
import org.springframework.security.access.AccessDeniedException
|
|
||||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
|
|
||||||
import org.springframework.security.core.Authentication
|
|
||||||
import org.springframework.security.core.authority.AuthorityUtils
|
|
||||||
import org.springframework.security.core.context.SecurityContextImpl
|
|
||||||
import org.springframework.security.web.access.AccessDeniedHandler
|
|
||||||
import org.springframework.security.web.context.HttpRequestResponseHolder
|
|
||||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository
|
|
||||||
import org.springframework.security.web.csrf.CsrfFilter
|
|
||||||
import org.springframework.security.web.csrf.CsrfToken
|
|
||||||
import org.springframework.security.web.csrf.CsrfTokenRepository
|
|
||||||
import org.springframework.security.web.csrf.DefaultCsrfToken
|
|
||||||
import org.springframework.security.web.util.matcher.RequestMatcher
|
|
||||||
import org.springframework.web.servlet.support.RequestDataValueProcessor
|
|
||||||
import spock.lang.Unroll
|
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletRequest
|
|
||||||
import javax.servlet.http.HttpServletResponse
|
|
||||||
|
|
||||||
import static org.mockito.Matchers.any
|
import static org.mockito.Matchers.any
|
||||||
import static org.mockito.Matchers.eq
|
import static org.mockito.Matchers.eq
|
||||||
import static org.mockito.Mockito.*
|
import static org.mockito.Mockito.*
|
||||||
|
|
||||||
|
import javax.servlet.http.HttpServletResponse
|
||||||
|
import javax.servlet.http.HttpServletResponseWrapper
|
||||||
|
|
||||||
|
import org.springframework.mock.web.MockFilterChain
|
||||||
|
import org.springframework.mock.web.MockHttpServletRequest
|
||||||
|
import org.springframework.mock.web.MockHttpServletResponse
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* @author Rob Winch
|
* @author Rob Winch
|
||||||
@ -59,4 +44,36 @@ class HttpConfigTests extends AbstractHttpConfigTests {
|
|||||||
response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
|
response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
|
||||||
response.redirectedUrl == 'http://localhost/login'
|
response.redirectedUrl == 'http://localhost/login'
|
||||||
}
|
}
|
||||||
|
|
||||||
|
def 'http disable-url-rewriting defaults to true'() {
|
||||||
|
setup:
|
||||||
|
xml.http() {}
|
||||||
|
createAppContext("""<user-service>
|
||||||
|
<user name="user" password="password" authorities="ROLE_USER" />
|
||||||
|
</user-service>""")
|
||||||
|
HttpServletResponse testResponse = new HttpServletResponseWrapper(response) {
|
||||||
|
public String encodeURL(String url) {
|
||||||
|
throw new RuntimeException("Unexpected invocation of encodeURL")
|
||||||
|
}
|
||||||
|
public String encodeRedirectURL(String url) {
|
||||||
|
throw new RuntimeException("Unexpected invocation of encodeURL")
|
||||||
|
}
|
||||||
|
public String encodeUrl(String url) {
|
||||||
|
throw new RuntimeException("Unexpected invocation of encodeURL")
|
||||||
|
}
|
||||||
|
public String encodeRedirectUrl(String url) {
|
||||||
|
throw new RuntimeException("Unexpected invocation of encodeURL")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
when: 'request protected URL'
|
||||||
|
springSecurityFilterChain.doFilter(request,testResponse,{ request,response->
|
||||||
|
response.encodeURL("/url")
|
||||||
|
response.encodeRedirectURL("/url")
|
||||||
|
response.encodeUrl("/url")
|
||||||
|
response.encodeRedirectUrl("/url")
|
||||||
|
})
|
||||||
|
then: 'sent to login page'
|
||||||
|
response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
|
||||||
|
response.redirectedUrl == 'http://localhost/login'
|
||||||
|
}
|
||||||
}
|
}
|
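Review bot: All four overrides on `testResponse` in the new 'http disable-url-rewriting defaults to true' test throw the same message "Unexpected invocation of encodeURL", so a failure from `encodeRedirectURL`, `encodeUrl` or `encodeRedirectUrl` would misreport which method the filter chain actually called; each override should name its own method, e.g. `throw new RuntimeException("Unexpected invocation of encodeRedirectURL")`. The `then:` block asserts on `response` while the chain was given `testResponse`; that presumably works because the wrapper delegates status and redirect to the wrapped response, but a one-line comment saying so would spare the next reader the question. The `xml.http() {}` setup relies on the namespace default being exercised by the redirect to the login page rather than by the closure body, which may never run if the filter chain short-circuits; the test is still valid for the default, but the closure's encode calls are then dead.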
@ -67,7 +67,7 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
|
|||||||
expect:
|
expect:
|
||||||
filter.forceEagerSessionCreation
|
filter.forceEagerSessionCreation
|
||||||
filter.repo.allowSessionCreation
|
filter.repo.allowSessionCreation
|
||||||
!filter.repo.disableUrlRewriting
|
filter.repo.disableUrlRewriting
|
||||||
}
|
}
|
||||||
|
|
||||||
def settingCreateSessionToNeverSetsFilterPropertiesCorrectly() {
|
def settingCreateSessionToNeverSetsFilterPropertiesCorrectly() {
|
||||||
|