SEC-2916: disable-url-rewriting=true by default

2015-03-23 11:45:24 -05:00 · 2015-03-23 11:45:24 -05:00 · c94a5cf8e2
parent ae6af5d73c
commit c94a5cf8e2
7 changed files with 1896 additions and 1875 deletions
--- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
@ -232,6 +232,9 @@ class HttpConfigurationBuilder {

 		String repoRef = httpElt.getAttribute(ATT_SECURITY_CONTEXT_REPOSITORY);
 		String disableUrlRewriting = httpElt.getAttribute(ATT_DISABLE_URL_REWRITING);
+		if(!StringUtils.hasText(disableUrlRewriting)) {
+			disableUrlRewriting = "true";
+		}

 		if (StringUtils.hasText(repoRef)) {
 			if (sessionPolicy == SessionCreationPolicy.ALWAYS) {
--- a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc
@ -345,7 +345,7 @@ http.attlist &=
 	## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "true"
 	attribute once-per-request {xsd:boolean}?
 http.attlist &=
-    ## Prevents the jsessionid parameter from being added to rendered URLs.
+	## Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true" (rewriting is disabled).
 	attribute disable-url-rewriting {xsd:boolean}?
 http.attlist &=
 	## Exposes the list of filters defined by this configuration under this bean name in the application context.
--- a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd
@ -872,9 +872,9 @@
      </xs:attribute>
      <xs:attribute name="same-origin-disabled" type="xs:boolean">
         <xs:annotation>
-            <xs:documentation>Disables the requrement for CSRF token to be present in the Stomp headers (default false).
-                Changing the default is useful if it is necessary to allow other origins to make SockJS
-                connections.
+            <xs:documentation>Disables the requirement for CSRF token to be present in the Stomp headers (default
+                false). Changing the default is useful if it is necessary to allow other origins to make
+                SockJS connections.
                </xs:documentation>
         </xs:annotation>
      </xs:attribute>
@ -1233,7 +1233,8 @@
      </xs:attribute>
      <xs:attribute name="disable-url-rewriting" type="xs:boolean">
         <xs:annotation>
-            <xs:documentation>Prevents the jsessionid parameter from being added to rendered URLs.
+            <xs:documentation>Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true"
+                (rewriting is disabled).
                </xs:documentation>
         </xs:annotation>
      </xs:attribute>
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy
@ -248,7 +248,7 @@ public class NamespaceHttpTests extends BaseSpringSpec {
 	static class EnableUrlRewritingConfig extends BaseWebConfig {
 		protected void configure(HttpSecurity http) throws Exception {
 			HttpSessionSecurityContextRepository repository = new HttpSessionSecurityContextRepository()
-			repository.disableUrlRewriting = false // explicitly configured (not necessary due to default values)
+			repository.disableUrlRewriting = false // explicitly configured

 			http.
 				securityContext()
--- a/config/src/test/groovy/org/springframework/security/config/http/HttpConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/HttpConfigTests.groovy
@ -12,32 +12,17 @@
 */
 package org.springframework.security.config.http

-import org.springframework.mock.web.MockFilterChain
-import org.springframework.mock.web.MockHttpServletRequest
-import org.springframework.mock.web.MockHttpServletResponse
-import org.springframework.security.access.AccessDeniedException
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
-import org.springframework.security.core.Authentication
-import org.springframework.security.core.authority.AuthorityUtils
-import org.springframework.security.core.context.SecurityContextImpl
-import org.springframework.security.web.access.AccessDeniedHandler
-import org.springframework.security.web.context.HttpRequestResponseHolder
-import org.springframework.security.web.context.HttpSessionSecurityContextRepository
-import org.springframework.security.web.csrf.CsrfFilter
-import org.springframework.security.web.csrf.CsrfToken
-import org.springframework.security.web.csrf.CsrfTokenRepository
-import org.springframework.security.web.csrf.DefaultCsrfToken
-import org.springframework.security.web.util.matcher.RequestMatcher
-import org.springframework.web.servlet.support.RequestDataValueProcessor
-import spock.lang.Unroll
-
-import javax.servlet.http.HttpServletRequest
-import javax.servlet.http.HttpServletResponse
-
 import static org.mockito.Matchers.any
 import static org.mockito.Matchers.eq
 import static org.mockito.Mockito.*

+import javax.servlet.http.HttpServletResponse
+import javax.servlet.http.HttpServletResponseWrapper
+
+import org.springframework.mock.web.MockFilterChain
+import org.springframework.mock.web.MockHttpServletRequest
+import org.springframework.mock.web.MockHttpServletResponse
+
 /**
 *
 * @author Rob Winch
@ -59,4 +44,36 @@ class HttpConfigTests extends AbstractHttpConfigTests {
 		response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
 		response.redirectedUrl == 'http://localhost/login'
 	}
+
+	def 'http disable-url-rewriting defaults to true'() {
+		setup:
+		xml.http() {}
+		createAppContext("""<user-service>
+		<user name="user" password="password" authorities="ROLE_USER" />
+	</user-service>""")
+		HttpServletResponse testResponse = new HttpServletResponseWrapper(response) {
+			public String encodeURL(String url) {
+				throw new RuntimeException("Unexpected invocation of encodeURL")
+			}
+			public String encodeRedirectURL(String url) {
+				throw new RuntimeException("Unexpected invocation of encodeURL")
+			}
+			public String encodeUrl(String url) {
+				throw new RuntimeException("Unexpected invocation of encodeURL")
+			}
+			public String encodeRedirectUrl(String url) {
+				throw new RuntimeException("Unexpected invocation of encodeURL")
+			}
+		}
+		when: 'request protected URL'
+		springSecurityFilterChain.doFilter(request,testResponse,{ request,response->
+			response.encodeURL("/url")
+			response.encodeRedirectURL("/url")
+			response.encodeUrl("/url")
+			response.encodeRedirectUrl("/url")
+		})
+		then: 'sent to login page'
+		response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
+		response.redirectedUrl == 'http://localhost/login'
+	}
 }
--- a/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy
@ -67,7 +67,7 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
 		expect:
 		filter.forceEagerSessionCreation
 		filter.repo.allowSessionCreation
-		!filter.repo.disableUrlRewriting
+		filter.repo.disableUrlRewriting
 	}

 	def settingCreateSessionToNeverSetsFilterPropertiesCorrectly() {
--- a/docs/manual/src/docs/asciidoc/index.adoc
+++ b/docs/manual/src/docs/asciidoc/index.adoc
@ -6690,7 +6690,7 @@ Controls the eagerness with which an HTTP session is created by Spring Security

 [[nsa-http-disable-url-rewriting]]
 * **disable-url-rewriting**
-Prevents session IDs from being appended to URLs in the application. Clients must use cookies if this attribute is set to `true`. The default is `false`.
+Prevents session IDs from being appended to URLs in the application. Clients must use cookies if this attribute is set to `true`. The default is `true`.


 [[nsa-http-entry-point-ref]]