SEC-2243: Remove additional Debug Filter

2025-10-30 22:28:46 +00:00 · 2013-09-26 11:38:16 -05:00 · 2013-09-26 11:38:16 -05:00 · cea0cf9260
commit cea0cf9260
parent 56ce7d284c
10 changed files with 26 additions and 207 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/DebugFilter.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/DebugFilter.java
@ -1,191 +0,0 @@
 /*
 * Copyright 2002-2013 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.springframework.security.config.annotation.web.builders;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.io.StringWriter;
 import java.util.List;
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.util.UrlUtils;
 /**
 * Spring Security debugging filter.
 * <p>
 * Logs information (such as session creation) to help the user understand how requests are being handled
 * by Spring Security and provide them with other relevant information (such as when sessions are being created).
 *
 *
 * @author Luke Taylor
 * @author Rob Winch
 * @since 3.1
 */
 class DebugFilter implements Filter {
    private static final String ALREADY_FILTERED_ATTR_NAME = DebugFilter.class.getName().concat(".FILTERED");
    private final FilterChainProxy fcp;
    private final Logger logger = new Logger();
    public DebugFilter(FilterChainProxy fcp) {
        this.fcp = fcp;
    }
    public final void doFilter(ServletRequest srvltRequest, ServletResponse srvltResponse, FilterChain filterChain)
            throws ServletException, IOException {
        if (!(srvltRequest instanceof HttpServletRequest) || !(srvltResponse instanceof HttpServletResponse)) {
            throw new ServletException("DebugFilter just supports HTTP requests");
        }
        HttpServletRequest request = (HttpServletRequest) srvltRequest;
        HttpServletResponse response = (HttpServletResponse) srvltResponse;
        List<Filter> filters = getFilters(request);
        logger.log("Request received for '" + UrlUtils.buildRequestUrl(request) + "':\n\n" +
                request + "\n\n" +
                "servletPath:" + request.getServletPath() + "\n" +
                "pathInfo:" + request.getPathInfo() + "\n\n" +
                formatFilters(filters));
        if (request.getAttribute(ALREADY_FILTERED_ATTR_NAME) == null) {
            invokeWithWrappedRequest(request, response, filterChain);
        } else {
            fcp.doFilter(request, response, filterChain);
        }
    }
    private void invokeWithWrappedRequest(HttpServletRequest request,
            HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
        request.setAttribute(ALREADY_FILTERED_ATTR_NAME, Boolean.TRUE);
        request = new DebugRequestWrapper(request);
        try {
            fcp.doFilter(request, response, filterChain);
        }
        finally {
            request.removeAttribute(ALREADY_FILTERED_ATTR_NAME);
        }
    }
    String formatFilters(List<Filter> filters) {
        StringBuilder sb = new StringBuilder();
        sb.append("Security filter chain: ");
        if (filters == null) {
            sb.append("no match");
        } else if (filters.isEmpty()) {
            sb.append("[] empty (bypassed by security='none') ");
        } else {
            sb.append("[\n");
            for (Filter f : filters) {
                sb.append("  ").append(f.getClass().getSimpleName()).append("\n");
            }
            sb.append("]");
        }
        return sb.toString();
    }
    private List<Filter> getFilters(HttpServletRequest request)  {
        for (SecurityFilterChain chain : fcp.getFilterChains()) {
            if (chain.matches(request)) {
                return chain.getFilters();
            }
        }
        return null;
    }
    public void init(FilterConfig filterConfig) throws ServletException {
    }
    public void destroy() {
    }
 }
 class DebugRequestWrapper extends HttpServletRequestWrapper {
    private static final Logger logger = new Logger();
    public DebugRequestWrapper(HttpServletRequest request) {
        super(request);
    }
    @Override
    public HttpSession getSession() {
        boolean sessionExists = super.getSession(false) != null;
        HttpSession session = super.getSession();
        if (!sessionExists) {
            logger.log("New HTTP session created: " + session.getId(), true);
        }
        return session;
    }
    @Override
    public HttpSession getSession(boolean create) {
        if (!create) {
            return super.getSession(create);
        }
        return getSession();
    }
 }
 /**
 * Controls output for the Spring Security debug feature.
 *
 * @author Luke Taylor
 * @since 3.1
 */
 final class Logger {
    final static Log logger = LogFactory.getLog("Spring Security Debugger");
    void log(String message) {
        log(message, false);
    }
    void log(String message, boolean dumpStack) {
        StringBuilder output = new StringBuilder(256);
        output.append("\n\n************************************************************\n\n");
        output.append(message).append("\n");
        if (dumpStack) {
            StringWriter os = new StringWriter();
            new Exception().printStackTrace(new PrintWriter(os));
            StringBuffer buffer = os.getBuffer();
            // Remove the exception in case it scares people.
            int start = buffer.indexOf("java.lang.Exception");
            buffer.replace(start, start + 19, "");
            output.append("\nCall stack: \n").append(os.toString());
        }
        output.append("\n\n************************************************************\n\n");
        logger.info(output.toString());
    }
 }
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
@ -40,6 +40,7 @@ import org.springframework.security.web.access.DefaultWebInvocationPrivilegeEval
 import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.debug.DebugFilter;
 import org.springframework.security.web.firewall.DefaultHttpFirewall;
 import org.springframework.security.web.firewall.HttpFirewall;
 import org.springframework.security.web.util.RequestMatcher;
--- a/config/src/main/java/org/springframework/security/config/debug/SecurityDebugBeanFactoryPostProcessor.java
+++ b/config/src/main/java/org/springframework/security/config/debug/SecurityDebugBeanFactoryPostProcessor.java
@ -15,6 +15,8 @@
 */
 package org.springframework.security.config.debug;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
@ -22,15 +24,17 @@ import org.springframework.beans.factory.support.BeanDefinitionBuilder;
 import org.springframework.beans.factory.support.BeanDefinitionRegistry;
 import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor;
 import org.springframework.security.config.BeanIds;
 import org.springframework.security.web.debug.DebugFilter;
 /**
 * @author Luke Taylor
 * @author Rob Winch
 */
 public class SecurityDebugBeanFactoryPostProcessor implements BeanDefinitionRegistryPostProcessor {
    private final Log logger = LogFactory.getLog(getClass());
    public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry) throws BeansException {
-        Logger.logger.warn("\n\n" +
+        logger.warn("\n\n" +
                "********************************************************************\n" +
                "**********        Security debugging is enabled.       *************\n" +
                "**********    This may include sensitive information.  *************\n" +
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.groovy
@ -23,9 +23,9 @@ import org.springframework.security.authentication.AuthenticationManager
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
 import org.springframework.security.config.annotation.BaseSpringSpec
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
 import org.springframework.security.config.annotation.web.builders.DebugFilter;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter
 import org.springframework.security.web.debug.DebugFilter;
 class EnableWebSecurityTests extends BaseSpringSpec {
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceDebugTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceDebugTests.groovy
@ -29,7 +29,6 @@ import org.springframework.security.access.ConfigAttribute
 import org.springframework.security.authentication.AnonymousAuthenticationToken
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.BaseSpringSpec
 import org.springframework.security.config.annotation.web.builders.DebugFilter;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.Authentication;
@ -49,6 +48,7 @@ import org.springframework.security.web.authentication.www.BasicAuthenticationFi
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.NullSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.debug.DebugFilter;
 import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
 import org.springframework.security.web.util.AntPathRequestMatcher
--- a/config/src/test/groovy/org/springframework/security/config/debug/SecurityDebugBeanFactoryPostProcessorTest.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/debug/SecurityDebugBeanFactoryPostProcessorTest.groovy
@ -18,6 +18,7 @@ package org.springframework.security.config.debug
 import org.springframework.security.config.BeanIds
 import org.springframework.security.config.http.AbstractHttpConfigTests
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.debug.DebugFilter;
 class SecurityDebugBeanFactoryPostProcessorTest extends AbstractHttpConfigTests {
--- a/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy
@ -55,6 +55,7 @@ import org.springframework.security.web.authentication.www.BasicAuthenticationFi
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository
 import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 import org.springframework.security.web.debug.DebugFilter;
 import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter
@ -620,7 +621,7 @@ class MiscHttpConfigTests extends AbstractHttpConfigTests {
        request.addParameter("j_username", "bob");
        request.addParameter("j_password", "bobspassword");
        then: "App context creation and login request succeed"
-        Filter debugFilter = appContext.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN);
+        DebugFilter debugFilter = appContext.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN);
        debugFilter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
        appListener.events.size() == 2
        appListener.authenticationEvents.size() == 2
--- a/config/src/main/java/org/springframework/security/config/debug/DebugFilter.java
+++ b/config/src/main/java/org/springframework/security/config/debug/DebugFilter.java
@ -1,4 +1,4 @@
-package org.springframework.security.config.debug;
+package org.springframework.security.web.debug;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
@ -28,7 +28,7 @@ import java.util.*;
 * @author Rob Winch
 * @since 3.1
 */
-class DebugFilter implements Filter {
+public final class DebugFilter implements Filter {
    private static final String ALREADY_FILTERED_ATTR_NAME = DebugFilter.class.getName().concat(".FILTERED");
    private final FilterChainProxy fcp;
@ -48,7 +48,7 @@ class DebugFilter implements Filter {
        HttpServletResponse response = (HttpServletResponse) srvltResponse;
        List<Filter> filters = getFilters(request);
-        logger.log("Request received for '" + UrlUtils.buildRequestUrl(request) + "':\n\n" +
+        logger.info("Request received for '" + UrlUtils.buildRequestUrl(request) + "':\n\n" +
                request + "\n\n" +
                "servletPath:" + request.getServletPath() + "\n" +
                "pathInfo:" + request.getPathInfo() + "\n\n" +
@ -121,7 +121,7 @@ class DebugRequestWrapper extends HttpServletRequestWrapper {
        HttpSession session = super.getSession();
        if (!sessionExists) {
-            logger.log("New HTTP session created: " + session.getId(), true);
+            logger.info("New HTTP session created: " + session.getId(), true);
        }
        return session;
--- a/config/src/main/java/org/springframework/security/config/debug/Logger.java
+++ b/config/src/main/java/org/springframework/security/config/debug/Logger.java
@ -1,4 +1,4 @@
-package org.springframework.security.config.debug;
+package org.springframework.security.web.debug;
 import java.io.PrintWriter;
 import java.io.StringWriter;
@ -13,13 +13,13 @@ import org.apache.commons.logging.LogFactory;
 * @since 3.1
 */
 final class Logger {
-    final static Log logger = LogFactory.getLog("Spring Security Debugger");
+    private static final Log logger = LogFactory.getLog("Spring Security Debugger");
-    void log(String message) {
+    public void info(String message) {
-        log(message, false);
+        info(message, false);
    }
-    void log(String message, boolean dumpStack) {
+    public void info(String message, boolean dumpStack) {
        StringBuilder output = new StringBuilder(256);
        output.append("\n\n************************************************************\n\n");
        output.append(message).append("\n");
--- a/config/src/test/java/org/springframework/security/config/debug/DebugFilterTest.java
+++ b/config/src/test/java/org/springframework/security/config/debug/DebugFilterTest.java
@ -1,4 +1,4 @@
-package org.springframework.security.config.debug;
+package org.springframework.security.web.debug;
 import static org.junit.Assert.assertEquals;
 import static org.mockito.Matchers.anyString;
@ -22,6 +22,9 @@ import org.powermock.core.classloader.annotations.PrepareOnlyThisForTest;
 import org.powermock.modules.junit4.PowerMockRunner;
 import org.powermock.reflect.internal.WhiteboxImpl;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.debug.DebugFilter;
 import org.springframework.security.web.debug.DebugRequestWrapper;
 import org.springframework.security.web.debug.Logger;
 /**
 *
@ -60,7 +63,7 @@ public class DebugFilterTest {
    public void doFilterProcessesRequests() throws Exception {
        filter.doFilter(request, response, filterChain);
-        verify(logger).log(anyString());
+        verify(logger).info(anyString());
        verify(request).setAttribute(requestAttr, Boolean.TRUE);
        verify(fcp).doFilter(requestCaptor.capture(), eq(response), eq(filterChain));
        assertEquals(DebugRequestWrapper.class,requestCaptor.getValue().getClass());
@ -75,7 +78,7 @@ public class DebugFilterTest {
        filter.doFilter(request, response, filterChain);
-        verify(logger).log(anyString());
+        verify(logger).info(anyString());
        verify(fcp).doFilter(request, response, filterChain);
        verify(this.request,never()).removeAttribute(requestAttr);
    }