From e80853b698559b7b5389ffb6a8166f28ccdeeed4 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Mon, 15 Nov 2010 16:14:24 +0000
Subject: [PATCH] SEC-1412: DefaultSavedRequest should ignore "If-Modified-Since" headers to prevent re-displaying the login form (the cached result of the original request).

---
 .../web/savedrequest/DefaultSavedRequest.java | 68 +++++++++----------
 1 file changed, 32 insertions(+), 36 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
index ef082062d9..b759aaf6e3 100644
--- a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
+++ b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
@@ -15,18 +15,6 @@
 package org.springframework.security.web.savedrequest;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.List;
-import java.util.Locale;
-import java.util.Map;
-import java.util.TreeMap;
-
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.web.PortResolver;
@@ -34,19 +22,27 @@ import org.springframework.security.web.WebAttributes;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import java.util.*;
 /**
- * Represents central information from a HttpServletRequest.

This class is used by {@link - * org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter} and {@link org.springframework.security.web.savedrequest.SavedRequestAwareWrapper} to + * Represents central information from a HttpServletRequest. + *

+ * This class is used by {@link org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter} + * and {@link org.springframework.security.web.savedrequest.SavedRequestAwareWrapper} to * reproduce the request after successful authentication. An instance of this class is stored at the time of an - * authentication exception by {@link org.springframework.security.web.access.ExceptionTranslationFilter}.

- *

IMPLEMENTATION NOTE: It is assumed that this object is accessed only from the context of a single - * thread, so no synchronization around internal collection classes is performed.

- *

This class is based on code in Apache Tomcat.

+ * authentication exception by {@link org.springframework.security.web.access.ExceptionTranslationFilter}. + *

+ * IMPLEMENTATION NOTE: It is assumed that this object is accessed only from the context of a single + * thread, so no synchronization around internal collection classes is performed. + *

+ * This class is based on code in Apache Tomcat.
 *
 * @author Craig McClanahan
 * @author Andrey Grebnev
 * @author Ben Alex
+ * @author Luke Taylor
 */
 public class DefaultSavedRequest implements SavedRequest {
 //~ Static fields/initializers =====================================================================================
@@ -59,23 +55,24 @@ public class DefaultSavedRequest implements SavedRequest {
 public static final String SPRING_SECURITY_SAVED_REQUEST_KEY = WebAttributes.SAVED_REQUEST;
 private static final String HEADER_IF_NONE_MATCH = "If-None-Match";
+ private static final String HEADER_IF_MODIFIED_SINCE = "If-Modified-Since";
 //~ Instance fields ================================================================================================
- private ArrayList cookies = new ArrayList();
- private ArrayList locales = new ArrayList();
- private Map> headers = new TreeMap>(String.CASE_INSENSITIVE_ORDER);
- private Map parameters = new TreeMap(String.CASE_INSENSITIVE_ORDER);
- private String contextPath;
- private String method;
- private String pathInfo;
- private String queryString;
- private String requestURI;
- private String requestURL;
- private String scheme;
- private String serverName;
- private String servletPath;
- private int serverPort;
+ private final ArrayList cookies = new ArrayList();
+ private final ArrayList locales = new ArrayList();
+ private final Map> headers = new TreeMap>(String.CASE_INSENSITIVE_ORDER);
+ private final Map parameters = new TreeMap(String.CASE_INSENSITIVE_ORDER);
+ private final String contextPath;
+ private final String method;
+ private final String pathInfo;
+ private final String queryString;
+ private final String requestURI;
+ private final String requestURL;
+ private final String scheme;
+ private final String serverName;
+ private final String servletPath;
+ private final int serverPort;
 //~ Constructors ===================================================================================================
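Review bot: `import java.util.*;` on the new side replaces the eight named `java.util` imports that the first hunk removes, and the two `javax.servlet` imports now sit after the `org.springframework` group, whereas every other import in the file is explicit and grouped by package. A wildcard import lets any later addition to `java.util` collide with a simple name used here (or in another wildcard package), which an explicit list surfaces at compile time rather than by surprise. Restoring `java.util.ArrayList`, `Collection`, `Collections`, `Enumeration`, `List`, `Locale`, `Map` and `TreeMap` as separate `import` lines, placed together with the `javax.servlet` imports ahead of the `org.*` group, keeps the previous convention. The Javadoc part of this hunk only reflows text and adds an author.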
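Review bot: The newly `final` fields `cookies` and `locales` are still declared with the concrete `ArrayList` type, while `headers` and `parameters` in the same hunk are declared through the `Map` interface; `private final List<Cookie> cookies = new ArrayList<Cookie>();` and the same shape for `List<Locale> locales` make the four fields consistent and stop the implementation type leaking into the class (the element types are not visible on this page, they are presumed from the imports the patch moves). Making the fields `final` is the right direction, and `HEADER_IF_MODIFIED_SINCE` follows the naming of the existing `HEADER_IF_NONE_MATCH` constant.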
@@ -98,8 +95,8 @@ public class DefaultSavedRequest implements SavedRequest {
 while (names.hasMoreElements()) {
 String name = names.nextElement();
- // Skip If-None-Match header. SEC-1412.
- if (HEADER_IF_NONE_MATCH.equalsIgnoreCase(name)) {
+ // Skip If-Modified-Since and If-None-Match header. SEC-1412, SEC-1624.
+ if (HEADER_IF_MODIFIED_SINCE.equalsIgnoreCase(name) || HEADER_IF_NONE_MATCH.equalsIgnoreCase(name)) {
 continue;
 }
 Enumeration values = request.getHeaders(name);
@@ -195,8 +192,7 @@ public class DefaultSavedRequest implements SavedRequest {
 return false;
 }
- if (!propertyEquals("serverPort", new Integer(this.serverPort), new Integer(portResolver.getServerPort(request))))
- {
+ if (!propertyEquals("serverPort", new Integer(this.serverPort), new Integer(portResolver.getServerPort(request)))) {
 return false;
 }
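Review bot: The changed `if` now hard-codes a second header name inline, so the next conditional header to exclude means editing the loop body again instead of a declaration; a case-insensitive set beside the existing constants, `private static final Set<String> IGNORED_HEADERS = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);` filled with `HEADER_IF_MODIFIED_SINCE` and `HEADER_IF_NONE_MATCH`, reduces the check to `if (IGNORED_HEADERS.contains(name)) { continue; }` and matches the case-insensitive `TreeMap` the `headers` field already uses. The comment names the tickets but not the reason, which only the commit message gives; `// Drop conditional headers so the replayed request cannot be answered from cache with the login page. SEC-1412, SEC-1624.` keeps that knowledge next to the code. The enclosing `while` loop and the method containing it start and end outside the hunk.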