Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-09-08 20:51:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-1201: PropertyPlaceholderConfigurer does not work for intercept-url attributes. Ensure that channel processing handles paths which are placeholders.

Browse Source
This commit is contained in:
Luke Taylor 2009-08-23 15:57:59 +00:00
parent 9bf8656d66
commit ea01e9cdf7
2 changed files with 17 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
View File

@ -6,7 +6,6 @@ import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom; import java.security.SecureRandom;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
@ -181,7 +180,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
// Use ManagedMap to allow placeholder resolution // Use ManagedMap to allow placeholder resolution
final ManagedMap<String, List<BeanMetadataElement>> filterChainMap = final ManagedMap<String, List<BeanMetadataElement>> filterChainMap =
parseInterceptUrlsForEmptyFilterChains(interceptUrls, convertPathsToLowerCase, pc); parseInterceptUrlsForEmptyFilterChains(interceptUrls, convertPathsToLowerCase, pc);
final LinkedHashMap<RequestKey, List<ConfigAttribute>> channelRequestMap = final ManagedMap<BeanDefinition,List<ConfigAttribute>> channelRequestMap =
parseInterceptUrlsForChannelSecurity(interceptUrls, convertPathsToLowerCase, pc); parseInterceptUrlsForChannelSecurity(interceptUrls, convertPathsToLowerCase, pc);
BeanDefinition cpf = null; BeanDefinition cpf = null;
@ -894,14 +893,14 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
} }
private BeanDefinition createChannelProcessingFilter(ParserContext pc, UrlMatcher matcher, private BeanDefinition createChannelProcessingFilter(ParserContext pc, UrlMatcher matcher,
LinkedHashMap<RequestKey, List<ConfigAttribute>> channelRequestMap, String portMapperBeanName) { ManagedMap<BeanDefinition,List<ConfigAttribute>> channelRequestMap, String portMapperBeanName) {
RootBeanDefinition channelFilter = new RootBeanDefinition(ChannelProcessingFilter.class); RootBeanDefinition channelFilter = new RootBeanDefinition(ChannelProcessingFilter.class);
BeanDefinitionBuilder metadataSourceBldr = BeanDefinitionBuilder.rootBeanDefinition(DefaultFilterInvocationSecurityMetadataSource.class);
metadataSourceBldr.addConstructorArgValue(matcher);
metadataSourceBldr.addConstructorArgValue(channelRequestMap);
metadataSourceBldr.addPropertyValue("stripQueryStringFromUrls", matcher instanceof AntUrlPathMatcher);
DefaultFilterInvocationSecurityMetadataSource channelFilterInvDefSource = channelFilter.getPropertyValues().addPropertyValue("securityMetadataSource", metadataSourceBldr.getBeanDefinition());
new DefaultFilterInvocationSecurityMetadataSource(matcher, channelRequestMap);
channelFilterInvDefSource.setStripQueryStringFromUrls(matcher instanceof AntUrlPathMatcher);
channelFilter.getPropertyValues().addPropertyValue("securityMetadataSource", channelFilterInvDefSource);
RootBeanDefinition channelDecisionManager = new RootBeanDefinition(ChannelDecisionManagerImpl.class); RootBeanDefinition channelDecisionManager = new RootBeanDefinition(ChannelDecisionManagerImpl.class);
ManagedList<RootBeanDefinition> channelProcessors = new ManagedList<RootBeanDefinition>(3); ManagedList<RootBeanDefinition> channelProcessors = new ManagedList<RootBeanDefinition>(3);
RootBeanDefinition secureChannelProcessor = new RootBeanDefinition(SecureChannelProcessor.class); RootBeanDefinition secureChannelProcessor = new RootBeanDefinition(SecureChannelProcessor.class);
@ -1196,10 +1195,10 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
* map used to create the FilterInvocationDefintionSource for the FilterSecurityInterceptor. * map used to create the FilterInvocationDefintionSource for the FilterSecurityInterceptor.
* @return * @return
*/ */
LinkedHashMap<RequestKey, List<ConfigAttribute>> parseInterceptUrlsForChannelSecurity(List<Element> urlElts, private ManagedMap<BeanDefinition,List<ConfigAttribute>> parseInterceptUrlsForChannelSecurity(List<Element> urlElts,
boolean useLowerCasePaths, ParserContext parserContext) { boolean useLowerCasePaths, ParserContext parserContext) {
LinkedHashMap<RequestKey, List<ConfigAttribute>> channelRequestMap = new ManagedMap<RequestKey, List<ConfigAttribute>>(); ManagedMap<BeanDefinition, List<ConfigAttribute>> channelRequestMap = new ManagedMap<BeanDefinition, List<ConfigAttribute>>();
for (Element urlElt : urlElts) { for (Element urlElt : urlElts) {
String path = urlElt.getAttribute(ATT_PATH_PATTERN); String path = urlElt.getAttribute(ATT_PATH_PATTERN);
@ -1227,8 +1226,10 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
parserContext.getReaderContext().error("Unsupported channel " + requiredChannel, urlElt); parserContext.getReaderContext().error("Unsupported channel " + requiredChannel, urlElt);
} }
channelRequestMap.put(new RequestKey(path), BeanDefinition requestKey = new RootBeanDefinition(RequestKey.class);
SecurityConfig.createList((StringUtils.commaDelimitedListToStringArray(channelConfigAttribute)))); requestKey.getConstructorArgumentValues().addGenericArgumentValue(path);
channelRequestMap.put(requestKey, SecurityConfig.createList(channelConfigAttribute));
} }
} }

6
config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
View File

@ -390,11 +390,13 @@ public class HttpSecurityBeanDefinitionParserTests {
@Test @Test
public void requiresChannelSupportsPlaceholder() throws Exception { public void requiresChannelSupportsPlaceholder() throws Exception {
System.setProperty("secure.url", "/secure");
setContext( setContext(
" <b:bean id='configurer' class='org.springframework.beans.factory.config.PropertyPlaceholderConfigurer'/>" +
" <http auto-config='true'>" + " <http auto-config='true'>" +
" <intercept-url pattern='/**' requires-channel='https' />" + " <intercept-url pattern='${secure.url}' requires-channel='https' />" +
" </http>" + AUTH_PROVIDER_XML); " </http>" + AUTH_PROVIDER_XML);
List<Filter> filters = getFilters("/someurl"); List<Filter> filters = getFilters("/secure");
assertEquals("Expected " + (AUTO_CONFIG_FILTERS + 1) +" filters in chain", AUTO_CONFIG_FILTERS + 1, filters.size()); assertEquals("Expected " + (AUTO_CONFIG_FILTERS + 1) +" filters in chain", AUTO_CONFIG_FILTERS + 1, filters.size());