diff --git a/itest/context/pom.xml b/itest/context/pom.xml
index 0549afce86..0eca5dfa6b 100644
--- a/itest/context/pom.xml
+++ b/itest/context/pom.xml
@@ -5,13 +5,18 @@
org.springframework.security
spring-security-itest
- 2.0.4-SNAPSHOT
+ 2.0.6.CI-SNAPSHOT
spring-security-itest-context
Spring Security - Miscellaneous Application Context Integration Tests
jar
+
+ javax.servlet
+ servlet-api
+ 2.5
+
junit
junit
diff --git a/itest/context/src/test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java b/itest/context/src/test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java
new file mode 100644
index 0000000000..28c0c97f79
--- /dev/null
+++ b/itest/context/src/test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java
@@ -0,0 +1,67 @@
+package org.springframework.security.integration;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.mock.web.MockFilterChain;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.security.context.HttpSessionContextIntegrationFilter;
+import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.util.AuthorityUtils;
+import org.springframework.security.util.FilterChainProxy;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+import javax.servlet.http.HttpSession;
+
+@ContextConfiguration(locations={"/http-path-param-stripping-app-context.xml"})
+@RunWith(SpringJUnit4ClassRunner.class)
+public class HttpPathParameterStrippingTests {
+
+ @Autowired
+ private FilterChainProxy fcp;
+
+ @Test
+ public void securedFilterChainCannotBeBypassedByAddingPathParameters() throws Exception {
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setPathInfo("/secured;x=y/admin.html");
+ request.setSession(createAuthenticatedSession("ROLE_USER"));
+ MockHttpServletResponse response = new MockHttpServletResponse();
+ fcp.doFilter(request, response, new MockFilterChain());
+ assertEquals(403, response.getStatus());
+ }
+
+ @Test
+ public void adminFilePatternCannotBeBypassedByAddingPathParameters() throws Exception {
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setServletPath("/secured/admin.html;x=user.html");
+ request.setSession(createAuthenticatedSession("ROLE_USER"));
+ MockHttpServletResponse response = new MockHttpServletResponse();
+ fcp.doFilter(request, response, new MockFilterChain());
+ assertEquals(403, response.getStatus());
+
+ // Try with pathInfo
+ request = new MockHttpServletRequest();
+ request.setServletPath("/secured");
+ request.setPathInfo("/admin.html;x=user.html");
+ request.setSession(createAuthenticatedSession("ROLE_USER"));
+ response = new MockHttpServletResponse();
+ fcp.doFilter(request, response, new MockFilterChain());
+ assertEquals(403, response.getStatus());
+ }
+
+ public HttpSession createAuthenticatedSession(String... roles) {
+ MockHttpSession session = new MockHttpSession();
+ SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("bob", "bobspassword",
+ AuthorityUtils.stringArrayToAuthorityArray(roles)));
+ session.setAttribute(HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
+ SecurityContextHolder.clearContext();
+ return session;
+ }
+
+}
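Review bot: Both tests assert only the negative outcome (403) for a ROLE_USER principal, so a FilterChainProxy that denied every request — for example an intercept-url pattern that can never match — would pass them without demonstrating that the `;x=...` path parameter is actually stripped before pattern matching. A control case that sends the same `/secured/admin.html;x=user.html` request with an authority the admin pattern accepts (presumably ROLE_ADMIN; the pattern lives in `http-path-param-stripping-app-context.xml`, whose content is not visible here) and asserts the chain was reached, e.g. `assertEquals(200, response.getStatus());`, would pin that the denial comes from role evaluation on the stripped path rather than from a blanket deny. It would also be worth a case where the separator arrives percent-encoded (`%3B`), since the stripping code and the container may decode at different points — hedged, as the filter under test is outside this diff. As a style point, `createAuthenticatedSession` mutates `SecurityContextHolder` on the test thread just to obtain a context object; building a `SecurityContextImpl`, calling `setAuthentication` on it and storing that in the session avoids touching the holder at all and removes the need for `clearContext()`.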
diff --git a/itest/context/src/test/resources/http-path-param-stripping-app-context.xml b/itest/context/src/test/resources/http-path-param-stripping-app-context.xml
new file mode 100644
index 0000000000..5a2328ae7e
--- /dev/null
+++ b/itest/context/src/test/resources/http-path-param-stripping-app-context.xml
@@ -0,0 +1,28 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/itest/pom.xml b/itest/pom.xml
index 5f16b3f54e..4694e591d9 100644
--- a/itest/pom.xml
+++ b/itest/pom.xml
@@ -1,20 +1,20 @@
- 4.0.0
+ 4.0.0
org.springframework.security
spring-security-itest
Spring Security - Integration Tests
pom
- 2.0.4-SNAPSHOT
+ 2.0.6.CI-SNAPSHOT
web
context
-
+
org.springframework
spring
- 2.5.5
+ 2.5.6.SEC02
commons-logging
@@ -25,14 +25,14 @@
org.springframework
spring-test
- 2.5.5
+ 2.5.6.SEC02
commons-logging
commons-logging
-
+
org.springframework.security
spring-security-core
@@ -58,7 +58,7 @@
commons-logging
commons-logging
-
+
org.springframework.security
@@ -69,18 +69,18 @@
commons-logging
commons-logging
-
+
+
+
+ org.aspectj
+ aspectjrt
+ 1.6.1
+
+
+ org.aspectj
+ aspectjweaver
+ 1.6.1
-
- org.aspectj
- aspectjrt
- 1.6.1
-
-
- org.aspectj
- aspectjweaver
- 1.6.1
-
org.slf4j
slf4j-api
@@ -97,7 +97,7 @@
commons-logging
commons-logging
-
+
org.apache.directory.server
@@ -128,9 +128,9 @@
commons-logging
commons-logging
-
-
-
+
+
+
org.slf4j
slf4j-log4j12
@@ -195,10 +195,10 @@
-
+
6.1.11
-
+
diff --git a/itest/web/pom.xml b/itest/web/pom.xml
index 175652368d..b24d258cb7 100644
--- a/itest/web/pom.xml
+++ b/itest/web/pom.xml
@@ -5,7 +5,7 @@
org.springframework.security
spring-security-itest
- 2.0.4-SNAPSHOT
+ 2.0.6.CI-SNAPSHOT
spring-security-itest-web
Spring Security - Web Integration Tests
@@ -36,7 +36,7 @@
jetty-naming
${jetty.version}
test
-
+
org.mortbay.jetty
jetty-plus
@@ -53,8 +53,8 @@
org.mortbay.jetty
jsp-api-2.1
${jetty.version}
-
-
+-->
-