SEC-1584: Additional integration tests.

2025-07-06 02:32:14 +00:00 · 2010-10-03 22:42:07 +01:00 · 2010-10-03 22:42:07 +01:00 · ed7f589998
commit ed7f589998
parent 8f6ddb0f17
5 changed files with 133 additions and 33 deletions
--- a/itest/context/pom.xml
+++ b/itest/context/pom.xml
@ -5,13 +5,18 @@
    <parent>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-itest</artifactId>
-        <version>2.0.4-SNAPSHOT</version>
+        <version>2.0.6.CI-SNAPSHOT</version>
    </parent>
    <artifactId>spring-security-itest-context</artifactId>
    <name>Spring Security - Miscellaneous Application Context Integration Tests</name>
    <packaging>jar</packaging>

    <dependencies>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>servlet-api</artifactId>
+            <version>2.5</version>
+        </dependency>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
--- a/itest/context/src/test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java
+++ b/itest/context/src/test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java
@ -0,0 +1,67 @@
+package org.springframework.security.integration;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.mock.web.MockFilterChain;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.security.context.HttpSessionContextIntegrationFilter;
+import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.util.AuthorityUtils;
+import org.springframework.security.util.FilterChainProxy;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+import javax.servlet.http.HttpSession;
+
+@ContextConfiguration(locations={"/http-path-param-stripping-app-context.xml"})
+@RunWith(SpringJUnit4ClassRunner.class)
+public class HttpPathParameterStrippingTests {
+
+    @Autowired
+    private FilterChainProxy fcp;
+
+    @Test
+    public void securedFilterChainCannotBeBypassedByAddingPathParameters() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setPathInfo("/secured;x=y/admin.html");
+        request.setSession(createAuthenticatedSession("ROLE_USER"));
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        fcp.doFilter(request, response, new MockFilterChain());
+        assertEquals(403, response.getStatus());
+    }
+
+    @Test
+    public void adminFilePatternCannotBeBypassedByAddingPathParameters() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setServletPath("/secured/admin.html;x=user.html");
+        request.setSession(createAuthenticatedSession("ROLE_USER"));
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        fcp.doFilter(request, response, new MockFilterChain());
+        assertEquals(403, response.getStatus());
+
+        // Try with pathInfo
+        request = new MockHttpServletRequest();
+        request.setServletPath("/secured");
+        request.setPathInfo("/admin.html;x=user.html");
+        request.setSession(createAuthenticatedSession("ROLE_USER"));
+        response = new MockHttpServletResponse();
+        fcp.doFilter(request, response, new MockFilterChain());
+        assertEquals(403, response.getStatus());
+    }
+
+    public HttpSession createAuthenticatedSession(String... roles) {
+        MockHttpSession session = new MockHttpSession();
+        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("bob", "bobspassword",
+                AuthorityUtils.stringArrayToAuthorityArray(roles)));
+        session.setAttribute(HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
+        SecurityContextHolder.clearContext();
+        return session;
+    }
+
+}
--- a/itest/context/src/test/resources/http-path-param-stripping-app-context.xml
+++ b/itest/context/src/test/resources/http-path-param-stripping-app-context.xml
@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+  -
+  -->
+
+<b:beans xmlns="http://www.springframework.org/schema/security"
+    xmlns:b="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
+
+    <http>
+        <intercept-url pattern="/secured/*user.html" access="ROLE_USER" />
+        <intercept-url pattern="/secured/admin.html" access="ROLE_ADMIN" />
+        <intercept-url pattern="/secured/user/**" access="ROLE_USER" />
+        <intercept-url pattern="/secured/admin/*" access="ROLE_ADMIN" />
+        <intercept-url pattern="/**" filters="none" />
+        <form-login />
+    </http>
+
+    <authentication-provider>
+        <user-service id="userService">
+            <user name="notused" password="notused" authorities="ROLE_0,ROLE_1"/>
+        </user-service>
+    </authentication-provider>
+
+</b:beans>
--- a/itest/pom.xml
+++ b/itest/pom.xml
@ -4,7 +4,7 @@
    <artifactId>spring-security-itest</artifactId>
    <name>Spring Security - Integration Tests</name>
    <packaging>pom</packaging>
-    <version>2.0.4-SNAPSHOT</version>
+    <version>2.0.6.CI-SNAPSHOT</version>
    <modules>
        <module>web</module>
        <!-- module>webflow</module-->
@ -14,7 +14,7 @@
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring</artifactId>
-            <version>2.5.5</version>
+            <version>2.5.6.SEC02</version>
            <exclusions>
                <exclusion>
                    <groupId>commons-logging</groupId>
@ -25,7 +25,7 @@
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-test</artifactId>
-            <version>2.5.5</version>
+            <version>2.5.6.SEC02</version>
            <exclusions>
                <exclusion>
                    <groupId>commons-logging</groupId>
@ -71,16 +71,16 @@
                </exclusion>
            </exclusions>
        </dependency>
-	    <dependency>
-	        <groupId>org.aspectj</groupId>
-		    <artifactId>aspectjrt</artifactId>
-		    <version>1.6.1</version>
-	    </dependency>
-	    <dependency>
-	        <groupId>org.aspectj</groupId>
-		    <artifactId>aspectjweaver</artifactId>
-		    <version>1.6.1</version>
-	    </dependency>	            
+        <dependency>
+            <groupId>org.aspectj</groupId>
+            <artifactId>aspectjrt</artifactId>
+            <version>1.6.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.aspectj</groupId>
+            <artifactId>aspectjweaver</artifactId>
+            <version>1.6.1</version>
+        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
--- a/itest/web/pom.xml
+++ b/itest/web/pom.xml
@ -5,7 +5,7 @@
    <parent>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-itest</artifactId>
-        <version>2.0.4-SNAPSHOT</version>
+        <version>2.0.6.CI-SNAPSHOT</version>
    </parent>
    <artifactId>spring-security-itest-web</artifactId>
    <name>Spring Security - Web Integration Tests</name>