From eed71243cb86833e7edf230e5e43ad89b01142f9 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Fri, 27 Mar 2020 13:41:49 -0600 Subject: [PATCH] SwitchUserFilter Defaults to POST Fixes gh-4183 --- .../switchuser/SwitchUserFilter.java | 2 +- .../switchuser/SwitchUserFilterTests.java | 46 +++++++++++++++++-- 2 files changed, 42 insertions(+), 6 deletions(-) diff --git a/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java b/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java index c460f5a522..e7863b90ac 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java @@ -563,6 +563,6 @@ public class SwitchUserFilter extends GenericFilterBean } private static RequestMatcher createMatcher(String pattern) { - return new AntPathRequestMatcher(pattern, null, true, new UrlPathHelper()); + return new AntPathRequestMatcher(pattern, "POST", true, new UrlPathHelper()); } } diff --git a/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java index af2e24a76d..aa1affbc16 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java @@ -16,11 +16,16 @@ package org.springframework.security.web.authentication.switchuser; -import static org.assertj.core.api.Assertions.*; -import static org.mockito.Mockito.*; +import java.util.ArrayList; +import java.util.List; +import javax.servlet.FilterChain; -import org.junit.*; +import org.junit.After; +import org.junit.Before; +import org.junit.Rule; +import org.junit.Test; import org.junit.rules.ExpectedException; + import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.security.authentication.AccountExpiredException; @@ -42,8 +47,10 @@ import org.springframework.security.web.DefaultRedirectStrategy; import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler; import org.springframework.security.web.util.matcher.AnyRequestMatcher; -import javax.servlet.FilterChain; -import java.util.*; +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.never; +import static org.mockito.Mockito.verify; /** * Tests @@ -75,6 +82,7 @@ public class SwitchUserFilterTests { request.setScheme("http"); request.setServerName("localhost"); request.setRequestURI("/login/impersonate"); + request.setMethod("POST"); return request; } @@ -125,6 +133,20 @@ public class SwitchUserFilterTests { assertThat(filter.requiresExitUser(request)).isFalse(); } + @Test + // gh-4183 + public void requiresExitUserWhenGetThenDoesNotMatch() { + SwitchUserFilter filter = new SwitchUserFilter(); + + MockHttpServletRequest request = new MockHttpServletRequest(); + request.setScheme("http"); + request.setServerName("localhost"); + request.setRequestURI("/login/impersonate"); + request.setMethod("GET"); + + assertThat(filter.requiresExitUser(request)).isFalse(); + } + @Test public void requiresExitUserWhenMatcherThenWorks() { SwitchUserFilter filter = new SwitchUserFilter(); @@ -159,6 +181,20 @@ public class SwitchUserFilterTests { assertThat(filter.requiresSwitchUser(request)).isFalse(); } + @Test + // gh-4183 + public void requiresSwitchUserWhenGetThenDoesNotMatch() { + SwitchUserFilter filter = new SwitchUserFilter(); + + MockHttpServletRequest request = new MockHttpServletRequest(); + request.setScheme("http"); + request.setServerName("localhost"); + request.setRequestURI("/login/impersonate"); + request.setMethod("GET"); + + assertThat(filter.requiresSwitchUser(request)).isFalse(); + } + @Test public void requiresSwitchUserWhenMatcherThenWorks() { SwitchUserFilter filter = new SwitchUserFilter();