SEC-1236: Using HTTP Method-specific intercept-urls causes patterns with no method to be ignored. Fixed by also checking null key in map if no method-specific attributes are found.

2009-09-05 15:26:07 +00:00 · 2009-09-05 15:26:07 +00:00 · f518da9d8b
parent 5bdfd8cd77
commit f518da9d8b
2 changed files with 37 additions and 15 deletions
--- a/web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java
+++ b/web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java
@ -180,28 +180,35 @@ public class DefaultFilterInvocationSecurityMetadataSource implements FilterInvo
        }

        // Obtain the map of request patterns to attributes for this method and lookup the url.
-        Map<Object, List<ConfigAttribute>> requestMap = httpMethodMap.get(method);
+        List<ConfigAttribute> attributes = extractMatchingAttributes(url, httpMethodMap.get(method));

-        // If no method-specific map, use the general one stored under the null key
-        if (requestMap == null) {
-            requestMap = httpMethodMap.get(null);
+        // If no attributes found in method-specific map, use the general one stored under the null key
+        if (attributes == null) {
+            attributes = extractMatchingAttributes(url, httpMethodMap.get(null));
        }

-        if (requestMap != null) {
-            for (Map.Entry<Object, List<ConfigAttribute>> entry : requestMap.entrySet()) {
-                Object p = entry.getKey();
-                boolean matched = urlMatcher.pathMatchesUrl(entry.getKey(), url);
+        return attributes;
+    }

-                if (logger.isDebugEnabled()) {
-                    logger.debug("Candidate is: '" + url + "'; pattern is " + p + "; matched=" + matched);
-                }
+    private List<ConfigAttribute> extractMatchingAttributes(String url, Map<Object, List<ConfigAttribute>> requestMap) {
+        if (requestMap == null) {
+            return null;
+        }

-                if (matched) {
-                    return entry.getValue();
-                }
+        final boolean debug = logger.isDebugEnabled();
+
+        for (Map.Entry<Object, List<ConfigAttribute>> entry : requestMap.entrySet()) {
+            Object p = entry.getKey();
+            boolean matched = urlMatcher.pathMatchesUrl(entry.getKey(), url);
+
+            if (debug) {
+                logger.debug("Candidate is: '" + url + "'; pattern is " + p + "; matched=" + matched);
+            }
+
+            if (matched) {
+                return entry.getValue();
            }
        }
-
        return null;
    }

--- a/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java
@ -165,6 +165,21 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
        assertEquals(postOnlyDef, attrs);
    }

+    // SEC-1236
+    @Test
+    public void mixingPatternsWithAndWithoutHttpMethodsIsSupported() throws Exception {
+        LinkedHashMap requestMap = new LinkedHashMap();
+        List<ConfigAttribute> userAttrs = SecurityConfig.createList("A");
+        requestMap.put(new RequestKey("/user/**", null), userAttrs);
+        requestMap.put(new RequestKey("/teller/**", "GET"), SecurityConfig.createList("B"));
+        fids = new DefaultFilterInvocationSecurityMetadataSource(new AntUrlPathMatcher(), requestMap);
+        fids.setStripQueryStringFromUrls(true);
+
+        FilterInvocation fi = createFilterInvocation("/user", "GET");
+        List<ConfigAttribute> attrs = fids.getAttributes(fi);
+        assertEquals(userAttrs, attrs);
+    }
+
    /**
     * Check fixes for SEC-321
     */