From f518da9d8bb74c27ffcd72edb063d59df14ef410 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Sat, 5 Sep 2009 15:26:07 +0000
Subject: [PATCH] SEC-1236: Using HTTP Method-specific intercept-urls causes patterns with no method to be ignored. Fixed by also checking null key in map if no method-specific attributes are found.
---
 ...ilterInvocationSecurityMetadataSource.java | 37 +++++++++++--------
 ...InvocationSecurityMetadataSourceTests.java | 15 ++++++++
 2 files changed, 37 insertions(+), 15 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java b/web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java
index a3cef32bb6..d5d0225028 100644
--- a/web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java
+++ b/web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java
@@ -180,28 +180,35 @@ public class DefaultFilterInvocationSecurityMetadataSource implements FilterInvo
 }
 // Obtain the map of request patterns to attributes for this method and lookup the url.
- Map> requestMap = httpMethodMap.get(method);
+ List attributes = extractMatchingAttributes(url, httpMethodMap.get(method));
- // If no method-specific map, use the general one stored under the null key
- if (requestMap == null) {
- requestMap = httpMethodMap.get(null);
+ // If no attributes found in method-specific map, use the general one stored under the null key
+ if (attributes == null) {
+ attributes = extractMatchingAttributes(url, httpMethodMap.get(null));
 }
- if (requestMap != null) {
- for (Map.Entry> entry : requestMap.entrySet()) {
- Object p = entry.getKey();
- boolean matched = urlMatcher.pathMatchesUrl(entry.getKey(), url);
+ return attributes;
+ }
- if (logger.isDebugEnabled()) {
- logger.debug("Candidate is: '" + url + "'; pattern is " + p + "; matched=" + matched);
- }
+ private List extractMatchingAttributes(String url, Map> requestMap) {
+ if (requestMap == null) {
+ return null;
+ }
- if (matched) {
- return entry.getValue();
- }
+ final boolean debug = logger.isDebugEnabled();
+
+ for (Map.Entry> entry : requestMap.entrySet()) {
+ Object p = entry.getKey();
+ boolean matched = urlMatcher.pathMatchesUrl(entry.getKey(), url);
+
+ if (debug) {
+ logger.debug("Candidate is: '" + url + "'; pattern is " + p + "; matched=" + matched);
+ }
+
+ if (matched) {
+ return entry.getValue();
 }
 }
-
 return null;
 }
diff --git a/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java b/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java
index 865363dc0d..c3e46ecedd 100644
--- a/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java
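Review bot: The new fallback makes a method-specific entry win over a general (null-method) entry for the same URL irrespective of the order in which the patterns were declared, because `extractMatchingAttributes(url, httpMethodMap.get(method))` is fully searched before the null-key map is consulted, and neither the hunk nor the visible comments say so; a caller that built an ordered request map expecting first-match-wins across all patterns will presumably not get that across the two maps. Document it where the decision is made, e.g. `// A match in the method-specific map always takes precedence over a match in the general (null-method) map, independent of declaration order.` above the `if (attributes == null)` check. `extractMatchingAttributes` also has no Javadoc; a short one stating that it returns the attributes of the first pattern in the map's iteration order that matches the URL, or null when the map is null or nothing matches, would make the contract explicit. As a minor point of style, `p` is already `entry.getKey()`, so the match call could read `urlMatcher.pathMatchesUrl(p, url)`. The enclosing lookup method begins before the hunk, so its existing documentation is not visible here.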
+++ b/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java
@@ -165,6 +165,21 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
 assertEquals(postOnlyDef, attrs);
 }
+ // SEC-1236
+ @Test
+ public void mixingPatternsWithAndWithoutHttpMethodsIsSupported() throws Exception {
+ LinkedHashMap requestMap = new LinkedHashMap();
+ List userAttrs = SecurityConfig.createList("A");
+ requestMap.put(new RequestKey("/user/**", null), userAttrs);
+ requestMap.put(new RequestKey("/teller/**", "GET"), SecurityConfig.createList("B"));
+ fids = new DefaultFilterInvocationSecurityMetadataSource(new AntUrlPathMatcher(), requestMap);
+ fids.setStripQueryStringFromUrls(true);
+
+ FilterInvocation fi = createFilterInvocation("/user", "GET");
+ List attrs = fids.getAttributes(fi);
+ assertEquals(userAttrs, attrs);
+ }
+
 /**
 * Check fixes for SEC-321
 */
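Review bot: The new test pins only the fall-through direction (a GET for a URL that has no GET-specific pattern reaches the null-method pattern); it does not pin what the source returns when both the method-specific map and the general map match the same URL, which is the precedence the fix in DefaultFilterInvocationSecurityMetadataSource now establishes. A companion case that registers `new RequestKey("/user/**", null)` first and `new RequestKey("/user/**", "GET")` second, then asserts which attribute list `getAttributes` returns for a GET to "/user", would make that behaviour explicit and catch a regression that reverses it. The `fids` field and the `createFilterInvocation` helper are defined outside the hunk.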