SEC-1236: Using HTTP Method-specific intercept-urls causes patterns with no method to be ignored. Fixed by also checking null key in map if no method-specific attributes are found.

This commit is contained in:
Luke Taylor 2009-09-05 15:26:07 +00:00
parent 5bdfd8cd77
commit f518da9d8b
2 changed files with 37 additions and 15 deletions


@ -180,28 +180,35 @@ public class DefaultFilterInvocationSecurityMetadataSource implements FilterInvo
} }
// Obtain the map of request patterns to attributes for this method and lookup the url. // Obtain the map of request patterns to attributes for this method and lookup the url.
Map<Object, List<ConfigAttribute>> requestMap = httpMethodMap.get(method); List<ConfigAttribute> attributes = extractMatchingAttributes(url, httpMethodMap.get(method));
// If no method-specific map, use the general one stored under the null key // If no attributes found in method-specific map, use the general one stored under the null key
if (requestMap == null) { if (attributes == null) {
requestMap = httpMethodMap.get(null); attributes = extractMatchingAttributes(url, httpMethodMap.get(null));
} }
if (requestMap != null) { return attributes;
for (Map.Entry<Object, List<ConfigAttribute>> entry : requestMap.entrySet()) { }
Object p = entry.getKey();
boolean matched = urlMatcher.pathMatchesUrl(entry.getKey(), url);
if (logger.isDebugEnabled()) { private List<ConfigAttribute> extractMatchingAttributes(String url, Map<Object, List<ConfigAttribute>> requestMap) {
logger.debug("Candidate is: '" + url + "'; pattern is " + p + "; matched=" + matched); if (requestMap == null) {
} return null;
}
if (matched) { final boolean debug = logger.isDebugEnabled();
return entry.getValue();
} for (Map.Entry<Object, List<ConfigAttribute>> entry : requestMap.entrySet()) {
Object p = entry.getKey();
boolean matched = urlMatcher.pathMatchesUrl(entry.getKey(), url);
if (debug) {
logger.debug("Candidate is: '" + url + "'; pattern is " + p + "; matched=" + matched);
}
if (matched) {
return entry.getValue();
} }
} }
return null; return null;
} }
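Review bot: The fallback `if (attributes == null) { attributes = extractMatchingAttributes(url, httpMethodMap.get(null)); }` makes every method-specific pattern take precedence over every method-agnostic one, because the method-specific map is searched exhaustively before the null-key map is consulted at all, so declaration order no longer decides between a pattern declared with a method and an overlapping one declared without. Since these patterns are the authorization policy, that rule belongs in the Javadoc of the enclosing method (which starts outside the hunk): `Patterns declared for the request's HTTP method are consulted first; a method-agnostic pattern is used only when no method-specific pattern matches, irrespective of declaration order.` Separately, `extractMatchingAttributes` returns `null` both when no map exists and when nothing matches, and a matching method-specific entry with an empty attribute list would still suppress the fallback; a one-line Javadoc on it stating `@return the attributes of the first matching pattern, or null if the map is null or no pattern matches` would make that contract explicit. A point of style: `p` already holds `entry.getKey()`, so the match line can read `boolean matched = urlMatcher.pathMatchesUrl(p, url);`.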


@ -165,6 +165,21 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
assertEquals(postOnlyDef, attrs); assertEquals(postOnlyDef, attrs);
} }
// SEC-1236
@Test
public void mixingPatternsWithAndWithoutHttpMethodsIsSupported() throws Exception {
LinkedHashMap requestMap = new LinkedHashMap();
List<ConfigAttribute> userAttrs = SecurityConfig.createList("A");
requestMap.put(new RequestKey("/user/**", null), userAttrs);
requestMap.put(new RequestKey("/teller/**", "GET"), SecurityConfig.createList("B"));
fids = new DefaultFilterInvocationSecurityMetadataSource(new AntUrlPathMatcher(), requestMap);
fids.setStripQueryStringFromUrls(true);
FilterInvocation fi = createFilterInvocation("/user", "GET");
List<ConfigAttribute> attrs = fids.getAttributes(fi);
assertEquals(userAttrs, attrs);
}
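Review bot: `LinkedHashMap requestMap = new LinkedHashMap();` at the top of the new test uses raw types, so the two `put` calls are unchecked and a mismatched key or value type would only surface at runtime; declare it as `LinkedHashMap<RequestKey, List<ConfigAttribute>> requestMap = new LinkedHashMap<RequestKey, List<ConfigAttribute>>();` if the constructor accepts that parameterisation (its signature is outside the hunk). The test also only exercises the non-overlapping case, `/user/**` without a method and `/teller/**` for GET. Adding an invocation for `/teller` with POST (which presumably falls through to the method-agnostic map and, with these patterns, yields no attributes) and one where a method-specific pattern overlaps a method-agnostic one would pin down the precedence the fix introduces, which is the part of this change most likely to affect the effective authorization policy.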
/** /**
* Check fixes for SEC-321 * Check fixes for SEC-321
*/ */