Default AntPathRequestMatcher to be case sensitive
Issue gh-3831
This commit is contained in:
@@ -16,15 +16,13 @@
|
||||
|
||||
package org.springframework.security.web.access.intercept;
|
||||
|
||||
import static org.assertj.core.api.Assertions.*;
|
||||
import static org.mockito.Mockito.mock;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.LinkedHashMap;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.access.ConfigAttribute;
|
||||
@@ -33,6 +31,9 @@ import org.springframework.security.web.FilterInvocation;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.mockito.Mockito.mock;
|
||||
|
||||
/**
|
||||
* Tests {@link DefaultFilterInvocationSecurityMetadataSource}.
|
||||
*
|
||||
@@ -46,18 +47,18 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
|
||||
// ========================================================================================================
|
||||
private void createFids(String pattern, String method) {
|
||||
LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap = new LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>>();
|
||||
requestMap.put(new AntPathRequestMatcher(pattern, method), def);
|
||||
fids = new DefaultFilterInvocationSecurityMetadataSource(requestMap);
|
||||
requestMap.put(new AntPathRequestMatcher(pattern, method), this.def);
|
||||
this.fids = new DefaultFilterInvocationSecurityMetadataSource(requestMap);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void lookupNotRequiringExactMatchSucceedsIfNotMatching() {
|
||||
createFids("/secure/super/**", null);
|
||||
|
||||
FilterInvocation fi = createFilterInvocation("/SeCuRE/super/somefile.html", null,
|
||||
FilterInvocation fi = createFilterInvocation("/secure/super/somefile.html", null,
|
||||
null, null);
|
||||
|
||||
assertThat(fids.getAttributes(fi)).isEqualTo(def);
|
||||
assertThat(this.fids.getAttributes(fi)).isEqualTo(this.def);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -66,13 +67,13 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
|
||||
*/
|
||||
@Test
|
||||
public void lookupNotRequiringExactMatchSucceedsIfSecureUrlPathContainsUpperCase() {
|
||||
createFids("/SeCuRE/super/**", null);
|
||||
createFids("/secure/super/**", null);
|
||||
|
||||
FilterInvocation fi = createFilterInvocation("/secure", "/super/somefile.html",
|
||||
null, null);
|
||||
|
||||
Collection<ConfigAttribute> response = fids.getAttributes(fi);
|
||||
assertThat(response).isEqualTo(def);
|
||||
Collection<ConfigAttribute> response = this.fids.getAttributes(fi);
|
||||
assertThat(response).isEqualTo(this.def);
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -82,8 +83,8 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
|
||||
FilterInvocation fi = createFilterInvocation("/SeCurE/super/somefile.html", null,
|
||||
null, null);
|
||||
|
||||
Collection<ConfigAttribute> response = fids.getAttributes(fi);
|
||||
assertThat(response).isEqualTo(def);
|
||||
Collection<ConfigAttribute> response = this.fids.getAttributes(fi);
|
||||
assertThat(response).isEqualTo(this.def);
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -93,8 +94,9 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
|
||||
FilterInvocation fi = createFilterInvocation("/someAdminPage.html", null,
|
||||
"a=/test", null);
|
||||
|
||||
Collection<ConfigAttribute> response = fids.getAttributes(fi);
|
||||
assertThat(response); // see SEC-161 (it should truncate after ? sign).isEqualTo(def)
|
||||
Collection<ConfigAttribute> response = this.fids.getAttributes(fi);
|
||||
assertThat(response); // see SEC-161 (it should truncate after ?
|
||||
// sign).isEqualTo(def)
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
@@ -107,8 +109,8 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
|
||||
createFids("/somepage**", "GET");
|
||||
|
||||
FilterInvocation fi = createFilterInvocation("/somepage", null, null, "GET");
|
||||
Collection<ConfigAttribute> attrs = fids.getAttributes(fi);
|
||||
assertThat(attrs).isEqualTo(def);
|
||||
Collection<ConfigAttribute> attrs = this.fids.getAttributes(fi);
|
||||
assertThat(attrs).isEqualTo(this.def);
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -116,8 +118,8 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
|
||||
createFids("/somepage**", null);
|
||||
|
||||
FilterInvocation fi = createFilterInvocation("/somepage", null, null, "GET");
|
||||
Collection<ConfigAttribute> attrs = fids.getAttributes(fi);
|
||||
assertThat(attrs).isEqualTo(def);
|
||||
Collection<ConfigAttribute> attrs = this.fids.getAttributes(fi);
|
||||
assertThat(attrs).isEqualTo(this.def);
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -125,7 +127,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
|
||||
createFids("/somepage**", "GET");
|
||||
|
||||
FilterInvocation fi = createFilterInvocation("/somepage", null, null, "POST");
|
||||
Collection<ConfigAttribute> attrs = fids.getAttributes(fi);
|
||||
Collection<ConfigAttribute> attrs = this.fids.getAttributes(fi);
|
||||
assertThat(attrs).isNull();
|
||||
}
|
||||
|
||||
@@ -138,10 +140,10 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
|
||||
requestMap.put(new AntPathRequestMatcher("/user/**", null), userAttrs);
|
||||
requestMap.put(new AntPathRequestMatcher("/teller/**", "GET"),
|
||||
SecurityConfig.createList("B"));
|
||||
fids = new DefaultFilterInvocationSecurityMetadataSource(requestMap);
|
||||
this.fids = new DefaultFilterInvocationSecurityMetadataSource(requestMap);
|
||||
|
||||
FilterInvocation fi = createFilterInvocation("/user", null, null, "GET");
|
||||
Collection<ConfigAttribute> attrs = fids.getAttributes(fi);
|
||||
Collection<ConfigAttribute> attrs = this.fids.getAttributes(fi);
|
||||
assertThat(attrs).isEqualTo(userAttrs);
|
||||
}
|
||||
|
||||
@@ -155,13 +157,13 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
|
||||
FilterInvocation fi = createFilterInvocation("/someAdminPage.html", null, null,
|
||||
null);
|
||||
|
||||
Collection<ConfigAttribute> response = fids.getAttributes(fi);
|
||||
assertThat(response).isEqualTo(def);
|
||||
Collection<ConfigAttribute> response = this.fids.getAttributes(fi);
|
||||
assertThat(response).isEqualTo(this.def);
|
||||
|
||||
fi = createFilterInvocation("/someAdminPage.html", null, "?", null);
|
||||
|
||||
response = fids.getAttributes(fi);
|
||||
assertThat(response).isEqualTo(def);
|
||||
response = this.fids.getAttributes(fi);
|
||||
assertThat(response).isEqualTo(this.def);
|
||||
}
|
||||
|
||||
private FilterInvocation createFilterInvocation(String servletPath, String pathInfo,
|
||||
|
||||
@@ -52,7 +52,8 @@ public class AntPathRequestMatcherTests {
|
||||
|
||||
@Test
|
||||
public void trailingWildcardMatchesCorrectly() {
|
||||
AntPathRequestMatcher matcher = new AntPathRequestMatcher("/blah/blAh/**");
|
||||
AntPathRequestMatcher matcher = new AntPathRequestMatcher("/blah/blAh/**", null,
|
||||
false);
|
||||
assertThat(matcher.matches(createRequest("/BLAH/blah"))).isTrue();
|
||||
assertThat(matcher.matches(createRequest("/blah/bleh"))).isFalse();
|
||||
assertThat(matcher.matches(createRequest("/blah/blah/"))).isTrue();
|
||||
@@ -64,11 +65,11 @@ public class AntPathRequestMatcherTests {
|
||||
request.setPathInfo("blah/bleh");
|
||||
assertThat(matcher.matches(request)).isTrue();
|
||||
|
||||
matcher = new AntPathRequestMatcher("/bl?h/blAh/**");
|
||||
matcher = new AntPathRequestMatcher("/bl?h/blAh/**", null, false);
|
||||
assertThat(matcher.matches(createRequest("/BLAH/Blah/aaa/"))).isTrue();
|
||||
assertThat(matcher.matches(createRequest("/bleh/Blah"))).isTrue();
|
||||
|
||||
matcher = new AntPathRequestMatcher("/blAh/**/blah/**");
|
||||
matcher = new AntPathRequestMatcher("/blAh/**/blah/**", null, false);
|
||||
assertThat(matcher.matches(createRequest("/blah/blah"))).isTrue();
|
||||
assertThat(matcher.matches(createRequest("/blah/bleh"))).isFalse();
|
||||
assertThat(matcher.matches(createRequest("/blah/aaa/blah/bbb"))).isTrue();
|
||||
@@ -76,7 +77,8 @@ public class AntPathRequestMatcherTests {
|
||||
|
||||
@Test
|
||||
public void trailingWildcardWithVariableMatchesCorrectly() {
|
||||
AntPathRequestMatcher matcher = new AntPathRequestMatcher("/{id}/blAh/**");
|
||||
AntPathRequestMatcher matcher = new AntPathRequestMatcher("/{id}/blAh/**", null,
|
||||
false);
|
||||
assertThat(matcher.matches(createRequest("/1234/blah"))).isTrue();
|
||||
assertThat(matcher.matches(createRequest("/4567/bleh"))).isFalse();
|
||||
assertThat(matcher.matches(createRequest("/paskos/blah/"))).isTrue();
|
||||
@@ -210,7 +212,7 @@ public class AntPathRequestMatcherTests {
|
||||
|
||||
@Test
|
||||
public void postProcessVariableNameCaseInsensitive() {
|
||||
AntPathRequestMatcher matcher = new AntPathRequestMatcher("/**");
|
||||
AntPathRequestMatcher matcher = new AntPathRequestMatcher("/**", null, false);
|
||||
String variableName = "userName";
|
||||
assertThat(matcher.postProcessVariableName(variableName))
|
||||
.isEqualTo(variableName.toLowerCase());
|
||||
|
||||
Reference in New Issue
Block a user