diff --git a/web/src/main/java/org/springframework/security/web/access/expression/PathVariableSecurityEvaluationContextPostProcessor.java b/web/src/main/java/org/springframework/security/web/access/expression/PathVariableSecurityEvaluationContextPostProcessor.java index ed8a68718f..c153c9e724 100644 --- a/web/src/main/java/org/springframework/security/web/access/expression/PathVariableSecurityEvaluationContextPostProcessor.java +++ b/web/src/main/java/org/springframework/security/web/access/expression/PathVariableSecurityEvaluationContextPostProcessor.java @@ -17,6 +17,8 @@ package org.springframework.security.web.access.expression; import java.util.Map; +import javax.servlet.http.HttpServletRequest; + import org.springframework.expression.EvaluationContext; import org.springframework.security.web.FilterInvocation; import org.springframework.util.AntPathMatcher; @@ -51,11 +53,22 @@ class PathVariableSecurityEvaluationContextPostProcessor implements SecurityEval if(antPattern == null) { return context; } - Map variables = matcher.extractUriTemplateVariables(antPattern, invocation.getRequestUrl()); + + String path = getRequestPath(invocation.getHttpRequest()); + Map variables = matcher.extractUriTemplateVariables(antPattern, path); for(Map.Entry entry : variables.entrySet()) { context.setVariable(entry.getKey(), entry.getValue()); } return context; } + private String getRequestPath(HttpServletRequest request) { + String url = request.getServletPath(); + + if (request.getPathInfo() != null) { + url += request.getPathInfo(); + } + + return url; + } } diff --git a/web/src/test/java/org/springframework/security/web/access/expression/PathVariableSecurityEvaluationContextPostProcessorTests.java b/web/src/test/java/org/springframework/security/web/access/expression/PathVariableSecurityEvaluationContextPostProcessorTests.java new file mode 100644 index 0000000000..1d654287e6 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/access/expression/PathVariableSecurityEvaluationContextPostProcessorTests.java @@ -0,0 +1,56 @@ +/* + * Copyright 2002-2015 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.security.web.access.expression; + +import org.junit.Before; +import org.junit.Test; +import org.springframework.expression.spel.support.StandardEvaluationContext; +import org.springframework.mock.web.MockFilterChain; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.security.web.FilterInvocation; + +/** + * @author Rob Winch + * + */ +public class PathVariableSecurityEvaluationContextPostProcessorTests { + PathVariableSecurityEvaluationContextPostProcessor processor; + + FilterInvocation invocation; + + MockHttpServletRequest request; + MockHttpServletResponse response; + StandardEvaluationContext context; + + @Before + public void setup() { + processor = new PathVariableSecurityEvaluationContextPostProcessor("/"); + + request = new MockHttpServletRequest(); + request.setServletPath("/"); + response = new MockHttpServletResponse(); + invocation = new FilterInvocation(request,response, new MockFilterChain()); + context = new StandardEvaluationContext(); + } + + @Test + public void queryIgnored() { + request.setQueryString("logout"); + processor.postProcess(context, invocation); + } + +}