From ea01e9cdf7813be61d8eed828d307d58436b11f1 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Sun, 23 Aug 2009 15:57:59 +0000 Subject: [PATCH] SEC-1201: PropertyPlaceholderConfigurer does not work for intercept-url attributes. Ensure that channel processing handles paths which are placeholders. --- .../HttpSecurityBeanDefinitionParser.java | 25 ++++++++++--------- ...HttpSecurityBeanDefinitionParserTests.java | 6 +++-- 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java index 135d606065..b8899bdf46 100644 --- a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java @@ -6,7 +6,6 @@ import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.util.ArrayList; import java.util.Collections; -import java.util.LinkedHashMap; import java.util.List; import java.util.Map; @@ -181,7 +180,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { // Use ManagedMap to allow placeholder resolution final ManagedMap> filterChainMap = parseInterceptUrlsForEmptyFilterChains(interceptUrls, convertPathsToLowerCase, pc); - final LinkedHashMap> channelRequestMap = + final ManagedMap> channelRequestMap = parseInterceptUrlsForChannelSecurity(interceptUrls, convertPathsToLowerCase, pc); BeanDefinition cpf = null; @@ -894,14 +893,14 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { } private BeanDefinition createChannelProcessingFilter(ParserContext pc, UrlMatcher matcher, - LinkedHashMap> channelRequestMap, String portMapperBeanName) { + ManagedMap> channelRequestMap, String portMapperBeanName) { RootBeanDefinition channelFilter = new RootBeanDefinition(ChannelProcessingFilter.class); + BeanDefinitionBuilder metadataSourceBldr = BeanDefinitionBuilder.rootBeanDefinition(DefaultFilterInvocationSecurityMetadataSource.class); + metadataSourceBldr.addConstructorArgValue(matcher); + metadataSourceBldr.addConstructorArgValue(channelRequestMap); + metadataSourceBldr.addPropertyValue("stripQueryStringFromUrls", matcher instanceof AntUrlPathMatcher); - DefaultFilterInvocationSecurityMetadataSource channelFilterInvDefSource = - new DefaultFilterInvocationSecurityMetadataSource(matcher, channelRequestMap); - channelFilterInvDefSource.setStripQueryStringFromUrls(matcher instanceof AntUrlPathMatcher); - - channelFilter.getPropertyValues().addPropertyValue("securityMetadataSource", channelFilterInvDefSource); + channelFilter.getPropertyValues().addPropertyValue("securityMetadataSource", metadataSourceBldr.getBeanDefinition()); RootBeanDefinition channelDecisionManager = new RootBeanDefinition(ChannelDecisionManagerImpl.class); ManagedList channelProcessors = new ManagedList(3); RootBeanDefinition secureChannelProcessor = new RootBeanDefinition(SecureChannelProcessor.class); @@ -1196,10 +1195,10 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { * map used to create the FilterInvocationDefintionSource for the FilterSecurityInterceptor. * @return */ - LinkedHashMap> parseInterceptUrlsForChannelSecurity(List urlElts, + private ManagedMap> parseInterceptUrlsForChannelSecurity(List urlElts, boolean useLowerCasePaths, ParserContext parserContext) { - LinkedHashMap> channelRequestMap = new ManagedMap>(); + ManagedMap> channelRequestMap = new ManagedMap>(); for (Element urlElt : urlElts) { String path = urlElt.getAttribute(ATT_PATH_PATTERN); @@ -1227,8 +1226,10 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { parserContext.getReaderContext().error("Unsupported channel " + requiredChannel, urlElt); } - channelRequestMap.put(new RequestKey(path), - SecurityConfig.createList((StringUtils.commaDelimitedListToStringArray(channelConfigAttribute)))); + BeanDefinition requestKey = new RootBeanDefinition(RequestKey.class); + requestKey.getConstructorArgumentValues().addGenericArgumentValue(path); + + channelRequestMap.put(requestKey, SecurityConfig.createList(channelConfigAttribute)); } } diff --git a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java index 2b57a5bee9..ce7c5f4dc3 100644 --- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java @@ -390,11 +390,13 @@ public class HttpSecurityBeanDefinitionParserTests { @Test public void requiresChannelSupportsPlaceholder() throws Exception { + System.setProperty("secure.url", "/secure"); setContext( + " " + " " + - " " + + " " + " " + AUTH_PROVIDER_XML); - List filters = getFilters("/someurl"); + List filters = getFilters("/secure"); assertEquals("Expected " + (AUTO_CONFIG_FILTERS + 1) +" filters in chain", AUTO_CONFIG_FILTERS + 1, filters.size());