SEC-1236: Using HTTP Method-specific intercept-urls causes patterns with no method to be ignored. Fixed by also checking null key in map if no method-specific attributes are found.

This commit is contained in:
Luke Taylor
2009-09-05 15:26:07 +00:00
parent 5bdfd8cd77
commit f518da9d8b
2 changed files with 37 additions and 15 deletions

View File

@@ -165,6 +165,21 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
assertEquals(postOnlyDef, attrs);
}
// SEC-1236
@Test
public void mixingPatternsWithAndWithoutHttpMethodsIsSupported() throws Exception {
LinkedHashMap requestMap = new LinkedHashMap();
List<ConfigAttribute> userAttrs = SecurityConfig.createList("A");
requestMap.put(new RequestKey("/user/**", null), userAttrs);
requestMap.put(new RequestKey("/teller/**", "GET"), SecurityConfig.createList("B"));
fids = new DefaultFilterInvocationSecurityMetadataSource(new AntUrlPathMatcher(), requestMap);
fids.setStripQueryStringFromUrls(true);
FilterInvocation fi = createFilterInvocation("/user", "GET");
List<ConfigAttribute> attrs = fids.getAttributes(fi);
assertEquals(userAttrs, attrs);
}
/**
* Check fixes for SEC-321
*/