Spring Security
  1. Spring Security
  2. SEC-1129

FilterChainProxy. Not matching ant url when a parameter contains /

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Duplicate
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: None
    • Labels:
      None
    • Environment:
      windows xp sp2
      Eclipse 3.4
      Tomcat 5.23

      Description

      I am using Filter proxy to add several filters to my pages

      <security:filter-chain-map path-type="ant">
      <security:filter-chain filters="filtroLoginAutomatico,filtroLogin,filtroBase ..." pattern="/*/.html*"/>
      </security:filter-chain-map>

      The * at the end is because some pages have GET parameters. The problem comes when one of those parameters, constains a / character (Text is already escaped with javascript escape function). In that case, the page is not matched. It may be solved, adding a new filter-chain

      <security:filter-chain-map path-type="ant">
      <security:filter-chain filters="filtroLoginAutomatico,filtroLogin,filtroBase ..." pattern="/*/.html*"/>
      <security:filter-chain filters="filtroLoginAutomatico,filtroLogin,filtroBase ..." pattern="/*/.html*/*"/>
      </security:filter-chain-map>

      Notice the / at the end of the second chain

      I think it's a bug, as the / character is in the parameter string and not in the url.

        Activity

        Hide
        Luke Taylor added a comment - - edited

        The ant pattern matcher isn't supposed to match parameters as the query string is supposed to be stripped before the match (see SEC-953, for example). Please make sure you are raising issues against the latest release version. If you need complicated matching syntax then you can use regular expressions instead of ant paths.

        Show
        Luke Taylor added a comment - - edited The ant pattern matcher isn't supposed to match parameters as the query string is supposed to be stripped before the match (see SEC-953 , for example). Please make sure you are raising issues against the latest release version. If you need complicated matching syntax then you can use regular expressions instead of ant paths.
        Hide
        Roberto Ruiz added a comment -

        No, I don't want the parameters to be matched. The problem is precisely that, and that's because I put an * after .html. If I don't do that, urls with parameters are never matched. I'll try with latest version anyway

        Show
        Roberto Ruiz added a comment - No, I don't want the parameters to be matched. The problem is precisely that, and that's because I put an * after .html. If I don't do that, urls with parameters are never matched. I'll try with latest version anyway
        Hide
        Roberto Ruiz added a comment -

        No, I don't want the parameters to be matched. The problem is precisely that, and that's because I put an * after .html. If I don't do that, urls with parameters are never matched. I'll try with latest version anyway

        Show
        Roberto Ruiz added a comment - No, I don't want the parameters to be matched. The problem is precisely that, and that's because I put an * after .html. If I don't do that, urls with parameters are never matched. I'll try with latest version anyway
        Hide
        Luke Taylor added a comment -

        So this is effectively a duplicate of SEC-953 and was fixed in the 2.0.4 release.

        Show
        Luke Taylor added a comment - So this is effectively a duplicate of SEC-953 and was fixed in the 2.0.4 release.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Roberto Ruiz
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: