Spring Security / SEC-1236

Using HTTP Method-specific intercept-urls causes patterns with no method to be ignored

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0 M1, 3.0.0 M2
    • Fix Version/s: 3.0.0 RC1
    • Component/s: Web
    • Labels:
      None
    • Environment:
      All

      Description

      With this configuration the URLs with the /user/** pattern do not get intercepted:

      <http>
      <http-basic/>
      <intercept-url pattern="/user/**" access="ROLE_USER"/>
      <intercept-url pattern="/teller/**" access="ROLE_TELLER" method="GET"/>
      </http>

      This is because org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource never searches for the null key.
      Here is the current code:

      Map<Object, List<ConfigAttribute>> requestMap = httpMethodMap.get(method);
      // If no method-specific map, use the general one stored under the null key
      if (requestMap == null) {
          requestMap = httpMethodMap.get(null);
      }

      Because "method" is never "null", the variable "requestMap" in the first line will not be either, so the "if" condition is never "true".

      Attached is a working version of the class.

        Activity

        luke Luke Taylor added a comment -

        Renamed, as this isn't actually related to Basic authentication.

        luke Luke Taylor added a comment -

        Thanks for spotting this. I've modified the lookupAttributes method to check under the null key in the map if no (HTTP) method specific attributes are found.
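
The lookup order described in this issue, as an added example that is not part of the original report and not the Spring Security source. It is a simplified model: the class name `MethodFallbackDemo`, the helper names, plain prefix matching in place of Ant path patterns, and string attributes in place of `ConfigAttribute` are all assumptions made for illustration.

```java
import java.util.*;

// Simplified, hypothetical model of the lookup discussed in SEC-1236.
// Patterns are plain path prefixes here, attributes are plain strings.
public class MethodFallbackDemo {
    // HTTP method -> (path prefix -> attributes); the null key holds rules declared without a method.
    static final Map<String, Map<String, List<String>>> httpMethodMap = new HashMap<>();

    static void addRule(String prefix, String method, String... attrs) {
        httpMethodMap.computeIfAbsent(method, k -> new LinkedHashMap<>())
                     .put(prefix, Arrays.asList(attrs));
    }

    // First rule whose prefix matches the URL, or null when no rule applies.
    static List<String> match(Map<String, List<String>> rules, String url) {
        if (rules == null) return null;
        for (Map.Entry<String, List<String>> e : rules.entrySet()) {
            if (url.startsWith(e.getKey())) return e.getValue();
        }
        return null;
    }

    // Reported behaviour: the null-key map is consulted only when the
    // request method has no map of its own.
    static List<String> lookupBefore(String url, String method) {
        Map<String, List<String>> requestMap = httpMethodMap.get(method);
        if (requestMap == null) requestMap = httpMethodMap.get(null);
        return match(requestMap, url);
    }

    // Behaviour described in the fix comment: try the method-specific rules,
    // then check under the null key if nothing was found.
    static List<String> lookupAfter(String url, String method) {
        List<String> attrs = match(httpMethodMap.get(method), url);
        return attrs != null ? attrs : match(httpMethodMap.get(null), url);
    }

    public static void main(String[] args) {
        addRule("/user/", null, "ROLE_USER");       // pattern="/user/**", no method
        addRule("/teller/", "GET", "ROLE_TELLER");  // pattern="/teller/**", method="GET"
        // A null result means no rule was found for the request.
        System.out.println("before: GET /user/x   -> " + lookupBefore("/user/x", "GET"));
        System.out.println("after:  GET /user/x   -> " + lookupAfter("/user/x", "GET"));
        System.out.println("after:  GET /teller/x -> " + lookupAfter("/teller/x", "GET"));
    }
}
```

A regression test for a configuration that mixes both kinds of `intercept-url` should request a method-less pattern with the same HTTP method that another rule names, since that is the combination this model shows going unmatched.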

        rodrigoap Rodrigo Peinado added a comment -

        Thank you guys for all the hard work.


          People

          • Assignee:
            luke Luke Taylor
            Reporter:
            rodrigoap Rodrigo Peinado