Spring Security / SEC-1236

Using HTTP Method-specific intercept-urls causes patterns with no method to be ignored

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0 M1, 3.0.0 M2
    • Fix Version/s: 3.0.0 RC1
    • Component/s: Web
    • Labels:
      None
    • Environment:
      All

      Description

      With this configuration the URLs with the /user/** pattern do not get intercepted:

      <http>
      <http-basic/>
      <intercept-url pattern="/user/**" access="ROLE_USER"/>
      <intercept-url pattern="/teller/**" access="ROLE_TELLER" method="GET"/>
      </http>

      This is because org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource never searches for the null key.
      Here is the current code:

      Map<Object, List<ConfigAttribute>> requestMap = httpMethodMap.get(method);
      // If no method-specific map, use the general one stored under the null key
      if (requestMap == null) {
          requestMap = httpMethodMap.get(null);
      }

      Because "method" is never "null", the variable "requestMap" in the first line will not be either, so the "if" condition is never "true".

      Attached is a working version of the class.

        Activity

        Luke Taylor added a comment -

        Renamed, as this isn't actually related to Basic authentication.

        Luke Taylor added a comment -

        Thanks for spotting this. I've modified the lookupAttributes method to check under the null key in the map if no (HTTP) method specific attributes are found.
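
The difference between the lookup quoted in the description and the fix described in this comment, as an added example that is not part of the original thread and is not Spring Security source. It assumes a per-method map exists only for methods named in the configuration and replaces the real URL matcher with a plain prefix match; all class and method names are hypothetical.

```java
import java.util.*;

// Simplified model of the lookup discussed in SEC-1236; not Spring Security source.
public class MethodMapLookupDemo {
    // Outer key: HTTP method, or null for rules declared without a method attribute.
    static final Map<String, Map<String, List<String>>> httpMethodMap = new HashMap<>();

    static void addRule(String pattern, String method, String... roles) {
        Map<String, List<String>> rules = httpMethodMap.get(method);
        if (rules == null) {            // assumption: per-method maps are created on demand
            rules = new LinkedHashMap<>();
            httpMethodMap.put(method, rules);
        }
        rules.put(pattern, Arrays.asList(roles));
    }

    // Assumption: "/prefix/**" is matched as a plain path prefix (stand-in for the real matcher).
    static List<String> match(String url, Map<String, List<String>> rules) {
        if (rules == null) return null;
        for (Map.Entry<String, List<String>> e : rules.entrySet()) {
            if (url.startsWith(e.getKey().replace("**", ""))) return e.getValue();
        }
        return null;
    }

    // Lookup as quoted in the description: the null key is used only when no per-method map exists.
    static List<String> lookupBefore(String url, String method) {
        Map<String, List<String>> requestMap = httpMethodMap.get(method);
        if (requestMap == null) requestMap = httpMethodMap.get(null);
        return match(url, requestMap);
    }

    // Lookup as described in the fix: the null key is used when no per-method attributes match.
    static List<String> lookupAfter(String url, String method) {
        List<String> attrs = match(url, httpMethodMap.get(method));
        return attrs != null ? attrs : match(url, httpMethodMap.get(null));
    }

    public static void main(String[] args) {
        addRule("/user/**", null, "ROLE_USER");      // rules from the reported configuration
        addRule("/teller/**", "GET", "ROLE_TELLER");
        // Constructed requests; a null result means no access rule was applied to the request.
        String[][] requests = {{"GET", "/user/account"}, {"GET", "/teller/list"}};
        for (String[] r : requests) {
            System.out.printf("%s %-14s before=%s after=%s%n", r[0], r[1],
                    lookupBefore(r[1], r[0]), lookupAfter(r[1], r[0]));
        }
    }
}
```

A regression test for this issue can assert that a path covered only by a method-less rule never resolves to a null attribute list once any method-specific rule is present.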

        Rodrigo Peinado added a comment -

        Thank you guys for all the hard work.


          People

          • Assignee:
            Luke Taylor
            Reporter:
            Rodrigo Peinado
          • Votes:
            0
            Watchers:
            0
