Spring Security
SEC-1427

Inconsistent handling of URL query parts via <url-intercept>

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.2
    • Fix Version/s: 3.1.0.M1
    • Component/s: None
    • Labels: None

      Description

      I came across this code in HttpConfigurationBuilder:

      BeanDefinitionBuilder metadataSourceBldr = BeanDefinitionBuilder.rootBeanDefinition(DefaultFilterInvocationSecurityMetadataSource.class);
      metadataSourceBldr.addConstructorArgValue(matcher);
      metadataSourceBldr.addConstructorArgValue(channelRequestMap);
      metadataSourceBldr.addPropertyValue("stripQueryStringFromUrls", matcher instanceof AntUrlPathMatcher);

      Similar code appears in FilterInvocationSecurityMetadataSourceParser.

      As far as I can make out, this means that if you use "path-type=ant" in your <http> element, then query parts will be stripped from URLs before matching them in the interceptor filter, but with "path-type=regex" the matching is done with URL query parts intact.

      I don't see the rationale for this behaviour. I don't know if it is a bug, or an unexpected feature that should be properly documented.

      (And as an aside, I would note that Appendix B 1.1 does not give the allowed values for path-type. You have to search the manual for the related examples to find what they are.)
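      The lookup difference the description points at, shown as an added example that is not part of this issue and not Spring Security's own code: a small Python model in which "ant" mode strips the query part before matching (as stripQueryStringFromUrls does) and "regex" mode matches the request URL with the query part intact, with the first matching rule winning as in the interceptor. The rule lists, request URLs and attribute names are constructed for the example, and the Ant-to-regex translation is a simplified stand-in for Spring's Ant path matching, not a faithful copy of it.

```python
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (pattern, config attribute)


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Simplified Ant-style pattern translation (assumption, not Spring's matcher):
    '**' matches across path segments, '*' within one segment, '?' one character."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


def strip_query(url: str) -> str:
    """Drop everything from the first '?' onwards, as stripQueryStringFromUrls does."""
    return url.split("?", 1)[0]


def compile_rules(path_type: str, rules: List[Rule]):
    """Compile the ordered rule list for the given path-type ("ant" or "regex")."""
    if path_type == "ant":
        return [(ant_to_regex(p), attr) for p, attr in rules]
    if path_type == "regex":
        return [(re.compile(p), attr) for p, attr in rules]
    raise ValueError("unknown path-type: %s" % path_type)


def lookup(path_type: str, rules: List[Rule], request_url: str) -> Optional[str]:
    """Return the attribute of the first rule matching the request, or None.
    Ant mode matches the path with the query part stripped; regex mode matches
    the whole request URL, query part included (full match, as pathMatchesUrl does)."""
    candidate = strip_query(request_url) if path_type == "ant" else request_url
    for pattern, attr in compile_rules(path_type, rules):
        if pattern.fullmatch(candidate):
            return attr
    return None


# Constructed sample rule sets: the first rule is meant to protect /report/<id>,
# the second is a catch-all fallback that anyone may reach.
ANT_RULES: List[Rule] = [("/report/*", "ROLE_ADMIN"), ("/**", "IS_AUTHENTICATED_ANONYMOUSLY")]
REGEX_RULES: List[Rule] = [(r"/report/\d+", "ROLE_ADMIN"), (r"/.*", "IS_AUTHENTICATED_ANONYMOUSLY")]
# Regex rule written to tolerate an optional query part, so it cannot fall through.
HARDENED_REGEX_RULES: List[Rule] = [(r"/report/\d+(\?.*)?", "ROLE_ADMIN"),
                                    (r"/.*", "IS_AUTHENTICATED_ANONYMOUSLY")]


if __name__ == "__main__":
    url = "/report/42?format=csv"
    print("ant     ", lookup("ant", ANT_RULES, url))              # ROLE_ADMIN
    print("regex   ", lookup("regex", REGEX_RULES, url))          # IS_AUTHENTICATED_ANONYMOUSLY
    print("hardened", lookup("regex", HARDENED_REGEX_RULES, url))  # ROLE_ADMIN
```

      The practical caveat this brings out: with path-type="regex", an anchored pattern that makes no allowance for a query part does not match a request that carries one, so that request falls through to the next rule, which in a typical configuration is a more permissive catch-all. Either write such patterns to accept an optional query part, as the hardened rule set does, or use Ant matching, where the query part is stripped before the lookup.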

          Activity

          Luke Taylor added a comment -

          It was a deliberate decision (you can search the Jira history and the forum for more information, e.g. SEC-161).

          The recent changes for SEC-1407 make the behaviour more clearly defined (as it is encapsulated in the specific matcher classes and described in their Javadoc).


            People

            • Assignee: Luke Taylor
            • Reporter: Stephen Crawley
            • Votes: 0
            • Watchers: 0
