Spring Security / SEC-1540

Namespace improperly handles method attribute when populating ChannelProcessingFilter.securityMetadataSource

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.3
    • Fix Version/s: 3.1.0.M1, 3.0.4
    • Component/s: Namespace
    • Labels:
      None

      Description

      The namespace improperly handles the method attribute when populating ChannelProcessingFilter.securityMetadataSource. The problems differ between 3.0.x and 3.1.x. For 3.0.x the issue is that the method is ignored. The issue for 3.1.x is that if the path is /** the method is ignored. I have attached a patch with tests and a fix for both master and 3.0.x. Note that I included a test for 3.1.x that actually works but was broken in 3.0.x in order to ensure it continues to work. While it might be wise to refactor to reuse the logic in creating the securityMetadataSource, I did not do so to limit the scope of this change.

      PS: I did not look at 2.x to see if it needed corrections.
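
To check whether a given configuration is exposed to the behaviour reported above, the following added example (not part of the issue or its attached patch) scans a Spring Security namespace XML file for the rules concerned. It assumes the affected rules are `<intercept-url>` elements that set both `method` and `requires-channel`; the sample configuration and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not from the issue or its attached patch).
SAMPLE_CONFIG = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http>
    <intercept-url pattern="/login" method="POST" requires-channel="https"/>
    <intercept-url pattern="/**" method="GET" requires-channel="http"/>
    <intercept-url pattern="/account/**" requires-channel="https"/>
    <intercept-url pattern="/admin/**" method="DELETE" access="ROLE_ADMIN"/>
  </http>
</beans:beans>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def find_method_channel_rules(xml_text):
    """Return intercept-url rules that combine method and requires-channel.

    Each finding records which behaviour described in the issue applies:
    on 3.0.x the method is ignored for every such rule; on 3.1.x (before
    the fix) it is ignored only when the pattern is /**.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem.tag) != "intercept-url":
            continue
        method = elem.get("method")
        channel = elem.get("requires-channel")
        if not method or not channel:
            continue  # assumption: only rules carrying both attributes matter
        pattern = elem.get("pattern", "")
        findings.append({
            "pattern": pattern,
            "method": method,
            "requires_channel": channel,
            "affected_3_0_x": True,
            "affected_3_1_x": pattern == "/**",
        })
    return findings


if __name__ == "__main__":
    for finding in find_method_channel_rules(SAMPLE_CONFIG):
        print(finding)
```

Rules it reports are the ones to re-test after upgrading to a fixed version (3.0.4 or 3.1.0.M1), since their channel requirement should then apply only to the stated HTTP method.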

        Activity

        Luke Taylor added a comment -

        Thanks a lot, Rob. I've applied your patches.

        Rob Winch added a comment -

        No problem at all.

        PS: Keep up the good work on Spring Security.


          People

          • Assignee:
            Luke Taylor
            Reporter:
            Rob Winch
          • Votes:
            0
            Watchers:
            0
