once-per-request="true" does not work in XML configuration #13491

Closed
svorcmar opened this issue Jul 12, 2023 · 1 comment
@svorcmar

Describe the bug
When using XML configuration with once-per-request="true" with use-authorization-manager="false" as per this guide, the resulting org.springframework.security.web.access.intercept.FilterSecurityInterceptor still contains observeOncePerRequest = false.

This is probably because org.springframework.security.config.http.HttpConfigurationBuilder does not ever set the value to true:

if ("false".equals(this.httpElt.getAttribute(ATT_ONCE_PER_REQUEST))) {
    builder.addPropertyValue("observeOncePerRequest", Boolean.FALSE);
}

It is probably expected that the default is still true, which changed in gh-11466 (6455e98)

To Reproduce

  1. Create a Spring Security configuration with a similar configuration:

         <http once-per-request="true" use-authorization-manager="false">
             <intercept-url pattern="/app/*" access="hasRole('APP')"/>
             <!-- ... -->
         </http>

  2. Perform a forward when serving the request (such as forwarding to a view from Spring MVC).
  3. The forwarded request is then still processed by the security chain.

Expected behavior
Upon setting once-per-request="true", the forwarded request should not be processed the second time.

@svorcmar svorcmar added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jul 12, 2023
@marcusdacoregio marcusdacoregio self-assigned this Jul 12, 2023
@marcusdacoregio marcusdacoregio added in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 12, 2023
@marcusdacoregio marcusdacoregio added this to the 6.0.5 milestone Jul 12, 2023
@marcusdacoregio
Contributor

Thanks for the report @svorcmar, this is now fixed and will be available in 6.0.5 and 6.1.2.
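
Added example, not part of the original thread and not the project's own code: one way to confirm the effective observeOncePerRequest value on a running context, so the check does not depend on which release is deployed. The class name OncePerRequestCheck and the resource name security-config.xml are hypothetical, and it assumes the context holds a single FilterChainProxy bean built from the application's complete XML security configuration.

```java
import java.util.ArrayList;
import java.util.List;

import jakarta.servlet.Filter;

import org.springframework.context.ApplicationContext;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;

// Hypothetical helper class; not part of Spring Security.
public final class OncePerRequestCheck {

    /** Collects every FilterSecurityInterceptor whose observeOncePerRequest flag is false. */
    static List<FilterSecurityInterceptor> notOncePerRequest(ApplicationContext ctx) {
        List<FilterSecurityInterceptor> offenders = new ArrayList<>();
        // Assumption: exactly one FilterChainProxy bean exists in the context.
        FilterChainProxy proxy = ctx.getBean(FilterChainProxy.class);
        for (SecurityFilterChain chain : proxy.getFilterChains()) {
            for (Filter filter : chain.getFilters()) {
                // Only the legacy interceptor (use-authorization-manager="false") has this flag.
                if (filter instanceof FilterSecurityInterceptor fsi
                        && !fsi.isObserveOncePerRequest()) {
                    offenders.add(fsi);
                }
            }
        }
        return offenders;
    }

    public static void main(String[] args) {
        // "security-config.xml" is a placeholder for the application's own XML file,
        // which is expected to declare once-per-request="true" on its <http> element.
        try (ClassPathXmlApplicationContext ctx =
                new ClassPathXmlApplicationContext("security-config.xml")) {
            List<FilterSecurityInterceptor> offenders = notOncePerRequest(ctx);
            if (!offenders.isEmpty()) {
                System.err.println(offenders.size()
                        + " interceptor(s) ignore once-per-request=\"true\"; "
                        + "forwarded requests will be authorized again");
                System.exit(1);
            }
            System.out.println("observeOncePerRequest is true on all interceptors");
        }
    }
}
```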
