SEC-1236: Using HTTP Method-specific intercept-urls causes patterns with no method to be ignored #1483

spring-issuemaster opened this Issue Sep 4, 2009 · 3 comments



Rodrigo Peinado (Migrated from SEC-1236) said:

With this configuration, the URLs with the /user/** pattern do not get intercepted:

This is because org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource never searches for the null key.
Here is the current code:

```java
Map<Object, List> requestMap = httpMethodMap.get(method);
// If no method-specific map, use the general one stored under the null key
if (requestMap == null) {
    requestMap = httpMethodMap.get(null);
}
```

Because "method" is never "null", in the first line the variable "requestMap" will not be either, so the "if"'s condition is never "true".

Attached is a working version of the class.

Luke Taylor said:

Renamed, as this isn't actually related to Basic authentication.

Luke Taylor said:

Thanks for spotting this. I've modified the lookupAttributes method to check under the null key in the map if no (HTTP) method specific attributes are found.

Rodrigo Peinado said:

Thank you guys for all the hard work.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016
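
The lookup order discussed in this issue, as an added example that is not Spring Security's own code: it contrasts consulting the null-key map only when no method-specific map exists with falling back to it whenever the method-specific lookup finds nothing. The class and method names, the prefix matching used in place of Ant patterns, and the two rules are assumptions constructed for illustration.

```java
import java.util.*;

public class NullKeyFallbackDemo {
    // HTTP method (null key = "any method") -> ordered URL prefix -> attributes
    static final Map<String, Map<String, List<String>>> httpMethodMap = new HashMap<>();

    static void add(String method, String prefix, String... attrs) {
        httpMethodMap.computeIfAbsent(method, k -> new LinkedHashMap<>())
                     .put(prefix, Arrays.asList(attrs));
    }

    // Simplified stand-in for Ant-style matching: the first matching prefix wins.
    // A null result means no attributes apply, so the request is not intercepted.
    static List<String> match(Map<String, List<String>> requestMap, String url) {
        if (requestMap == null) return null;
        for (Map.Entry<String, List<String>> e : requestMap.entrySet()) {
            if (url.startsWith(e.getKey())) return e.getValue();
        }
        return null;
    }

    // Reported behaviour: the null-key map is consulted only when no map exists
    // for the request's method, so a single GET rule hides every method-less
    // rule from GET requests.
    static List<String> lookupBefore(String url, String method) {
        Map<String, List<String>> requestMap = httpMethodMap.get(method);
        if (requestMap == null) requestMap = httpMethodMap.get(null);
        return match(requestMap, url);
    }

    // Behaviour described in the fix: fall back to the null-key map whenever
    // the method-specific lookup yields no attributes.
    static List<String> lookupAfter(String url, String method) {
        List<String> attrs = match(httpMethodMap.get(method), url);
        return attrs != null ? attrs : match(httpMethodMap.get(null), url);
    }

    public static void main(String[] args) {
        add("GET", "/admin/", "ROLE_ADMIN"); // constructed method-specific rule
        add(null, "/user/", "ROLE_USER");    // constructed rule with no method
        for (String method : new String[] {"GET", "POST"}) {
            System.out.println(method + " /user/profile before: "
                    + lookupBefore("/user/profile", method)
                    + " after: " + lookupAfter("/user/profile", method));
        }
    }
}
```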
