SEC-1236: Using HTTP Method-specific intercept-urls causes patterns with no method to be ignored #1483

Closed
spring-issuemaster opened this Issue Sep 4, 2009 · 3 comments

@spring-issuemaster

Rodrigo Peinado (Migrated from SEC-1236) said:

With this configuration the URLs with the /user/** pattern do not get intercepted:





This is because org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource never searches for the null key.
Here is the current code:

    Map> requestMap = httpMethodMap.get(method);
    // If no method-specific map, use the general one stored under the null key
    if (requestMap == null) {
        requestMap = httpMethodMap.get(null);
    }

Because "method" is never "null", in the first line the variable "requestMap" will not be either, so the "if" condition is never "true".

Attached is a working version of the class.

@spring-issuemaster

Luke Taylor said:

Renamed, as this isn't actually related to Basic authentication.

@spring-issuemaster

Luke Taylor said:

Thanks for spotting this. I've modified the lookupAttributes method to check under the null key in the map if no (HTTP) method specific attributes are found.

@spring-issuemaster

Rodrigo Peinado said:

Thank you guys for all the hard work.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016
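
The two lookup orders discussed in this thread, side by side, as an added example that is not Spring Security's own code. It is a simplified model: the class and helper names, the prefix-only pattern matching and the sample rules are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model (assumption): patterns ending in "/**" are matched by prefix,
// and a single access attribute is stored per pattern.
public class MethodMapLookupDemo {
    // HTTP method -> (URL pattern -> attribute); the null key holds method-less patterns.
    static final Map<String, Map<String, String>> httpMethodMap = new HashMap<>();

    static void add(String method, String pattern, String attribute) {
        httpMethodMap.computeIfAbsent(method, k -> new LinkedHashMap<>()).put(pattern, attribute);
    }

    static String match(String url, Map<String, String> requestMap) {
        if (requestMap == null) return null;
        for (Map.Entry<String, String> e : requestMap.entrySet()) {
            String prefix = e.getKey().replace("**", "");
            if (url.startsWith(prefix)) return e.getValue();
        }
        return null; // no attributes: the request is treated as unsecured
    }

    // Lookup as quoted in the report: the null-key map is consulted only when
    // no map exists at all for the request's method.
    static String lookupReported(String url, String method) {
        Map<String, String> requestMap = httpMethodMap.get(method);
        if (requestMap == null) {
            requestMap = httpMethodMap.get(null);
        }
        return match(url, requestMap);
    }

    // Lookup as described in the fix: fall back to the null key whenever the
    // method-specific map yields no attributes for the URL.
    static String lookupFixed(String url, String method) {
        String attribute = match(url, httpMethodMap.get(method));
        return attribute != null ? attribute : match(url, httpMethodMap.get(null));
    }

    public static void main(String[] args) {
        add("POST", "/admin/**", "ROLE_ADMIN"); // constructed sample rules
        add(null, "/user/**", "ROLE_USER");
        System.out.println("reported POST /user/profile -> " + lookupReported("/user/profile", "POST"));
        System.out.println("fixed    POST /user/profile -> " + lookupFixed("/user/profile", "POST"));
        System.out.println("fixed    POST /admin/x      -> " + lookupFixed("/admin/x", "POST"));
    }
}
```

A regression test for this class of bug should assert that a method-less rule still applies to every HTTP method that also has its own method-specific rules.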