SEC-1427: Inconsistent handling of URL query parts via <url-intercept> #1670

Closed
spring-issuemaster opened this Issue Mar 2, 2010 · 1 comment

@spring-issuemaster

Stephen Crawley (Migrated from SEC-1427) said:

I came across this code in HttpConfigurationBuilder:

    BeanDefinitionBuilder metadataSourceBldr = BeanDefinitionBuilder.rootBeanDefinition(DefaultFilterInvocationSecurityMetadataSource.class);
    metadataSourceBldr.addConstructorArgValue(matcher);
    metadataSourceBldr.addConstructorArgValue(channelRequestMap);
    metadataSourceBldr.addPropertyValue("stripQueryStringFromUrls", matcher instanceof AntUrlPathMatcher);

Similar code appears in FilterInvocationSecurityMetadataSourceParser.

As far as I can make out, this means that if you use "path-type=ant" in your element, then query parts will be stripped from URLs before matching them in the interceptor filter, but with "path-type=regex" the matching is done with URL query parts intact.

I don't understand the rationale for this behaviour. I don't know if it is a bug, or it is an unexpected feature that should be properly documented.

(And as an aside, I would note that Appendix B 1.1 does not give the allowed values for path-type. You have to search the manual for the related examples to find what they are.)

@spring-issuemaster

Luke Taylor said:

It was a deliberate decision (you can search the Jira history and the forum for more information, e.g. SEC-161).

The recent changes for SEC-1407 make the behaviour more clearly defined (as it is encapsulated in the specific matcher classes and described in their Javadoc).
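Added example, not part of the original issue and not Spring Security code: a self-contained model of the behaviour discussed above, showing how the same request URL selects a different rule depending on whether the query part is stripped before matching. The `antToRegex` helper, the rule patterns, the role names and the request URL are constructed for illustration; `antToRegex` is a simplified stand-in for Ant-style matching.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class QueryStringMatchDemo {

    // Simplified stand-in for Ant-style matching, not Spring's AntUrlPathMatcher:
    // "**" matches any characters, "*" matches within a single path segment.
    static Pattern antToRegex(String ant) {
        String re = Pattern.quote(ant)
                .replace("**", "\u0001")
                .replace("*", "\\E[^/]*\\Q")
                .replace("\u0001", "\\E.*\\Q");
        return Pattern.compile(re);
    }

    // First matching rule wins. As in the snippet quoted in the issue, the query
    // part is stripped only when the Ant matcher is in use.
    static String firstMatch(Map<String, String> rules, String url, boolean ant) {
        int q = url.indexOf('?');
        String candidate = (ant && q >= 0) ? url.substring(0, q) : url;
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            Pattern p = ant ? antToRegex(rule.getKey()) : Pattern.compile(rule.getKey());
            if (p.matcher(candidate).matches()) {
                return rule.getValue();
            }
        }
        return "(no rule matched)";
    }

    static Map<String, String> rules(String... kv) {
        Map<String, String> m = new LinkedHashMap<>(); // keeps declaration order
        for (int i = 0; i < kv.length; i += 2) m.put(kv[i], kv[i + 1]);
        return m;
    }

    public static void main(String[] args) {
        String url = "/secure/report?format=pdf"; // constructed request URL
        // Constructed rule sets: a specific rule first, then a catch-all.
        Map<String, String> ant = rules("/secure/report", "ROLE_ADMIN", "/**", "ROLE_USER");
        Map<String, String> regex = rules("\\A/secure/report\\Z", "ROLE_ADMIN", "\\A/.*\\Z", "ROLE_USER");
        // Same regex rules, with the specific rule written to tolerate a query part.
        Map<String, String> regexQuery = rules("\\A/secure/report(\\?.*)?\\Z", "ROLE_ADMIN", "\\A/.*\\Z", "ROLE_USER");
        System.out.println("ant:           " + firstMatch(ant, url, true));
        System.out.println("regex:         " + firstMatch(regex, url, false));
        System.out.println("regex + query: " + firstMatch(regexQuery, url, false));
    }
}
```

When reviewing a regex-based rule set, test each protected path both with and without a query string and confirm the intended rule is the one selected.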

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016