
SEC-1412: Modify DefaultSavedRequest to ignore If-Not-Matched header.

The browser (or at least Firefox) does not send it after a redirect, and it causes problems with Spring's ShallowEtagHeaderFilter if it is stored and returned by the saved request.
Luke Taylor 15 years ago
parent
commit
14ae36ac3b

+ 6 - 0
web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java

@@ -54,6 +54,8 @@ public class DefaultSavedRequest implements SavedRequest {
 
     public static final String SPRING_SECURITY_SAVED_REQUEST_KEY = "SPRING_SECURITY_SAVED_REQUEST_KEY";
 
+    private static final String HEADER_IF_NONE_MATCH = "If-None-Match";
+
     //~ Instance fields ================================================================================================
 
     private ArrayList<SavedCookie> cookies = new ArrayList<SavedCookie>();
@@ -92,6 +94,10 @@ public class DefaultSavedRequest implements SavedRequest {
 
         while (names.hasMoreElements()) {
             String name = names.nextElement();
+            // Skip If-None-Match header. SEC-1412.
+            if (HEADER_IF_NONE_MATCH.equalsIgnoreCase(name)) {
+                continue;
+            }
             Enumeration<String> values = request.getHeaders(name);
 
             while (values.hasMoreElements()) {
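Review bot: The new skip at the top of the header loop covers only `If-None-Match`, but `If-Modified-Since` is the other conditional-request validator a browser attaches to a GET, and replaying a stored copy of it would produce the same spurious 304 that this commit avoids for the ETag case; it would be consistent to drop both. A second constant `private static final String HEADER_IF_MODIFIED_SINCE = "If-Modified-Since";` next to the one added at the top of the class, and `if (HEADER_IF_NONE_MATCH.equalsIgnoreCase(name) || HEADER_IF_MODIFIED_SINCE.equalsIgnoreCase(name)) {` in the loop, would do it. The inline comment could also carry the reason rather than only the issue id, e.g. `// Conditional-request headers are not resent by the browser after a redirect; replaying the stored copy makes the response a 304. SEC-1412.` The enclosing method starts and ends outside the hunk.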

+ 9 - 0
web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java

@@ -21,6 +21,15 @@ public class DefaultSavedRequestTests {
         assertEquals("Mozilla", saved.getHeaderValues("user-agent").get(0));
     }
 
+    // SEC-1412
+    @Test
+    public void discardsIfNoneMatchHeader() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.addHeader("If-None-Match", "somehashvalue");
+        DefaultSavedRequest saved = new DefaultSavedRequest(request, new MockPortResolver(8080, 8443));
+        assertTrue(saved.getHeaderValues("if-none-match").isEmpty());
+    }
+
     // TODO: Why are parameters case insensitive. I think this is a mistake
     @Test
     public void parametersAreCaseInsensitive() throws Exception {
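Review bot: `discardsIfNoneMatchHeader` only exercises the canonical spelling of the header, while the production check relies on `equalsIgnoreCase` because containers may report header names in a different case; a second header in the same test, `request.addHeader("if-none-match", "otherhash");` before the constructor call, would pin that the skip is case-insensitive. It would also be worth asserting that an unrelated header added alongside it is still captured, so the test proves the skip is selective rather than that header saving is broken. The test method is fully inside the hunk; the enclosing class starts outside it.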