
SEC-1404: Use a factory method to convert the path to lower case for use in the filter-chain map.

Delays the conversion till after placeholders have been substituted, so that the placeholder text itself is not lower-cased (and the substituted value is not left unconverted).
Luke Taylor 15 年之前
父节点
当前提交
2173029216

+ 14 - 13
config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -83,8 +83,7 @@ class HttpConfigurationBuilder {
     private final List<Element> interceptUrls;
 
     // Use ManagedMap to allow placeholder resolution
-    private List<String> emptyFilterChainPaths;
-    private ManagedMap<String, List<BeanMetadataElement>> filterChainMap;
+    private ManagedMap<BeanDefinition, List<BeanMetadataElement>> filterChainMap;
 
     private BeanDefinition cpf;
     private BeanDefinition securityContextPersistenceFilter;
@@ -97,7 +96,6 @@ class HttpConfigurationBuilder {
     private String portMapperName;
     private BeanReference fsi;
 
-
     public HttpConfigurationBuilder(Element element, ParserContext pc, UrlMatcher matcher, String portMapperName) {
         this.httpElt = element;
         this.pc = pc;
@@ -111,8 +109,7 @@ class HttpConfigurationBuilder {
     }
 
     void parseInterceptUrlsForEmptyFilterChains() {
-        emptyFilterChainPaths = new ArrayList<String>();
-        filterChainMap = new ManagedMap<String, List<BeanMetadataElement>>();
+        filterChainMap = new ManagedMap<BeanDefinition, List<BeanMetadataElement>>();
 
         for (Element urlElt : interceptUrls) {
             String path = urlElt.getAttribute(ATT_PATH_PATTERN);
@@ -121,9 +118,10 @@ class HttpConfigurationBuilder {
                 pc.getReaderContext().error("path attribute cannot be empty or null", urlElt);
             }
 
-            if (convertPathsToLowerCase) {
-                path = path.toLowerCase();
-            }
+            BeanDefinitionBuilder pathBean = BeanDefinitionBuilder.rootBeanDefinition(HttpConfigurationBuilder.class);
+            pathBean.setFactoryMethod("createPath");
+            pathBean.addConstructorArgValue(path);
+            pathBean.addConstructorArgValue(convertPathsToLowerCase);
 
             String filters = urlElt.getAttribute(ATT_FILTERS);
 
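Review bot: Nothing at the `pathBean` construction says why a plain path string is wrapped in a bean definition, and the factory method is bound only by the string literal in `pathBean.setFactoryMethod("createPath")`. A one-line comment above the builder would cover it, for example `// Defer lower-casing to bean creation so ${...} placeholders in the path are resolved before conversion`. Because the binding is by name, renaming `createPath` would still compile and would fail only when the application context is built, so the comment should mention that link as well. The enclosing loop body starts and ends outside this hunk.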
@@ -133,14 +131,17 @@ class HttpConfigurationBuilder {
                             "filters attribute", urlElt);
                 }
 
-                emptyFilterChainPaths.add(path);
-
                 List<BeanMetadataElement> noFilters = Collections.emptyList();
-                filterChainMap.put(path, noFilters);
+                filterChainMap.put(pathBean.getBeanDefinition(), noFilters);
             }
         }
     }
 
+    // Needed to account for placeholders
+    static String createPath(String path, boolean lowerCase) {
+        return lowerCase ? path.toLowerCase() : path;
+    }
+
     void createSecurityContextPersistenceFilter() {
         BeanDefinitionBuilder scpf = BeanDefinitionBuilder.rootBeanDefinition(SecurityContextPersistenceFilter.class);
 
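Review bot: `createPath` calls `path.toLowerCase()` with no locale, so the key stored in the filter-chain map depends on the JVM default locale (under a Turkish locale `I` becomes a dotless `ı`). These keys decide which request paths get an empty filter chain, so a pattern that lower-cases differently from the request URL at match time would silently stop matching. Using a fixed locale, `return lowerCase ? path.toLowerCase(Locale.ENGLISH) : path;`, makes the result deterministic; it needs a `java.util.Locale` import, which is outside this hunk. The locale should agree with whatever the `UrlMatcher` applies to incoming URLs, which is not visible here. The existing comment could also be expanded to `// Invoked as a bean factory method so that case conversion runs after placeholder substitution`.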
@@ -463,8 +464,8 @@ class HttpConfigurationBuilder {
         return allowSessionCreation;
     }
 
-    List<String> getEmptyFilterChainPaths() {
-        return emptyFilterChainPaths;
+    public ManagedMap<BeanDefinition, List<BeanMetadataElement>> getFilterChainMap() {
+        return filterChainMap;
     }
 
     List<OrderDecorator> getFilters() {
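Review bot: `getFilterChainMap()` is declared `public` while the getter it replaces and its neighbour `getFilters()` are package-private, and the enclosing class is itself package-private, so the modifier adds nothing and breaks the local convention. Dropping it keeps the accessor consistent: `ManagedMap<BeanDefinition, List<BeanMetadataElement>> getFilterChainMap() {`. The method also returns the builder's internal mutable map, which the caller in `HttpSecurityBeanDefinitionParser` then adds to. A short comment stating that the caller is expected to append the universal-match entry would make that shared ownership explicit.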

+ 5 - 10
config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java

@@ -135,18 +135,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
             filterChain.add(od.bean);
         }
 
-        ManagedMap<String, List<BeanMetadataElement>> filterChainMap = new ManagedMap<String, List<BeanMetadataElement>>();
-
-        for (String path : httpBldr.getEmptyFilterChainPaths()) {
-            filterChainMap.put(path, NO_FILTERS);
-        }
-
-        filterChainMap.put(matcher.getUniversalMatchPattern(), filterChain);
+        ManagedMap<BeanDefinition, List<BeanMetadataElement>> filterChainMap = httpBldr.getFilterChainMap();
+        BeanDefinition universalMatch = new RootBeanDefinition(String.class);
+        universalMatch.getConstructorArgumentValues().addGenericArgumentValue(matcher.getUniversalMatchPattern());
+        filterChainMap.put(universalMatch, filterChain);
 
         registerFilterChainProxy(pc, filterChainMap, matcher, source);
 
-
-
         pc.popAndRegisterContainingComponent();
         return null;
     }
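Review bot: `filterChainMap.put(universalMatch, filterChain)` now writes into the map instance owned by `httpBldr` rather than a local copy, and the catch-all entry depends on being inserted after every `filters="none"` path. Neither assumption is stated in the code. Assuming the map preserves insertion order and the proxy takes the first matching entry (neither is shown in this hunk), a comment such as `// Universal match must be added last so the no-filter paths take precedence` would protect the ordering against later edits. The universal key is also built by hand with `new RootBeanDefinition(String.class)` instead of the `createPath` factory used for the other keys, so it is never lower-cased; that looks intentional but is worth a word in the same comment. `NO_FILTERS` is no longer referenced in the lines shown and can be removed if nothing else in the class uses it.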
@@ -252,7 +247,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
         return customFilters;
     }
 
-    private void registerFilterChainProxy(ParserContext pc, Map<String, List<BeanMetadataElement>> filterChainMap, UrlMatcher matcher, Object source) {
+    private void registerFilterChainProxy(ParserContext pc, Map<BeanDefinition, List<BeanMetadataElement>> filterChainMap, UrlMatcher matcher, Object source) {
         if (pc.getRegistry().containsBeanDefinition(BeanIds.FILTER_CHAIN_PROXY)) {
             pc.getReaderContext().error("Duplicate <http> element detected", source);
         }