Startseite Erkunden Hilfe
Registrieren Anmelden
github
/
spring-security
Mirror von https://github.com/spring-projects/spring-security
2
0
Fork 0
Dateien Issues 0 Wiki
Quellcode durchsuchen

SEC-378: Use trim instead of replacement for space removal.

Ben Alex vor 19 Jahren
Ursprung
ad6c501379
Commit
5640eb0511
2 geänderte Dateien mit 4 neuen und 4 gelöschten Zeilen
Geteilte Ansicht Diff-Statistik anzeigen
  1. 1 1
      core/src/main/java/org/acegisecurity/taglibs/authz/AuthorizeTag.java
  2. 3 3
      core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java

+ 1 - 1
core/src/main/java/org/acegisecurity/taglibs/authz/AuthorizeTag.java
Datei anzeigen 

@@ -150,7 +150,7 @@ public class AuthorizeTag extends TagSupport {
 
 
             // Remove the role's whitespace characters without depending on JDK 1.4+ 
             // Includes space, tab, new line, carriage return and form feed. 
-            String role = StringUtils.replace(authority, " ", "");
 
+            String role = authority.trim(); // trim, don't use spaces, as per SEC-378
 
             role = StringUtils.replace(role, "\t", "");
 
             role = StringUtils.replace(role, "\r", "");
 
             role = StringUtils.replace(role, "\n", "");

+ 3 - 3
core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java
Datei anzeigen 

@@ -47,7 +47,7 @@ public class AuthorizeTagTests extends TestCase {
 
 
         currentUser = new TestingAuthenticationToken("abc", "123",
 
                 new GrantedAuthority[] {
 
-                    new GrantedAuthorityImpl("ROLE_SUPERVISOR"), new GrantedAuthorityImpl("ROLE_TELLER"),
 
+                    new GrantedAuthorityImpl("ROLE SUPERVISOR"), new GrantedAuthorityImpl("ROLE_TELLER"),
 
                 });
 
 
         SecurityContextHolder.getContext().setAuthentication(currentUser);
 
@@ -80,7 +80,7 @@ public class AuthorizeTagTests extends TestCase {
 
     }
 
 
     public void testOutputsBodyWhenAllGranted() throws JspException {
 
-        authorizeTag.setIfAllGranted("ROLE_SUPERVISOR,ROLE_TELLER");
 
+        authorizeTag.setIfAllGranted("ROLE SUPERVISOR,ROLE_TELLER");
 
         assertEquals("allows request - all required roles granted on principal", Tag.EVAL_BODY_INCLUDE,
 
             authorizeTag.doStartTag());
 
     }
 
@@ -107,7 +107,7 @@ public class AuthorizeTagTests extends TestCase {
 
 
     public void testSkipsBodyWhenMissingAnAllGranted()
 
         throws JspException {
 
-        authorizeTag.setIfAllGranted("ROLE_SUPERVISOR,ROLE_TELLER,ROLE_BANKER");
 
+        authorizeTag.setIfAllGranted("ROLE SUPERVISOR,ROLE_TELLER,ROLE_BANKER");
 
         assertEquals("prevents request - missing ROLE_BANKER on principal", Tag.SKIP_BODY, authorizeTag.doStartTag());
 
     }