
SEC-1466: Report error if authentication-provider element has child elements when used with "ref" attribute.

Luke Taylor 15 سال پیش
والد
کامیت
863ccecf55

+ 6 - 0
config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java

@@ -25,6 +25,8 @@ import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
+import com.sun.tools.internal.xjc.util.DOMUtils;
+
 /**
  * Registers the central ProviderManager used by the namespace configuration, and allows the configuration of an
  * alias, allowing users to reference it in their beans and clearly see where the name is
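Review bot: The added import `com.sun.tools.internal.xjc.util.DOMUtils` is an internal class of the JDK's xjc tooling, not a supported API, so it may be missing from the classpath on a JRE-only or non-Sun runtime. Its only use visible in this commit is the child-element check in the `ref` branch of the next hunk, so on such a runtime the configuration validation added for SEC-1466 would likely surface as a class-loading failure rather than a clear parsing error. The file already imports `Node` and `NodeList`, so the check can be written against the standard DOM API: loop over `providerElt.getChildNodes()` and report the error on the first entry where `children.item(i) instanceof Element`. That removes the import and keeps the behaviour.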
@@ -56,6 +58,10 @@ public class AuthenticationManagerBeanDefinitionParser implements BeanDefinition
             if (node instanceof Element) {
                 Element providerElt = (Element)node;
                 if (StringUtils.hasText(providerElt.getAttribute(ATT_REF))) {
+                    if (DOMUtils.getChildElements(providerElt).length > 0) {
+                        pc.getReaderContext().error("authentication-provider element cannot have children when used " +
+                                "with 'ref' atribute", pc.extractSource(element));
+                    }
                     providers.add(new RuntimeBeanReference(providerElt.getAttribute(ATT_REF)));
                 } else {
                     BeanDefinition provider = resolver.resolve(providerElt.getNamespaceURI()).parse(providerElt, pc);
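Review bot: The error in the new `ref` branch is reported against `pc.extractSource(element)`, which appears to be the enclosing element being parsed rather than the offending provider. Using `pc.extractSource(providerElt)` would point the source location at the `authentication-provider` element that actually carries both `ref` and children. The message also misspells "attribute" as `'ref' atribute`; since this text is what an administrator sees when a nested `password-encoder` would otherwise be silently ignored, it is worth correcting. The enclosing method starts and ends outside this hunk, so the type of `element` is inferred from its use here.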

+ 15 - 0
config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java

@@ -11,6 +11,7 @@ import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.authentication.AuthenticationProviderBeanDefinitionParser;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
 import org.springframework.security.util.FieldUtils;
+import org.springframework.beans.factory.parsing.BeanDefinitionParsingException;
 import org.springframework.context.support.AbstractXmlApplicationContext;
 
 import org.junit.Test;
@@ -129,6 +130,20 @@ public class AuthenticationProviderBeanDefinitionParserTests {
         getProvider().authenticate(bob);
     }
 
+    // SEC-1466
+    @Test(expected=BeanDefinitionParsingException.class)
+    public void exernalProviderDoesNotSupportChildElements() throws Exception {
+        appContext = new InMemoryXmlApplicationContext(
+                "    <authentication-manager>" +
+                "      <authentication-provider ref='aProvider'>" +
+                "        <password-encoder ref='customPasswordEncoder'/>" +
+                "      </authentication-provider>" +
+                "    </authentication-manager>" +
+                "    <b:bean id='aProvider' class='org.springframework.security.authentication.TestingAuthenticationProvider'/>" +
+                "    <b:bean id='customPasswordEncoder' " +
+                "        class='org.springframework.security.authentication.encoding.Md5PasswordEncoder'/>");
+    }
+
     private AuthenticationProvider getProvider() {
         List<AuthenticationProvider> providers =
                 ((ProviderManager)appContext.getBean(BeanIds.AUTHENTICATION_MANAGER)).getProviders();
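Review bot: The new test asserts only `expected=BeanDefinitionParsingException.class`, so any other parsing problem in the XML snippet (an unknown element, a bad bean class) would also make it pass without the SEC-1466 check ever firing. Catching the exception and asserting that its message contains the "cannot have children" text would tie the test to the new validation. The method name also has a typo, `exernalProviderDoesNotSupportChildElements`. The sketch below assumes `fail` and `assertTrue` from `org.junit.Assert` are statically imported in this test class, which is not visible in the hunk.

```java
    // SEC-1466
    @Test
    public void externalProviderDoesNotSupportChildElements() throws Exception {
        try {
            appContext = new InMemoryXmlApplicationContext(
                    // … unchanged: authentication-manager XML with the ref'd provider and its child element …
            );
            fail("Expected BeanDefinitionParsingException");
        } catch (BeanDefinitionParsingException expected) {
            assertTrue(expected.getMessage().contains("cannot have children"));
        }
    }
```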