
SEC-1662: Cater for the case where a user uses two <http> elements without patterns and the RequestMatcher does not have two arguments.

Luke Taylor 14 年之前
父节点
当前提交
866615ceaa

+ 4 - 1
config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java

@@ -273,8 +273,11 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
             for (BeanDefinition matcherBean : filterChainMap.keySet()) {
                 if (existingFilterChainMap.containsKey(matcherBean)) {
                     Map<Integer,ValueHolder> args = matcherBean.getConstructorArgumentValues().getIndexedArgumentValues();
+                    String matcherError = args.size() == 2 ? args.get(0).getValue() + ", " +args.get(1).getValue() :
+                            matcherBean.toString();
                     pc.getReaderContext().error("The filter chain map already contains this request matcher ["
-                            + args.get(0).getValue() + ", " +args.get(1).getValue() + "]", source);
+                            + matcherError + "]. If you are using multiple <http> namespace elements, you must use a 'pattern' attribute" +
+                            " to define the request patterns to which they apply.", source);
                 }
             }
             existingFilterChainMap.putAll(filterChainMap);
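Review bot: `args.size() == 2` on the new line does not guarantee that indices 0 and 1 are present in the map returned by `getIndexedArgumentValues()`, so `args.get(0).getValue()` can still throw a NullPointerException and hide the real configuration error the message is meant to report. Keying the check on the indices is safer: `String matcherError = args.containsKey(0) && args.containsKey(1) ? args.get(0).getValue() + ", " + args.get(1).getValue() : matcherBean.toString();`. A one-line comment above it would make the intent clear, e.g. `// Matchers built from two indexed constructor args are printed as "arg0, arg1"; anything else falls back to the bean definition's toString()`. The enclosing method starts and ends outside the hunk.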

+ 17 - 3
config/src/test/groovy/org/springframework/security/config/http/MultiHttpBlockConfigTests.groovy

@@ -29,12 +29,12 @@ class MultiHttpBlockConfigTests extends AbstractHttpConfigTests {
         (filterChains.keySet() as List)[0].pattern == '/stateless/**'
     }
 
-    def duplicatePatternsAreRejected () {
+    def duplicateHttpElementsAreRejected () {
         when: "Two <http> elements are used"
-        xml.http(pattern: '/stateless/**', 'create-session': 'stateless') {
+        xml.http('create-session': 'stateless') {
             'http-basic'()
         }
-        xml.http(pattern: '/stateless/**') {
+        xml.http() {
             'form-login'()
         }
         createAppContext()
@@ -42,6 +42,20 @@ class MultiHttpBlockConfigTests extends AbstractHttpConfigTests {
         thrown(BeanDefinitionParsingException)
     }
 
+  def duplicatePatternsAreRejected () {
+      when: "Two <http> elements with the same pattern are used"
+      xml.http(pattern: '/stateless/**', 'create-session': 'stateless') {
+          'http-basic'()
+      }
+      xml.http(pattern: '/stateless/**') {
+          'form-login'()
+      }
+      createAppContext()
+      then:
+      thrown(BeanDefinitionParsingException)
+  }
+
+
     def namedFilterChainIsExposedAsABean () {
         xml.http(name: 'basic', pattern: '/basic/**', 'create-session': 'stateless') {
             'http-basic'()
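Review bot: The renamed `duplicateHttpElementsAreRejected` test in the first hunk only asserts that a `BeanDefinitionParsingException` is thrown, so the new guidance message this commit adds (the "you must use a 'pattern' attribute" text) is not covered and a regression to the previous, less helpful failure would pass unnoticed. Capture the exception and check its message, e.g. `def e = thrown(BeanDefinitionParsingException)` followed by `e.message.contains('pattern')`. In the second hunk the added `duplicatePatternsAreRejected` block is indented with two spaces while the rest of the class uses four, and it is followed by two blank lines; reindenting it and dropping one blank line keeps the file consistent.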