Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

SEC-2882: DefaultLoginPageGeneratingFilter match on /login

Previously DefaultLoginPageGeneratingFilter would match on /**/login
which was not ideal since other parts of the application may want to
match on the URL.

Now it matches on /login.
Rob Winch 10 years ago
parent
217152c8fd
commit
9d0085bb64
2 changed files with 71 additions and 2 deletions
Split View Show Diff Stats
  1. 2 2
      web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
  2. 69 0
      web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java

+ 2 - 2
web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
View File 

@@ -260,9 +260,9 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
 
         }
 
 
         if ("".equals(request.getContextPath())) {
 
-            return uri.endsWith(url);
 
+            return uri.equals(url);
 
         }
 
 
-        return uri.endsWith(request.getContextPath() + url);
 
+        return uri.equals(request.getContextPath() + url);
 
     }
 
 }

+ 69 - 0
web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
View File 

@@ -1,5 +1,6 @@
 
 package org.springframework.security.web.authentication;
 
 
+import static org.fest.assertions.Assertions.assertThat;
 
 import static org.mockito.Mockito.mock;
 
 
 import java.util.Locale;
 
@@ -34,6 +35,74 @@ public class DefaultLoginPageGeneratingFilterTests {
 
         filter.doFilter(new MockHttpServletRequest("GET", "/login;pathparam=unused"), new MockHttpServletResponse(), chain);
 
     }
 
 
+    @Test
 
+    public void generatesForGetLogin() throws Exception {
 
+        DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(new UsernamePasswordAuthenticationFilter());
 
+        MockHttpServletResponse response = new MockHttpServletResponse();
 
+
 
+        filter.doFilter(new MockHttpServletRequest("GET", "/login"), response, chain);
 
+
 
+        assertThat(response.getContentAsString()).isNotEmpty();
 
+    }
 
+
 
+    @Test
 
+    public void generatesForPostLogin() throws Exception {
 
+        DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(new UsernamePasswordAuthenticationFilter());
 
+        MockHttpServletResponse response = new MockHttpServletResponse();
 
+
 
+        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/login");
 
+        filter.doFilter(request, response, chain);
 
+
 
+        assertThat(response.getContentAsString()).isEmpty();
 
+    }
 
+
 
+    @Test
 
+    public void generatesForNotEmptyContextLogin() throws Exception {
 
+        DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(new UsernamePasswordAuthenticationFilter());
 
+        MockHttpServletResponse response = new MockHttpServletResponse();
 
+
 
+        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/context/login");
 
+        request.setContextPath("/context");
 
+        filter.doFilter(request, response, chain);
 
+
 
+        assertThat(response.getContentAsString()).isNotEmpty();
 
+    }
 
+
 
+    @Test
 
+    public void generatesForGetApiLogin() throws Exception {
 
+        DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(new UsernamePasswordAuthenticationFilter());
 
+        MockHttpServletResponse response = new MockHttpServletResponse();
 
+
 
+        filter.doFilter(new MockHttpServletRequest("GET", "/api/login"), response, chain);
 
+
 
+        assertThat(response.getContentAsString()).isEmpty();
 
+    }
 
+
 
+    @Test
 
+    public void generatesForWithQueryMatch() throws Exception {
 
+        DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(new UsernamePasswordAuthenticationFilter());
 
+        MockHttpServletResponse response = new MockHttpServletResponse();
 
+
 
+        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/login");
 
+        request.setQueryString("error");
 
+
 
+        filter.doFilter(request, response, chain);
 
+
 
+        assertThat(response.getContentAsString()).isNotEmpty();
 
+    }
 
+
 
+    @Test
 
+    public void generatesForWithQueryNoMatch() throws Exception {
 
+        DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(new UsernamePasswordAuthenticationFilter());
 
+        MockHttpServletResponse response = new MockHttpServletResponse();
 
+
 
+        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/login");
 
+        request.setQueryString("not");
 
+
 
+        filter.doFilter(request, response, chain);
 
+
 
+        assertThat(response.getContentAsString()).isEmpty();
 
+    }
 
 
     @Test
 
     public void generatingPageWithOpenIdFilterOnlyIsSuccessFul() throws Exception {