9 anos atrás · b28c62a6fe
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java
@@ -33,6 +33,7 @@ import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuc
 
															 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
														
 
															 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
														
 
															 import org.springframework.security.web.util.matcher.RequestMatcher;
														
 
															+import org.springframework.util.Assert;
														
 
															 /**
														
 
															  * Adds logout support. Other {@link SecurityConfigurer} instances may invoke
														
@@ -85,6 +86,7 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends
 
															 	 * @return the {@link LogoutConfigurer} for further customization
														
 
															 	 */
														
 
															 	public LogoutConfigurer<H> addLogoutHandler(LogoutHandler logoutHandler) {
														
 
															+		Assert.notNull(logoutHandler, "logoutHandler cannot be null");
														
 
															 		this.logoutHandlers.add(logoutHandler);
														
 
															 		return this;
														
 
															 	}
														
@@ -311,4 +313,4 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends
 
															 		}
														
 
															 		return this.logoutRequestMatcher;
														
 
															 	}
														
 
															-}
														
 
															+}
														
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.groovy
@@ -15,6 +15,7 @@
 
															  */
														
 
															 package org.springframework.security.config.annotation.web.configurers
														
 
															+import org.springframework.beans.factory.BeanCreationException
														
 
															 import org.springframework.context.annotation.Configuration
														
 
															 import org.springframework.security.config.annotation.AnyObjectPostProcessor
														
 
															 import org.springframework.security.config.annotation.BaseSpringSpec
														
@@ -22,6 +23,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 
															 import org.springframework.security.config.annotation.web.builders.HttpSecurity
														
 
															 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
														
 
															 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
														
 
															+import org.springframework.security.web.authentication.RememberMeServices
														
 
															 import org.springframework.security.web.authentication.logout.LogoutFilter
														
 
															 /**
														
@@ -111,4 +113,25 @@ class LogoutConfigurerTests extends BaseSpringSpec {
 
															 				.csrf().disable()
														
 
															 		}
														
 
															 	}
														
 
															+
														
 
															+	def "SEC-3170: LogoutConfigurer allows null LogoutHandler"() {
														
 
															+		when:
														
 
															+			loadConfig(RememberMeNoLogoutHandler)
														
 
															+			request.method = "GET"
														
 
															+			request.servletPath = "/logout"
														
 
															+			findFilter(LogoutFilter).doFilter(request, response, chain)
														
 
															+		then:
														
 
															+			thrown(BeanCreationException)
														
 
															+	}
														
 
															+
														
 
															+	@EnableWebSecurity
														
 
															+	static class RememberMeNoLogoutHandler extends WebSecurityConfigurerAdapter {
														
 
															+
														
 
															+		@Override
														
 
															+		protected void configure(HttpSecurity http) throws Exception {
														
 
															+			http
														
 
															+					.rememberMe()
														
 
															+					.rememberMeServices(Mock(RememberMeServices))
														
 
															+		}
														
 
															+	}
														
 
															 }
														
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.groovy
@@ -19,7 +19,8 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 
															 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
														
 
															 import org.springframework.security.config.annotation.web.configuration.BaseWebConfig;
														
 
															 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
														
 
															-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
														
 
															+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
														
 
															+import org.springframework.security.web.authentication.logout.LogoutHandler;
														
 
															 import javax.servlet.http.Cookie
														
@@ -112,9 +113,12 @@ public class NamespaceRememberMeTests extends BaseSpringSpec {
 
															 		}
														
 
															 	}
														
 
															+	// See SEC-3170
														
 
															+	static interface RememberMeServicesLogoutHandler extends RememberMeServices, LogoutHandler{}
														
 
															+
														
 
															 	def "http/remember-me@services-ref"() {
														
 
															 		setup:
														
 
															-			RememberMeServicesRefConfig.REMEMBER_ME_SERVICES = Mock(RememberMeServices)
														
 
															+			RememberMeServicesRefConfig.REMEMBER_ME_SERVICES = Mock(RememberMeServicesLogoutHandler)
														
 
															 		when: "use custom remember-me services"
														
 
															 			loadConfig(RememberMeServicesRefConfig)
														
 
															 		then: "custom remember-me services used"