
Include HttpStatusRequestRequestedHandler

Closes gh-12548
Josh Cummings il y a 2 ans
Parent
commit
c3563df25a

+ 6 - 2
config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -56,7 +56,9 @@ import org.springframework.security.web.access.expression.DefaultWebSecurityExpr
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.debug.DebugFilter;
+import org.springframework.security.web.firewall.CompositeRequestRejectedHandler;
 import org.springframework.security.web.firewall.HttpFirewall;
+import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
 import org.springframework.security.web.firewall.ObservationMarkingRequestRejectedHandler;
 import org.springframework.security.web.firewall.RequestRejectedHandler;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
@@ -309,8 +311,10 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 			filterChainProxy.setRequestRejectedHandler(this.requestRejectedHandler);
 		}
 		else if (!this.observationRegistry.isNoop()) {
-			filterChainProxy
-					.setRequestRejectedHandler(new ObservationMarkingRequestRejectedHandler(this.observationRegistry));
+			CompositeRequestRejectedHandler requestRejectedHandler = new CompositeRequestRejectedHandler(
+					new ObservationMarkingRequestRejectedHandler(this.observationRegistry),
+					new HttpStatusRequestRejectedHandler());
+			filterChainProxy.setRequestRejectedHandler(requestRejectedHandler);
 		}
 		filterChainProxy.setFilterChainDecorator(getFilterChainDecorator());
 		filterChainProxy.afterPropertiesSet();
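Review bot: The local `requestRejectedHandler` declared in the `else if` branch has the same name as the field `this.requestRejectedHandler` tested just above it, so the two are easy to confuse on a later edit; a name such as `defaultHandler` would keep them apart. The branch also deserves a comment recording why both delegates are needed, for example `// mark the observation first, then still answer the rejected request with 400`, since ObservationMarkingRequestRejectedHandler on its own presumably left firewall-rejected requests without an error status (the gh-12548 report). A user-supplied handler in the first branch is installed unwrapped, so rejections handled there are not marked on the observation; if that is intended, the comment should say so. The enclosing method starts and ends outside this hunk.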

+ 10 - 0
config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java

@@ -122,6 +122,16 @@ public class WebSecurityTests {
 		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
 	}
 
+	// gh-12548
+	@Test
+	public void requestRejectedHandlerInvokedWhenOperationalObservationRegistry() throws ServletException, IOException {
+		loadConfig(ObservationRegistryConfig.class);
+		this.request.setServletPath("/spring");
+		this.request.setRequestURI("/spring/\u0019path");
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
+	}
+
 	@Test
 	public void ignoringMvcMatcherServletPath() throws Exception {
 		loadConfig(MvcMatcherServletPathConfig.class, LegacyMvcMatchingConfig.class);
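Review bot: requestRejectedHandlerInvokedWhenOperationalObservationRegistry asserts only the 400 status, so it would still pass if the ObservationMarkingRequestRejectedHandler delegate were later dropped from the composite. If ObservationRegistryConfig (not visible in this hunk) exposes the observation handler it registers, the test should also verify that the handler saw the rejection. A short comment on the `setRequestURI` line would help the next reader, e.g. `// U+0019 is a control character, which the default StrictHttpFirewall rejects`.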