17 lat temu · d4c105d8ba
--- a/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
+++ b/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
@@ -50,7 +50,7 @@ import org.w3c.dom.Element;
 
				  * @version $Id$
			
 
				  */
			
 
				 public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
			
 
				-	protected final Log logger = LogFactory.getLog(getClass());
			
 
				+	static final Log logger = LogFactory.getLog(HttpSecurityBeanDefinitionParser.class);
			
 
				 
			
 
				     static final String ATT_REALM = "realm";
			
 
				     static final String DEF_REALM = "Spring Security Application";
			
@@ -605,7 +605,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
 
				             // Convert the comma-separated list of access attributes to a ConfigAttributeDefinition
			
 
				             if (StringUtils.hasText(access)) {
			
 
				                 editor.setAsText(access);
			
 
				-                filterInvocationDefinitionMap.put(new RequestKey(path, method), editor.getValue());
			
 
				+                Object key = new RequestKey(path, method);
			
 
				+                
			
 
				+                if (filterInvocationDefinitionMap.containsKey(key)) {
			
 
				+                	logger.warn("Duplicate URL defined: " + key + ". The original attribute values will be overwritten");
			
 
				+                }
			
 
				+                
			
 
				+                filterInvocationDefinitionMap.put(key, editor.getValue());
			
 
				             }
			
 
				         }
			
 
				         
			
--- a/core/src/main/java/org/springframework/security/intercept/web/RequestKey.java
+++ b/core/src/main/java/org/springframework/security/intercept/web/RequestKey.java
@@ -54,4 +54,16 @@ public class RequestKey {
 
				 
			
 
				         return method.equals(key.method);        
			
 
				     }
			
 
				+
			
 
				+	public String toString() {
			
 
				+		StringBuffer sb = new StringBuffer(url.length() + 7);
			
 
				+		sb.append("[");
			
 
				+		if (method != null) {
			
 
				+			sb.append(method).append(",");
			
 
				+		}
			
 
				+		sb.append(url);
			
 
				+		sb.append("]");
			
 
				+		
			
 
				+		return sb.toString();
			
 
				+	}
			
 
				 }
			
--- a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
+++ b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
@@ -608,7 +608,6 @@ public class HttpSecurityBeanDefinitionParserTests {
 
				 
			
 
				     @Test
			
 
				     public void settingCreateSessionToAlwaysSetsFilterPropertiesCorrectly() throws Exception {
			
 
				-        // Protected, no anonymous filter configured.
			
 
				         setContext("<http auto-config='true' create-session='always'/>" + AUTH_PROVIDER_XML);
			
 
				         assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "forceEagerSessionCreation"));
			
 
				         assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "allowSessionCreation"));        
			
@@ -616,12 +615,27 @@ public class HttpSecurityBeanDefinitionParserTests {
 
				 
			
 
				     @Test
			
 
				     public void settingCreateSessionToNeverSetsFilterPropertiesCorrectly() throws Exception {
			
 
				-        // Protected, no anonymous filter configured.
			
 
				         setContext("<http auto-config='true' create-session='never'/>" + AUTH_PROVIDER_XML);
			
 
				         assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "forceEagerSessionCreation"));
			
 
				         assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "allowSessionCreation"));        
			
 
				     }    
			
 
				     
			
 
				+    /* SEC-934 */
			
 
				+    @Test
			
 
				+    public void supportsTwoIdenticalInterceptUrls() {
			
 
				+        setContext(
			
 
				+                "<http auto-config='true'>" +
			
 
				+                "    <intercept-url pattern='/someurl' access='ROLE_A'/>" +
			
 
				+                "    <intercept-url pattern='/someurl' access='ROLE_B'/>" +
			
 
				+                "</http>" + AUTH_PROVIDER_XML);
			
 
				+        FilterSecurityInterceptor fis = (FilterSecurityInterceptor) appContext.getBean(BeanIds.FILTER_SECURITY_INTERCEPTOR);
			
 
				+
			
 
				+        FilterInvocationDefinitionSource fids = fis.getObjectDefinitionSource();
			
 
				+        ConfigAttributeDefinition attrDef = fids.getAttributes(createFilterinvocation("/someurl", null));
			
 
				+        assertEquals(1, attrDef.getConfigAttributes().size());
			
 
				+        assertTrue(attrDef.contains(new SecurityConfig("ROLE_B")));
			
 
				+    }
			
 
				+    
			
 
				     private void setContext(String context) {
			
 
				         appContext = new InMemoryXmlApplicationContext(context);
			
 
				     }