
OPEN - issue SEC-934: security:intercept-url throws NPE if defined twice with the same url
http://jira.springframework.org/browse/SEC-934. Added log warning when the same url is used multiple times.

Luke Taylor 17 ani în urmă
părinte
comite
d4c105d8ba

+ 8 - 2
core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java

@@ -50,7 +50,7 @@ import org.w3c.dom.Element;
  * @version $Id$
  */
 public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
-	protected final Log logger = LogFactory.getLog(getClass());
+	static final Log logger = LogFactory.getLog(HttpSecurityBeanDefinitionParser.class);
 
     static final String ATT_REALM = "realm";
     static final String DEF_REALM = "Spring Security Application";
@@ -605,7 +605,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
             // Convert the comma-separated list of access attributes to a ConfigAttributeDefinition
             if (StringUtils.hasText(access)) {
                 editor.setAsText(access);
-                filterInvocationDefinitionMap.put(new RequestKey(path, method), editor.getValue());
+                Object key = new RequestKey(path, method);
+                
+                if (filterInvocationDefinitionMap.containsKey(key)) {
+                	logger.warn("Duplicate URL defined: " + key + ". The original attribute values will be overwritten");
+                }
+                
+                filterInvocationDefinitionMap.put(key, editor.getValue());
             }
         }
         
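Review bot: The new warning at the `containsKey` check names only the key, so a reader of the log cannot tell whether the later `intercept-url` tightened or loosened access to that URL. Because the last definition wins for an access-control rule, the message should carry both values, e.g. `logger.warn("Duplicate URL defined: " + key + ". Attributes " + filterInvocationDefinitionMap.get(key) + " will be replaced by " + editor.getValue());`. Whether a duplicate should instead be reported as a configuration error is worth deciding explicitly, since a startup warning is easy to miss. `key` could also be declared as `RequestKey` rather than `Object`. The enclosing method starts and ends outside this hunk.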

+ 12 - 0
core/src/main/java/org/springframework/security/intercept/web/RequestKey.java

@@ -54,4 +54,16 @@ public class RequestKey {
 
         return method.equals(key.method);        
     }
+
+	public String toString() {
+		StringBuffer sb = new StringBuffer(url.length() + 7);
+		sb.append("[");
+		if (method != null) {
+			sb.append(method).append(",");
+		}
+		sb.append(url);
+		sb.append("]");
+		
+		return sb.toString();
+	}
 }
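Review bot: The added `toString()` is indented with tabs while the surrounding lines of `RequestKey` use spaces, and the initial capacity `url.length() + 7` leaves no room for the brackets and comma once the method name is longer than four letters, so the buffer regrows. A local buffer needs no synchronization; if the module's target JDK allows it, `StringBuilder` or a plain `return "[" + (method != null ? method + "," : "") + url + "]";` would be simpler. A one-line Javadoc such as `/** Returns "[method,url]", or "[url]" when no method is set; used in log messages. */` would document the format that the duplicate-URL warning prints. The class body starts outside the hunk.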

+ 16 - 2
core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java

@@ -608,7 +608,6 @@ public class HttpSecurityBeanDefinitionParserTests {
 
     @Test
     public void settingCreateSessionToAlwaysSetsFilterPropertiesCorrectly() throws Exception {
-        // Protected, no anonymous filter configured.
         setContext("<http auto-config='true' create-session='always'/>" + AUTH_PROVIDER_XML);
         assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "forceEagerSessionCreation"));
         assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "allowSessionCreation"));        
@@ -616,12 +615,27 @@ public class HttpSecurityBeanDefinitionParserTests {
 
     @Test
     public void settingCreateSessionToNeverSetsFilterPropertiesCorrectly() throws Exception {
-        // Protected, no anonymous filter configured.
         setContext("<http auto-config='true' create-session='never'/>" + AUTH_PROVIDER_XML);
         assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "forceEagerSessionCreation"));
         assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(appContext.getBean(BeanIds.HTTP_SESSION_CONTEXT_INTEGRATION_FILTER), "allowSessionCreation"));        
     }    
     
+    /* SEC-934 */
+    @Test
+    public void supportsTwoIdenticalInterceptUrls() {
+        setContext(
+                "<http auto-config='true'>" +
+                "    <intercept-url pattern='/someurl' access='ROLE_A'/>" +
+                "    <intercept-url pattern='/someurl' access='ROLE_B'/>" +
+                "</http>" + AUTH_PROVIDER_XML);
+        FilterSecurityInterceptor fis = (FilterSecurityInterceptor) appContext.getBean(BeanIds.FILTER_SECURITY_INTERCEPTOR);
+
+        FilterInvocationDefinitionSource fids = fis.getObjectDefinitionSource();
+        ConfigAttributeDefinition attrDef = fids.getAttributes(createFilterinvocation("/someurl", null));
+        assertEquals(1, attrDef.getConfigAttributes().size());
+        assertTrue(attrDef.contains(new SecurityConfig("ROLE_B")));
+    }
+    
     private void setContext(String context) {
         appContext = new InMemoryXmlApplicationContext(context);
     }
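Review bot: `supportsTwoIdenticalInterceptUrls` pins last-definition-wins behaviour but nothing in the test says so; a comment above the assertions such as `// The later intercept-url replaces the earlier one; ROLE_A must no longer apply.` would make the intended access-control outcome explicit. Only the case with no HTTP method is covered (`createFilterinvocation("/someurl", null)`), so the `method` comparison in `RequestKey.equals` is not exercised by a duplicate. A second case with the same pattern and the same `method` on both elements would cover it.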