SEC-1584: Additional integration tests.

itest/context/pom.xml

@@ -5,13 +5,18 @@
     <parent>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-itest</artifactId>
-        <version>2.0.4-SNAPSHOT</version>
+        <version>2.0.6.CI-SNAPSHOT</version>
     </parent>
     <artifactId>spring-security-itest-context</artifactId>
     <name>Spring Security - Miscellaneous Application Context Integration Tests</name>
     <packaging>jar</packaging>
 
     <dependencies>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>servlet-api</artifactId>
+            <version>2.5</version>
+        </dependency>
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>

itest/context/src/test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java

@@ -0,0 +1,67 @@
+package org.springframework.security.integration;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.mock.web.MockFilterChain;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.security.context.HttpSessionContextIntegrationFilter;
+import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.util.AuthorityUtils;
+import org.springframework.security.util.FilterChainProxy;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+import javax.servlet.http.HttpSession;
+
+@ContextConfiguration(locations={"/http-path-param-stripping-app-context.xml"})
+@RunWith(SpringJUnit4ClassRunner.class)
+public class HttpPathParameterStrippingTests {
+
+    @Autowired
+    private FilterChainProxy fcp;
+
+    @Test
+    public void securedFilterChainCannotBeBypassedByAddingPathParameters() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setPathInfo("/secured;x=y/admin.html");
+        request.setSession(createAuthenticatedSession("ROLE_USER"));
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        fcp.doFilter(request, response, new MockFilterChain());
+        assertEquals(403, response.getStatus());
+    }
+
+    @Test
+    public void adminFilePatternCannotBeBypassedByAddingPathParameters() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setServletPath("/secured/admin.html;x=user.html");
+        request.setSession(createAuthenticatedSession("ROLE_USER"));
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        fcp.doFilter(request, response, new MockFilterChain());
+        assertEquals(403, response.getStatus());
+
+        // Try with pathInfo
+        request = new MockHttpServletRequest();
+        request.setServletPath("/secured");
+        request.setPathInfo("/admin.html;x=user.html");
+        request.setSession(createAuthenticatedSession("ROLE_USER"));
+        response = new MockHttpServletResponse();
+        fcp.doFilter(request, response, new MockFilterChain());
+        assertEquals(403, response.getStatus());
+    }
+
+    public HttpSession createAuthenticatedSession(String... roles) {
+        MockHttpSession session = new MockHttpSession();
+        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("bob", "bobspassword",
+                AuthorityUtils.stringArrayToAuthorityArray(roles)));
+        session.setAttribute(HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
+        SecurityContextHolder.clearContext();
+        return session;
+    }
+
+}

itest/context/src/test/resources/http-path-param-stripping-app-context.xml

@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+  -
+  -->
+
+<b:beans xmlns="http://www.springframework.org/schema/security"
+    xmlns:b="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
+
+    <http>
+        <intercept-url pattern="/secured/*user.html" access="ROLE_USER" />
+        <intercept-url pattern="/secured/admin.html" access="ROLE_ADMIN" />
+        <intercept-url pattern="/secured/user/**" access="ROLE_USER" />
+        <intercept-url pattern="/secured/admin/*" access="ROLE_ADMIN" />
+        <intercept-url pattern="/**" filters="none" />
+        <form-login />
+    </http>
+
+    <authentication-provider>
+        <user-service id="userService">
+            <user name="notused" password="notused" authorities="ROLE_0,ROLE_1"/>
+        </user-service>
+    </authentication-provider>
+
+</b:beans>

itest/pom.xml

@@ -1,20 +1,20 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>   
+    <modelVersion>4.0.0</modelVersion>
     <groupId>org.springframework.security</groupId>
     <artifactId>spring-security-itest</artifactId>
     <name>Spring Security - Integration Tests</name>
     <packaging>pom</packaging>
-    <version>2.0.4-SNAPSHOT</version>
+    <version>2.0.6.CI-SNAPSHOT</version>
     <modules>
         <module>web</module>
         <!-- module>webflow</module-->
         <module>context</module>
     </modules>
-    <dependencies>     
+    <dependencies>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring</artifactId>
-            <version>2.5.5</version>
+            <version>2.5.6.SEC02</version>
             <exclusions>
                 <exclusion>
                     <groupId>commons-logging</groupId>
@@ -25,14 +25,14 @@
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-test</artifactId>
-            <version>2.5.5</version>
+            <version>2.5.6.SEC02</version>
             <exclusions>
                 <exclusion>
                     <groupId>commons-logging</groupId>
                     <artifactId>commons-logging</artifactId>
                 </exclusion>
             </exclusions>
-        </dependency>        
+        </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-core</artifactId>
@@ -58,7 +58,7 @@
                     <groupId>commons-logging</groupId>
                     <artifactId>commons-logging</artifactId>
                 </exclusion>
-            </exclusions>            
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
@@ -69,18 +69,18 @@
                     <groupId>commons-logging</groupId>
                     <artifactId>commons-logging</artifactId>
                 </exclusion>
-            </exclusions>            
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.aspectj</groupId>
+            <artifactId>aspectjrt</artifactId>
+            <version>1.6.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.aspectj</groupId>
+            <artifactId>aspectjweaver</artifactId>
+            <version>1.6.1</version>
         </dependency>
-	    <dependency>
-	        <groupId>org.aspectj</groupId>
-		    <artifactId>aspectjrt</artifactId>
-		    <version>1.6.1</version>
-	    </dependency>
-	    <dependency>
-	        <groupId>org.aspectj</groupId>
-		    <artifactId>aspectjweaver</artifactId>
-		    <version>1.6.1</version>
-	    </dependency>	            
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
@@ -97,7 +97,7 @@
                     <groupId>commons-logging</groupId>
                     <artifactId>commons-logging</artifactId>
                 </exclusion>
-            </exclusions>            
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.directory.server</groupId>
@@ -128,9 +128,9 @@
                 <exclusion>
                     <groupId>commons-logging</groupId>
                     <artifactId>commons-logging</artifactId>
-                </exclusion>                             
-            </exclusions>            
-        </dependency>               
+                </exclusion>
+            </exclusions>
+        </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-log4j12</artifactId>
@@ -195,10 +195,10 @@
                         </property>
                     </systemProperties>
                 </configuration>
-            </plugin>            
+            </plugin>
         </plugins>
     </build>
     <properties>
         <jetty.version>6.1.11</jetty.version>
-    </properties>  
+    </properties>
 </project>

itest/web/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-itest</artifactId>
-        <version>2.0.4-SNAPSHOT</version>
+        <version>2.0.6.CI-SNAPSHOT</version>
     </parent>
     <artifactId>spring-security-itest-web</artifactId>
     <name>Spring Security - Web Integration Tests</name>
@@ -36,7 +36,7 @@
             <artifactId>jetty-naming</artifactId>
             <version>${jetty.version}</version>
             <scope>test</scope>
-        </dependency>        
+        </dependency>
         <dependency>
             <groupId>org.mortbay.jetty</groupId>
             <artifactId>jetty-plus</artifactId>
@@ -53,8 +53,8 @@
             <groupId>org.mortbay.jetty</groupId>
             <artifactId>jsp-api-2.1</artifactId>
             <version>${jetty.version}</version>
-        </dependency>        
-<!--                
+        </dependency>
+<!--
         <dependency>
             <groupId>javax.servlet</groupId>
             <artifactId>jstl</artifactId>
@@ -67,10 +67,10 @@
             <scope>runtime</scope>
             <version>1.1.2</version>
         </dependency>
--->        
+-->
     </dependencies>
 
-<!-- 
+<!--
     <build>
         <plugins>
             <plugin>
@@ -88,7 +88,7 @@
                 </execution>
               </executions>
             </plugin>
-        </plugins>            
-    </build> 
+        </plugins>
+    </build>
         -->
 </project>