Inicio Explorar Ayuda
Registro Iniciar sesión
github
/
spring-security
espejo de https://github.com/spring-projects/spring-security
2
0
Fork 0
Archivos Incidencias 0 Wiki
Explorar el Código

RequestRejectedException is 400 by Default

Closes gh-7568
Rob Winch hace 3 años
padre
0137f94f3b
commit
f34ea188e2
Se han modificado 3 ficheros con 17 adiciones y 20 borrados
Dividir vista Mostrar estadísticas de diff
  1. 7 10
      config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFirewallTests.java
  2. 8 8
      itest/context/src/integration-test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java
  3. 2 2
      web/src/main/java/org/springframework/security/web/FilterChainProxy.java

+ 7 - 10
config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFirewallTests.java
Ver fichero 

@@ -33,8 +33,8 @@ import org.springframework.security.web.firewall.HttpFirewall;
 
 import org.springframework.security.web.firewall.RequestRejectedException;
 
 import org.springframework.test.web.servlet.MockMvc;
 
 
-import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 
 /**
 
  * Tests to verify that all the functionality of <http-firewall> attributes is
 
@@ -52,24 +52,21 @@ public class NamespaceHttpFirewallTests {
 
 	MockMvc mvc;
 
 
 	@Test
 
-	public void requestWhenPathContainsDoubleDotsThenBehaviorMatchesNamespace() {
 
+	public void requestWhenPathContainsDoubleDotsThenBehaviorMatchesNamespace() throws Exception {
 
 		this.rule.register(HttpFirewallConfig.class).autowire();
 
-		assertThatExceptionOfType(RequestRejectedException.class)
 
-				.isThrownBy(() -> this.mvc.perform(get("/public/../private/")));
 
+		this.mvc.perform(get("/public/../private/")).andExpect(status().isBadRequest());
 
 	}
 
 
 	@Test
 
-	public void requestWithCustomFirewallThenBehaviorMatchesNamespace() {
 
+	public void requestWithCustomFirewallThenBehaviorMatchesNamespace() throws Exception {
 
 		this.rule.register(CustomHttpFirewallConfig.class).autowire();
 
-		assertThatExceptionOfType(RequestRejectedException.class)
 
-				.isThrownBy(() -> this.mvc.perform(get("/").param("deny", "true")));
 
+		this.mvc.perform(get("/").param("deny", "true")).andExpect(status().isBadRequest());
 
 	}
 
 
 	@Test
 
-	public void requestWithCustomFirewallBeanThenBehaviorMatchesNamespace() {
 
+	public void requestWithCustomFirewallBeanThenBehaviorMatchesNamespace() throws Exception {
 
 		this.rule.register(CustomHttpFirewallBeanConfig.class).autowire();
 
-		assertThatExceptionOfType(RequestRejectedException.class)
 
-				.isThrownBy(() -> this.mvc.perform(get("/").param("deny", "true")));
 
+		this.mvc.perform(get("/").param("deny", "true")).andExpect(status().isBadRequest());
 
 	}
 
 
 	@EnableWebSecurity

+ 8 - 8
itest/context/src/integration-test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java
Ver fichero 

@@ -21,6 +21,7 @@ import org.junit.jupiter.api.Test;
 
 import org.junit.jupiter.api.extension.ExtendWith;
 
 
 import org.springframework.beans.factory.annotation.Autowired;
 
+import org.springframework.http.HttpStatus;
 
 import org.springframework.mock.web.MockFilterChain;
 
 import org.springframework.mock.web.MockHttpServletRequest;
 
 import org.springframework.mock.web.MockHttpServletResponse;
 
@@ -29,11 +30,10 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
 
 import org.springframework.security.core.context.SecurityContextHolder;
 
 import org.springframework.security.web.FilterChainProxy;
 
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 
-import org.springframework.security.web.firewall.RequestRejectedException;
 
 import org.springframework.test.context.ContextConfiguration;
 
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 
 
-import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 
+import static org.assertj.core.api.Assertions.assertThat;
 
 
 @ContextConfiguration(locations = { "/http-path-param-stripping-app-context.xml" })
 
 @ExtendWith(SpringExtension.class)
 
@@ -48,8 +48,8 @@ public class HttpPathParameterStrippingTests {
 
 		request.setPathInfo("/secured;x=y/admin.html");
 
 		request.setSession(createAuthenticatedSession("ROLE_USER"));
 
 		MockHttpServletResponse response = new MockHttpServletResponse();
 
-		assertThatExceptionOfType(RequestRejectedException.class)
 
-				.isThrownBy(() -> this.fcp.doFilter(request, response, new MockFilterChain()));
 
+		this.fcp.doFilter(request, response, new MockFilterChain());
 
+		assertThat(response.getStatus()).isEqualTo(HttpStatus.BAD_REQUEST.value());
 
 	}
 
 
 	@Test
 
@@ -58,8 +58,8 @@ public class HttpPathParameterStrippingTests {
 
 		request.setServletPath("/secured/admin.html;x=user.html");
 
 		request.setSession(createAuthenticatedSession("ROLE_USER"));
 
 		MockHttpServletResponse response = new MockHttpServletResponse();
 
-		assertThatExceptionOfType(RequestRejectedException.class)
 
-				.isThrownBy(() -> this.fcp.doFilter(request, response, new MockFilterChain()));
 
+		this.fcp.doFilter(request, response, new MockFilterChain());
 
+		assertThat(response.getStatus()).isEqualTo(HttpStatus.BAD_REQUEST.value());
 
 	}
 
 
 	@Test
 
@@ -69,8 +69,8 @@ public class HttpPathParameterStrippingTests {
 
 		request.setPathInfo("/admin.html;x=user.html");
 
 		request.setSession(createAuthenticatedSession("ROLE_USER"));
 
 		MockHttpServletResponse response = new MockHttpServletResponse();
 
-		assertThatExceptionOfType(RequestRejectedException.class)
 
-				.isThrownBy(() -> this.fcp.doFilter(request, response, new MockFilterChain()));
 
+		this.fcp.doFilter(request, response, new MockFilterChain());
 
+		assertThat(response.getStatus()).isEqualTo(HttpStatus.BAD_REQUEST.value());
 
 	}
 
 
 	public HttpSession createAuthenticatedSession(String... roles) {

+ 2 - 2
web/src/main/java/org/springframework/security/web/FilterChainProxy.java
Ver fichero 

@@ -33,9 +33,9 @@ import org.apache.commons.logging.LogFactory;
 
 
 import org.springframework.core.log.LogMessage;
 
 import org.springframework.security.core.context.SecurityContextHolder;
 
-import org.springframework.security.web.firewall.DefaultRequestRejectedHandler;
 
 import org.springframework.security.web.firewall.FirewalledRequest;
 
 import org.springframework.security.web.firewall.HttpFirewall;
 
+import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
 
 import org.springframework.security.web.firewall.RequestRejectedException;
 
 import org.springframework.security.web.firewall.RequestRejectedHandler;
 
 import org.springframework.security.web.firewall.StrictHttpFirewall;
 
@@ -151,7 +151,7 @@ public class FilterChainProxy extends GenericFilterBean {
 
 
 	private HttpFirewall firewall = new StrictHttpFirewall();
 
 
-	private RequestRejectedHandler requestRejectedHandler = new DefaultRequestRejectedHandler();
 
+	private RequestRejectedHandler requestRejectedHandler = new HttpStatusRequestRejectedHandler();
 
 
 	public FilterChainProxy() {
 
 	}