
SEC-3135: antMatchers(<method>,new String[0]) now passive

Rob Winch 9 vuotta sitten
commit
fc67550ff2

+ 15 - 4
config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java

@@ -49,6 +49,20 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 		return requestMatchers(ANY_REQUEST);
 	}
 
+	/**
+	 * Maps a {@link List} of
+	 * {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher}
+	 * instances.
+	 *
+	 * @param method the {@link HttpMethod} to use for any
+	 * {@link HttpMethod}.
+	 *
+	 * @return the object that is chained after creating the {@link RequestMatcher}
+	 */
+	public C antMatchers(HttpMethod method) {
+		return antMatchers(method, new String[] { "/**" });
+	}
+
 	/**
 	 * Maps a {@link List} of
 	 * {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher}
@@ -56,7 +70,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 	 *
 	 * @param method the {@link HttpMethod} to use or {@code null} for any
 	 * {@link HttpMethod}.
-	 * @param antPatterns the ant patterns to create
+	 * @param antPatterns the ant patterns to create. If {@code null} or empty, then matches on nothing.
 	 * {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher} from
 	 *
 	 * @return the object that is chained after creating the {@link RequestMatcher}
@@ -152,9 +166,6 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 		public static List<RequestMatcher> antMatchers(HttpMethod httpMethod,
 				String... antPatterns) {
 			String method = httpMethod == null ? null : httpMethod.toString();
-			if(ObjectUtils.isEmpty(antPatterns)) {
-				antPatterns = new String[] { "/**" };
-			}
 			List<RequestMatcher> matchers = new ArrayList<RequestMatcher>();
 			for (String pattern : antPatterns) {
 				matchers.add(new AntPathRequestMatcher(pattern, method));
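Review bot: With the `ObjectUtils.isEmpty` fallback removed in the last hunk, a `null` `antPatterns` array (a caller passing `(String[]) null`) now reaches `for (String pattern : antPatterns)` and throws a NullPointerException, while the Javadoc added in the hunk above promises that `null` or empty "matches on nothing". Either keep a guard such as `if (antPatterns == null) { antPatterns = new String[0]; }` before the loop, or drop the `{@code null}` clause from the `@param` text so the documentation matches the code. The inserted sentence also splits the `@param antPatterns` description, leaving `{@link ...AntPathRequestMatcher} from` dangling on its own line; it reads correctly as `@param antPatterns the ant patterns to create {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher} from. If {@code null} or empty, then matches on nothing.`. The `@param method` text of the new `antMatchers(HttpMethod)` overload in the first hunk appears to have lost its "or {@code null}" clause relative to the varargs overload it mirrors, so it currently reads "to use for any HttpMethod". The static `antMatchers` method continues past the end of the last hunk.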

+ 27 - 13
config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java

@@ -15,14 +15,15 @@
  */
 package org.springframework.security.config.annotation.web.configurers;
 
-import static org.fest.assertions.Assertions.*;
+import static org.fest.assertions.Assertions.assertThat;
 
 import javax.servlet.http.HttpServletResponse;
 
+import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
-import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.mock.web.MockFilterChain;
 import org.springframework.mock.web.MockHttpServletRequest;
@@ -32,23 +33,17 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.FilterChainProxy;
-import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
-import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 
 /**
  * @author Rob Winch
  *
  */
-@RunWith(SpringJUnit4ClassRunner.class)
-@ContextConfiguration
-@WebAppConfiguration
 public class AuthorizeRequestsTests {
-	@Autowired
+	AnnotationConfigWebApplicationContext context;
+
 	MockHttpServletRequest request;
-	@Autowired
 	MockHttpServletResponse response;
-
 	MockFilterChain chain;
 
 	@Autowired
@@ -56,12 +51,22 @@ public class AuthorizeRequestsTests {
 
 	@Before
 	public void setup() {
+		request = new MockHttpServletRequest();
+		response = new MockHttpServletResponse();
 		chain = new MockFilterChain();
 	}
 
+	@After
+	public void cleanup() {
+		if(context != null) {
+			context.close();
+		}
+	}
+
 	// SEC-3135
 	@Test
 	public void antMatchersMethodAndNoPatterns() throws Exception {
+		loadConfig(AntMatchersNoPatternsConfig.class);
 		request.setMethod("POST");
 
 		springSecurityFilterChain.doFilter(request, response, chain);
@@ -70,7 +75,8 @@ public class AuthorizeRequestsTests {
 	}
 
 	@EnableWebSecurity
-	static class Config extends WebSecurityConfigurerAdapter {
+	@Configuration
+	static class AntMatchersNoPatternsConfig extends WebSecurityConfigurerAdapter {
 		protected void configure(HttpSecurity http) throws Exception {
 			http
 				.authorizeRequests()
@@ -83,4 +89,12 @@ public class AuthorizeRequestsTests {
 				.inMemoryAuthentication();
 		}
 	}
-}
+
+	public void loadConfig(Class<?>... configs) {
+		context = new AnnotationConfigWebApplicationContext();
+		context.register(configs);
+		context.refresh();
+
+		context.getAutowireCapableBeanFactory().autowireBean(this);
+	}
+}
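Review bot: The new `loadConfig` overwrites `context` without closing a context a test may already have loaded, so only the last one is released by `cleanup()`; the same helper is duplicated verbatim in the new HttpSecurityAntMatchersTests.java below. A small guard at the top of the method, `if (context != null) { context.close(); }`, keeps the teardown symmetric, and `loadConfig` can be `private` since nothing outside the test class needs it. The `@Autowired FilterChainProxy springSecurityFilterChain` field is now populated via `autowireBean(this)` rather than the removed `SpringJUnit4ClassRunner`, which is worth a one-line comment on the field so a reader does not look for a missing runner.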

+ 136 - 0
config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityAntMatchersTests.java

@@ -0,0 +1,136 @@
+/*
+ * Copyright 2002-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.configurers;
+
+import static org.fest.assertions.Assertions.assertThat;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.mock.web.MockFilterChain;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.FilterChainProxy;
+import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
+
+/**
+ * @author Rob Winch
+ *
+ */
+public class HttpSecurityAntMatchersTests {
+	AnnotationConfigWebApplicationContext context;
+
+	MockHttpServletRequest request;
+	MockHttpServletResponse response;
+	MockFilterChain chain;
+
+	@Autowired
+	FilterChainProxy springSecurityFilterChain;
+
+	@Before
+	public void setup() {
+		request = new MockHttpServletRequest();
+		response = new MockHttpServletResponse();
+		chain = new MockFilterChain();
+	}
+
+	@After
+	public void cleanup() {
+		if(context != null) {
+			context.close();
+		}
+	}
+
+	// SEC-3135
+	@Test
+	public void antMatchersMethodAndNoPatterns() throws Exception {
+		loadConfig(AntMatchersNoPatternsConfig.class);
+		request.setMethod("POST");
+
+		springSecurityFilterChain.doFilter(request, response, chain);
+
+		assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
+	}
+
+	@EnableWebSecurity
+	@Configuration
+	static class AntMatchersNoPatternsConfig extends WebSecurityConfigurerAdapter {
+		protected void configure(HttpSecurity http) throws Exception {
+			http
+				.requestMatchers()
+					.antMatchers(HttpMethod.POST)
+					.and()
+				.authorizeRequests()
+					.anyRequest().denyAll();
+		}
+
+		@Override
+		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+			auth
+				.inMemoryAuthentication();
+		}
+	}
+
+	// SEC-3135
+	@Test
+	public void antMatchersMethodAndEmptyPatterns() throws Exception {
+		loadConfig(AntMatchersEmptyPatternsConfig.class);
+		request.setMethod("POST");
+
+		springSecurityFilterChain.doFilter(request, response, chain);
+
+		assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
+	}
+
+	@EnableWebSecurity
+	@Configuration
+	static class AntMatchersEmptyPatternsConfig extends WebSecurityConfigurerAdapter {
+		protected void configure(HttpSecurity http) throws Exception {
+			http
+				.requestMatchers()
+					.antMatchers("/never/")
+					.antMatchers(HttpMethod.POST, new String[0])
+					.and()
+				.authorizeRequests()
+					.anyRequest().denyAll();
+		}
+
+		@Override
+		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+			auth
+				.inMemoryAuthentication();
+		}
+	}
+
+	public void loadConfig(Class<?>... configs) {
+		context = new AnnotationConfigWebApplicationContext();
+		context.register(configs);
+		context.refresh();
+
+		context.getAutowireCapableBeanFactory().autowireBean(this);
+	}
+
+
+}
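Review bot: Both configuration classes override `configure(HttpSecurity)` without `@Override` while the neighbouring `configure(AuthenticationManagerBuilder)` carries it, so a signature typo in the former would silently define a new method instead of failing to compile; add `@Override` above each `protected void configure(HttpSecurity http)`. The two tests pin the `/**` fallback of `antMatchers(HttpMethod)` and the passive `new String[0]` case, but nothing exercises the `null` array that the updated Javadoc in AbstractRequestMatcherRegistry.java says "matches on nothing"; a third test passing `(String[]) null` to `antMatchers(HttpMethod.POST, ...)` would confirm that documented behaviour rather than leave it to inference. A one-line comment on `antMatchersMethodAndEmptyPatterns` stating that SC_OK is expected because no request matcher applies and the filter chain therefore does not engage would make the intent of the assertion explicit.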