Improve CsrfBeanDefinitionParser xml parsing

1. CsrfBeanDefinitionParser registers requestDataValueProcessor if not already registered 2. Created Tests in CsrfBeanDefinitionParserTests Fixes: gh-6423
spring-projects · Jan 22, 2019 · 0aaaaf9 · 0aaaaf9
1 parent be7d2a3
commit 0aaaaf9
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 5 deletions.
diff --git a/config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java
@@ -45,6 +45,7 @@
  * Parser for the {@code CsrfFilter}.
  *
  * @author Rob Winch
+ * @author Ankur Pathak
  * @since 3.2
  */
 public class CsrfBeanDefinitionParser implements BeanDefinitionParser {
@@ -67,11 +68,13 @@ public BeanDefinition parse(Element element, ParserContext pc) {
 		boolean webmvcPresent = ClassUtils.isPresent(DISPATCHER_SERVLET_CLASS_NAME,
 				getClass().getClassLoader());
 		if (webmvcPresent) {
-			RootBeanDefinition beanDefinition = new RootBeanDefinition(
-					CsrfRequestDataValueProcessor.class);
-			BeanComponentDefinition componentDefinition = new BeanComponentDefinition(
-					beanDefinition, REQUEST_DATA_VALUE_PROCESSOR);
-			pc.registerBeanComponent(componentDefinition);
+			if (!pc.getRegistry().containsBeanDefinition(REQUEST_DATA_VALUE_PROCESSOR)) {
+				RootBeanDefinition beanDefinition = new RootBeanDefinition(
+						CsrfRequestDataValueProcessor.class);
+				BeanComponentDefinition componentDefinition = new BeanComponentDefinition(
+						beanDefinition, REQUEST_DATA_VALUE_PROCESSOR);
+				pc.registerBeanComponent(componentDefinition);
+			}
 		}
 
 		String matcherRef = null;

diff --git a/...src/test/java/org/springframework/security/config/http/CsrfBeanDefinitionParserTests.java b/...src/test/java/org/springframework/security/config/http/CsrfBeanDefinitionParserTests.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.http;
+
+import org.junit.Test;
+
+import org.springframework.context.support.ClassPathXmlApplicationContext;
+
+/**
+ * @author Ankur Pathak
+ */
+public class CsrfBeanDefinitionParserTests {
+	private static final String CONFIG_LOCATION_PREFIX =
+			"classpath:org/springframework/security/config/http/CsrfBeanDefinitionParserTests";
+
+	@Test
+	public void registerDataValueProcessorOnlyIfNotRegistered() throws Exception {
+		try (ClassPathXmlApplicationContext context = new ClassPathXmlApplicationContext()) {
+			context.setAllowBeanDefinitionOverriding(false);
+			context.setConfigLocation(this.xml("RegisterDataValueProcessorOnyIfNotRegistered"));
+			context.refresh();
+		}
+	}
+
+	private String xml(String configName) {
+		return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml";
+	}
+}
diff --git a/...onfig/http/CsrfBeanDefinitionParserTests-RegisterDataValueProcessorOnyIfNotRegistered.xml b/...onfig/http/CsrfBeanDefinitionParserTests-RegisterDataValueProcessorOnyIfNotRegistered.xml
@@ -0,0 +1,31 @@
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	   xmlns:context="http://www.springframework.org/schema/context"
+	   xmlns:tx="http://www.springframework.org/schema/tx" xmlns:util="http://www.springframework.org/schema/util"
+	   xmlns:security="http://www.springframework.org/schema/security"
+	   xsi:schemaLocation="
+http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
+http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
+http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+">
+
+	<security:http pattern="/foo/**">
+		<security:intercept-url pattern="/**" access="hasRole('FOO')" />
+		<security:http-basic/>
+	</security:http>
+
+	<security:http pattern="/bar/**">
+		<security:intercept-url pattern="/**" access="hasRole('BAR')" />
+		<security:http-basic/>
+	</security:http>
+
+	<security:authentication-manager >
+		<security:authentication-provider>
+			<security:user-service>
+				<security:user name="gnu" password="{noop}gnat" authorities="ROLE_FOO" />
+			</security:user-service>
+		</security:authentication-provider>
+	</security:authentication-manager>
+
+</beans>