XML configuration with multiple security:http register multiple requestDataValueProcessor #6423

Closed
mtraut opened this issue Jan 14, 2019 · 8 comments · Fixed by #6451
Labels: type: bug (A general bug)

@mtraut

mtraut commented Jan 14, 2019

Summary

We use multiple XML configurations for different realms. If CSRF is not disabled, the application startup fails because of multiple registrations of the requestDataValueProcessor bean.

Actual Behavior

see org.springframework.security.config.http.CsrfBeanDefinitionParser.parse()


		boolean webmvcPresent = ClassUtils.isPresent(DISPATCHER_SERVLET_CLASS_NAME,
				getClass().getClassLoader());
		if (webmvcPresent) {
			RootBeanDefinition beanDefinition = new RootBeanDefinition(
					CsrfRequestDataValueProcessor.class);
			BeanComponentDefinition componentDefinition = new BeanComponentDefinition(
					beanDefinition, REQUEST_DATA_VALUE_PROCESSOR);
			pc.registerBeanComponent(componentDefinition);
		}

unconditionally registers bean

Expected Behavior

CsrfBeanDefinitionParser should check presence?

Version

version 5.1.3

Sample

This will not start

	<bean id="errorAuthenticationEntryPoint"
		class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
	<security:http name="securityRealmControl" pattern="/api/v1/control/**" entry-point-ref="errorAuthenticationEntryPoint">
		<security:intercept-url pattern="/**" access="hasRole('OPERATOR')" />
	</security:http>
	<security:http name="securityRealmFlow" pattern="/api/v1/flow/**" entry-point-ref="errorAuthenticationEntryPoint">
		<security:intercept-url pattern="/api/v1/flow/*/create" access="hasRole('USER')" />
	</security:http>

@rwinch
Member

rwinch commented Jan 14, 2019

Thank you for the report. Can you please provide a minimal and complete sample to reproduce the problem?

@rwinch rwinch added the status: waiting-for-feedback We need additional information before we can continue label Jan 14, 2019
@mtraut
Author

mtraut commented Jan 15, 2019

Here you are....

@rwinch
Member

rwinch commented Jan 16, 2019

You are right that the CsrfBeanDefinitionParser should only register a new requestDataValueProcessor if it is not already found. Would you be interested in submitting a Pull Request?

You can work around this by providing the following setting spring.main.allow-bean-definition-overriding=true which is the default for non Spring Boot applications.

@rwinch rwinch added this to the 5.2.x milestone Jan 16, 2019
@rwinch rwinch added Namespace type: bug A general bug status: ideal-for-contribution An issue that we actively are looking for someone to help us with and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 16, 2019
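
The guard discussed in the comment above, shown against a plain bean definition registry. This is an added example, not part of the thread and not Spring Security's own code: the class `GuardedRegistrationDemo`, its methods and `PlaceholderProcessor` (standing in for `CsrfRequestDataValueProcessor` so that only spring-beans is needed) are hypothetical names.

```java
import org.springframework.beans.factory.BeanDefinitionStoreException;
import org.springframework.beans.factory.support.BeanDefinitionRegistry;
import org.springframework.beans.factory.support.DefaultListableBeanFactory;
import org.springframework.beans.factory.support.RootBeanDefinition;

public class GuardedRegistrationDemo {

	// Bean name taken from the issue title.
	static final String REQUEST_DATA_VALUE_PROCESSOR = "requestDataValueProcessor";

	// Hypothetical stand-in for CsrfRequestDataValueProcessor.
	static class PlaceholderProcessor { }

	// Mirrors the reported behaviour: registers on every call.
	static void registerUnconditionally(BeanDefinitionRegistry registry) {
		registry.registerBeanDefinition(REQUEST_DATA_VALUE_PROCESSOR,
				new RootBeanDefinition(PlaceholderProcessor.class));
	}

	// Guarded variant: registers only when the name is not taken yet.
	static void registerIfAbsent(BeanDefinitionRegistry registry) {
		if (!registry.containsBeanDefinition(REQUEST_DATA_VALUE_PROCESSOR)) {
			registerUnconditionally(registry);
		}
	}

	static DefaultListableBeanFactory strictFactory() {
		DefaultListableBeanFactory factory = new DefaultListableBeanFactory();
		// Overriding disabled: the opposite of the workaround setting above.
		factory.setAllowBeanDefinitionOverriding(false);
		return factory;
	}

	public static void main(String[] args) {
		DefaultListableBeanFactory unguarded = strictFactory();
		registerUnconditionally(unguarded); // first <security:http>
		try {
			registerUnconditionally(unguarded); // second <security:http>
		} catch (BeanDefinitionStoreException ex) {
			System.out.println("second registration rejected: " + ex.getMessage());
		}

		DefaultListableBeanFactory guarded = strictFactory();
		registerIfAbsent(guarded); // first <security:http>
		registerIfAbsent(guarded); // second <security:http>, no-op
		System.out.println("guarded definitions: " + guarded.getBeanDefinitionCount());
	}
}
```
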
@ankurpathak
Contributor

Pull request for issue:
#6451

@ankurpathak
Contributor

ankurpathak commented Jan 17, 2019

@rwinch @mtraut it's working with sample.

@mtraut
Author

mtraut commented Jan 17, 2019

thx for helping. I've never created a pull request before.

@ankurpathak
Contributor

@mtraut Please link your pull request with Issue.

@mtraut
Author

mtraut commented Jan 17, 2019

I have none - as I said, I hesitated to start as I've not made it before. You are the one and only...

ankurpathak added a commit to ankurpathak/spring-security that referenced this issue Jan 18, 2019
1. CsrfBeanDefinitionParser registers requestDataValueProcessor
if not already registered
2. Created Tests in CsrfBeanDefinitionParserTests

Fixes: spring-projectsgh-6423
@rwinch rwinch modified the milestones: 5.2.x, 5.2.0.M2 Jan 22, 2019
@rwinch rwinch removed the status: ideal-for-contribution An issue that we actively are looking for someone to help us with label Jan 22, 2019
@rwinch rwinch self-assigned this Jan 22, 2019
rwinch pushed a commit that referenced this issue Jan 22, 2019
1. CsrfBeanDefinitionParser registers requestDataValueProcessor
if not already registered
2. Created Tests in CsrfBeanDefinitionParserTests

Fixes: gh-6423