Spring-security: XML configuration with multiple security:http register multiple requestDataValueProcessor

Created on 14 Jan 2019 · 8 Comments · Source: spring-projects/spring-security

Summary

We use multiple XML configurations for different realms. If CSRF is not disabled, the application startup fails because of multiple registrations of the requestDataValueProcessor bean.

Actual Behavior

see org.springframework.security.config.http.CsrfBeanDefinitionParser.parse()


        boolean webmvcPresent = ClassUtils.isPresent(DISPATCHER_SERVLET_CLASS_NAME,
                getClass().getClassLoader());
        if (webmvcPresent) {
            RootBeanDefinition beanDefinition = new RootBeanDefinition(
                    CsrfRequestDataValueProcessor.class);
            BeanComponentDefinition componentDefinition = new BeanComponentDefinition(
                    beanDefinition, REQUEST_DATA_VALUE_PROCESSOR);
            pc.registerBeanComponent(componentDefinition);
        }

unconditionally registers bean

Expected Behavior

CsrfBeanDefinitionParser should check presence?

Version

version 5.1.3

Sample

This will not start

    <bean id="errorAuthenticationEntryPoint"
        class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
    <security:http name="securityRealmControl" pattern="/api/v1/control/**" entry-point-ref="errorAuthenticationEntryPoint">
        <security:intercept-url pattern="/**" access="hasRole('OPERATOR')" />
    </security:http>
    <security:http name="securityRealmFlow" pattern="/api/v1/flow/**" entry-point-ref="errorAuthenticationEntryPoint">
        <security:intercept-url pattern="/api/v1/flow/*/create" access="hasRole('USER')" />
    </security:http>

bug

All 8 comments

Thank you for the report. Can you please provide a minimal and complete sample to reproduce the problem?

Here you are....

You are right that the CsrfBeanDefinitionParser should only register a new requestDataValueProcessor if it is not already found. Would you be interested in submitting a Pull Request?

You can work around this by providing the following setting, spring.main.allow-bean-definition-overriding=true, which is the default for non-Spring Boot applications.
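The duplicate registration and the presence check discussed above, as an added example that is not part of the original thread or of Spring Security's code. It assumes only spring-beans on the classpath and models the parser's target with a registry that disallows bean definition overriding; `StandInProcessor`, `registerIfAbsent` and `strictFactory` are hypothetical names.

```java
import org.springframework.beans.factory.BeanDefinitionStoreException;
import org.springframework.beans.factory.support.BeanDefinitionRegistry;
import org.springframework.beans.factory.support.DefaultListableBeanFactory;
import org.springframework.beans.factory.support.RootBeanDefinition;

public class GuardedRegistrationDemo {
    // Bean name taken from the issue title.
    static final String REQUEST_DATA_VALUE_PROCESSOR = "requestDataValueProcessor";

    // Stand-in for CsrfRequestDataValueProcessor (assumption: keeps the demo to spring-beans).
    static class StandInProcessor { }

    // Same shape as the snippet quoted in the issue: runs once per <security:http>.
    static void registerUnconditionally(BeanDefinitionRegistry registry) {
        registry.registerBeanDefinition(REQUEST_DATA_VALUE_PROCESSOR,
                new RootBeanDefinition(StandInProcessor.class));
    }

    // Hypothetical guarded variant: skip registration when the name is already taken.
    static boolean registerIfAbsent(BeanDefinitionRegistry registry) {
        if (registry.containsBeanDefinition(REQUEST_DATA_VALUE_PROCESSOR)) {
            return false;
        }
        registerUnconditionally(registry);
        return true;
    }

    // Registry that rejects a second definition under an existing name.
    static DefaultListableBeanFactory strictFactory() {
        DefaultListableBeanFactory factory = new DefaultListableBeanFactory();
        factory.setAllowBeanDefinitionOverriding(false);
        return factory;
    }

    public static void main(String[] args) {
        DefaultListableBeanFactory strict = strictFactory();
        registerUnconditionally(strict);            // first <security:http>
        try {
            registerUnconditionally(strict);        // second <security:http>
        } catch (BeanDefinitionStoreException e) {
            System.out.println("duplicate rejected: " + e.getClass().getSimpleName());
        }

        DefaultListableBeanFactory guarded = strictFactory();
        System.out.println("first block registered:  " + registerIfAbsent(guarded));
        System.out.println("second block registered: " + registerIfAbsent(guarded));
        System.out.println("definitions: " + guarded.getBeanDefinitionCount());
    }
}
```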

@rwinch @mtraut it's working with the sample.

thx for helping. I've never created a pull request before.

@mtraut Please link your pull request with Issue.

I have none - as I said, I hesitated to start as I've not made it before. You are the one and only...
