SEC-1432: Convert map keys to lower-case in UserMap.setUsers().

Otherwise the lookup on mixed-case fails, since the lookup is performed with a lower-case key.
2026-05-22 21:33:16 +00:00 · 2010-03-05 17:55:29 +00:00
parent 43f0e11106
commit b38b8e55ac
4 changed files with 27 additions and 8 deletions
@@ -58,7 +58,7 @@ public class UserServiceBeanDefinitionParser extends AbstractUserDetailsServiceB
            return;
        }

-        if(CollectionUtils.isEmpty(userElts)) {
+        if (CollectionUtils.isEmpty(userElts)) {
            throw new BeanDefinitionStoreException("You must supply user definitions, either with <" + ELT_USER + "> child elements or a " +
                "properties file (using the '" + ATT_PROPERTIES + "' attribute)" );
        }
@@ -560,7 +560,7 @@ ap.attlist &=
    user-service-ref?

 user-service =
-    ## Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements.
+    ## Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements. Usernames are converted to lower-case internally to allow for case-insensitive lookups, so this should not be used if case-sensitivity is required.
    element user-service {id? & (properties-file | (user*))}
 properties-file =
    attribute properties {xsd:token}?
@@ -72,21 +72,34 @@ public class UserServiceBeanDefinitionParserTests {
        Long.parseLong(joe.getPassword());
    }

+    @Test
+    public void worksWithOpenIDUrlsAsNames() {
+        setContext(
+                "<user-service id='service'>" +
+                "    <user name='http://joe.myopenid.com/' authorities='ROLE_A'/>" +
+                "    <user name='https://www.google.com/accounts/o8/id?id=MPtOaenBIk5yzW9n7n9' authorities='ROLE_A'/>" +
+                "</user-service>");
+        UserDetailsService userService = (UserDetailsService) appContext.getBean("service");
+        assertEquals("http://joe.myopenid.com/", userService.loadUserByUsername("http://joe.myopenid.com/").getUsername());
+        assertEquals("https://www.google.com/accounts/o8/id?id=MPtOaenBIk5yzW9n7n9",
+                userService.loadUserByUsername("https://www.google.com/accounts/o8/id?id=MPtOaenBIk5yzW9n7n9").getUsername());
+    }
+
    @Test
    public void disabledAndEmbeddedFlagsAreSupported() {
        setContext(
                "<user-service id='service'>" +
                "    <user name='joe' password='joespassword' authorities='ROLE_A' locked='true'/>" +
-                "    <user name='bob' password='bobspassword' authorities='ROLE_A' disabled='true'/>" +
+                "    <user name='Bob' password='bobspassword' authorities='ROLE_A' disabled='true'/>" +
                "</user-service>");
        UserDetailsService userService = (UserDetailsService) appContext.getBean("service");
        UserDetails joe = userService.loadUserByUsername("joe");
        assertFalse(joe.isAccountNonLocked());
+        // Check case-sensitive lookup SEC-1432
        UserDetails bob = userService.loadUserByUsername("bob");
        assertFalse(bob.isEnabled());
    }

-
    @Test(expected=FatalBeanException.class)
    public void userWithBothPropertiesAndEmbeddedUsersThrowsException() {
        setContext(