
Check the user of a SockJS request

Issue: SPR-12497
(backport of commit dc5b5c)
pull/710/head
Rossen Stoyanchev 11 years ago
parent
commit
ac5c361688
  1. 9
      spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java
  2. 23
      spring-websocket/src/test/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsServiceTests.java

9
spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java

@ -242,6 +242,15 @@ public class TransportHandlingSockJsService extends AbstractSockJsService implem @@ -242,6 +242,15 @@ public class TransportHandlingSockJsService extends AbstractSockJsService implem
return;
}
}
else {
if (session.getPrincipal() != null) {
if (!session.getPrincipal().equals(request.getPrincipal())) {
logger.debug("The user for the session does not match the user for the request.");
response.setStatusCode(HttpStatus.NOT_FOUND);
return;
}
}
}
if (transportType.sendsNoCacheInstruction()) {
addNoCacheHeaders(response);
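Review bot: The owner check at `else {` is one-sided — it runs only when `session.getPrincipal()` is non-null, so a session created by an anonymous request stays usable by any later request, and for authenticated sessions its strength rests entirely on the `equals` of whatever `Principal` implementation the container or security framework supplies (an identity-based `equals` would presumably turn every legitimate follow-up request into a 404 if each request carries a fresh instance). Both facts, plus the choice of NOT_FOUND rather than FORBIDDEN (presumably so a probe cannot learn that a session id is valid), deserve a comment at the `else`, e.g. `// Reject requests from a user other than the one that created the session; answer 404 so the session's existence is not confirmed.` The three nested blocks could also be flattened to `else if (session.getPrincipal() != null && !session.getPrincipal().equals(request.getPrincipal())) {` with the body left as is. The enclosing method starts and ends outside the hunk.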

23
spring-websocket/src/test/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsServiceTests.java

@ -27,6 +27,7 @@ import org.mockito.MockitoAnnotations; @@ -27,6 +27,7 @@ import org.mockito.MockitoAnnotations;
import org.springframework.scheduling.TaskScheduler;
import org.springframework.web.socket.AbstractHttpRequestTests;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.handler.TestPrincipal;
import org.springframework.web.socket.sockjs.transport.SockJsSessionFactory;
import org.springframework.web.socket.sockjs.transport.TransportHandler;
import org.springframework.web.socket.sockjs.transport.TransportHandlingSockJsService;
@ -178,6 +179,28 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests { @@ -178,6 +179,28 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
verify(this.xhrSendHandler).handleRequest(this.request, this.response, this.wsHandler, this.session);
}
@Test
public void handleTransportRequestXhrSendWithDifferentUser() throws Exception {
String sockJsPath = sessionUrlPrefix + "xhr";
setRequest("POST", sockJsPrefix + sockJsPath);
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
assertEquals(200, this.servletResponse.getStatus()); // session created
verify(this.xhrHandler).handleRequest(this.request, this.response, this.wsHandler, this.session);
this.session.setPrincipal(new TestPrincipal("little red riding hood"));
this.servletRequest.setUserPrincipal(new TestPrincipal("wolf"));
resetResponse();
reset(this.xhrSendHandler);
sockJsPath = sessionUrlPrefix + "xhr_send";
setRequest("POST", sockJsPrefix + sockJsPath);
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
assertEquals(404, this.servletResponse.getStatus());
verifyNoMoreInteractions(this.xhrSendHandler);
}
interface SessionCreatingTransportHandler extends TransportHandler, SockJsSessionFactory {
}
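Review bot: handleTransportRequestXhrSendWithDifferentUser covers only the mismatch, so nothing here asserts that an xhr_send request carrying the same principal as the session still reaches xhrSendHandler — the case that would regress if the principal comparison in TransportHandlingSockJsService ever stopped treating the legitimate user as equal. A companion test that installs the same TestPrincipal instance on both `this.session` and `this.servletRequest` (one instance, so the test does not depend on whether TestPrincipal overrides equals) and then verifies the handler call would pin that; a further variant with `this.servletRequest.setUserPrincipal(null)` against a session that has a principal would pin the anonymous-request rejection, which the service change also produces since `equals(null)` is false. The test class continues outside the hunk.
```java
@Test
public void handleTransportRequestXhrSendWithSameUser() throws Exception {
    String sockJsPath = sessionUrlPrefix + "xhr";
    setRequest("POST", sockJsPrefix + sockJsPath);
    this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
    assertEquals(200, this.servletResponse.getStatus()); // session created

    TestPrincipal user = new TestPrincipal("little red riding hood");
    this.session.setPrincipal(user);
    this.servletRequest.setUserPrincipal(user);
    resetResponse();
    reset(this.xhrSendHandler);

    sockJsPath = sessionUrlPrefix + "xhr_send";
    setRequest("POST", sockJsPrefix + sockJsPath);
    this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
    verify(this.xhrSendHandler).handleRequest(this.request, this.response, this.wsHandler, this.session);
}
```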
