
SEC-2036: Set cookie path to / when default context path in CookieClearingLogoutHandler

Rob Winch 14 years ago
parent
commit
0a2fa03160
  1. 7
      web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
  2. 16
      web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java

7
web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java

@ -7,6 +7,7 @@ import javax.servlet.http.HttpServletResponse; @@ -7,6 +7,7 @@ import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
/**
* A logout handler which clears a defined list of cookies, using the context path as the
@ -26,7 +27,11 @@ public final class CookieClearingLogoutHandler implements LogoutHandler { @@ -26,7 +27,11 @@ public final class CookieClearingLogoutHandler implements LogoutHandler {
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
for (String cookieName : cookiesToClear) {
Cookie cookie = new Cookie(cookieName, null);
cookie.setPath(request.getContextPath());
String cookiePath = request.getContextPath();
if(!StringUtils.hasLength(cookiePath)) {
cookiePath = "/";
}
cookie.setPath(cookiePath);
cookie.setMaxAge(0);
response.addCookie(cookie);
}
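Review bot: The class Javadoc shown at the top of the first hunk still describes the handler as clearing cookies "using the context path as the" cookie path, but the new `if(!StringUtils.hasLength(cookiePath))` branch substitutes `/` when the context path is empty, so that sentence is now incomplete; suggest appending `If the context path is empty (root deployment), "/" is used instead, since cookies issued at the root context carry that path.` A why-comment on the new branch would also help a reader who did not see this commit, e.g. `// root context: the container issues cookies with Path=/, so an empty Path would not match and the cookie would survive logout`. The browser only expires a cookie when the Path (and Domain, if one was set) match the original, so a cookie issued with a different Path or an explicit Domain is presumably not removed by this handler; stating that limitation in the Javadoc would keep callers from assuming logout clears such cookies. The body of `logout` continues past the end of the hunk.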

16
web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java

@ -14,6 +14,22 @@ import org.springframework.security.core.Authentication; @@ -14,6 +14,22 @@ import org.springframework.security.core.Authentication;
* @author Luke Taylor
*/
public class CookieClearingLogoutHandlerTests {
// SEC-2036
@Test
public void emptyContextRootIsConverted() {
MockHttpServletResponse response = new MockHttpServletResponse();
MockHttpServletRequest request = new MockHttpServletRequest();
request.setContextPath("");
CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler("my_cookie");
handler.logout(request, response, mock(Authentication.class));
assertEquals(1, response.getCookies().length);
for (Cookie c : response.getCookies()) {
assertEquals("/", c.getPath());
assertEquals(0, c.getMaxAge());
}
}
@Test
public void configuredCookiesAreCleared() {
MockHttpServletResponse response = new MockHttpServletResponse();
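Review bot: The new `emptyContextRootIsConverted` test asserts the cookie count, path and max age but never checks which cookie was expired; adding `assertEquals("my_cookie", c.getName());` inside the loop would catch a regression that clears the wrong cookie name while still producing one cookie with Path `/`. The `// SEC-2036` marker is useful but says nothing about the expectation; a one-line comment such as `// an empty context path must map to Path=/ or the browser will not expire the cookie` would make the intent readable without looking up the issue. `configuredCookiesAreCleared` continues past the end of the hunk.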
