GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Default to Xor CSRF tokens in CsrfFilter 

Issue gh-11960
pull/12109/head
Steve Riesenberg 3 years ago
parent
60aa799498
commit
2a2051cd7b
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
6 changed files with 96 additions and 56 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 11
      config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java
  2. 36
      config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java
  3. 9
      config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java
  4. 10
      test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsCsrfTests.java
  5. 2
      web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
  6. 84
      web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java

11
config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java
Unescape View File

@ -51,8 +51,11 @@ import org.springframework.security.web.context.SecurityContextHolderFilter;
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter; import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
import org.springframework.security.web.csrf.CsrfFilter; import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken; import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.DefaultCsrfToken; import org.springframework.security.web.csrf.DefaultCsrfToken;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository; import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.security.web.header.HeaderWriterFilter; import org.springframework.security.web.header.HeaderWriterFilter;
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter; import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter; import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
@ -121,8 +124,12 @@ public class DefaultFiltersTests {
MockHttpServletRequest request = new MockHttpServletRequest("POST", ""); MockHttpServletRequest request = new MockHttpServletRequest("POST", "");
request.setServletPath("/logout"); request.setServletPath("/logout");
CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "BaseSpringSpec_CSRFTOKEN"); CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "BaseSpringSpec_CSRFTOKEN");
new HttpSessionCsrfTokenRepository().saveToken(csrfToken, request, response); CsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
request.setParameter(csrfToken.getParameterName(), csrfToken.getToken()); repository.saveToken(csrfToken, request, response);
CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
handler.handle(request, response, () -> csrfToken);
CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
request.setParameter(token.getParameterName(), token.getToken());
this.spring.getContext().getBean("springSecurityFilterChain", Filter.class).doFilter(request, response, this.spring.getContext().getBean("springSecurityFilterChain", Filter.class).doFilter(request, response,
new MockFilterChain()); new MockFilterChain());
assertThat(response.getRedirectedUrl()).isEqualTo("/login?logout"); assertThat(response.getRedirectedUrl()).isEqualTo("/login?logout");

36
config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java
Unescape View File

@ -85,7 +85,9 @@ public class DefaultLoginPageConfigurerTests {
String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN"); String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
// @formatter:off // @formatter:off
this.mvc.perform(get("/login").sessionAttr(csrfAttributeName, csrfToken)) this.mvc.perform(get("/login").sessionAttr(csrfAttributeName, csrfToken))
.andExpect(content().string("<!DOCTYPE html>\n" .andExpect((result) -> {
CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
+ "<html lang=\"en\">\n" + "<html lang=\"en\">\n"
+ " <head>\n" + " <head>\n"
+ " <meta charset=\"utf-8\">\n" + " <meta charset=\"utf-8\">\n"
@ -108,11 +110,12 @@ public class DefaultLoginPageConfigurerTests {
+ " <label for=\"password\" class=\"sr-only\">Password</label>\n" + " <label for=\"password\" class=\"sr-only\">Password</label>\n"
+ " <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n" + " <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
+ " </p>\n" + " </p>\n"
+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n" + "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
+ " <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n" + " <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
+ " </form>\n" + " </form>\n"
+ "</div>\n" + "</div>\n"
+ "</body></html>")); + "</body></html>");
});
// @formatter:on // @formatter:on
} }
@ -131,7 +134,9 @@ public class DefaultLoginPageConfigurerTests {
// @formatter:off // @formatter:off
this.mvc.perform(get("/login?error").session((MockHttpSession) mvcResult.getRequest().getSession()) this.mvc.perform(get("/login?error").session((MockHttpSession) mvcResult.getRequest().getSession())
.sessionAttr(csrfAttributeName, csrfToken)) .sessionAttr(csrfAttributeName, csrfToken))
.andExpect(content().string("<!DOCTYPE html>\n" .andExpect((result) -> {
CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
+ "<html lang=\"en\">\n" + "<html lang=\"en\">\n"
+ " <head>\n" + " <head>\n"
+ " <meta charset=\"utf-8\">\n" + " <meta charset=\"utf-8\">\n"
@ -153,11 +158,12 @@ public class DefaultLoginPageConfigurerTests {
+ " <label for=\"password\" class=\"sr-only\">Password</label>\n" + " <label for=\"password\" class=\"sr-only\">Password</label>\n"
+ " <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n" + " <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
+ " </p>\n" + " </p>\n"
+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n" + "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
+ " <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n" + " <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
+ " </form>\n" + " </form>\n"
+ "</div>\n" + "</div>\n"
+ "</body></html>")); + "</body></html>");
});
// @formatter:on // @formatter:on
} }
@ -180,7 +186,9 @@ public class DefaultLoginPageConfigurerTests {
String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN"); String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
// @formatter:off // @formatter:off
this.mvc.perform(get("/login?logout").sessionAttr(csrfAttributeName, csrfToken)) this.mvc.perform(get("/login?logout").sessionAttr(csrfAttributeName, csrfToken))
.andExpect(content().string("<!DOCTYPE html>\n" .andExpect((result) -> {
CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
+ "<html lang=\"en\">\n" + "<html lang=\"en\">\n"
+ " <head>\n" + " <head>\n"
+ " <meta charset=\"utf-8\">\n" + " <meta charset=\"utf-8\">\n"
@ -203,11 +211,12 @@ public class DefaultLoginPageConfigurerTests {
+ " <label for=\"password\" class=\"sr-only\">Password</label>\n" + " <label for=\"password\" class=\"sr-only\">Password</label>\n"
+ " <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n" + " <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
+ " </p>\n" + " </p>\n"
+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n" + "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
+ " <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n" + " <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
+ " </form>\n" + " </form>\n"
+ "</div>\n" + "</div>\n"
+ "</body></html>")); + "</body></html>");
});
// @formatter:on // @formatter:on
} }
@ -230,7 +239,9 @@ public class DefaultLoginPageConfigurerTests {
String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN"); String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
// @formatter:off // @formatter:off
this.mvc.perform(get("/login").sessionAttr(csrfAttributeName, csrfToken)) this.mvc.perform(get("/login").sessionAttr(csrfAttributeName, csrfToken))
.andExpect(content().string("<!DOCTYPE html>\n" .andExpect((result) -> {
CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
+ "<html lang=\"en\">\n" + "<html lang=\"en\">\n"
+ " <head>\n" + " <head>\n"
+ " <meta charset=\"utf-8\">\n" + " <meta charset=\"utf-8\">\n"
@ -254,11 +265,12 @@ public class DefaultLoginPageConfigurerTests {
+ " <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n" + " <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
+ " </p>\n" + " </p>\n"
+ "<p><input type='checkbox' name='remember-me'/> Remember me on this computer.</p>\n" + "<p><input type='checkbox' name='remember-me'/> Remember me on this computer.</p>\n"
+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n" + "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
+ " <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n" + " <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
+ " </form>\n" + " </form>\n"
+ "</div>\n" + "</div>\n"
+ "</body></html>")); + "</body></html>");
});
// @formatter:on // @formatter:on
} }

9
config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java
Unescape View File

@ -39,7 +39,10 @@ import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.HttpRequestResponseHolder; import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.csrf.CsrfToken; import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.DeferredCsrfToken;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository; import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
@ -82,8 +85,10 @@ public class SessionManagementConfigurerServlet31Tests {
request.setParameter("username", "user"); request.setParameter("username", "user");
request.setParameter("password", "password"); request.setParameter("password", "password");
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository(); HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
CsrfToken token = repository.generateToken(request); CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
repository.saveToken(token, request, this.response); DeferredCsrfToken deferredCsrfToken = repository.loadDeferredToken(request, this.response);
handler.handle(request, this.response, deferredCsrfToken::get);
CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
request.setParameter(token.getParameterName(), token.getToken()); request.setParameter(token.getParameterName(), token.getToken());
request.getSession().setAttribute("attribute1", "value1"); request.getSession().setAttribute("attribute1", "value1");
loadConfig(SessionManagementDefaultSessionFixationServlet31Config.class); loadConfig(SessionManagementDefaultSessionFixationServlet31Config.class);

10
test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsCsrfTests.java
Unescape View File

@ -40,7 +40,10 @@ import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequ
import org.springframework.security.web.FilterChainProxy; import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfToken; import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.DeferredCsrfToken;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository; import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.context.web.WebAppConfiguration; import org.springframework.test.context.web.WebAppConfiguration;
@ -157,9 +160,12 @@ public class SecurityMockMvcRequestPostProcessorsCsrfTests {
// @formatter:off // @formatter:off
this.mockMvc.perform(post("/").with(csrf())); this.mockMvc.perform(post("/").with(csrf()));
MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
HttpSessionCsrfTokenRepository repo = new HttpSessionCsrfTokenRepository(); HttpSessionCsrfTokenRepository repo = new HttpSessionCsrfTokenRepository();
CsrfToken token = repo.generateToken(request); CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
repo.saveToken(token, request, new MockHttpServletResponse()); DeferredCsrfToken deferredCsrfToken = repo.loadDeferredToken(request, response);
handler.handle(request, response, deferredCsrfToken::get);
CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
MockHttpServletRequestBuilder requestWithCsrf = post("/") MockHttpServletRequestBuilder requestWithCsrf = post("/")
.param(token.getParameterName(), token.getToken()) .param(token.getParameterName(), token.getToken())
.session((MockHttpSession) request.getSession()); .session((MockHttpSession) request.getSession());

2
web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
Unescape View File

@ -87,7 +87,7 @@ public final class CsrfFilter extends OncePerRequestFilter {
private AccessDeniedHandler accessDeniedHandler = new AccessDeniedHandlerImpl(); private AccessDeniedHandler accessDeniedHandler = new AccessDeniedHandlerImpl();
private CsrfTokenRequestHandler requestHandler = new CsrfTokenRequestAttributeHandler(); private CsrfTokenRequestHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
/** /**
* Creates a new instance. * Creates a new instance.

84
web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java
Unescape View File

@ -130,8 +130,8 @@ public class CsrfFilterTests {
given(this.tokenRepository.loadDeferredToken(this.request, this.response)) given(this.tokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.token, false)); .willReturn(new TestDeferredCsrfToken(this.token, false));
this.filter.doFilter(this.request, this.response, this.filterChain); this.filter.doFilter(this.request, this.response, this.filterChain);
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class)); verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
verifyNoMoreInteractions(this.filterChain); verifyNoMoreInteractions(this.filterChain);
} }
@ -143,8 +143,8 @@ public class CsrfFilterTests {
.willReturn(new TestDeferredCsrfToken(this.token, false)); .willReturn(new TestDeferredCsrfToken(this.token, false));
this.request.setParameter(this.token.getParameterName(), this.token.getToken() + " INVALID"); this.request.setParameter(this.token.getParameterName(), this.token.getToken() + " INVALID");
this.filter.doFilter(this.request, this.response, this.filterChain); this.filter.doFilter(this.request, this.response, this.filterChain);
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class)); verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
verifyNoMoreInteractions(this.filterChain); verifyNoMoreInteractions(this.filterChain);
} }
@ -156,8 +156,8 @@ public class CsrfFilterTests {
.willReturn(new TestDeferredCsrfToken(this.token, false)); .willReturn(new TestDeferredCsrfToken(this.token, false));
this.request.addHeader(this.token.getHeaderName(), this.token.getToken() + " INVALID"); this.request.addHeader(this.token.getHeaderName(), this.token.getToken() + " INVALID");
this.filter.doFilter(this.request, this.response, this.filterChain); this.filter.doFilter(this.request, this.response, this.filterChain);
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class)); verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
verifyNoMoreInteractions(this.filterChain); verifyNoMoreInteractions(this.filterChain);
} }
@ -168,11 +168,14 @@ public class CsrfFilterTests {
given(this.requestMatcher.matches(this.request)).willReturn(true); given(this.requestMatcher.matches(this.request)).willReturn(true);
given(this.tokenRepository.loadDeferredToken(this.request, this.response)) given(this.tokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.token, false)); .willReturn(new TestDeferredCsrfToken(this.token, false));
this.request.setParameter(this.token.getParameterName(), this.token.getToken()); CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
this.request.addHeader(this.token.getHeaderName(), this.token.getToken() + " INVALID"); handler.handle(this.request, this.response, () -> this.token);
CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
this.request.setParameter(csrfToken.getParameterName(), csrfToken.getToken());
this.request.addHeader(csrfToken.getHeaderName(), csrfToken.getToken() + " INVALID");
this.filter.doFilter(this.request, this.response, this.filterChain); this.filter.doFilter(this.request, this.response, this.filterChain);
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class)); verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
verifyNoMoreInteractions(this.filterChain); verifyNoMoreInteractions(this.filterChain);
} }
@ -183,8 +186,8 @@ public class CsrfFilterTests {
given(this.tokenRepository.loadDeferredToken(this.request, this.response)) given(this.tokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.token, false)); .willReturn(new TestDeferredCsrfToken(this.token, false));
this.filter.doFilter(this.request, this.response, this.filterChain); this.filter.doFilter(this.request, this.response, this.filterChain);
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
verify(this.filterChain).doFilter(this.request, this.response); verify(this.filterChain).doFilter(this.request, this.response);
verifyNoMoreInteractions(this.deniedHandler); verifyNoMoreInteractions(this.deniedHandler);
} }
@ -195,8 +198,8 @@ public class CsrfFilterTests {
given(this.tokenRepository.loadDeferredToken(this.request, this.response)) given(this.tokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.token, true)); .willReturn(new TestDeferredCsrfToken(this.token, true));
this.filter.doFilter(this.request, this.response, this.filterChain); this.filter.doFilter(this.request, this.response, this.filterChain);
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
verify(this.filterChain).doFilter(this.request, this.response); verify(this.filterChain).doFilter(this.request, this.response);
verifyNoMoreInteractions(this.deniedHandler); verifyNoMoreInteractions(this.deniedHandler);
} }
@ -206,10 +209,13 @@ public class CsrfFilterTests {
given(this.requestMatcher.matches(this.request)).willReturn(true); given(this.requestMatcher.matches(this.request)).willReturn(true);
given(this.tokenRepository.loadDeferredToken(this.request, this.response)) given(this.tokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.token, false)); .willReturn(new TestDeferredCsrfToken(this.token, false));
this.request.addHeader(this.token.getHeaderName(), this.token.getToken()); CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
handler.handle(this.request, this.response, () -> this.token);
CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
this.request.addHeader(csrfToken.getHeaderName(), csrfToken.getToken());
this.filter.doFilter(this.request, this.response, this.filterChain); this.filter.doFilter(this.request, this.response, this.filterChain);
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
verify(this.filterChain).doFilter(this.request, this.response); verify(this.filterChain).doFilter(this.request, this.response);
verifyNoMoreInteractions(this.deniedHandler); verifyNoMoreInteractions(this.deniedHandler);
} }
@ -220,11 +226,14 @@ public class CsrfFilterTests {
given(this.requestMatcher.matches(this.request)).willReturn(true); given(this.requestMatcher.matches(this.request)).willReturn(true);
given(this.tokenRepository.loadDeferredToken(this.request, this.response)) given(this.tokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.token, false)); .willReturn(new TestDeferredCsrfToken(this.token, false));
this.request.setParameter(this.token.getParameterName(), this.token.getToken() + " INVALID"); CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
this.request.addHeader(this.token.getHeaderName(), this.token.getToken()); handler.handle(this.request, this.response, () -> this.token);
CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
this.request.setParameter(csrfToken.getParameterName(), csrfToken.getToken() + " INVALID");
this.request.addHeader(csrfToken.getHeaderName(), csrfToken.getToken());
this.filter.doFilter(this.request, this.response, this.filterChain); this.filter.doFilter(this.request, this.response, this.filterChain);
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
verify(this.filterChain).doFilter(this.request, this.response); verify(this.filterChain).doFilter(this.request, this.response);
verifyNoMoreInteractions(this.deniedHandler); verifyNoMoreInteractions(this.deniedHandler);
} }
@ -234,10 +243,13 @@ public class CsrfFilterTests {
given(this.requestMatcher.matches(this.request)).willReturn(true); given(this.requestMatcher.matches(this.request)).willReturn(true);
given(this.tokenRepository.loadDeferredToken(this.request, this.response)) given(this.tokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.token, false)); .willReturn(new TestDeferredCsrfToken(this.token, false));
this.request.setParameter(this.token.getParameterName(), this.token.getToken()); CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
handler.handle(this.request, this.response, () -> this.token);
CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
this.request.setParameter(csrfToken.getParameterName(), csrfToken.getToken());
this.filter.doFilter(this.request, this.response, this.filterChain); this.filter.doFilter(this.request, this.response, this.filterChain);
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
verify(this.filterChain).doFilter(this.request, this.response); verify(this.filterChain).doFilter(this.request, this.response);
verifyNoMoreInteractions(this.deniedHandler); verifyNoMoreInteractions(this.deniedHandler);
verify(this.tokenRepository, never()).saveToken(any(CsrfToken.class), any(HttpServletRequest.class), verify(this.tokenRepository, never()).saveToken(any(CsrfToken.class), any(HttpServletRequest.class),
@ -249,10 +261,13 @@ public class CsrfFilterTests {
given(this.requestMatcher.matches(this.request)).willReturn(true); given(this.requestMatcher.matches(this.request)).willReturn(true);
given(this.tokenRepository.loadDeferredToken(this.request, this.response)) given(this.tokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.token, true)); .willReturn(new TestDeferredCsrfToken(this.token, true));
this.request.setParameter(this.token.getParameterName(), this.token.getToken()); CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
handler.handle(this.request, this.response, () -> this.token);
CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
this.request.setParameter(csrfToken.getParameterName(), csrfToken.getToken());
this.filter.doFilter(this.request, this.response, this.filterChain); this.filter.doFilter(this.request, this.response, this.filterChain);
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
// LazyCsrfTokenRepository requires the response as an attribute // LazyCsrfTokenRepository requires the response as an attribute
assertThat(this.request.getAttribute(HttpServletResponse.class.getName())).isEqualTo(this.response); assertThat(this.request.getAttribute(HttpServletResponse.class.getName())).isEqualTo(this.response);
verify(this.filterChain).doFilter(this.request, this.response); verify(this.filterChain).doFilter(this.request, this.response);
@ -320,8 +335,8 @@ public class CsrfFilterTests {
given(this.tokenRepository.loadDeferredToken(this.request, this.response)) given(this.tokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.token, false)); .willReturn(new TestDeferredCsrfToken(this.token, false));
this.filter.doFilter(this.request, this.response, this.filterChain); this.filter.doFilter(this.request, this.response, this.filterChain);
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token); assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN); assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
verifyNoMoreInteractions(this.filterChain); verifyNoMoreInteractions(this.filterChain);
} }
@ -371,12 +386,9 @@ public class CsrfFilterTests {
given(this.requestMatcher.matches(this.request)).willReturn(false); given(this.requestMatcher.matches(this.request)).willReturn(false);
given(this.tokenRepository.loadDeferredToken(this.request, this.response)) given(this.tokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.token, false)); .willReturn(new TestDeferredCsrfToken(this.token, false));
XorCsrfTokenRequestAttributeHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
requestHandler.setCsrfRequestAttributeName(this.token.getParameterName());
this.filter.setRequestHandler(requestHandler);
this.filter.doFilter(this.request, this.response, this.filterChain); this.filter.doFilter(this.request, this.response, this.filterChain);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isNotNull(); assertThat(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
assertThat(this.request.getAttribute(this.token.getParameterName())).isNotNull(); assertThat(this.request.getAttribute("_csrf")).isNotNull();
verify(this.filterChain).doFilter(this.request, this.response); verify(this.filterChain).doFilter(this.request, this.response);
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK); assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
@ -397,8 +409,6 @@ public class CsrfFilterTests {
given(this.requestMatcher.matches(this.request)).willReturn(true); given(this.requestMatcher.matches(this.request)).willReturn(true);
given(this.tokenRepository.loadDeferredToken(this.request, this.response)) given(this.tokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.token, false)); .willReturn(new TestDeferredCsrfToken(this.token, false));
XorCsrfTokenRequestAttributeHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
this.filter.setRequestHandler(requestHandler);
this.request.setParameter(this.token.getParameterName(), this.token.getToken()); this.request.setParameter(this.token.getParameterName(), this.token.getToken());
this.filter.doFilter(this.request, this.response, this.filterChain); this.filter.doFilter(this.request, this.response, this.filterChain);
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(AccessDeniedException.class)); verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(AccessDeniedException.class));
@ -421,7 +431,7 @@ public class CsrfFilterTests {
throws ServletException, IOException { throws ServletException, IOException {
CsrfFilter filter = createCsrfFilter(this.tokenRepository); CsrfFilter filter = createCsrfFilter(this.tokenRepository);
String csrfAttrName = "_csrf"; String csrfAttrName = "_csrf";
CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler(); CsrfTokenRequestAttributeHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
requestHandler.setCsrfRequestAttributeName(csrfAttrName); requestHandler.setCsrfRequestAttributeName(csrfAttrName);
filter.setRequestHandler(requestHandler); filter.setRequestHandler(requestHandler);
CsrfToken expectedCsrfToken = mock(CsrfToken.class); CsrfToken expectedCsrfToken = mock(CsrfToken.class);
@ -432,7 +442,7 @@ public class CsrfFilterTests {
verifyNoInteractions(expectedCsrfToken); verifyNoInteractions(expectedCsrfToken);
CsrfToken tokenFromRequest = (CsrfToken) this.request.getAttribute(csrfAttrName); CsrfToken tokenFromRequest = (CsrfToken) this.request.getAttribute(csrfAttrName);
assertThatCsrfToken(tokenFromRequest).isEqualTo(expectedCsrfToken); assertThatCsrfToken(tokenFromRequest).isNotNull();
} }
} }

Write Preview
Loading…
Cancel
Save