GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Check for existing token before clearing 

Closes gh-12236
pull/12266/head
Steve Riesenberg 3 years ago
parent
1919b4e38b
commit
2ed7cff643
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
3 changed files with 22 additions and 5 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.java
  2. 12
      web/src/main/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategy.java
  3. 9
      web/src/test/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategyTests.java

6
config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.java
Unescape View File

@ -302,6 +302,7 @@ public class CsrfConfigurerTests { @@ -302,6 +302,7 @@ public class CsrfConfigurerTests {
public void loginWhenCustomCsrfTokenRepositoryThenCsrfTokenIsCleared() throws Exception {
CsrfTokenRepositoryConfig.REPO = mock(CsrfTokenRepository.class);
DefaultCsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
given(CsrfTokenRepositoryConfig.REPO.loadToken(any())).willReturn(csrfToken);
given(CsrfTokenRepositoryConfig.REPO.loadDeferredToken(any(HttpServletRequest.class),
any(HttpServletResponse.class))).willReturn(new TestDeferredCsrfToken(csrfToken));
this.spring.register(CsrfTokenRepositoryConfig.class, BasicController.class).autowire();
@ -312,6 +313,7 @@ public class CsrfConfigurerTests { @@ -312,6 +313,7 @@ public class CsrfConfigurerTests {
.param("password", "password");
// @formatter:on
this.mvc.perform(loginRequest).andExpect(redirectedUrl("/"));
verify(CsrfTokenRepositoryConfig.REPO).loadToken(any(HttpServletRequest.class));
verify(CsrfTokenRepositoryConfig.REPO).saveToken(isNull(), any(HttpServletRequest.class),
any(HttpServletResponse.class));
}
@ -443,6 +445,7 @@ public class CsrfConfigurerTests { @@ -443,6 +445,7 @@ public class CsrfConfigurerTests {
public void loginWhenCsrfTokenRequestAttributeHandlerSetAndNormalCsrfTokenThenSuccess() throws Exception {
CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
CsrfTokenRepository csrfTokenRepository = mock(CsrfTokenRepository.class);
given(csrfTokenRepository.loadToken(any(HttpServletRequest.class))).willReturn(csrfToken);
given(csrfTokenRepository.loadDeferredToken(any(HttpServletRequest.class), any(HttpServletResponse.class)))
.willReturn(new TestDeferredCsrfToken(csrfToken));
CsrfTokenRequestHandlerConfig.REPO = csrfTokenRepository;
@ -456,6 +459,7 @@ public class CsrfConfigurerTests { @@ -456,6 +459,7 @@ public class CsrfConfigurerTests {
.param("password", "password");
// @formatter:on
this.mvc.perform(loginRequest).andExpect(redirectedUrl("/"));
verify(csrfTokenRepository).loadToken(any(HttpServletRequest.class));
verify(csrfTokenRepository).saveToken(isNull(), any(HttpServletRequest.class), any(HttpServletResponse.class));
verify(csrfTokenRepository, times(2)).loadDeferredToken(any(HttpServletRequest.class),
any(HttpServletResponse.class));
@ -481,6 +485,7 @@ public class CsrfConfigurerTests { @@ -481,6 +485,7 @@ public class CsrfConfigurerTests {
public void loginWhenXorCsrfTokenRequestAttributeHandlerSetAndMaskedCsrfTokenThenSuccess() throws Exception {
CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
CsrfTokenRepository csrfTokenRepository = mock(CsrfTokenRepository.class);
given(csrfTokenRepository.loadToken(any(HttpServletRequest.class))).willReturn(csrfToken);
given(csrfTokenRepository.loadDeferredToken(any(HttpServletRequest.class), any(HttpServletResponse.class)))
.willReturn(new TestDeferredCsrfToken(csrfToken));
CsrfTokenRequestHandlerConfig.REPO = csrfTokenRepository;
@ -497,6 +502,7 @@ public class CsrfConfigurerTests { @@ -497,6 +502,7 @@ public class CsrfConfigurerTests {
.param("password", "password");
// @formatter:on
this.mvc.perform(loginRequest).andExpect(redirectedUrl("/"));
verify(csrfTokenRepository).loadToken(any(HttpServletRequest.class));
verify(csrfTokenRepository).saveToken(isNull(), any(HttpServletRequest.class), any(HttpServletResponse.class));
verify(csrfTokenRepository, times(3)).loadDeferredToken(any(HttpServletRequest.class),
any(HttpServletResponse.class));

12
web/src/main/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategy.java
Unescape View File

@ -33,6 +33,7 @@ import org.springframework.util.Assert; @@ -33,6 +33,7 @@ import org.springframework.util.Assert;
* the next request.
*
* @author Rob Winch
* @author Steve Riesenberg
* @since 3.2
*/
public final class CsrfAuthenticationStrategy implements SessionAuthenticationStrategy {
@ -65,10 +66,13 @@ public final class CsrfAuthenticationStrategy implements SessionAuthenticationSt @@ -65,10 +66,13 @@ public final class CsrfAuthenticationStrategy implements SessionAuthenticationSt
@Override
public void onAuthentication(Authentication authentication, HttpServletRequest request,
HttpServletResponse response) throws SessionAuthenticationException {
this.tokenRepository.saveToken(null, request, response);
DeferredCsrfToken deferredCsrfToken = this.tokenRepository.loadDeferredToken(request, response);
this.requestHandler.handle(request, response, deferredCsrfToken::get);
this.logger.debug("Replaced CSRF Token");
boolean containsToken = this.tokenRepository.loadToken(request) != null;
if (containsToken) {
this.tokenRepository.saveToken(null, request, response);
DeferredCsrfToken deferredCsrfToken = this.tokenRepository.loadDeferredToken(request, response);
this.requestHandler.handle(request, response, deferredCsrfToken::get);
this.logger.debug("Replaced CSRF Token");
}
}
}

9
web/src/test/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategyTests.java
Unescape View File

@ -36,6 +36,7 @@ import static org.mockito.ArgumentMatchers.eq; @@ -36,6 +36,7 @@ import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoMoreInteractions;
@ -82,6 +83,7 @@ public class CsrfAuthenticationStrategyTests { @@ -82,6 +83,7 @@ public class CsrfAuthenticationStrategyTests {
@Test
public void onAuthenticationWhenCustomRequestHandlerThenUsed() {
given(this.csrfTokenRepository.loadToken(this.request)).willReturn(this.existingToken);
given(this.csrfTokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.existingToken, false));
@ -89,16 +91,20 @@ public class CsrfAuthenticationStrategyTests { @@ -89,16 +91,20 @@ public class CsrfAuthenticationStrategyTests {
this.strategy.setRequestHandler(requestHandler);
this.strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), this.request,
this.response);
verify(this.csrfTokenRepository).loadToken(this.request);
verify(this.csrfTokenRepository).loadDeferredToken(this.request, this.response);
verify(requestHandler).handle(eq(this.request), eq(this.response), any());
verifyNoMoreInteractions(requestHandler);
}
@Test
public void logoutRemovesCsrfTokenAndLoadsNewDeferredCsrfToken() {
given(this.csrfTokenRepository.loadToken(this.request)).willReturn(this.existingToken);
given(this.csrfTokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.generatedToken, false));
this.strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), this.request,
this.response);
verify(this.csrfTokenRepository).loadToken(this.request);
verify(this.csrfTokenRepository).saveToken(null, this.request, this.response);
verify(this.csrfTokenRepository).loadDeferredToken(this.request, this.response);
// SEC-2404, SEC-2832
@ -113,6 +119,7 @@ public class CsrfAuthenticationStrategyTests { @@ -113,6 +119,7 @@ public class CsrfAuthenticationStrategyTests {
@Test
public void delaySavingCsrf() {
this.strategy = new CsrfAuthenticationStrategy(new LazyCsrfTokenRepository(this.csrfTokenRepository));
given(this.csrfTokenRepository.loadToken(this.request)).willReturn(this.existingToken, (CsrfToken) null);
given(this.csrfTokenRepository.generateToken(this.request)).willReturn(this.generatedToken);
this.strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), this.request,
this.response);
@ -121,7 +128,7 @@ public class CsrfAuthenticationStrategyTests { @@ -121,7 +128,7 @@ public class CsrfAuthenticationStrategyTests {
any(HttpServletResponse.class));
CsrfToken tokenInRequest = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
tokenInRequest.getToken();
verify(this.csrfTokenRepository).loadToken(this.request);
verify(this.csrfTokenRepository, times(2)).loadToken(this.request);
verify(this.csrfTokenRepository).generateToken(this.request);
verify(this.csrfTokenRepository).saveToken(eq(this.generatedToken), any(HttpServletRequest.class),
any(HttpServletResponse.class));

Write Preview
Loading…
Cancel
Save