GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

SEC-2325: Polish CSRF Tag support 

- Rename csrfField to csrfInput
- Make AbstractCsrfTag package scope
- rename FormFieldTag to CsrfInputTag
- rename MetaTagsTag to CsrfMetaTagsTag
- removed whitespace from tag output so output is
  minimized & improving browser performance
- Update @since
- changed test names to be more meaningful
pull/56/merge
Rob Winch 12 years ago
parent
a3e0475998
commit
32d3e29c65
8 changed files with 39 additions and 39 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      docs/manual/src/asciidoc/index.adoc
  2. 4
      taglibs/src/main/java/org/springframework/security/taglibs/csrf/AbstractCsrfTag.java
  3. 6
      taglibs/src/main/java/org/springframework/security/taglibs/csrf/CsrfInputTag.java
  4. 10
      taglibs/src/main/java/org/springframework/security/taglibs/csrf/CsrfMetaTagsTag.java
  5. 6
      taglibs/src/main/resources/META-INF/security.tld
  6. 8
      taglibs/src/test/java/org/springframework/security/taglibs/csrf/AbstractCsrfTagTests.java
  7. 14
      taglibs/src/test/java/org/springframework/security/taglibs/csrf/CsrfInputTagTests.java
  8. 22
      taglibs/src/test/java/org/springframework/security/taglibs/csrf/CsrfMetaTagsTagTests.java

8
docs/manual/src/asciidoc/index.adoc
Unescape View File

@ -3139,7 +3139,7 @@ The last step is to ensure that you include the CSRF token in all PATCH, POST, P @@ -3139,7 +3139,7 @@ The last step is to ensure that you include the CSRF token in all PATCH, POST, P
</form>
----
An easier approach is to use <<the-csrffield-tag,the csrfField tag>> from the Spring Security JSP tag library.
An easier approach is to use <<the-csrfInput-tag,the csrfInput tag>> from the Spring Security JSP tag library.
[NOTE]
====
@ -5037,17 +5037,17 @@ The permissions are passed to the `PermissionFactory` defined in the application @@ -5037,17 +5037,17 @@ The permissions are passed to the `PermissionFactory` defined in the application
This tag also supports the `var` attribute, in the same way as the `authorize` tag.
=== The csrfField Tag
=== The csrfInput Tag
If CSRF protection is enabled, this tag inserts a hidden form field with the correct name and value for the CSRF protection token. If CSRF protection is not enabled, this tag outputs nothing.
Normally Spring Security automatically inserts a CSRF form field for any `<form:form>` tags you use, but if for some reason you cannot use `<form:form>`, `csrfField` is a handy replacement.
Normally Spring Security automatically inserts a CSRF form field for any `<form:form>` tags you use, but if for some reason you cannot use `<form:form>`, `csrfInput` is a handy replacement.
You should place this tag within an HTML `<form></form>` block, where you would normally place other input fields. Do NOT place this tag within a Spring `<form:form></form:form>` block—Spring Security handles Spring forms automatically.
[source,xml]
----
<form method="post" action="/do/something">
<sec:csrfField />
<sec:csrfInput />
Name:<br />
<input type="text" name="name" />
...

4
taglibs/src/main/java/org/springframework/security/taglibs/csrf/AbstractCsrfTag.java
Unescape View File

@ -25,10 +25,10 @@ import java.io.IOException; @@ -25,10 +25,10 @@ import java.io.IOException;
/**
* An abstract tag for handling CSRF operations.
*
* @since 3.2.1
* @since 3.2.2
* @author Nick Williams
*/
public abstract class AbstractCsrfTag extends TagSupport {
abstract class AbstractCsrfTag extends TagSupport {
@Override
public int doEndTag() throws JspException {

6
taglibs/src/main/java/org/springframework/security/taglibs/csrf/FormFieldTag.java → taglibs/src/main/java/org/springframework/security/taglibs/csrf/CsrfInputTag.java
Unescape View File

@ -22,14 +22,14 @@ import org.springframework.security.web.csrf.CsrfToken; @@ -22,14 +22,14 @@ import org.springframework.security.web.csrf.CsrfToken;
* A JSP tag that prints out a hidden form field for the CSRF token. See the JSP Tab Library documentation for more
* information.
*
* @since 3.2.1
* @since 3.2.2
* @author Nick Williams
*/
public class FormFieldTag extends AbstractCsrfTag {
public class CsrfInputTag extends AbstractCsrfTag {
@Override
public String handleToken(CsrfToken token) {
return "<input type=\"hidden\" name=\"" + token.getParameterName() + "\" value=\"" + token.getToken() +
"\" />\n";
"\" />";
}
}

10
taglibs/src/main/java/org/springframework/security/taglibs/csrf/MetaTagsTag.java → taglibs/src/main/java/org/springframework/security/taglibs/csrf/CsrfMetaTagsTag.java
Unescape View File

@ -22,15 +22,15 @@ import org.springframework.security.web.csrf.CsrfToken; @@ -22,15 +22,15 @@ import org.springframework.security.web.csrf.CsrfToken;
* A JSP tag that prints out a meta tags holding the CSRF form field name and token value for use in JavaScrip code.
* See the JSP Tab Library documentation for more information.
*
* @since 3.2.1
* @since 3.2.2
* @author Nick Williams
*/
public class MetaTagsTag extends AbstractCsrfTag {
public class CsrfMetaTagsTag extends AbstractCsrfTag {
@Override
public String handleToken(CsrfToken token) {
return "<meta name=\"_csrf_parameter\" content=\"" + token.getParameterName() + "\" />\n" +
" <meta name=\"_csrf_header\" content=\"" + token.getHeaderName() + "\" />\n" +
" <meta name=\"_csrf\" content=\"" + token.getToken() + "\" />\n";
return "<meta name=\"_csrf_parameter\" content=\"" + token.getParameterName() + "\" />" +
"<meta name=\"_csrf_header\" content=\"" + token.getHeaderName() + "\" />" +
"<meta name=\"_csrf\" content=\"" + token.getToken() + "\" />";
}
}

6
taglibs/src/main/resources/META-INF/security.tld
Unescape View File

@ -200,8 +200,8 @@ @@ -200,8 +200,8 @@
where you would normally place other <input>s. Do NOT place this tag within a Spring <form:form></form:form>
block—Spring Security handles Spring forms automatically.
]]></description>
<name>csrfField</name>
<tag-class>org.springframework.security.taglibs.csrf.FormFieldTag</tag-class>
<name>csrfInput</name>
<tag-class>org.springframework.security.taglibs.csrf.CsrfInputTag</tag-class>
<body-content>empty</body-content>
</tag>
@ -218,7 +218,7 @@ @@ -218,7 +218,7 @@
tag outputs nothing.
]]></description>
<name>csrfMetaTags</name>
<tag-class>org.springframework.security.taglibs.csrf.MetaTagsTag</tag-class>
<tag-class>org.springframework.security.taglibs.csrf.CsrfMetaTagsTag</tag-class>
<body-content>empty</body-content>
</tag>

8
taglibs/src/test/java/org/springframework/security/taglibs/csrf/AbstractCsrfTagTests.java
Unescape View File

@ -36,9 +36,9 @@ public class AbstractCsrfTagTests { @@ -36,9 +36,9 @@ public class AbstractCsrfTagTests {
}
@Test
public void testDoEndTag01() throws JspException, UnsupportedEncodingException {
public void noCsrfDoesNotRender() throws JspException, UnsupportedEncodingException {
this.tag.handleReturn = "fooBarBazQux";
this.tag.handleReturn = "shouldNotBeRendered";
int returned = this.tag.doEndTag();
@ -47,7 +47,7 @@ public class AbstractCsrfTagTests { @@ -47,7 +47,7 @@ public class AbstractCsrfTagTests {
}
@Test
public void testDoEndTag02() throws JspException, UnsupportedEncodingException {
public void hasCsrfRendersReturnedValue() throws JspException, UnsupportedEncodingException {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
this.request.setAttribute(CsrfToken.class.getName(), token);
@ -62,7 +62,7 @@ public class AbstractCsrfTagTests { @@ -62,7 +62,7 @@ public class AbstractCsrfTagTests {
}
@Test
public void testDoEndTag03() throws JspException, UnsupportedEncodingException {
public void hasCsrfRendersDifferentValue() throws JspException, UnsupportedEncodingException {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
this.request.setAttribute(CsrfToken.class.getName(), token);

14
taglibs/src/test/java/org/springframework/security/taglibs/csrf/FormFieldTagTests.java → taglibs/src/test/java/org/springframework/security/taglibs/csrf/CsrfInputTagTests.java
Unescape View File

@ -10,36 +10,36 @@ import static org.junit.Assert.*; @@ -10,36 +10,36 @@ import static org.junit.Assert.*;
/**
* @author Nick Williams
*/
public class FormFieldTagTests {
public class CsrfInputTagTests {
public FormFieldTag tag;
public CsrfInputTag tag;
@Before
public void setUp() {
this.tag = new FormFieldTag();
this.tag = new CsrfInputTag();
}
@Test
public void testHandleToken01() {
public void handleTokenReturnsHiddenInput() {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
String value = this.tag.handleToken(token);
assertNotNull("The returned value should not be null.", value);
assertEquals("The output is not correct.",
"<input type=\"hidden\" name=\"_csrf\" value=\"abc123def456ghi789\" />\n",
"<input type=\"hidden\" name=\"_csrf\" value=\"abc123def456ghi789\" />",
value);
}
@Test
public void testHandleToken() {
public void handleTokenReturnsHiddenInputDifferentTokenValue() {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "csrfParameter", "fooBarBazQux");
String value = this.tag.handleToken(token);
assertNotNull("The returned value should not be null.", value);
assertEquals("The output is not correct.",
"<input type=\"hidden\" name=\"csrfParameter\" value=\"fooBarBazQux\" />\n",
"<input type=\"hidden\" name=\"csrfParameter\" value=\"fooBarBazQux\" />",
value);
}
}

22
taglibs/src/test/java/org/springframework/security/taglibs/csrf/MetaTagsTagTests.java → taglibs/src/test/java/org/springframework/security/taglibs/csrf/CsrfMetaTagsTagTests.java
Unescape View File

@ -10,40 +10,40 @@ import static org.junit.Assert.*; @@ -10,40 +10,40 @@ import static org.junit.Assert.*;
/**
* @author Nick Williams
*/
public class MetaTagsTagTests {
public class CsrfMetaTagsTagTests {
public MetaTagsTag tag;
public CsrfMetaTagsTag tag;
@Before
public void setUp() {
this.tag = new MetaTagsTag();
this.tag = new CsrfMetaTagsTag();
}
@Test
public void testHandleToken01() {
public void handleTokenRendersTags() {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
String value = this.tag.handleToken(token);
assertNotNull("The returned value should not be null.", value);
assertEquals("The output is not correct.",
"<meta name=\"_csrf_parameter\" content=\"_csrf\" />\n" +
" <meta name=\"_csrf_header\" content=\"X-Csrf-Token\" />\n" +
" <meta name=\"_csrf\" content=\"abc123def456ghi789\" />\n",
"<meta name=\"_csrf_parameter\" content=\"_csrf\" />" +
"<meta name=\"_csrf_header\" content=\"X-Csrf-Token\" />" +
"<meta name=\"_csrf\" content=\"abc123def456ghi789\" />",
value);
}
@Test
public void testHandleToken02() {
public void handleTokenRendersTagsDifferentToken() {
CsrfToken token = new DefaultCsrfToken("csrfHeader", "csrfParameter", "fooBarBazQux");
String value = this.tag.handleToken(token);
assertNotNull("The returned value should not be null.", value);
assertEquals("The output is not correct.",
"<meta name=\"_csrf_parameter\" content=\"csrfParameter\" />\n" +
" <meta name=\"_csrf_header\" content=\"csrfHeader\" />\n" +
" <meta name=\"_csrf\" content=\"fooBarBazQux\" />\n",
"<meta name=\"_csrf_parameter\" content=\"csrfParameter\" />" +
"<meta name=\"_csrf_header\" content=\"csrfHeader\" />" +
"<meta name=\"_csrf\" content=\"fooBarBazQux\" />",
value);
}
}
Write Preview
Loading…
Cancel
Save