Merge branch '6.1.x' into 6.2.x

Closes gh-14805
2 years ago · 6f8cc920cd
1 changed files with 37 additions and 1 deletions
--- a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
+++ b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
@ -876,7 +876,7 @@ class SpaCsrfTokenRequestHandler : CsrfTokenRequestAttributeHandler() {
        delegate.handle(request, response, csrfToken)
    }
-    override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String {
+    override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String? {
        /*
         * If the request contains a request header, use CsrfTokenRequestAttributeHandler
         * to resolve the CsrfToken. This applies when a single-page application includes
@ -1221,6 +1221,24 @@ public class CsrfTests {
 			.andExpect(header().string(HttpHeaders.LOCATION, "/"));
 	}
 	@Test
 	public void loginWhenInvalidCsrfTokenThenForbidden() throws Exception {
 		this.mockMvc.perform(post("/login").with(csrf().useInvalidToken())
 				.accept(MediaType.TEXT_HTML)
 				.param("username", "user")
 				.param("password", "password"))
 			.andExpect(status().isForbidden());
 	}
 	@Test
 	public void loginWhenMissingCsrfTokenThenForbidden() throws Exception {
 		this.mockMvc.perform(post("/login")
 				.accept(MediaType.TEXT_HTML)
 				.param("username", "user")
 				.param("password", "password"))
 			.andExpect(status().isForbidden());
 	}
 	@Test
 	@WithMockUser
 	public void logoutWhenValidCsrfTokenThenSuccess() throws Exception {
@ -1264,6 +1282,24 @@ class CsrfTests {
 			.andExpect(header().string(HttpHeaders.LOCATION, "/"))
 	}
 	@Test
 	fun loginWhenInvalidCsrfTokenThenForbidden() {
 		mockMvc.perform(post("/login").with(csrf().useInvalidToken())
 				.accept(MediaType.TEXT_HTML)
 				.param("username", "user")
 				.param("password", "password"))
 			.andExpect(status().isForbidden)
 	}
 	@Test
 	fun loginWhenMissingCsrfTokenThenForbidden() {
 		mockMvc.perform(post("/login")
 				.accept(MediaType.TEXT_HTML)
 				.param("username", "user")
 				.param("password", "password"))
 			.andExpect(status().isForbidden)
 	}
 	@Test
 	@WithMockUser
 	@Throws(Exception::class)