GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

WithHttpOnlyCookie defaults to false 

Closes gh-16820

Signed-off-by: DingHao <dh.hiekn@gmail.com>
pull/16916/head
DingHao 9 months ago committed by Josh Cummings
parent
b7df86197c
commit
857ef6fe08
2 changed files with 18 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 4
      web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
  2. 17
      web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java

4
web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
Unescape View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -84,7 +84,7 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
*/ */
public static CookieServerCsrfTokenRepository withHttpOnlyFalse() { public static CookieServerCsrfTokenRepository withHttpOnlyFalse() {
CookieServerCsrfTokenRepository result = new CookieServerCsrfTokenRepository(); CookieServerCsrfTokenRepository result = new CookieServerCsrfTokenRepository();
result.setCookieCustomizer((cookie) -> cookie.httpOnly(false)); result.cookieHttpOnly = false;
return result; return result;
} }

17
web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java
Unescape View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -290,6 +290,21 @@ class CookieServerCsrfTokenRepositoryTests {
loadAndAssertExpectedValues(); loadAndAssertExpectedValues();
} }
// gh-16820
@Test
void withHttpOnlyFalseWhenCookieCustomizerThenStillDefaultsToFalse() {
CookieServerCsrfTokenRepository repository = CookieServerCsrfTokenRepository.withHttpOnlyFalse();
repository.setCookieCustomizer((customizer) -> customizer.maxAge(1000));
MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest.get("/dummy");
MockServerWebExchange exchange = MockServerWebExchange.from(request);
CsrfToken csrfToken = repository.generateToken(exchange).block();
repository.saveToken(exchange, csrfToken).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst("XSRF-TOKEN");
assertThat(cookie).isNotNull();
assertThat(cookie.getMaxAge().getSeconds()).isEqualTo(1000);
assertThat(cookie.isHttpOnly()).isEqualTo(Boolean.FALSE);
}
private void setExpectedHeaderName(String expectedHeaderName) { private void setExpectedHeaderName(String expectedHeaderName) {
this.csrfTokenRepository.setHeaderName(expectedHeaderName); this.csrfTokenRepository.setHeaderName(expectedHeaderName);
this.expectedHeaderName = expectedHeaderName; this.expectedHeaderName = expectedHeaderName;

Write Preview
Loading…
Cancel
Save