GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Apply request-handler-ref to CsrfAuthenticationStrategy 

Closes gh-16801
pull/16822/head
Steve Riesenberg 9 months ago
parent
1e7db094d1
commit
c84c438075
No known key found for this signature in database
GPG Key ID: 3D0169B18AB8F0A9
2 changed files with 41 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java
  2. 38
      config/src/test/java/org/springframework/security/config/http/CsrfConfigTests.java

3
config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java
Unescape View File

@ -183,6 +183,9 @@ public class CsrfBeanDefinitionParser implements BeanDefinitionParser {
BeanDefinitionBuilder csrfAuthenticationStrategy = BeanDefinitionBuilder BeanDefinitionBuilder csrfAuthenticationStrategy = BeanDefinitionBuilder
.rootBeanDefinition(CsrfAuthenticationStrategy.class); .rootBeanDefinition(CsrfAuthenticationStrategy.class);
csrfAuthenticationStrategy.addConstructorArgReference(this.csrfRepositoryRef); csrfAuthenticationStrategy.addConstructorArgReference(this.csrfRepositoryRef);
if (StringUtils.hasText(this.requestHandlerRef)) {
csrfAuthenticationStrategy.addPropertyReference("requestHandler", this.requestHandlerRef);
}
return csrfAuthenticationStrategy.getBeanDefinition(); return csrfAuthenticationStrategy.getBeanDefinition();
} }

38
config/src/test/java/org/springframework/security/config/http/CsrfConfigTests.java
Unescape View File

@ -22,6 +22,7 @@ import java.util.List;
import jakarta.servlet.Filter; import jakarta.servlet.Filter;
import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse; import jakarta.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpStatus; import org.eclipse.jetty.http.HttpStatus;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith; import org.junit.jupiter.api.extension.ExtendWith;
@ -336,6 +337,43 @@ public class CsrfConfigTests {
// @formatter:on // @formatter:on
} }
@Test
public void postWhenUsingCsrfAndXorCsrfTokenRequestAttributeHandlerThenCsrfAuthenticationStrategyUses()
throws Exception {
this.spring.configLocations(this.xml("WithXorCsrfTokenRequestAttributeHandler"), this.xml("shared-controllers"))
.autowire();
// @formatter:off
MvcResult mvcResult1 = this.mvc.perform(get("/csrf"))
.andExpect(status().isOk())
.andReturn();
// @formatter:on
MockHttpServletRequest request1 = mvcResult1.getRequest();
MockHttpSession session = (MockHttpSession) request1.getSession();
CsrfTokenRepository repository = WebTestUtils.getCsrfTokenRepository(request1);
// @formatter:off
MockHttpServletRequestBuilder login = post("/login")
.param("username", "user")
.param("password", "password")
.session(session)
.with(csrf());
this.mvc.perform(login)
.andExpect(status().is3xxRedirection())
.andExpect(redirectedUrl("/"));
// @formatter:on
assertThat(repository.loadToken(request1)).isNull();
// @formatter:off
MvcResult mvcResult2 = this.mvc.perform(get("/csrf").session(session))
.andExpect(status().isOk())
.andReturn();
// @formatter:on
MockHttpServletRequest request2 = mvcResult2.getRequest();
CsrfToken csrfToken = repository.loadToken(request2);
CsrfToken csrfTokenAttribute = (CsrfToken) request2.getAttribute(CsrfToken.class.getName());
assertThat(csrfTokenAttribute).isNotNull();
assertThat(csrfTokenAttribute.getToken()).isNotBlank();
assertThat(csrfTokenAttribute.getToken()).isNotEqualTo(csrfToken.getToken());
}
@Test @Test
public void postWhenHasCsrfTokenButSessionExpiresThenRequestIsCancelledAfterSuccessfulAuthentication() public void postWhenHasCsrfTokenButSessionExpiresThenRequestIsCancelledAfterSuccessfulAuthentication()
throws Exception { throws Exception {

Write Preview
Loading…
Cancel
Save