GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

CsrfWebFilter places Mono<CsrfToken> 

Fixes: gh-4855
pull/4850/merge
Rob Winch 8 years ago
parent
edccafca84
commit
d55db837e1
11 changed files with 73 additions and 114 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 11
      config/src/test/java/org/springframework/security/config/web/server/FormLoginTests.java
  2. 2
      config/src/test/java/org/springframework/security/config/web/server/RequestCacheTests.java
  3. 38
      samples/javaconfig/webflux-form/src/main/java/sample/CsrfControllerAdvice.java
  4. 6
      web/src/main/java/org/springframework/security/web/reactive/result/view/CsrfRequestDataValueProcessor.java
  5. 16
      web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java
  6. 71
      web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
  7. 4
      web/src/main/java/org/springframework/security/web/server/ui/LoginPageGeneratingWebFilter.java
  8. 4
      web/src/main/java/org/springframework/security/web/server/ui/LogoutPageGeneratingWebFilter.java
  9. 5
      web/src/test/java/org/springframework/security/web/reactive/result/view/CsrfRequestDataValueProcessorTests.java
  10. 6
      web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java
  11. 24
      web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java

11
config/src/test/java/org/springframework/security/config/web/server/FormLoginTests.java
Unescape View File

@ -33,6 +33,7 @@ import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.server.ServerWebExchange; import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
@ -314,9 +315,9 @@ public class FormLoginTests {
public static class CustomLoginPageController { public static class CustomLoginPageController {
@ResponseBody @ResponseBody
@GetMapping("/login") @GetMapping("/login")
public String login(ServerWebExchange exchange) { public Mono<String> login(ServerWebExchange exchange) {
CsrfToken token = exchange.getAttribute(CsrfToken.class.getName()); Mono<CsrfToken> token = exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
return return token.map(t ->
"<!DOCTYPE html>\n" "<!DOCTYPE html>\n"
+ "<html lang=\"en\">\n" + "<html lang=\"en\">\n"
+ " <head>\n" + " <head>\n"
@ -338,12 +339,12 @@ public class FormLoginTests {
+ " <label for=\"password\" class=\"sr-only\">Password</label>\n" + " <label for=\"password\" class=\"sr-only\">Password</label>\n"
+ " <input type=\"password\" id=\"password\" name=\"password\" placeholder=\"Password\" required>\n" + " <input type=\"password\" id=\"password\" name=\"password\" placeholder=\"Password\" required>\n"
+ " </p>\n" + " </p>\n"
+ " <input type=\"hidden\" name=\"" + token.getParameterName() + "\" value=\"" + token.getToken() + "\">\n" + " <input type=\"hidden\" name=\"" + t.getParameterName() + "\" value=\"" + t.getToken() + "\">\n"
+ " <button type=\"submit\">Sign in</button>\n" + " <button type=\"submit\">Sign in</button>\n"
+ " </form>\n" + " </form>\n"
+ " </div>\n" + " </div>\n"
+ " </body>\n" + " </body>\n"
+ "</html>"; + "</html>");
} }
} }
} }

2
config/src/test/java/org/springframework/security/config/web/server/RequestCacheTests.java
Unescape View File

@ -26,7 +26,6 @@ import org.springframework.security.htmlunit.server.WebTestClientHtmlUnitDriverB
import org.springframework.security.test.web.reactive.server.WebTestClientBuilder; import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.WebFilterChainProxy; import org.springframework.security.web.server.WebFilterChainProxy;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.security.web.server.savedrequest.NoOpServerRequestCache; import org.springframework.security.web.server.savedrequest.NoOpServerRequestCache;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.test.web.reactive.server.WebTestClient; import org.springframework.test.web.reactive.server.WebTestClient;
@ -126,7 +125,6 @@ public class RequestCacheTests {
@ResponseBody @ResponseBody
@GetMapping("/secured") @GetMapping("/secured")
public String login(ServerWebExchange exchange) { public String login(ServerWebExchange exchange) {
CsrfToken token = exchange.getAttribute(CsrfToken.class.getName());
return return
"<!DOCTYPE html>\n" "<!DOCTYPE html>\n"
+ "<html lang=\"en\">\n" + "<html lang=\"en\">\n"

38
samples/javaconfig/webflux-form/src/main/java/sample/CsrfControllerAdvice.java
Unescape View File

@ -0,0 +1,38 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import static org.springframework.security.web.reactive.result.view.CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME;
/**
* @author Rob Winch
* @since 5.0
*/
@ControllerAdvice
public class CsrfControllerAdvice {
@ModelAttribute
public Mono<CsrfToken> csrfToken(ServerWebExchange exchange) {
Mono<CsrfToken> csrfToken = exchange.getAttribute(CsrfToken.class.getName());
return csrfToken.doOnSuccess(token -> exchange.getAttributes().put(DEFAULT_CSRF_ATTR_NAME, token));
}
}

6
web/src/main/java/org/springframework/security/web/reactive/result/view/CsrfRequestDataValueProcessor.java
Unescape View File

@ -30,6 +30,10 @@ import java.util.regex.Pattern;
* @since 5.0 * @since 5.0
*/ */
public class CsrfRequestDataValueProcessor implements RequestDataValueProcessor { public class CsrfRequestDataValueProcessor implements RequestDataValueProcessor {
/**
* The default request attribute to look for a {@link CsrfToken}.
*/
public static final String DEFAULT_CSRF_ATTR_NAME = "_csrf";
private static final Pattern DISABLE_CSRF_TOKEN_PATTERN = Pattern private static final Pattern DISABLE_CSRF_TOKEN_PATTERN = Pattern
.compile("(?i)^(GET|HEAD|TRACE|OPTIONS)$"); .compile("(?i)^(GET|HEAD|TRACE|OPTIONS)$");
@ -62,7 +66,7 @@ public class CsrfRequestDataValueProcessor implements RequestDataValueProcessor
exchange.getAttributes().remove(DISABLE_CSRF_TOKEN_ATTR); exchange.getAttributes().remove(DISABLE_CSRF_TOKEN_ATTR);
return Collections.emptyMap(); return Collections.emptyMap();
} }
CsrfToken token = exchange.getAttribute(CsrfToken.class.getName()); CsrfToken token = exchange.getAttribute(DEFAULT_CSRF_ATTR_NAME);
if(token == null) { if(token == null) {
return Collections.emptyMap(); return Collections.emptyMap();
} }

16
web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java
Unescape View File

@ -47,12 +47,16 @@ import java.util.Set;
* {@link WebSessionServerCsrfTokenRepository}. This is preferred to storing the token in * {@link WebSessionServerCsrfTokenRepository}. This is preferred to storing the token in
* a cookie which can be modified by a client application. * a cookie which can be modified by a client application.
* </p> * </p>
* <p>
* The {@code Mono&lt;CsrfToken&gt;} is exposes as a request attribute with the name of
* {@code CsrfToken.class.getName()}. If the token is new it will automatically be saved
* at the time it is subscribed.
* </p>
* *
* @author Rob Winch * @author Rob Winch
* @since 5.0 * @since 5.0
*/ */
public class CsrfWebFilter implements WebFilter { public class CsrfWebFilter implements WebFilter {
private ServerWebExchangeMatcher requireCsrfProtectionMatcher = new DefaultRequireCsrfProtectionMatcher(); private ServerWebExchangeMatcher requireCsrfProtectionMatcher = new DefaultRequireCsrfProtectionMatcher();
private ServerCsrfTokenRepository csrfTokenRepository = new WebSessionServerCsrfTokenRepository(); private ServerCsrfTokenRepository csrfTokenRepository = new WebSessionServerCsrfTokenRepository();
@ -105,11 +109,11 @@ public class CsrfWebFilter implements WebFilter {
} }
private Mono<Void> continueFilterChain(ServerWebExchange exchange, WebFilterChain chain) { private Mono<Void> continueFilterChain(ServerWebExchange exchange, WebFilterChain chain) {
return csrfToken(exchange) return Mono.defer(() ->{
.doOnSuccess(csrfToken -> exchange.getAttributes().put(CsrfToken.class.getName(), csrfToken)) Mono<CsrfToken> csrfToken = csrfToken(exchange);
.doOnSuccess(csrfToken -> exchange.getAttributes().put(csrfToken.getParameterName(), csrfToken)) exchange.getAttributes().put(CsrfToken.class.getName(), csrfToken);
.flatMap( t -> chain.filter(exchange)) return chain.filter(exchange);
.then(); });
} }
private Mono<CsrfToken> csrfToken(ServerWebExchange exchange) { private Mono<CsrfToken> csrfToken(ServerWebExchange exchange) {

71
web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
Unescape View File

@ -17,7 +17,6 @@ package org.springframework.security.web.server.csrf;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange; import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebSession;
import reactor.core.publisher.Mono; import reactor.core.publisher.Mono;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
@ -49,20 +48,15 @@ public class WebSessionServerCsrfTokenRepository
@Override @Override
public Mono<CsrfToken> generateToken(ServerWebExchange exchange) { public Mono<CsrfToken> generateToken(ServerWebExchange exchange) {
return exchange.getSession() return Mono.fromCallable(() -> createCsrfToken());
.map(WebSession::getAttributes)
.map(this::createCsrfToken);
} }
@Override @Override
public Mono<CsrfToken> saveToken(ServerWebExchange exchange, CsrfToken token) { public Mono<CsrfToken> saveToken(ServerWebExchange exchange, CsrfToken token) {
if(token != null) {
return Mono.just(token);
}
return exchange.getSession() return exchange.getSession()
.doOnSuccess(session -> putToken(session.getAttributes(), token)) .doOnNext(session -> putToken(session.getAttributes(), token))
.flatMap(session -> session.changeSessionId()) .flatMap(session -> session.changeSessionId())
.flatMap(r -> Mono.justOrEmpty(token)); .then(Mono.justOrEmpty(token));
} }
private void putToken(Map<String, Object> attributes, CsrfToken token) { private void putToken(Map<String, Object> attributes, CsrfToken token) {
@ -111,11 +105,6 @@ public class WebSessionServerCsrfTokenRepository
this.sessionAttributeName = sessionAttributeName; this.sessionAttributeName = sessionAttributeName;
} }
private CsrfToken createCsrfToken(Map<String, Object> attributes) {
return new LazyCsrfToken(attributes, createCsrfToken());
}
private CsrfToken createCsrfToken() { private CsrfToken createCsrfToken() {
return new DefaultCsrfToken(this.headerName, this.parameterName, createNewToken()); return new DefaultCsrfToken(this.headerName, this.parameterName, createNewToken());
} }
@ -124,58 +113,4 @@ public class WebSessionServerCsrfTokenRepository
return UUID.randomUUID().toString(); return UUID.randomUUID().toString();
} }
private class LazyCsrfToken implements CsrfToken {
private final Map<String, Object> attributes;
private final CsrfToken delegate;
private LazyCsrfToken(Map<String, Object> attributes, CsrfToken delegate) {
this.attributes = attributes;
this.delegate = delegate;
}
@Override
public String getHeaderName() {
return this.delegate.getHeaderName();
}
@Override
public String getParameterName() {
return this.delegate.getParameterName();
}
@Override
public String getToken() {
putToken(this.attributes, this.delegate);
return this.delegate.getToken();
}
@Override
public boolean equals(Object o) {
if (this == o)
return true;
if (o == null || !(o instanceof CsrfToken))
return false;
CsrfToken that = (CsrfToken) o;
if (!getToken().equals(that.getToken()))
return false;
if (!getParameterName().equals(that.getParameterName()))
return false;
return getHeaderName().equals(that.getHeaderName());
}
@Override
public int hashCode() {
int result = getToken().hashCode();
result = 31 * result + getParameterName().hashCode();
result = 31 * result + getHeaderName().hashCode();
return result;
}
@Override
public String toString() {
return "LazyCsrfToken{" + "delegate=" + this.delegate + '}';
}
}
} }

4
web/src/main/java/org/springframework/security/web/server/ui/LoginPageGeneratingWebFilter.java
Unescape View File

@ -60,8 +60,8 @@ public class LoginPageGeneratingWebFilter implements WebFilter {
private Mono<DataBuffer> createBuffer(ServerWebExchange exchange) { private Mono<DataBuffer> createBuffer(ServerWebExchange exchange) {
MultiValueMap<String, String> queryParams = exchange.getRequest() MultiValueMap<String, String> queryParams = exchange.getRequest()
.getQueryParams(); .getQueryParams();
CsrfToken token = exchange.getAttribute(CsrfToken.class.getName()); Mono<CsrfToken> token = exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
return Mono.justOrEmpty(token) return token
.map(LoginPageGeneratingWebFilter::csrfToken) .map(LoginPageGeneratingWebFilter::csrfToken)
.defaultIfEmpty("") .defaultIfEmpty("")
.map(csrfTokenHtmlInput -> { .map(csrfTokenHtmlInput -> {

4
web/src/main/java/org/springframework/security/web/server/ui/LogoutPageGeneratingWebFilter.java
Unescape View File

@ -57,8 +57,8 @@ public class LogoutPageGeneratingWebFilter implements WebFilter {
} }
private Mono<DataBuffer> createBuffer(ServerWebExchange exchange) { private Mono<DataBuffer> createBuffer(ServerWebExchange exchange) {
CsrfToken token = exchange.getAttribute(CsrfToken.class.getName()); Mono<CsrfToken> token = exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
return Mono.justOrEmpty(token) return token
.map(LogoutPageGeneratingWebFilter::csrfToken) .map(LogoutPageGeneratingWebFilter::csrfToken)
.defaultIfEmpty("") .defaultIfEmpty("")
.map(csrfTokenHtmlInput -> { .map(csrfTokenHtmlInput -> {

5
web/src/test/java/org/springframework/security/web/reactive/result/view/CsrfRequestDataValueProcessorTests.java
Unescape View File

@ -30,6 +30,7 @@ import java.util.HashMap;
import java.util.Map; import java.util.Map;
import static org.assertj.core.api.Assertions.*; import static org.assertj.core.api.Assertions.*;
import static org.springframework.security.web.reactive.result.view.CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME;
/** /**
* @author Rob Winch * @author Rob Winch
@ -46,7 +47,7 @@ public class CsrfRequestDataValueProcessorTests {
@Before @Before
public void setup() { public void setup() {
this.expected.put(this.token.getParameterName(), this.token.getToken()); this.expected.put(this.token.getParameterName(), this.token.getToken());
this.exchange.getAttributes().put(CsrfToken.class.getName(), this.token); this.exchange.getAttributes().put(DEFAULT_CSRF_ATTR_NAME, this.token);
} }
@Test @Test
@ -122,7 +123,7 @@ public class CsrfRequestDataValueProcessorTests {
@Test @Test
public void createGetExtraHiddenFieldsHasCsrfToken() { public void createGetExtraHiddenFieldsHasCsrfToken() {
CsrfToken token = new DefaultCsrfToken("1", "a", "b"); CsrfToken token = new DefaultCsrfToken("1", "a", "b");
this.exchange.getAttributes().put(CsrfToken.class.getName(), token); this.exchange.getAttributes().put(DEFAULT_CSRF_ATTR_NAME, token);
Map<String, String> expected = new HashMap<String, String>(); Map<String, String> expected = new HashMap<String, String>();
expected.put(token.getParameterName(), token.getToken()); expected.put(token.getParameterName(), token.getToken());

6
web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java
Unescape View File

@ -89,8 +89,6 @@ public class CsrfWebFilterTests {
this.csrfFilter.setCsrfTokenRepository(this.repository); this.csrfFilter.setCsrfTokenRepository(this.repository);
when(this.repository.loadToken(any())) when(this.repository.loadToken(any()))
.thenReturn(Mono.just(this.token)); .thenReturn(Mono.just(this.token));
when(this.repository.generateToken(any()))
.thenReturn(Mono.just(this.token));
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain); Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
@ -106,8 +104,6 @@ public class CsrfWebFilterTests {
this.csrfFilter.setCsrfTokenRepository(this.repository); this.csrfFilter.setCsrfTokenRepository(this.repository);
when(this.repository.loadToken(any())) when(this.repository.loadToken(any()))
.thenReturn(Mono.just(this.token)); .thenReturn(Mono.just(this.token));
when(this.repository.generateToken(any()))
.thenReturn(Mono.just(this.token));
this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/") this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/")
.body(this.token.getParameterName() + "="+this.token.getToken()+"INVALID")); .body(this.token.getParameterName() + "="+this.token.getToken()+"INVALID"));
@ -146,8 +142,6 @@ public class CsrfWebFilterTests {
this.csrfFilter.setCsrfTokenRepository(this.repository); this.csrfFilter.setCsrfTokenRepository(this.repository);
when(this.repository.loadToken(any())) when(this.repository.loadToken(any()))
.thenReturn(Mono.just(this.token)); .thenReturn(Mono.just(this.token));
when(this.repository.generateToken(any()))
.thenReturn(Mono.just(this.token));
this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/") this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/")
.header(this.token.getHeaderName(), this.token.getToken()+"INVALID")); .header(this.token.getHeaderName(), this.token.getToken()+"INVALID"));

24
web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java
Unescape View File

@ -61,9 +61,10 @@ public class WebSessionServerCsrfTokenRepositoryTests {
} }
@Test @Test
public void generateTokenWhenGetTokenThenAddsToSession() { public void saveTokenWhenDefaultThenAddsToSession() {
Mono<CsrfToken> result = this.repository.generateToken(this.exchange); Mono<CsrfToken> result = this.repository.generateToken(this.exchange)
result.block().getToken(); .delayUntil(t-> this.repository.saveToken(this.exchange, t));
result.block();
WebSession session = this.exchange.getSession().block(); WebSession session = this.exchange.getSession().block();
Map<String, Object> attributes = session.getAttributes(); Map<String, Object> attributes = session.getAttributes();
@ -76,7 +77,6 @@ public class WebSessionServerCsrfTokenRepositoryTests {
@Test @Test
public void saveTokenWhenNullThenDeletes() { public void saveTokenWhenNullThenDeletes() {
CsrfToken token = this.repository.generateToken(this.exchange).block(); CsrfToken token = this.repository.generateToken(this.exchange).block();
token.getToken();
Mono<CsrfToken> result = this.repository.saveToken(this.exchange, null); Mono<CsrfToken> result = this.repository.saveToken(this.exchange, null);
StepVerifier.create(result) StepVerifier.create(result)
@ -87,22 +87,6 @@ public class WebSessionServerCsrfTokenRepositoryTests {
assertThat(session.getAttributes()).isEmpty(); assertThat(session.getAttributes()).isEmpty();
} }
@Test
public void generateTokenAndLoadTokenDeleteTokenWhenNullThenDeletes() {
CsrfToken generate = this.repository.generateToken(this.exchange).block();
generate.getToken();
CsrfToken load = this.repository.loadToken(this.exchange).block();
assertThat(load).isEqualTo(generate);
this.repository.saveToken(this.exchange, null).block();
WebSession session = this.exchange.getSession().block();
assertThat(session.getAttributes()).isEmpty();
load = this.repository.loadToken(this.exchange).block();
assertThat(load).isNull();
}
@Test @Test
public void saveTokenChangeSessionId() { public void saveTokenChangeSessionId() {
String originalSessionId = this.exchange.getSession().block().getId(); String originalSessionId = this.exchange.getSession().block().getId();

Write Preview
Loading…
Cancel
Save