Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-02-25 17:06:42 +00:00
Code Issues Packages Projects Releases Wiki Activity
spring-security/0002-Make-Csrf-cookie-secure-flag-configurable-WebFlux.patch

272 lines
12 KiB
Diff
Raw Normal View History

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc.
2021-04-21 16:01:26 -05:00
From e2993d93e109c1a3c9020b7ea9efb6e556751ed4 Mon Sep 17 00:00:00 2001
From: Thomas Vitale <ThomasVitale@users.noreply.github.com>
Date: Mon, 26 Apr 2021 18:13:20 +0200
Subject: [PATCH 2/3] Make Csrf cookie secure flag configurable (WebFlux)
Make the XSRF-TOKEN cookie secure flag configurable in CookieServerCsrfTokenRepository.
Closes gh-9678
---
.../csrf/CookieServerCsrfTokenRepository.java | 30 ++++--
.../CookieServerCsrfTokenRepositoryTests.java | 100 ++++++++++++++++--
2 files changed, 113 insertions(+), 17 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
index 5910ff3e45..bc3a20e711 100644
--- a/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
+++ b/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -34,6 +34,7 @@ import org.springframework.web.server.ServerWebExchange;
* AngularJS. When using with AngularJS be sure to use {@link #withHttpOnlyFalse()} .
*
* @author Eric Deandrea
+ * @author Thomas Vitale
* @since 5.1
*/
public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRepository {
@@ -54,6 +55,8 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
private boolean cookieHttpOnly = true;
+ private Boolean secure;
+
/**
* Factory method to conveniently create an instance that has
* {@link #setCookieHttpOnly(boolean)} set to false.
@@ -75,11 +78,16 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
public Mono<Void> saveToken(ServerWebExchange exchange, CsrfToken token) {
return Mono.fromRunnable(() -> {
String tokenValue = (token != null) ? token.getToken() : "";
- int maxAge = !tokenValue.isEmpty() ? -1 : 0;
- String path = (this.cookiePath != null) ? this.cookiePath : getRequestContext(exchange.getRequest());
- boolean secure = exchange.getRequest().getSslInfo() != null;
- ResponseCookie cookie = ResponseCookie.from(this.cookieName, tokenValue).domain(this.cookieDomain)
- .httpOnly(this.cookieHttpOnly).maxAge(maxAge).path(path).secure(secure).build();
+ // @formatter:off
+ ResponseCookie cookie = ResponseCookie
+ .from(this.cookieName, tokenValue)
+ .domain(this.cookieDomain)
+ .httpOnly(this.cookieHttpOnly)
+ .maxAge(!tokenValue.isEmpty() ? -1 : 0)
+ .path((this.cookiePath != null) ? this.cookiePath : getRequestContext(exchange.getRequest()))
+ .secure((this.secure != null) ? this.secure : (exchange.getRequest().getSslInfo() != null))
+ .build();
+ // @formatter:on
exchange.getResponse().addCookie(cookie);
});
}
@@ -146,6 +154,16 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
this.cookieDomain = cookieDomain;
}
+ /**
+ * Sets the cookie secure flag. If not set, the value depends on
+ * {@link ServerHttpRequest#getSslInfo()}.
+ * @param secure The value for the secure flag
+ * @since 5.5
+ */
+ public void setSecure(boolean secure) {
+ this.secure = secure;
+ }
+
private CsrfToken createCsrfToken() {
return createCsrfToken(createNewToken());
}
diff --git a/web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java b/web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java
index d16f131920..7160337053 100644
--- a/web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,12 +16,15 @@
package org.springframework.security.web.server.csrf;
+import java.security.cert.X509Certificate;
import java.time.Duration;
+import org.junit.Before;
import org.junit.Test;
import org.springframework.http.HttpCookie;
import org.springframework.http.ResponseCookie;
+import org.springframework.http.server.reactive.SslInfo;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.util.StringUtils;
@@ -30,13 +33,14 @@ import static org.assertj.core.api.Assertions.assertThat;
/**
* @author Eric Deandrea
+ * @author Thomas Vitale
* @since 5.1
*/
public class CookieServerCsrfTokenRepositoryTests {
- private MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/someUri"));
+ private CookieServerCsrfTokenRepository csrfTokenRepository;
- private CookieServerCsrfTokenRepository csrfTokenRepository = new CookieServerCsrfTokenRepository();
+ private MockServerHttpRequest.BaseBuilder<?> request;
private String expectedHeaderName = CookieServerCsrfTokenRepository.DEFAULT_CSRF_HEADER_NAME;
@@ -56,6 +60,12 @@ public class CookieServerCsrfTokenRepositoryTests {
private String expectedCookieValue = "csrfToken";
+ @Before
+ public void setUp() {
+ this.csrfTokenRepository = new CookieServerCsrfTokenRepository();
+ this.request = MockServerHttpRequest.get("/someUri");
+ }
+
@Test
public void generateTokenWhenDefaultThenDefaults() {
generateTokenAndAssertExpectedValues();
@@ -82,8 +92,9 @@ public class CookieServerCsrfTokenRepositoryTests {
@Test
public void saveTokenWhenNoSubscriptionThenNotWritten() {
- this.csrfTokenRepository.saveToken(this.exchange, createToken());
- assertThat(this.exchange.getResponse().getCookies().getFirst(this.expectedCookieName)).isNull();
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ this.csrfTokenRepository.saveToken(exchange, createToken());
+ assertThat(exchange.getResponse().getCookies().getFirst(this.expectedCookieName)).isNull();
}
@Test
@@ -112,6 +123,56 @@ public class CookieServerCsrfTokenRepositoryTests {
saveAndAssertExpectedValues(createToken());
}
+ @Test
+ public void saveTokenWhenSslInfoPresentThenSecure() {
+ this.request.sslInfo(new MockSslInfo());
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+ ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+ assertThat(cookie).isNotNull();
+ assertThat(cookie.isSecure()).isTrue();
+ }
+
+ @Test
+ public void saveTokenWhenSslInfoNullThenNotSecure() {
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+ ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+ assertThat(cookie).isNotNull();
+ assertThat(cookie.isSecure()).isFalse();
+ }
+
+ @Test
+ public void saveTokenWhenSecureFlagTrueThenSecure() {
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ this.csrfTokenRepository.setSecure(true);
+ this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+ ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+ assertThat(cookie).isNotNull();
+ assertThat(cookie.isSecure()).isTrue();
+ }
+
+ @Test
+ public void saveTokenWhenSecureFlagFalseThenNotSecure() {
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ this.csrfTokenRepository.setSecure(false);
+ this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+ ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+ assertThat(cookie).isNotNull();
+ assertThat(cookie.isSecure()).isFalse();
+ }
+
+ @Test
+ public void saveTokenWhenSecureFlagFalseAndSslInfoThenNotSecure() {
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ this.request.sslInfo(new MockSslInfo());
+ this.csrfTokenRepository.setSecure(false);
+ this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+ ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+ assertThat(cookie).isNotNull();
+ assertThat(cookie.isSecure()).isFalse();
+ }
+
@Test
public void loadTokenWhenCookieExistThenTokenFound() {
loadAndAssertExpectedValues();
@@ -127,7 +188,8 @@ public class CookieServerCsrfTokenRepositoryTests {
@Test
public void loadTokenWhenNoCookiesThenNullToken() {
- CsrfToken csrfToken = this.csrfTokenRepository.loadToken(this.exchange).block();
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ CsrfToken csrfToken = this.csrfTokenRepository.loadToken(exchange).block();
assertThat(csrfToken).isNull();
}
@@ -180,8 +242,8 @@ public class CookieServerCsrfTokenRepositoryTests {
private void loadAndAssertExpectedValues() {
MockServerHttpRequest.BodyBuilder request = MockServerHttpRequest.post("/someUri")
.cookie(new HttpCookie(this.expectedCookieName, this.expectedCookieValue));
- this.exchange = MockServerWebExchange.from(request);
- CsrfToken csrfToken = this.csrfTokenRepository.loadToken(this.exchange).block();
+ MockServerWebExchange exchange = MockServerWebExchange.from(request);
+ CsrfToken csrfToken = this.csrfTokenRepository.loadToken(exchange).block();
if (StringUtils.hasText(this.expectedCookieValue)) {
assertThat(csrfToken).isNotNull();
assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName);
@@ -198,8 +260,9 @@ public class CookieServerCsrfTokenRepositoryTests {
this.expectedMaxAge = Duration.ofSeconds(0);
this.expectedCookieValue = "";
}
- this.csrfTokenRepository.saveToken(this.exchange, token).block();
- ResponseCookie cookie = this.exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ this.csrfTokenRepository.saveToken(exchange, token).block();
+ ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
assertThat(cookie).isNotNull();
assertThat(cookie.getMaxAge()).isEqualTo(this.expectedMaxAge);
assertThat(cookie.getDomain()).isEqualTo(this.expectedDomain);
@@ -211,7 +274,8 @@ public class CookieServerCsrfTokenRepositoryTests {
}
private void generateTokenAndAssertExpectedValues() {
- CsrfToken csrfToken = this.csrfTokenRepository.generateToken(this.exchange).block();
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ CsrfToken csrfToken = this.csrfTokenRepository.generateToken(exchange).block();
assertThat(csrfToken).isNotNull();
assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName);
assertThat(csrfToken.getParameterName()).isEqualTo(this.expectedParameterName);
@@ -226,4 +290,18 @@ public class CookieServerCsrfTokenRepositoryTests {
return new DefaultCsrfToken(headerName, parameterName, tokenValue);
}
+ static class MockSslInfo implements SslInfo {
+
+ @Override
+ public String getSessionId() {
+ return "sessionId";
+ }
+
+ @Override
+ public X509Certificate[] getPeerCertificates() {
+ return new X509Certificate[] {};
+ }
+
+ }
+
}
--
2.24.1
Reference in New Issue Copy Permalink