Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-25 21:42:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-2036: Set cookie path to / when default context path in CookieClearingLogoutHandler

Browse Source
This commit is contained in:
Rob Winch 2012-09-19 11:29:55 -05:00
parent c53fd99430
commit 0a2fa03160
2 changed files with 22 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
View File

@ -7,6 +7,7 @@ import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
/** /**
* A logout handler which clears a defined list of cookies, using the context path as the * A logout handler which clears a defined list of cookies, using the context path as the
@ -26,7 +27,11 @@ public final class CookieClearingLogoutHandler implements LogoutHandler {
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) { public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
for (String cookieName : cookiesToClear) { for (String cookieName : cookiesToClear) {
Cookie cookie = new Cookie(cookieName, null); Cookie cookie = new Cookie(cookieName, null);
cookie.setPath(request.getContextPath()); String cookiePath = request.getContextPath();
if(!StringUtils.hasLength(cookiePath)) {
cookiePath = "/";
}
cookie.setPath(cookiePath);
cookie.setMaxAge(0); cookie.setMaxAge(0);
response.addCookie(cookie); response.addCookie(cookie);
} }

16
web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
View File

@ -14,6 +14,22 @@ import org.springframework.security.core.Authentication;
* @author Luke Taylor * @author Luke Taylor
*/ */
public class CookieClearingLogoutHandlerTests { public class CookieClearingLogoutHandlerTests {
// SEC-2036
@Test
public void emptyContextRootIsConverted() {
MockHttpServletResponse response = new MockHttpServletResponse();
MockHttpServletRequest request = new MockHttpServletRequest();
request.setContextPath("");
CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler("my_cookie");
handler.logout(request, response, mock(Authentication.class));
assertEquals(1, response.getCookies().length);
for (Cookie c : response.getCookies()) {
assertEquals("/", c.getPath());
assertEquals(0, c.getMaxAge());
}
}
@Test @Test
public void configuredCookiesAreCleared() { public void configuredCookiesAreCleared() {
MockHttpServletResponse response = new MockHttpServletResponse(); MockHttpServletResponse response = new MockHttpServletResponse();