Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add cookieDomain to CookieCsrfTokenRepository 

Fixes: gh-4315
This commit is contained in:
Dongmin Shin 2018-12-12 21:17:54 +09:00 committed by Josh Cummings
parent 2b369cfe98
commit 0d2af416aa
2 changed files with 31 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
View File

@ -55,6 +55,8 @@ public final class CookieCsrfTokenRepository implements CsrfTokenRepository {
private String cookiePath;
private String cookieDomain;
public CookieCsrfTokenRepository() {
this.setHttpOnlyMethod = ReflectionUtils.findMethod(Cookie.class, "setHttpOnly", boolean.class);
if (this.setHttpOnlyMethod != null) {
@ -88,6 +90,9 @@ public final class CookieCsrfTokenRepository implements CsrfTokenRepository {
if (cookieHttpOnly && setHttpOnlyMethod != null) {
ReflectionUtils.invokeMethod(setHttpOnlyMethod, cookie, Boolean.TRUE);
}
if (this.cookieDomain != null && !this.cookieDomain.isEmpty()) {
cookie.setDomain(this.cookieDomain);
}
response.addCookie(cookie);
}
@ -194,4 +199,16 @@ public final class CookieCsrfTokenRepository implements CsrfTokenRepository {
public String getCookiePath() {
return this.cookiePath;
}
/**
* Sets the domain of the cookie that the expected CSRF token is saved to and read from.
*
* @since 5.2
* @param cookieDomain the domain of the cookie that the expected CSRF token is saved to
* and read from
*/
public void setCookieDomain(String cookieDomain) {
this.cookieDomain = cookieDomain;
}
}

14
web/src/test/java/org/springframework/security/web/csrf/CookieCsrfTokenRepositoryTests.java
View File

@ -189,6 +189,20 @@ public class CookieCsrfTokenRepositoryTests {
assertThat(tokenCookie.getPath()).isEqualTo(this.request.getContextPath());
}
@Test
public void saveTokenWithCookieDomain() {
String domainName = "example.com";
this.repository.setCookieDomain(domainName);
CsrfToken token = this.repository.generateToken(this.request);
this.repository.saveToken(token, this.request, this.response);
Cookie tokenCookie = this.response
.getCookie(CookieCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME);
assertThat(tokenCookie.getDomain()).isEqualTo(domainName);
}
@Test
public void loadTokenNoCookiesNull() {
assertThat(this.repository.loadToken(this.request)).isNull();