Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-01 09:42:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '6.1.x'

Browse Source 
Closes gh-13748
This commit is contained in:
Josh Cummings 2023-08-28 17:04:25 -06:00
commit 0d70a7f508
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
2 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
View File

@ -178,7 +178,7 @@ public final class CookieCsrfTokenRepository implements CsrfTokenRepository {
*/ */
public static CookieCsrfTokenRepository withHttpOnlyFalse() { public static CookieCsrfTokenRepository withHttpOnlyFalse() {
CookieCsrfTokenRepository result = new CookieCsrfTokenRepository(); CookieCsrfTokenRepository result = new CookieCsrfTokenRepository();
result.setCookieCustomizer((cookie) -> cookie.httpOnly(false)); result.cookieHttpOnly = false;
return result; return result;
} }

13
web/src/test/java/org/springframework/security/web/csrf/CookieCsrfTokenRepositoryTests.java
View File

@ -423,6 +423,19 @@ class CookieCsrfTokenRepositoryTests {
assertThat(((MockCookie) tokenCookie).getSameSite()).isEqualTo(sameSitePolicy); assertThat(((MockCookie) tokenCookie).getSameSite()).isEqualTo(sameSitePolicy);
} }
// gh-13659
@Test
void withHttpOnlyFalseWhenCookieCustomizerThenStillDefaultsToFalse() {
CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();
repository.setCookieCustomizer((customizer) -> customizer.maxAge(1000));
CsrfToken token = repository.generateToken(this.request);
repository.saveToken(token, this.request, this.response);
Cookie tokenCookie = this.response.getCookie(CookieCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME);
assertThat(tokenCookie).isNotNull();
assertThat(tokenCookie.getMaxAge()).isEqualTo(1000);
assertThat(tokenCookie.isHttpOnly()).isEqualTo(Boolean.FALSE);
}
@Test @Test
void setCookieNameNullIllegalArgumentException() { void setCookieNameNullIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.repository.setCookieName(null)); assertThatIllegalArgumentException().isThrownBy(() -> this.repository.setCookieName(null));