Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Set secure on cookie when logging out 

Mark cookie secure flag to ensure cookie identity is the same
This commit is contained in:
Onur Kağan Özcan 2020-01-13 13:01:33 +03:00 committed by Eleftheria Stein-Kousathana
parent 8f1d0cf528
commit 1f6381d970
2 changed files with 29 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2018 the original author or authors. * Copyright 2002-2019 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -32,6 +32,7 @@ import org.springframework.util.Assert;
* - A given list of Cookies * - A given list of Cookies
* *
* @author Luke Taylor * @author Luke Taylor
* @author Onur Kagan Ozcan
* @since 3.1 * @since 3.1
*/ */
public final class CookieClearingLogoutHandler implements LogoutHandler { public final class CookieClearingLogoutHandler implements LogoutHandler {
@ -46,6 +47,7 @@ public final class CookieClearingLogoutHandler implements LogoutHandler {
String cookiePath = request.getContextPath() + "/"; String cookiePath = request.getContextPath() + "/";
cookie.setPath(cookiePath); cookie.setPath(cookiePath);
cookie.setMaxAge(0); cookie.setMaxAge(0);
cookie.setSecure(request.isSecure());
return cookie; return cookie;
}; };
cookieList.add(f); cookieList.add(f);

27
web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2017 the original author or authors. * Copyright 2002-2019 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -27,6 +27,7 @@ import org.springframework.security.core.Authentication;
/** /**
* @author Luke Taylor * @author Luke Taylor
* @author Onur Kagan Ozcan
*/ */
public class CookieClearingLogoutHandlerTests { public class CookieClearingLogoutHandlerTests {
@ -61,6 +62,30 @@ public class CookieClearingLogoutHandlerTests {
} }
} }
@Test
public void configuredCookieIsSecure() {
MockHttpServletResponse response = new MockHttpServletResponse();
MockHttpServletRequest request = new MockHttpServletRequest();
request.setSecure(true);
request.setContextPath("/app");
CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler("my_cookie");
handler.logout(request, response, mock(Authentication.class));
assertThat(response.getCookies()).hasSize(1);
assertThat(response.getCookies()[0].getSecure()).isTrue();
}
@Test
public void configuredCookieIsNotSecure() {
MockHttpServletResponse response = new MockHttpServletResponse();
MockHttpServletRequest request = new MockHttpServletRequest();
request.setSecure(false);
request.setContextPath("/app");
CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler("my_cookie");
handler.logout(request, response, mock(Authentication.class));
assertThat(response.getCookies()).hasSize(1);
assertThat(response.getCookies()[0].getSecure()).isFalse();
}
@Test @Test
public void passedInCookiesAreCleared() { public void passedInCookiesAreCleared() {
MockHttpServletResponse response = new MockHttpServletResponse(); MockHttpServletResponse response = new MockHttpServletResponse();