Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-04 09:42:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '6.3.x' into 6.4.x

Browse Source 
Closes gh-16844
This commit is contained in:
Steve Riesenberg 2025-03-28 16:34:01 -05:00
commit 26c63aeb01
No known key found for this signature in database
GPG Key ID: 3D0169B18AB8F0A9
2 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java
View File

@ -183,6 +183,9 @@ public class CsrfBeanDefinitionParser implements BeanDefinitionParser {
BeanDefinitionBuilder csrfAuthenticationStrategy = BeanDefinitionBuilder
.rootBeanDefinition(CsrfAuthenticationStrategy.class);
csrfAuthenticationStrategy.addConstructorArgReference(this.csrfRepositoryRef);
if (StringUtils.hasText(this.requestHandlerRef)) {
csrfAuthenticationStrategy.addPropertyReference("requestHandler", this.requestHandlerRef);
}
return csrfAuthenticationStrategy.getBeanDefinition();
}

37
config/src/test/java/org/springframework/security/config/http/CsrfConfigTests.java
View File

@ -336,6 +336,43 @@ public class CsrfConfigTests {
// @formatter:on
}
@Test
public void postWhenUsingCsrfAndXorCsrfTokenRequestAttributeHandlerThenCsrfAuthenticationStrategyUses()
throws Exception {
this.spring.configLocations(this.xml("WithXorCsrfTokenRequestAttributeHandler"), this.xml("shared-controllers"))
.autowire();
// @formatter:off
MvcResult mvcResult1 = this.mvc.perform(get("/csrf"))
.andExpect(status().isOk())
.andReturn();
// @formatter:on
MockHttpServletRequest request1 = mvcResult1.getRequest();
MockHttpSession session = (MockHttpSession) request1.getSession();
CsrfTokenRepository repository = WebTestUtils.getCsrfTokenRepository(request1);
// @formatter:off
MockHttpServletRequestBuilder login = post("/login")
.param("username", "user")
.param("password", "password")
.session(session)
.with(csrf());
this.mvc.perform(login)
.andExpect(status().is3xxRedirection())
.andExpect(redirectedUrl("/"));
// @formatter:on
assertThat(repository.loadToken(request1)).isNull();
// @formatter:off
MvcResult mvcResult2 = this.mvc.perform(get("/csrf").session(session))
.andExpect(status().isOk())
.andReturn();
// @formatter:on
MockHttpServletRequest request2 = mvcResult2.getRequest();
CsrfToken csrfToken = repository.loadToken(request2);
CsrfToken csrfTokenAttribute = (CsrfToken) request2.getAttribute(CsrfToken.class.getName());
assertThat(csrfTokenAttribute).isNotNull();
assertThat(csrfTokenAttribute.getToken()).isNotBlank();
assertThat(csrfTokenAttribute.getToken()).isNotEqualTo(csrfToken.getToken());
}
@Test
public void postWhenHasCsrfTokenButSessionExpiresThenRequestIsCancelledAfterSuccessfulAuthentication()
throws Exception {