CookieCsrfTokenRepository supports HttpOnly
CookieCsrfTokenRepository supports HttpOnly Fixes gh-3835 * Add Servlet 3 tests and javadocs Issue gh-3835 * Add copyright header Issue gh-3835
This commit is contained in:
Joe Grandja
Rob Winch
parent
e68d8bfaea
commit
2bdb0231c2
|
|
@ -16,6 +16,7 @@
|
|||
|
||||
package org.springframework.security.web.csrf;
|
||||
|
||||
import java.lang.reflect.Method;
|
||||
import java.util.UUID;
|
||||
|
||||
import javax.servlet.http.Cookie;
|
||||
|
|
@ -23,6 +24,7 @@ import javax.servlet.http.HttpServletRequest;
|
|||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.util.ReflectionUtils;
|
||||
import org.springframework.util.StringUtils;
|
||||
import org.springframework.web.util.WebUtils;
|
||||
|
||||
|
|
@ -47,6 +49,17 @@ public final class CookieCsrfTokenRepository implements CsrfTokenRepository {
|
|||
|
||||
private String cookieName = DEFAULT_CSRF_COOKIE_NAME;
|
||||
|
||||
private final Method setHttpOnlyMethod;
|
||||
|
||||
private boolean cookieHttpOnly;
|
||||
|
||||
public CookieCsrfTokenRepository() {
|
||||
this.setHttpOnlyMethod = ReflectionUtils.findMethod(Cookie.class, "setHttpOnly", boolean.class);
|
||||
if (this.setHttpOnlyMethod != null) {
|
||||
this.cookieHttpOnly = true;
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public CsrfToken generateToken(HttpServletRequest request) {
|
||||
return new DefaultCsrfToken(this.headerName, this.parameterName,
|
||||
|
|
@ -66,6 +79,10 @@ public final class CookieCsrfTokenRepository implements CsrfTokenRepository {
|
|||
else {
|
||||
cookie.setMaxAge(-1);
|
||||
}
|
||||
if (cookieHttpOnly && setHttpOnlyMethod != null) {
|
||||
ReflectionUtils.invokeMethod(setHttpOnlyMethod, cookie, Boolean.TRUE);
|
||||
}
|
||||
|
||||
response.addCookie(cookie);
|
||||
}
|
||||
|
||||
|
|
@ -94,7 +111,7 @@ public final class CookieCsrfTokenRepository implements CsrfTokenRepository {
|
|||
}
|
||||
|
||||
/**
|
||||
* Sets the name of the HTTP header that should be used to provide the token
|
||||
* Sets the name of the HTTP header that should be used to provide the token.
|
||||
*
|
||||
* @param headerName the name of the HTTP header that should be used to provide the
|
||||
* token
|
||||
|
|
@ -105,7 +122,7 @@ public final class CookieCsrfTokenRepository implements CsrfTokenRepository {
|
|||
}
|
||||
|
||||
/**
|
||||
* Sets the name of the cookie that the expected CSRF token is saved to and read from
|
||||
* Sets the name of the cookie that the expected CSRF token is saved to and read from.
|
||||
*
|
||||
* @param cookieName the name of the cookie that the expected CSRF token is saved to
|
||||
* and read from
|
||||
|
|
@ -115,6 +132,22 @@ public final class CookieCsrfTokenRepository implements CsrfTokenRepository {
|
|||
this.cookieName = cookieName;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the HttpOnly attribute on the cookie containing the CSRF token.
|
||||
* The cookie will only be marked as HttpOnly if both <code>cookieHttpOnly</code> is <code>true</code> and the underlying version of Servlet is 3.0 or greater.
|
||||
* Defaults to <code>true</code> if the underlying version of Servlet is 3.0 or greater.
|
||||
* NOTE: The {@link Cookie#setHttpOnly(boolean)} was introduced in Servlet 3.0.
|
||||
*
|
||||
* @param cookieHttpOnly <code>true</code> sets the HttpOnly attribute, <code>false</code> does not set it (depending on Servlet version)
|
||||
* @throws IllegalArgumentException if <code>cookieHttpOnly</code> is <code>true</code> and the underlying version of Servlet is less than 3.0
|
||||
*/
|
||||
public void setCookieHttpOnly(boolean cookieHttpOnly) {
|
||||
if (cookieHttpOnly && setHttpOnlyMethod == null) {
|
||||
throw new IllegalArgumentException("Cookie will not be marked as HttpOnly because you are using a version of Servlet less than 3.0. NOTE: The Cookie#setHttpOnly(boolean) was introduced in Servlet 3.0.");
|
||||
}
|
||||
this.cookieHttpOnly = cookieHttpOnly;
|
||||
}
|
||||
|
||||
private String getCookiePath(HttpServletRequest request) {
|
||||
String contextPath = request.getContextPath();
|
||||
return contextPath.length() > 0 ? contextPath : "/";
|
||||
|
|
|
|||
|
|
@ -0,0 +1,92 @@
|
|||
/*
|
||||
* Copyright 2012-2016 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.web.csrf;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.ArgumentCaptor;
|
||||
import org.mockito.Mock;
|
||||
import org.powermock.core.classloader.annotations.PrepareForTest;
|
||||
import org.powermock.modules.junit4.PowerMockRunner;
|
||||
import org.springframework.util.ReflectionUtils;
|
||||
|
||||
import javax.servlet.http.Cookie;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.lang.reflect.Method;
|
||||
|
||||
import static org.mockito.Matchers.eq;
|
||||
import static org.mockito.Matchers.same;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.*;
|
||||
import static org.powermock.api.mockito.PowerMockito.spy;
|
||||
import static org.powermock.api.mockito.PowerMockito.*;
|
||||
import static org.powermock.api.mockito.PowerMockito.when;
|
||||
|
||||
/**
|
||||
* @author Joe Grandja
|
||||
* @since 4.1
|
||||
*/
|
||||
@RunWith(PowerMockRunner.class)
|
||||
@PrepareForTest({ReflectionUtils.class, Method.class})
|
||||
public class CookieCsrfTokenRepositoryServlet3Tests {
|
||||
|
||||
@Mock
|
||||
private Method method;
|
||||
|
||||
@Test
|
||||
public void httpOnlyServlet30() throws Exception {
|
||||
spy(ReflectionUtils.class);
|
||||
when(ReflectionUtils.findMethod(Cookie.class, "setHttpOnly",
|
||||
boolean.class)).thenReturn(method);
|
||||
|
||||
HttpServletRequest request = mock(HttpServletRequest.class);
|
||||
when(request.getContextPath()).thenReturn("/contextpath");
|
||||
HttpServletResponse response = mock(HttpServletResponse.class);
|
||||
ArgumentCaptor<Cookie> cookie = ArgumentCaptor.forClass(Cookie.class);
|
||||
|
||||
CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository();
|
||||
|
||||
CsrfToken token = repository.generateToken(request);
|
||||
repository.saveToken(token, request, response);
|
||||
|
||||
verify(response).addCookie(cookie.capture());
|
||||
verifyStatic();
|
||||
ReflectionUtils.invokeMethod(same(method), eq(cookie.getValue()), eq(true));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void httpOnlyPreServlet30() throws Exception {
|
||||
spy(ReflectionUtils.class);
|
||||
when(ReflectionUtils.findMethod(Cookie.class, "setHttpOnly",
|
||||
boolean.class)).thenReturn(null);
|
||||
|
||||
HttpServletRequest request = mock(HttpServletRequest.class);
|
||||
when(request.getContextPath()).thenReturn("/contextpath");
|
||||
HttpServletResponse response = mock(HttpServletResponse.class);
|
||||
ArgumentCaptor<Cookie> cookie = ArgumentCaptor.forClass(Cookie.class);
|
||||
|
||||
CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository();
|
||||
|
||||
CsrfToken token = repository.generateToken(request);
|
||||
repository.saveToken(token, request, response);
|
||||
|
||||
verify(response).addCookie(cookie.capture());
|
||||
verifyStatic(never());
|
||||
ReflectionUtils.invokeMethod(same(method), eq(cookie.getValue()), eq(true));
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -16,14 +16,13 @@
|
|||
|
||||
package org.springframework.security.web.csrf;
|
||||
|
||||
import javax.servlet.http.Cookie;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
|
||||
import javax.servlet.http.Cookie;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
/**
|
||||
|
|
@ -84,6 +83,7 @@ public class CookieCsrfTokenRepositoryTests {
|
|||
assertThat(tokenCookie.getPath()).isEqualTo(this.request.getContextPath());
|
||||
assertThat(tokenCookie.getSecure()).isEqualTo(this.request.isSecure());
|
||||
assertThat(tokenCookie.getValue()).isEqualTo(token.getToken());
|
||||
assertThat(tokenCookie.isHttpOnly()).isEqualTo(true);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
@ -114,6 +114,30 @@ public class CookieCsrfTokenRepositoryTests {
|
|||
assertThat(tokenCookie.getValue()).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenHttpOnlyTrue() {
|
||||
this.repository.setCookieHttpOnly(true);
|
||||
CsrfToken token = this.repository.generateToken(this.request);
|
||||
this.repository.saveToken(token, this.request, this.response);
|
||||
|
||||
Cookie tokenCookie = this.response
|
||||
.getCookie(CookieCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME);
|
||||
|
||||
assertThat(tokenCookie.isHttpOnly()).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenHttpOnlyFalse() {
|
||||
this.repository.setCookieHttpOnly(false);
|
||||
CsrfToken token = this.repository.generateToken(this.request);
|
||||
this.repository.saveToken(token, this.request, this.response);
|
||||
|
||||
Cookie tokenCookie = this.response
|
||||
.getCookie(CookieCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME);
|
||||
|
||||
assertThat(tokenCookie.isHttpOnly()).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loadTokenNoCookiesNull() {
|
||||
assertThat(this.repository.loadToken(this.request)).isNull();
|
||||
|
|
|
|||
Loading…
Reference in New Issue