Steve Riesenberg
parent
1919b4e38b
commit
2ed7cff643
|
|
@ -302,6 +302,7 @@ public class CsrfConfigurerTests {
|
|||
public void loginWhenCustomCsrfTokenRepositoryThenCsrfTokenIsCleared() throws Exception {
|
||||
CsrfTokenRepositoryConfig.REPO = mock(CsrfTokenRepository.class);
|
||||
DefaultCsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
|
||||
given(CsrfTokenRepositoryConfig.REPO.loadToken(any())).willReturn(csrfToken);
|
||||
given(CsrfTokenRepositoryConfig.REPO.loadDeferredToken(any(HttpServletRequest.class),
|
||||
any(HttpServletResponse.class))).willReturn(new TestDeferredCsrfToken(csrfToken));
|
||||
this.spring.register(CsrfTokenRepositoryConfig.class, BasicController.class).autowire();
|
||||
|
|
@ -312,6 +313,7 @@ public class CsrfConfigurerTests {
|
|||
.param("password", "password");
|
||||
// @formatter:on
|
||||
this.mvc.perform(loginRequest).andExpect(redirectedUrl("/"));
|
||||
verify(CsrfTokenRepositoryConfig.REPO).loadToken(any(HttpServletRequest.class));
|
||||
verify(CsrfTokenRepositoryConfig.REPO).saveToken(isNull(), any(HttpServletRequest.class),
|
||||
any(HttpServletResponse.class));
|
||||
}
|
||||
|
|
@ -443,6 +445,7 @@ public class CsrfConfigurerTests {
|
|||
public void loginWhenCsrfTokenRequestAttributeHandlerSetAndNormalCsrfTokenThenSuccess() throws Exception {
|
||||
CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
|
||||
CsrfTokenRepository csrfTokenRepository = mock(CsrfTokenRepository.class);
|
||||
given(csrfTokenRepository.loadToken(any(HttpServletRequest.class))).willReturn(csrfToken);
|
||||
given(csrfTokenRepository.loadDeferredToken(any(HttpServletRequest.class), any(HttpServletResponse.class)))
|
||||
.willReturn(new TestDeferredCsrfToken(csrfToken));
|
||||
CsrfTokenRequestHandlerConfig.REPO = csrfTokenRepository;
|
||||
|
|
@ -456,6 +459,7 @@ public class CsrfConfigurerTests {
|
|||
.param("password", "password");
|
||||
// @formatter:on
|
||||
this.mvc.perform(loginRequest).andExpect(redirectedUrl("/"));
|
||||
verify(csrfTokenRepository).loadToken(any(HttpServletRequest.class));
|
||||
verify(csrfTokenRepository).saveToken(isNull(), any(HttpServletRequest.class), any(HttpServletResponse.class));
|
||||
verify(csrfTokenRepository, times(2)).loadDeferredToken(any(HttpServletRequest.class),
|
||||
any(HttpServletResponse.class));
|
||||
|
|
@ -481,6 +485,7 @@ public class CsrfConfigurerTests {
|
|||
public void loginWhenXorCsrfTokenRequestAttributeHandlerSetAndMaskedCsrfTokenThenSuccess() throws Exception {
|
||||
CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
|
||||
CsrfTokenRepository csrfTokenRepository = mock(CsrfTokenRepository.class);
|
||||
given(csrfTokenRepository.loadToken(any(HttpServletRequest.class))).willReturn(csrfToken);
|
||||
given(csrfTokenRepository.loadDeferredToken(any(HttpServletRequest.class), any(HttpServletResponse.class)))
|
||||
.willReturn(new TestDeferredCsrfToken(csrfToken));
|
||||
CsrfTokenRequestHandlerConfig.REPO = csrfTokenRepository;
|
||||
|
|
@ -497,6 +502,7 @@ public class CsrfConfigurerTests {
|
|||
.param("password", "password");
|
||||
// @formatter:on
|
||||
this.mvc.perform(loginRequest).andExpect(redirectedUrl("/"));
|
||||
verify(csrfTokenRepository).loadToken(any(HttpServletRequest.class));
|
||||
verify(csrfTokenRepository).saveToken(isNull(), any(HttpServletRequest.class), any(HttpServletResponse.class));
|
||||
verify(csrfTokenRepository, times(3)).loadDeferredToken(any(HttpServletRequest.class),
|
||||
any(HttpServletResponse.class));
|
||||
|
|
|
|||
|
|
@ -33,6 +33,7 @@ import org.springframework.util.Assert;
|
|||
* the next request.
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @author Steve Riesenberg
|
||||
* @since 3.2
|
||||
*/
|
||||
public final class CsrfAuthenticationStrategy implements SessionAuthenticationStrategy {
|
||||
|
|
@ -65,10 +66,13 @@ public final class CsrfAuthenticationStrategy implements SessionAuthenticationSt
|
|||
@Override
|
||||
public void onAuthentication(Authentication authentication, HttpServletRequest request,
|
||||
HttpServletResponse response) throws SessionAuthenticationException {
|
||||
boolean containsToken = this.tokenRepository.loadToken(request) != null;
|
||||
if (containsToken) {
|
||||
this.tokenRepository.saveToken(null, request, response);
|
||||
DeferredCsrfToken deferredCsrfToken = this.tokenRepository.loadDeferredToken(request, response);
|
||||
this.requestHandler.handle(request, response, deferredCsrfToken::get);
|
||||
this.logger.debug("Replaced CSRF Token");
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -36,6 +36,7 @@ import static org.mockito.ArgumentMatchers.eq;
|
|||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.never;
|
||||
import static org.mockito.Mockito.times;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyNoMoreInteractions;
|
||||
|
||||
|
|
@ -82,6 +83,7 @@ public class CsrfAuthenticationStrategyTests {
|
|||
|
||||
@Test
|
||||
public void onAuthenticationWhenCustomRequestHandlerThenUsed() {
|
||||
given(this.csrfTokenRepository.loadToken(this.request)).willReturn(this.existingToken);
|
||||
given(this.csrfTokenRepository.loadDeferredToken(this.request, this.response))
|
||||
.willReturn(new TestDeferredCsrfToken(this.existingToken, false));
|
||||
|
||||
|
|
@ -89,16 +91,20 @@ public class CsrfAuthenticationStrategyTests {
|
|||
this.strategy.setRequestHandler(requestHandler);
|
||||
this.strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), this.request,
|
||||
this.response);
|
||||
verify(this.csrfTokenRepository).loadToken(this.request);
|
||||
verify(this.csrfTokenRepository).loadDeferredToken(this.request, this.response);
|
||||
verify(requestHandler).handle(eq(this.request), eq(this.response), any());
|
||||
verifyNoMoreInteractions(requestHandler);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void logoutRemovesCsrfTokenAndLoadsNewDeferredCsrfToken() {
|
||||
given(this.csrfTokenRepository.loadToken(this.request)).willReturn(this.existingToken);
|
||||
given(this.csrfTokenRepository.loadDeferredToken(this.request, this.response))
|
||||
.willReturn(new TestDeferredCsrfToken(this.generatedToken, false));
|
||||
this.strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), this.request,
|
||||
this.response);
|
||||
verify(this.csrfTokenRepository).loadToken(this.request);
|
||||
verify(this.csrfTokenRepository).saveToken(null, this.request, this.response);
|
||||
verify(this.csrfTokenRepository).loadDeferredToken(this.request, this.response);
|
||||
// SEC-2404, SEC-2832
|
||||
|
|
@ -113,6 +119,7 @@ public class CsrfAuthenticationStrategyTests {
|
|||
@Test
|
||||
public void delaySavingCsrf() {
|
||||
this.strategy = new CsrfAuthenticationStrategy(new LazyCsrfTokenRepository(this.csrfTokenRepository));
|
||||
given(this.csrfTokenRepository.loadToken(this.request)).willReturn(this.existingToken, (CsrfToken) null);
|
||||
given(this.csrfTokenRepository.generateToken(this.request)).willReturn(this.generatedToken);
|
||||
this.strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), this.request,
|
||||
this.response);
|
||||
|
|
@ -121,7 +128,7 @@ public class CsrfAuthenticationStrategyTests {
|
|||
any(HttpServletResponse.class));
|
||||
CsrfToken tokenInRequest = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
|
||||
tokenInRequest.getToken();
|
||||
verify(this.csrfTokenRepository).loadToken(this.request);
|
||||
verify(this.csrfTokenRepository, times(2)).loadToken(this.request);
|
||||
verify(this.csrfTokenRepository).generateToken(this.request);
|
||||
verify(this.csrfTokenRepository).saveToken(eq(this.generatedToken), any(HttpServletRequest.class),
|
||||
any(HttpServletResponse.class));
|
||||
|
|
|
|||
Loading…
Reference in New Issue