SEC-2325: Polish CSRF Tag support

- Rename csrfField to csrfInput
- Make AbstractCsrfTag package scope
- rename FormFieldTag to CsrfInputTag
- rename MetaTagsTag to CsrfMetaTagsTag
- removed whitespace from tag output so output is
  minimized, improving browser performance
- Update @since
- changed test names to be more meaningful
This commit is contained in:
Rob Winch 2014-03-07 15:25:57 -06:00
parent a3e0475998
commit 32d3e29c65
8 changed files with 39 additions and 39 deletions


@ -3139,7 +3139,7 @@ The last step is to ensure that you include the CSRF token in all PATCH, POST, P
</form>
----
An easier approach is to use <<the-csrffield-tag,the csrfField tag>> from the Spring Security JSP tag library.
An easier approach is to use <<the-csrfInput-tag,the csrfInput tag>> from the Spring Security JSP tag library.
[NOTE]
====
@ -5037,17 +5037,17 @@ The permissions are passed to the `PermissionFactory` defined in the application
This tag also supports the `var` attribute, in the same way as the `authorize` tag.
=== The csrfField Tag
=== The csrfInput Tag
If CSRF protection is enabled, this tag inserts a hidden form field with the correct name and value for the CSRF protection token. If CSRF protection is not enabled, this tag outputs nothing.
Normally Spring Security automatically inserts a CSRF form field for any `<form:form>` tags you use, but if for some reason you cannot use `<form:form>`, `csrfField` is a handy replacement.
Normally Spring Security automatically inserts a CSRF form field for any `<form:form>` tags you use, but if for some reason you cannot use `<form:form>`, `csrfInput` is a handy replacement.
You should place this tag within an HTML `<form></form>` block, where you would normally place other input fields. Do NOT place this tag within a Spring `<form:form></form:form>` block—Spring Security handles Spring forms automatically.
[source,xml]
----
<form method="post" action="/do/something">
<sec:csrfField />
<sec:csrfInput />
Name:<br />
<input type="text" name="name" />
...


@ -25,10 +25,10 @@ import java.io.IOException;
/**
* An abstract tag for handling CSRF operations.
*
* @since 3.2.1
* @since 3.2.2
* @author Nick Williams
*/
public abstract class AbstractCsrfTag extends TagSupport {
abstract class AbstractCsrfTag extends TagSupport {
@Override
public int doEndTag() throws JspException {


@ -22,14 +22,14 @@ import org.springframework.security.web.csrf.CsrfToken;
* A JSP tag that prints out a hidden form field for the CSRF token. See the JSP Tab Library documentation for more
* information.
*
* @since 3.2.1
* @since 3.2.2
* @author Nick Williams
*/
public class FormFieldTag extends AbstractCsrfTag {
public class CsrfInputTag extends AbstractCsrfTag {
@Override
public String handleToken(CsrfToken token) {
return "<input type=\"hidden\" name=\"" + token.getParameterName() + "\" value=\"" + token.getToken() +
"\" />\n";
"\" />";
}
}
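Review bot: `handleToken` still interpolates `token.getParameterName()` and `token.getToken()` straight into double-quoted attribute values with no escaping; the commit only drops the trailing `\n`. The values are presumably server-generated and attribute-safe for the shipped `CsrfToken` implementations, but the tag accepts any `CsrfToken`, so a custom repository returning a value containing `"` would produce broken or attribute-injecting markup. Either escape both values, e.g. `HtmlUtils.htmlEscape(token.getParameterName())` and `HtmlUtils.htmlEscape(token.getToken())` if spring-web is on the module's classpath, or state the assumption in the class Javadoc: `The parameter name and token value are written unescaped and are assumed to be attribute-safe.` The same applies to `CsrfMetaTagsTag.handleToken` in the next file section, where `token.getHeaderName()` is emitted unescaped as well.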


@ -22,15 +22,15 @@ import org.springframework.security.web.csrf.CsrfToken;
* A JSP tag that prints out a meta tags holding the CSRF form field name and token value for use in JavaScrip code.
* See the JSP Tab Library documentation for more information.
*
* @since 3.2.1
* @since 3.2.2
* @author Nick Williams
*/
public class MetaTagsTag extends AbstractCsrfTag {
public class CsrfMetaTagsTag extends AbstractCsrfTag {
@Override
public String handleToken(CsrfToken token) {
return "<meta name=\"_csrf_parameter\" content=\"" + token.getParameterName() + "\" />\n" +
" <meta name=\"_csrf_header\" content=\"" + token.getHeaderName() + "\" />\n" +
" <meta name=\"_csrf\" content=\"" + token.getToken() + "\" />\n";
return "<meta name=\"_csrf_parameter\" content=\"" + token.getParameterName() + "\" />" +
"<meta name=\"_csrf_header\" content=\"" + token.getHeaderName() + "\" />" +
"<meta name=\"_csrf\" content=\"" + token.getToken() + "\" />";
}
}
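Review bot: The class Javadoc at the top of this hunk still reads `A JSP tag that prints out a meta tags holding the CSRF form field name and token value for use in JavaScrip code` and `See the JSP Tab Library documentation`; since this commit is polishing the tags, it could fix these to `A JSP tag that prints out meta tags holding the CSRF form field name, header name and token value for use in JavaScript code` and `See the JSP Tag Library documentation`. The header name is worth naming because the body below emits `_csrf_header` from `token.getHeaderName()`, which the current summary omits. The same `JSP Tab Library` typo is in the `CsrfInputTag` Javadoc in the previous file section.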


@ -200,8 +200,8 @@
where you would normally place other <input>s. Do NOT place this tag within a Spring <form:form></form:form>
block—Spring Security handles Spring forms automatically.
]]></description>
<name>csrfField</name>
<tag-class>org.springframework.security.taglibs.csrf.FormFieldTag</tag-class>
<name>csrfInput</name>
<tag-class>org.springframework.security.taglibs.csrf.CsrfInputTag</tag-class>
<body-content>empty</body-content>
</tag>
@ -218,7 +218,7 @@
tag outputs nothing.
]]></description>
<name>csrfMetaTags</name>
<tag-class>org.springframework.security.taglibs.csrf.MetaTagsTag</tag-class>
<tag-class>org.springframework.security.taglibs.csrf.CsrfMetaTagsTag</tag-class>
<body-content>empty</body-content>
</tag>


@ -36,9 +36,9 @@ public class AbstractCsrfTagTests {
}
@Test
public void testDoEndTag01() throws JspException, UnsupportedEncodingException {
public void noCsrfDoesNotRender() throws JspException, UnsupportedEncodingException {
this.tag.handleReturn = "fooBarBazQux";
this.tag.handleReturn = "shouldNotBeRendered";
int returned = this.tag.doEndTag();
@ -47,7 +47,7 @@ public class AbstractCsrfTagTests {
}
@Test
public void testDoEndTag02() throws JspException, UnsupportedEncodingException {
public void hasCsrfRendersReturnedValue() throws JspException, UnsupportedEncodingException {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
this.request.setAttribute(CsrfToken.class.getName(), token);
@ -62,7 +62,7 @@ public class AbstractCsrfTagTests {
}
@Test
public void testDoEndTag03() throws JspException, UnsupportedEncodingException {
public void hasCsrfRendersDifferentValue() throws JspException, UnsupportedEncodingException {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
this.request.setAttribute(CsrfToken.class.getName(), token);


@ -10,36 +10,36 @@ import static org.junit.Assert.*;
/**
* @author Nick Williams
*/
public class FormFieldTagTests {
public class CsrfInputTagTests {
public FormFieldTag tag;
public CsrfInputTag tag;
@Before
public void setUp() {
this.tag = new FormFieldTag();
this.tag = new CsrfInputTag();
}
@Test
public void testHandleToken01() {
public void handleTokenReturnsHiddenInput() {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
String value = this.tag.handleToken(token);
assertNotNull("The returned value should not be null.", value);
assertEquals("The output is not correct.",
"<input type=\"hidden\" name=\"_csrf\" value=\"abc123def456ghi789\" />\n",
"<input type=\"hidden\" name=\"_csrf\" value=\"abc123def456ghi789\" />",
value);
}
@Test
public void testHandleToken() {
public void handleTokenReturnsHiddenInputDifferentTokenValue() {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "csrfParameter", "fooBarBazQux");
String value = this.tag.handleToken(token);
assertNotNull("The returned value should not be null.", value);
assertEquals("The output is not correct.",
"<input type=\"hidden\" name=\"csrfParameter\" value=\"fooBarBazQux\" />\n",
"<input type=\"hidden\" name=\"csrfParameter\" value=\"fooBarBazQux\" />",
value);
}
}


@ -10,40 +10,40 @@ import static org.junit.Assert.*;
/**
* @author Nick Williams
*/
public class MetaTagsTagTests {
public class CsrfMetaTagsTagTests {
public MetaTagsTag tag;
public CsrfMetaTagsTag tag;
@Before
public void setUp() {
this.tag = new MetaTagsTag();
this.tag = new CsrfMetaTagsTag();
}
@Test
public void testHandleToken01() {
public void handleTokenRendersTags() {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
String value = this.tag.handleToken(token);
assertNotNull("The returned value should not be null.", value);
assertEquals("The output is not correct.",
"<meta name=\"_csrf_parameter\" content=\"_csrf\" />\n" +
" <meta name=\"_csrf_header\" content=\"X-Csrf-Token\" />\n" +
" <meta name=\"_csrf\" content=\"abc123def456ghi789\" />\n",
"<meta name=\"_csrf_parameter\" content=\"_csrf\" />" +
"<meta name=\"_csrf_header\" content=\"X-Csrf-Token\" />" +
"<meta name=\"_csrf\" content=\"abc123def456ghi789\" />",
value);
}
@Test
public void testHandleToken02() {
public void handleTokenRendersTagsDifferentToken() {
CsrfToken token = new DefaultCsrfToken("csrfHeader", "csrfParameter", "fooBarBazQux");
String value = this.tag.handleToken(token);
assertNotNull("The returned value should not be null.", value);
assertEquals("The output is not correct.",
"<meta name=\"_csrf_parameter\" content=\"csrfParameter\" />\n" +
" <meta name=\"_csrf_header\" content=\"csrfHeader\" />\n" +
" <meta name=\"_csrf\" content=\"fooBarBazQux\" />\n",
"<meta name=\"_csrf_parameter\" content=\"csrfParameter\" />" +
"<meta name=\"_csrf_header\" content=\"csrfHeader\" />" +
"<meta name=\"_csrf\" content=\"fooBarBazQux\" />",
value);
}
}