Issue gh-14149
This commit is contained in:
Josh Cummings 2025-05-27 11:17:30 -06:00
parent 1a4de49977
commit 596449d882
2 changed files with 3 additions and 18 deletions


@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -397,7 +397,7 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
}
private static class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
private static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
private final CsrfTokenRequestAttributeHandler plain = new CsrfTokenRequestAttributeHandler();
@ -409,27 +409,12 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, Supplier<CsrfToken> csrfToken) {
/*
* Always use XorCsrfTokenRequestAttributeHandler to provide BREACH protection
* of the CsrfToken when it is rendered in the response body.
*/
this.xor.handle(request, response, csrfToken);
}
@Override
public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
String headerValue = request.getHeader(csrfToken.getHeaderName());
/*
* If the request contains a request header, use
* CsrfTokenRequestAttributeHandler to resolve the CsrfToken. This applies
* when a single-page application includes the header value automatically,
* which was obtained via a cookie containing the raw CsrfToken.
*
* In all other cases (e.g. if the request contains a request parameter), use
* XorCsrfTokenRequestAttributeHandler to resolve the CsrfToken. This applies
* when a server-side rendered form includes the _csrf request parameter as a
* hidden input.
*/
return (StringUtils.hasText(headerValue) ? this.plain : this.xor).resolveCsrfTokenValue(request, csrfToken);
}


@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.