SEC-2404: CsrfAuthenticationStrategy creates new valid CsrfToken
This commit is contained in:
parent
5a59c74d02
commit
59e13e7bbb
|
@ -51,6 +51,11 @@ public final class CsrfAuthenticationStrategy implements
|
||||||
public void onAuthentication(Authentication authentication,
|
public void onAuthentication(Authentication authentication,
|
||||||
HttpServletRequest request, HttpServletResponse response)
|
HttpServletRequest request, HttpServletResponse response)
|
||||||
throws SessionAuthenticationException {
|
throws SessionAuthenticationException {
|
||||||
|
boolean containsToken = this.csrfTokenRepository.loadToken(request) != null;
|
||||||
|
if(containsToken) {
|
||||||
|
CsrfToken newToken = this.csrfTokenRepository.generateToken(request);
|
||||||
this.csrfTokenRepository.saveToken(null, request, response);
|
this.csrfTokenRepository.saveToken(null, request, response);
|
||||||
|
this.csrfTokenRepository.saveToken(newToken, request, response);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -15,7 +15,14 @@
|
||||||
*/
|
*/
|
||||||
package org.springframework.security.web.csrf;
|
package org.springframework.security.web.csrf;
|
||||||
|
|
||||||
|
import static org.mockito.Matchers.any;
|
||||||
|
import static org.mockito.Matchers.eq;
|
||||||
|
import static org.mockito.Mockito.never;
|
||||||
import static org.mockito.Mockito.verify;
|
import static org.mockito.Mockito.verify;
|
||||||
|
import static org.mockito.Mockito.when;
|
||||||
|
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
@ -41,11 +48,17 @@ public class CsrfAuthenticationStrategyTests {
|
||||||
|
|
||||||
private CsrfAuthenticationStrategy strategy;
|
private CsrfAuthenticationStrategy strategy;
|
||||||
|
|
||||||
|
private CsrfToken existingToken;
|
||||||
|
|
||||||
|
private CsrfToken generatedToken;
|
||||||
|
|
||||||
@Before
|
@Before
|
||||||
public void setup() {
|
public void setup() {
|
||||||
request = new MockHttpServletRequest();
|
request = new MockHttpServletRequest();
|
||||||
response = new MockHttpServletResponse();
|
response = new MockHttpServletResponse();
|
||||||
strategy = new CsrfAuthenticationStrategy(csrfTokenRepository);
|
strategy = new CsrfAuthenticationStrategy(csrfTokenRepository);
|
||||||
|
existingToken = new DefaultCsrfToken("_csrf", "_csrf", "1");
|
||||||
|
generatedToken = new DefaultCsrfToken("_csrf", "_csrf", "2");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test(expected = IllegalArgumentException.class)
|
@Test(expected = IllegalArgumentException.class)
|
||||||
|
@ -54,11 +67,21 @@ public class CsrfAuthenticationStrategyTests {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void logoutRemovesCsrfToken() {
|
public void logoutRemovesCsrfTokenAndSavesNew() {
|
||||||
strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"),request, response);
|
when(csrfTokenRepository.loadToken(request)).thenReturn(existingToken);
|
||||||
|
when(csrfTokenRepository.generateToken(request)).thenReturn(generatedToken);
|
||||||
|
strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), request, response);
|
||||||
|
|
||||||
verify(csrfTokenRepository).saveToken(null, request, response);
|
verify(csrfTokenRepository).saveToken(null, request, response);
|
||||||
|
// SEC-2404
|
||||||
|
verify(csrfTokenRepository).saveToken(eq(generatedToken), eq(request), eq(response));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void logoutRemovesNoActionIfNullToken() {
|
||||||
|
strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), request, response);
|
||||||
|
|
||||||
|
verify(csrfTokenRepository,never()).saveToken(any(CsrfToken.class), any(HttpServletRequest.class), any(HttpServletResponse.class));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue