Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-05-31 09:12:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

DeferredCsrfToken Implements Supplier

Browse Source 
Closes gh-16870

Signed-off-by: Daeho Kwon <trewq231@naver.com>
This commit is contained in:
Daeho Kwon 2025-04-09 00:38:49 +09:00 committed by Josh Cummings
parent 43ef4262da
commit 9908d96644
No known key found for this signature in database
GPG Key ID: 869B37A20E876129
6 changed files with 13 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -87,7 +87,7 @@ public class SessionManagementConfigurerServlet31Tests {
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
DeferredCsrfToken deferredCsrfToken = repository.loadDeferredToken(request, this.response);
handler.handle(request, this.response, deferredCsrfToken::get);
handler.handle(request, this.response, deferredCsrfToken);
CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
request.setParameter(token.getParameterName(), token.getToken());
request.getSession().setAttribute("attribute1", "value1");

2
test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java
View File

@ -524,7 +524,7 @@ public final class SecurityMockMvcRequestPostProcessors {
TestCsrfTokenRepository.enable(request);
MockHttpServletResponse response = new MockHttpServletResponse();
DeferredCsrfToken deferredCsrfToken = repository.loadDeferredToken(request, response);
handler.handle(request, response, deferredCsrfToken::get);
handler.handle(request, response, deferredCsrfToken);
CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
String tokenValue = this.useInvalidToken ? INVALID_TOKEN_VALUE : token.getToken();
if (this.asHeader) {

2
test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsCsrfTests.java
View File

@ -164,7 +164,7 @@ public class SecurityMockMvcRequestPostProcessorsCsrfTests {
HttpSessionCsrfTokenRepository repo = new HttpSessionCsrfTokenRepository();
CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
DeferredCsrfToken deferredCsrfToken = repo.loadDeferredToken(request, response);
handler.handle(request, response, deferredCsrfToken::get);
handler.handle(request, response, deferredCsrfToken);
CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
MockHttpServletRequestBuilder requestWithCsrf = post("/")
.param(token.getParameterName(), token.getToken())

4
web/src/main/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategy.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -69,7 +69,7 @@ public final class CsrfAuthenticationStrategy implements SessionAuthenticationSt
if (containsToken) {
this.tokenRepository.saveToken(null, request, response);
DeferredCsrfToken deferredCsrfToken = this.tokenRepository.loadDeferredToken(request, response);
this.requestHandler.handle(request, response, deferredCsrfToken::get);
this.requestHandler.handle(request, response, deferredCsrfToken);
this.logger.debug("Replaced CSRF Token");
}
}

4
web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -108,7 +108,7 @@ public final class CsrfFilter extends OncePerRequestFilter {
throws ServletException, IOException {
DeferredCsrfToken deferredCsrfToken = this.tokenRepository.loadDeferredToken(request, response);
request.setAttribute(DeferredCsrfToken.class.getName(), deferredCsrfToken);
this.requestHandler.handle(request, response, deferredCsrfToken::get);
this.requestHandler.handle(request, response, deferredCsrfToken);
if (!this.requireCsrfProtectionMatcher.matches(request)) {
if (this.logger.isTraceEnabled()) {
this.logger.trace("Did not protect against CSRF since request did not match "

7
web/src/main/java/org/springframework/security/web/csrf/DeferredCsrfToken.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -16,14 +16,17 @@
package org.springframework.security.web.csrf;
import java.util.function.Supplier;
/**
* An interface that allows delayed access to a {@link CsrfToken} that may be generated.
*
* @author Rob Winch
* @author Steve Riesenberg
* @author Daeho Kwon
* @since 5.8
*/
public interface DeferredCsrfToken {
public interface DeferredCsrfToken extends Supplier<CsrfToken> {
/**
* Gets the {@link CsrfToken}