Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-05-31 17:22:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

LogoutPageGeneratingWebFilter Uses Context Path

Browse Source 
Closes gh-11716
This commit is contained in:
Bert Vanwolleghem 2022-08-22 08:47:01 +02:00 committed by Josh Cummings
parent 070dce1baf
commit a5351f3d89
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
2 changed files with 51 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
web/src/main/java/org/springframework/security/web/server/ui/LogoutPageGeneratingWebFilter.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2017 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -58,14 +58,15 @@ public class LogoutPageGeneratingWebFilter implements WebFilter {
private Mono<DataBuffer> createBuffer(ServerWebExchange exchange) { private Mono<DataBuffer> createBuffer(ServerWebExchange exchange) {
Mono<CsrfToken> token = exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty()); Mono<CsrfToken> token = exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
String contextPath = exchange.getRequest().getPath().contextPath().value();
return token.map(LogoutPageGeneratingWebFilter::csrfToken).defaultIfEmpty("").map((csrfTokenHtmlInput) -> { return token.map(LogoutPageGeneratingWebFilter::csrfToken).defaultIfEmpty("").map((csrfTokenHtmlInput) -> {
byte[] bytes = createPage(csrfTokenHtmlInput); byte[] bytes = createPage(csrfTokenHtmlInput, contextPath);
DataBufferFactory bufferFactory = exchange.getResponse().bufferFactory(); DataBufferFactory bufferFactory = exchange.getResponse().bufferFactory();
return bufferFactory.wrap(bytes); return bufferFactory.wrap(bytes);
}); });
} }
private static byte[] createPage(String csrfTokenHtmlInput) { private static byte[] createPage(String csrfTokenHtmlInput, String contextPath) {
StringBuilder page = new StringBuilder(); StringBuilder page = new StringBuilder();
page.append("<!DOCTYPE html>\n"); page.append("<!DOCTYPE html>\n");
page.append("<html lang=\"en\">\n"); page.append("<html lang=\"en\">\n");
@ -82,7 +83,7 @@ public class LogoutPageGeneratingWebFilter implements WebFilter {
page.append(" </head>\n"); page.append(" </head>\n");
page.append(" <body>\n"); page.append(" <body>\n");
page.append(" <div class=\"container\">\n"); page.append(" <div class=\"container\">\n");
page.append(" <form class=\"form-signin\" method=\"post\" action=\"/logout\">\n"); page.append(" <form class=\"form-signin\" method=\"post\" action=\"" + contextPath + "/logout\">\n");
page.append(" <h2 class=\"form-signin-heading\">Are you sure you want to log out?</h2>\n"); page.append(" <h2 class=\"form-signin-heading\">Are you sure you want to log out?</h2>\n");
page.append(csrfTokenHtmlInput); page.append(csrfTokenHtmlInput);
page.append(" <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Log Out</button>\n"); page.append(" <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Log Out</button>\n");

46
web/src/test/java/org/springframework/security/web/server/ui/LogoutPageGeneratingWebFilterTests.java Normal file
View File

@ -0,0 +1,46 @@
/*
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.ui;
import org.junit.jupiter.api.Test;
import reactor.core.publisher.Mono;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import static org.assertj.core.api.Assertions.assertThat;
public class LogoutPageGeneratingWebFilterTests {
@Test
public void filterWhenLogoutWithContextPathThenActionContainsContextPath() throws Exception {
LogoutPageGeneratingWebFilter filter = new LogoutPageGeneratingWebFilter();
MockServerWebExchange exchange = MockServerWebExchange
.from(MockServerHttpRequest.get("/test/logout").contextPath("/test"));
filter.filter(exchange, (e) -> Mono.empty()).block();
assertThat(exchange.getResponse().getBodyAsString().block()).contains("action=\"/test/logout\"");
}
@Test
public void filterWhenLogoutWithNoContextPathThenActionDoesNotContainsContextPath() throws Exception {
LogoutPageGeneratingWebFilter filter = new LogoutPageGeneratingWebFilter();
MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/logout"));
filter.filter(exchange, (e) -> Mono.empty()).block();
assertThat(exchange.getResponse().getBodyAsString().block()).contains("action=\"/logout\"");
}
}