SEC-2326: CsrfRequestDataValueProcessor implements RequestDataValueProcessor
Previously there was unnecessary complexity in CsrfRequestDataValueProcessor due to the non-passive changes in RequestDataValueProcessor. Now it simply implements the interface with the methods for both versions of the interface. This works since linking happens at runtime.
parent
6f9085dd5d
commit
aaa7cec32e
|
@ -48,6 +48,6 @@ class WebMvcSecurityConfiguration extends WebMvcConfigurerAdapter {
|
|||
|
||||
@Bean
|
||||
public RequestDataValueProcessor requestDataValueProcessor() {
|
||||
return CsrfRequestDataValueProcessor.create();
|
||||
return new CsrfRequestDataValueProcessor();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -59,7 +59,6 @@ public class CsrfBeanDefinitionParser implements BeanDefinitionParser {
|
|||
boolean webmvcPresent = ClassUtils.isPresent(DISPATCHER_SERVLET_CLASS_NAME, getClass().getClassLoader());
|
||||
if(webmvcPresent) {
|
||||
RootBeanDefinition beanDefinition = new RootBeanDefinition(CsrfRequestDataValueProcessor.class);
|
||||
beanDefinition.setFactoryMethodName("create");
|
||||
BeanComponentDefinition componentDefinition =
|
||||
new BeanComponentDefinition(beanDefinition, REQUEST_DATA_VALUE_PROCESSOR);
|
||||
pc.registerBeanComponent(componentDefinition);
|
||||
|
|
|
@ -15,9 +15,6 @@
|
|||
*/
|
||||
package org.springframework.security.web.servlet.support.csrf;
|
||||
|
||||
import java.lang.reflect.InvocationHandler;
|
||||
import java.lang.reflect.Method;
|
||||
import java.lang.reflect.Proxy;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
@ -26,7 +23,6 @@ import java.util.regex.Pattern;
|
|||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.springframework.security.web.csrf.CsrfToken;
|
||||
import org.springframework.util.ReflectionUtils;
|
||||
import org.springframework.web.servlet.support.RequestDataValueProcessor;
|
||||
|
||||
/**
|
||||
|
@ -36,7 +32,7 @@ import org.springframework.web.servlet.support.RequestDataValueProcessor;
|
|||
* @author Rob Winch
|
||||
* @since 3.2
|
||||
*/
|
||||
public final class CsrfRequestDataValueProcessor {
|
||||
public final class CsrfRequestDataValueProcessor implements RequestDataValueProcessor {
|
||||
private Pattern DISABLE_CSRF_TOKEN_PATTERN = Pattern.compile("(?i)^(GET|HEAD|TRACE|OPTIONS)$");
|
||||
|
||||
private String DISABLE_CSRF_TOKEN_ATTR = "DISABLE_CSRF_TOKEN_ATTR";
|
||||
|
@ -78,54 +74,4 @@ public final class CsrfRequestDataValueProcessor {
|
|||
public String processUrl(HttpServletRequest request, String url) {
|
||||
return url;
|
||||
}
|
||||
|
||||
CsrfRequestDataValueProcessor() {}
|
||||
|
||||
/**
|
||||
* Creates an instance of {@link CsrfRequestDataValueProcessor} that
|
||||
* implements {@link RequestDataValueProcessor}. This is necessary to ensure
|
||||
* compatibility between Spring 3 and Spring 4.
|
||||
*
|
||||
* @return an instance of {@link CsrfRequestDataValueProcessor} that
|
||||
* implements {@link RequestDataValueProcessor}
|
||||
*/
|
||||
public static RequestDataValueProcessor create() {
|
||||
CsrfRequestDataValueProcessor target= new CsrfRequestDataValueProcessor();
|
||||
ClassLoader classLoader = CsrfRequestDataValueProcessor.class.getClassLoader();
|
||||
Class<?>[] interfaces = new Class[] { RequestDataValueProcessor.class};
|
||||
TypeConversionInterceptor interceptor = new TypeConversionInterceptor(target);
|
||||
return (RequestDataValueProcessor) Proxy.newProxyInstance(classLoader, interfaces, interceptor);
|
||||
}
|
||||
|
||||
/**
|
||||
* An {@link InvocationHandler} that assumes the target has all the method
|
||||
* defined on it, but the target does not implement the interface. This is
|
||||
* necessary to deal with the fact that Spring 3 and Spring 4 have different
|
||||
* definitions for the {@link RequestDataValueProcessor} interface.
|
||||
*
|
||||
* @author Rob Winch
|
||||
*/
|
||||
private static class TypeConversionInterceptor implements InvocationHandler {
|
||||
|
||||
private final Object target;
|
||||
|
||||
public TypeConversionInterceptor(Object target) {
|
||||
this.target = target;
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see java.lang.reflect.InvocationHandler#invoke(java.lang.Object, java.lang.reflect.Method, java.lang.Object[])
|
||||
*/
|
||||
public Object invoke(Object proxy, Method method, Object[] args)
|
||||
throws Throwable {
|
||||
Method methodToInvoke = ReflectionUtils.findMethod(target.getClass(), method.getName(), method.getParameterTypes());
|
||||
return methodToInvoke.invoke(target, args);
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "RequestDataValueProcessorInterceptor [target=" + target
|
||||
+ "]";
|
||||
}
|
||||
}
|
||||
}
|
||||
}
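Review bot: Removing `create()` also removes the only Javadoc that explained the Spring 3 / Spring 4 compatibility concern, and the class Javadoc ending at `@since 3.2` gains nothing to replace it. The class now implements `RequestDataValueProcessor` directly and, per the commit description, carries the methods of both interface versions, so I would add to the class Javadoc something like `Declares the methods of both the Spring 3 and Spring 4 versions of {@link RequestDataValueProcessor}; the variant absent from the interface on the classpath cannot carry {@code @Override} and must not be removed as unused.` Those methods lie outside the hunks shown, so this is inferred from the description rather than from visible code. Separately, `DISABLE_CSRF_TOKEN_PATTERN` and `DISABLE_CSRF_TOKEN_ATTR` are named like constants but declared as mutable instance fields; `private static final` would match the naming, avoid recompiling the pattern per instance, and keep the values that apparently decide when the token is omitted immutable.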
|
|
@ -126,7 +126,7 @@ public class CsrfRequestDataValueProcessorTests {
|
|||
Map<String,String> expected = new HashMap<String,String>();
|
||||
expected.put(token.getParameterName(),token.getToken());
|
||||
|
||||
RequestDataValueProcessor processor = CsrfRequestDataValueProcessor.create();
|
||||
RequestDataValueProcessor processor = new CsrfRequestDataValueProcessor();
|
||||
assertThat(processor.getExtraHiddenFields(request)).isEqualTo(expected);
|
||||
}
|
||||
}
|
||||
|
|