Merge branch '6.4.x'

Josh Cummings 2025-04-01 12:02:53 -06:00
commit b7d399ab89
No known key found for this signature in database
GPG Key ID: 869B37A20E876129
2 changed files with 18 additions and 3 deletions


@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -84,7 +84,7 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
*/
public static CookieServerCsrfTokenRepository withHttpOnlyFalse() {
CookieServerCsrfTokenRepository result = new CookieServerCsrfTokenRepository();
result.setCookieCustomizer((cookie) -> cookie.httpOnly(false));
result.cookieHttpOnly = false;
return result;
}
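Review bot: Nothing at `result.cookieHttpOnly = false;` in withHttpOnlyFalse() records why the field is written directly rather than through a customizer, which is the whole reason for the change. Judging by the gh-16820 test in the other file, the `setCookieCustomizer(...)` form was presumably discarded by any later setCookieCustomizer call, so the cookie silently went back to HttpOnly and client script could no longer read the token. I would add `// set the field, not a customizer: a later setCookieCustomizer must not discard httpOnly=false (gh-16820)` above the assignment. The page has lost its +/- markers, so which of the two lines is the new one is inferred from that test, and the method's Javadoc starts outside the hunk.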


@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -290,6 +290,21 @@ class CookieServerCsrfTokenRepositoryTests {
loadAndAssertExpectedValues();
}
// gh-16820
@Test
void withHttpOnlyFalseWhenCookieCustomizerThenStillDefaultsToFalse() {
CookieServerCsrfTokenRepository repository = CookieServerCsrfTokenRepository.withHttpOnlyFalse();
repository.setCookieCustomizer((customizer) -> customizer.maxAge(1000));
MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest.get("/dummy");
MockServerWebExchange exchange = MockServerWebExchange.from(request);
CsrfToken csrfToken = repository.generateToken(exchange).block();
repository.saveToken(exchange, csrfToken).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst("XSRF-TOKEN");
assertThat(cookie).isNotNull();
assertThat(cookie.getMaxAge().getSeconds()).isEqualTo(1000);
assertThat(cookie.isHttpOnly()).isEqualTo(Boolean.FALSE);
}
private void setExpectedHeaderName(String expectedHeaderName) {
this.csrfTokenRepository.setHeaderName(expectedHeaderName);
this.expectedHeaderName = expectedHeaderName;
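Review bot: The precedence between withHttpOnlyFalse() and a customizer that sets HttpOnly itself is left unpinned, because the new test only uses `customizer.maxAge(1000)`, which never touches the attribute. That ordering decides whether the XSRF-TOKEN cookie ends up readable by script, so a companion case with `repository.setCookieCustomizer((customizer) -> customizer.httpOnly(true));` asserting the intended outcome would document it; which value is meant to win is not visible on this page. As a style point, `assertThat(cookie.isHttpOnly()).isFalse();` reads more directly than `isEqualTo(Boolean.FALSE)`. The trailing context method setExpectedHeaderName continues outside the hunk.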