Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-22 20:12:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-2543: Logout with CSRF enabled requires POST by default

Browse Source
This commit is contained in:
Rob Winch 2014-05-02 11:17:57 -05:00
parent dc7a3b30ea
commit bf918df7a3
2 changed files with 43 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java
View File

@ -294,7 +294,9 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends Ab
} }
if(http.getConfigurer(CsrfConfigurer.class) != null) { if(http.getConfigurer(CsrfConfigurer.class) != null) {
this.logoutRequestMatcher = new AntPathRequestMatcher(this.logoutUrl, "POST"); this.logoutRequestMatcher = new AntPathRequestMatcher(this.logoutUrl, "POST");
} else {
this.logoutRequestMatcher = new AntPathRequestMatcher(this.logoutUrl);
} }
return new AntPathRequestMatcher(this.logoutUrl); return this.logoutRequestMatcher;
} }
} }

40
config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy
View File

@ -15,6 +15,8 @@
*/ */
package org.springframework.security.config.annotation.web.configurers package org.springframework.security.config.annotation.web.configurers
import org.springframework.security.web.util.matcher.AntPathRequestMatcher
import javax.servlet.http.HttpServletResponse import javax.servlet.http.HttpServletResponse
import org.springframework.context.annotation.Configuration import org.springframework.context.annotation.Configuration
@ -336,6 +338,18 @@ class CsrfConfigurerTests extends BaseSpringSpec {
currentAuthentication != null currentAuthentication != null
} }
def "SEC-2543: CSRF means logout requires POST"() {
setup:
loadConfig(LogoutConfig)
login()
request.servletPath = "/logout"
request.method = "GET"
when:
springSecurityFilterChain.doFilter(request,response,chain)
then: "logout with GET is not performed"
currentAuthentication != null
}
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
static class LogoutConfig extends WebSecurityConfigurerAdapter { static class LogoutConfig extends WebSecurityConfigurerAdapter {
@ -348,6 +362,32 @@ class CsrfConfigurerTests extends BaseSpringSpec {
} }
} }
def "CSRF can explicitly enable GET for logout"() {
setup:
loadConfig(LogoutAllowsGetConfig)
login()
request.servletPath = "/logout"
request.method = "GET"
when:
springSecurityFilterChain.doFilter(request,response,chain)
then: "logout with GET is not performed"
currentAuthentication == null
}
@Configuration
@EnableWebSecurity
static class LogoutAllowsGetConfig extends WebSecurityConfigurerAdapter {
static AccessDeniedHandler deniedHandler
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin().and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
}
}
def "csrf disables POST requests from RequestCache"() { def "csrf disables POST requests from RequestCache"() {
setup: setup:
CsrfDisablesPostRequestFromRequestCacheConfig.repo = Mock(CsrfTokenRepository) CsrfDisablesPostRequestFromRequestCacheConfig.repo = Mock(CsrfTokenRepository)