mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-07-10 04:13:31 +00:00
SEC-2498: RequestCache allows POST when CSRF is disabled
This commit is contained in:
Rob Winch
parent
d079044592
commit
cb0549a609
@ -15,7 +15,9 @@
|
|||||||
*/
|
*/
|
||||||
package org.springframework.security.config.annotation.web.configurers;
|
package org.springframework.security.config.annotation.web.configurers;
|
||||||
|
|
||||||
|
import java.util.ArrayList;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
import org.springframework.http.MediaType;
|
import org.springframework.http.MediaType;
|
||||||
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
|
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
|
||||||
@ -114,12 +116,13 @@ public final class RequestCacheConfigurer<H extends HttpSecurityBuilder<H>> exte
|
|||||||
return defaultCache;
|
return defaultCache;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@SuppressWarnings("unchecked")
|
||||||
private RequestMatcher createDefaultSavedRequestMatcher(H http) {
|
private RequestMatcher createDefaultSavedRequestMatcher(H http) {
|
||||||
ContentNegotiationStrategy contentNegotiationStrategy = http.getSharedObject(ContentNegotiationStrategy.class);
|
ContentNegotiationStrategy contentNegotiationStrategy = http.getSharedObject(ContentNegotiationStrategy.class);
|
||||||
if(contentNegotiationStrategy == null) {
|
if(contentNegotiationStrategy == null) {
|
||||||
contentNegotiationStrategy = new HeaderContentNegotiationStrategy();
|
contentNegotiationStrategy = new HeaderContentNegotiationStrategy();
|
||||||
}
|
}
|
||||||
RequestMatcher getRequests = new AntPathRequestMatcher("/**", "GET");
|
|
||||||
RequestMatcher notFavIcon = new NegatedRequestMatcher(new AntPathRequestMatcher("/**/favicon.ico"));
|
RequestMatcher notFavIcon = new NegatedRequestMatcher(new AntPathRequestMatcher("/**/favicon.ico"));
|
||||||
|
|
||||||
MediaTypeRequestMatcher jsonRequest = new MediaTypeRequestMatcher(contentNegotiationStrategy, MediaType.APPLICATION_JSON);
|
MediaTypeRequestMatcher jsonRequest = new MediaTypeRequestMatcher(contentNegotiationStrategy, MediaType.APPLICATION_JSON);
|
||||||
@ -127,6 +130,18 @@ public final class RequestCacheConfigurer<H extends HttpSecurityBuilder<H>> exte
|
|||||||
RequestMatcher notJson = new NegatedRequestMatcher(jsonRequest);
|
RequestMatcher notJson = new NegatedRequestMatcher(jsonRequest);
|
||||||
|
|
||||||
RequestMatcher notXRequestedWith = new NegatedRequestMatcher(new RequestHeaderRequestMatcher("X-Requested-With","XMLHttpRequest"));
|
RequestMatcher notXRequestedWith = new NegatedRequestMatcher(new RequestHeaderRequestMatcher("X-Requested-With","XMLHttpRequest"));
|
||||||
return new AndRequestMatcher(getRequests, notFavIcon, notJson, notXRequestedWith);
|
|
||||||
|
boolean isCsrfEnabled = http.getConfigurer(CsrfConfigurer.class) != null;
|
||||||
|
|
||||||
|
List<RequestMatcher> matchers = new ArrayList<RequestMatcher>();
|
||||||
|
if(isCsrfEnabled) {
|
||||||
|
RequestMatcher getRequests = new AntPathRequestMatcher("/**", "GET");
|
||||||
|
matchers.add(0, getRequests);
|
||||||
|
}
|
||||||
|
matchers.add(notFavIcon);
|
||||||
|
matchers.add(notJson);
|
||||||
|
matchers.add(notXRequestedWith);
|
||||||
|
|
||||||
|
return new AndRequestMatcher(matchers);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -102,6 +102,49 @@ class CsrfConfigurerTests extends BaseSpringSpec {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
def "SEC-2498: Disable CSRF enables RequestCache for any method"() {
|
||||||
|
setup:
|
||||||
|
loadConfig(DisableCsrfEnablesRequestCacheConfig)
|
||||||
|
request.requestURI = '/tosave'
|
||||||
|
request.method = "POST"
|
||||||
|
clearCsrfToken()
|
||||||
|
when:
|
||||||
|
springSecurityFilterChain.doFilter(request,response,chain)
|
||||||
|
then:
|
||||||
|
response.redirectedUrl
|
||||||
|
when:
|
||||||
|
super.setupWeb(request.session)
|
||||||
|
request.method = "POST"
|
||||||
|
request.servletPath = '/login'
|
||||||
|
request.parameters['username'] = ['user'] as String[]
|
||||||
|
request.parameters['password'] = ['password'] as String[]
|
||||||
|
springSecurityFilterChain.doFilter(request,response,chain)
|
||||||
|
then:
|
||||||
|
response.redirectedUrl == 'http://localhost/tosave'
|
||||||
|
}
|
||||||
|
|
||||||
|
@Configuration
|
||||||
|
@EnableWebSecurity
|
||||||
|
static class DisableCsrfEnablesRequestCacheConfig extends WebSecurityConfigurerAdapter {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
|
http
|
||||||
|
.authorizeRequests()
|
||||||
|
.anyRequest().authenticated()
|
||||||
|
.and()
|
||||||
|
.formLogin().and()
|
||||||
|
.csrf().disable()
|
||||||
|
|
||||||
|
}
|
||||||
|
@Override
|
||||||
|
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
||||||
|
auth
|
||||||
|
.inMemoryAuthentication()
|
||||||
|
.withUser("user").password("password").roles("USER")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
def "SEC-2422: csrf expire CSRF token and session-management invalid-session-url"() {
|
def "SEC-2422: csrf expire CSRF token and session-management invalid-session-url"() {
|
||||||
setup:
|
setup:
|
||||||
loadConfig(InvalidSessionUrlConfig)
|
loadConfig(InvalidSessionUrlConfig)
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user