Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-05 18:22:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

CookieClearingLogoutHandler enhancement

Browse Source 
Enabled the ability to pass in an array of Cookies to support clearing cookies on a different path other than the default context path
Issue: gh-6078
This commit is contained in:
John Coyne 2018-11-19 20:39:23 -06:00 committed by Rob Winch
parent bcee22d2f9
commit d05ad19276
2 changed files with 65 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2016 the original author or authors. * Copyright 2002-2018 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -24,28 +24,49 @@ import org.springframework.security.core.Authentication;
import org.springframework.util.Assert; import org.springframework.util.Assert;
/** /**
* A logout handler which clears a defined list of cookies, using the context path as the * A logout handler which clears either
* cookie path. * - A defined list of cookie names, using the context path as the cookie path
* OR
* - A given list of Cookies
* *
* @author Luke Taylor * @author Luke Taylor
* @since 3.1 * @since 3.1
*/ */
public final class CookieClearingLogoutHandler implements LogoutHandler { public final class CookieClearingLogoutHandler implements LogoutHandler {
private final List<String> cookiesToClear; private final List<Object> cookiesToClear;
public CookieClearingLogoutHandler(String... cookiesToClear) { public CookieClearingLogoutHandler(String... cookiesToClear) {
Assert.notNull(cookiesToClear, "List of cookies cannot be null"); Assert.notNull(cookiesToClear, "List of cookies cannot be null");
this.cookiesToClear = Arrays.asList(cookiesToClear); this.cookiesToClear = Arrays.asList((Object[]) cookiesToClear);
}
/**
* @since 5.X
* @param cookiesToClear - One or more Cookie objects that must have maxAge of 0
*/
public CookieClearingLogoutHandler(Cookie... cookiesToClear) {
Assert.notNull(cookiesToClear, "List of cookies cannot be null");
List<Object> cookieList = new ArrayList<Object>();
for (Cookie cookie : cookiesToClear) {
Assert.isTrue(cookie.getMaxAge() == 0, "Cookie maxAge must be 0");
cookieList.add(cookie);
}
this.cookiesToClear = cookieList;
} }
public void logout(HttpServletRequest request, HttpServletResponse response, public void logout(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) { Authentication authentication) {
for (String cookieName : cookiesToClear) { for (Object cookie : cookiesToClear) {
Cookie cookie = new Cookie(cookieName, null); Cookie realCookie = null;
if (cookie instanceof String) {
realCookie = new Cookie((String) cookie, null);
String cookiePath = request.getContextPath() + "/"; String cookiePath = request.getContextPath() + "/";
cookie.setPath(cookiePath); realCookie.setPath(cookiePath);
cookie.setMaxAge(0); realCookie.setMaxAge(0);
response.addCookie(cookie); }else if (cookie instanceof Cookie){
realCookie = (Cookie) cookie;
}
response.addCookie(realCookie);
} }
} }
} }

34
web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
View File

@ -15,7 +15,7 @@
*/ */
package org.springframework.security.web.authentication.logout; package org.springframework.security.web.authentication.logout;
import static org.assertj.core.api.Assertions.*; import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import javax.servlet.http.Cookie; import javax.servlet.http.Cookie;
@ -60,4 +60,36 @@ public class CookieClearingLogoutHandlerTests {
assertThat(c.getMaxAge()).isZero(); assertThat(c.getMaxAge()).isZero();
} }
} }
@Test
public void passedInCookiesAreCleared() {
MockHttpServletResponse response = new MockHttpServletResponse();
MockHttpServletRequest request = new MockHttpServletRequest();
request.setContextPath("/foo/bar");
Cookie cookie1 = new Cookie("my_cookie",null);
cookie1.setPath("/foo");
cookie1.setMaxAge(0);
Cookie cookie2 = new Cookie("my_cookie_too",null);
cookie2.setPath("/foo");
cookie2.setMaxAge(0);
CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler(cookie1, cookie2);
handler.logout(request, response, mock(Authentication.class));
assertThat(response.getCookies()).hasSize(2);
for (Cookie c : response.getCookies()) {
assertThat(c.getPath()).isEqualTo("/foo");
assertThat(c.getMaxAge()).isZero();
}
}
@Test(expected=IllegalArgumentException.class)
public void invalidAge() {
MockHttpServletResponse response = new MockHttpServletResponse();
MockHttpServletRequest request = new MockHttpServletRequest();
request.setContextPath("/foo/bar");
Cookie cookie1 = new Cookie("my_cookie",null);
cookie1.setPath("/foo");
cookie1.setMaxAge(100);
CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler(cookie1);
handler.logout(request, response, mock(Authentication.class));
}
} }