Make Csrf cookie secure flag configurable (WebFlux)
Make the XSRF-TOKEN cookie secure flag configurable in CookieServerCsrfTokenRepository. Closes gh-9678
This commit is contained in:
Thomas Vitale
Eleftheria Stein-Kousathana
parent
006b9b9607
commit
e2993d93e1
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -34,6 +34,7 @@ import org.springframework.web.server.ServerWebExchange;
|
|||
* AngularJS. When using with AngularJS be sure to use {@link #withHttpOnlyFalse()} .
|
||||
*
|
||||
* @author Eric Deandrea
|
||||
* @author Thomas Vitale
|
||||
* @since 5.1
|
||||
*/
|
||||
public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRepository {
|
||||
|
|
@ -54,6 +55,8 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
|
|||
|
||||
private boolean cookieHttpOnly = true;
|
||||
|
||||
private Boolean secure;
|
||||
|
||||
/**
|
||||
* Factory method to conveniently create an instance that has
|
||||
* {@link #setCookieHttpOnly(boolean)} set to false.
|
||||
|
|
@ -75,11 +78,16 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
|
|||
public Mono<Void> saveToken(ServerWebExchange exchange, CsrfToken token) {
|
||||
return Mono.fromRunnable(() -> {
|
||||
String tokenValue = (token != null) ? token.getToken() : "";
|
||||
int maxAge = !tokenValue.isEmpty() ? -1 : 0;
|
||||
String path = (this.cookiePath != null) ? this.cookiePath : getRequestContext(exchange.getRequest());
|
||||
boolean secure = exchange.getRequest().getSslInfo() != null;
|
||||
ResponseCookie cookie = ResponseCookie.from(this.cookieName, tokenValue).domain(this.cookieDomain)
|
||||
.httpOnly(this.cookieHttpOnly).maxAge(maxAge).path(path).secure(secure).build();
|
||||
// @formatter:off
|
||||
ResponseCookie cookie = ResponseCookie
|
||||
.from(this.cookieName, tokenValue)
|
||||
.domain(this.cookieDomain)
|
||||
.httpOnly(this.cookieHttpOnly)
|
||||
.maxAge(!tokenValue.isEmpty() ? -1 : 0)
|
||||
.path((this.cookiePath != null) ? this.cookiePath : getRequestContext(exchange.getRequest()))
|
||||
.secure((this.secure != null) ? this.secure : (exchange.getRequest().getSslInfo() != null))
|
||||
.build();
|
||||
// @formatter:on
|
||||
exchange.getResponse().addCookie(cookie);
|
||||
});
|
||||
}
|
||||
|
|
@ -146,6 +154,16 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
|
|||
this.cookieDomain = cookieDomain;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the cookie secure flag. If not set, the value depends on
|
||||
* {@link ServerHttpRequest#getSslInfo()}.
|
||||
* @param secure The value for the secure flag
|
||||
* @since 5.5
|
||||
*/
|
||||
public void setSecure(boolean secure) {
|
||||
this.secure = secure;
|
||||
}
|
||||
|
||||
private CsrfToken createCsrfToken() {
|
||||
return createCsrfToken(createNewToken());
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -16,12 +16,15 @@
|
|||
|
||||
package org.springframework.security.web.server.csrf;
|
||||
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.time.Duration;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.http.HttpCookie;
|
||||
import org.springframework.http.ResponseCookie;
|
||||
import org.springframework.http.server.reactive.SslInfo;
|
||||
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
|
||||
import org.springframework.mock.web.server.MockServerWebExchange;
|
||||
import org.springframework.util.StringUtils;
|
||||
|
|
@ -30,13 +33,14 @@ import static org.assertj.core.api.Assertions.assertThat;
|
|||
|
||||
/**
|
||||
* @author Eric Deandrea
|
||||
* @author Thomas Vitale
|
||||
* @since 5.1
|
||||
*/
|
||||
public class CookieServerCsrfTokenRepositoryTests {
|
||||
|
||||
private MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/someUri"));
|
||||
private CookieServerCsrfTokenRepository csrfTokenRepository;
|
||||
|
||||
private CookieServerCsrfTokenRepository csrfTokenRepository = new CookieServerCsrfTokenRepository();
|
||||
private MockServerHttpRequest.BaseBuilder<?> request;
|
||||
|
||||
private String expectedHeaderName = CookieServerCsrfTokenRepository.DEFAULT_CSRF_HEADER_NAME;
|
||||
|
||||
|
|
@ -56,6 +60,12 @@ public class CookieServerCsrfTokenRepositoryTests {
|
|||
|
||||
private String expectedCookieValue = "csrfToken";
|
||||
|
||||
@Before
|
||||
public void setUp() {
|
||||
this.csrfTokenRepository = new CookieServerCsrfTokenRepository();
|
||||
this.request = MockServerHttpRequest.get("/someUri");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void generateTokenWhenDefaultThenDefaults() {
|
||||
generateTokenAndAssertExpectedValues();
|
||||
|
|
@ -82,8 +92,9 @@ public class CookieServerCsrfTokenRepositoryTests {
|
|||
|
||||
@Test
|
||||
public void saveTokenWhenNoSubscriptionThenNotWritten() {
|
||||
this.csrfTokenRepository.saveToken(this.exchange, createToken());
|
||||
assertThat(this.exchange.getResponse().getCookies().getFirst(this.expectedCookieName)).isNull();
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
this.csrfTokenRepository.saveToken(exchange, createToken());
|
||||
assertThat(exchange.getResponse().getCookies().getFirst(this.expectedCookieName)).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
@ -112,6 +123,56 @@ public class CookieServerCsrfTokenRepositoryTests {
|
|||
saveAndAssertExpectedValues(createToken());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenWhenSslInfoPresentThenSecure() {
|
||||
this.request.sslInfo(new MockSslInfo());
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
|
||||
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
|
||||
assertThat(cookie).isNotNull();
|
||||
assertThat(cookie.isSecure()).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenWhenSslInfoNullThenNotSecure() {
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
|
||||
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
|
||||
assertThat(cookie).isNotNull();
|
||||
assertThat(cookie.isSecure()).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenWhenSecureFlagTrueThenSecure() {
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
this.csrfTokenRepository.setSecure(true);
|
||||
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
|
||||
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
|
||||
assertThat(cookie).isNotNull();
|
||||
assertThat(cookie.isSecure()).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenWhenSecureFlagFalseThenNotSecure() {
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
this.csrfTokenRepository.setSecure(false);
|
||||
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
|
||||
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
|
||||
assertThat(cookie).isNotNull();
|
||||
assertThat(cookie.isSecure()).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenWhenSecureFlagFalseAndSslInfoThenNotSecure() {
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
this.request.sslInfo(new MockSslInfo());
|
||||
this.csrfTokenRepository.setSecure(false);
|
||||
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
|
||||
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
|
||||
assertThat(cookie).isNotNull();
|
||||
assertThat(cookie.isSecure()).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loadTokenWhenCookieExistThenTokenFound() {
|
||||
loadAndAssertExpectedValues();
|
||||
|
|
@ -127,7 +188,8 @@ public class CookieServerCsrfTokenRepositoryTests {
|
|||
|
||||
@Test
|
||||
public void loadTokenWhenNoCookiesThenNullToken() {
|
||||
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(this.exchange).block();
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(exchange).block();
|
||||
assertThat(csrfToken).isNull();
|
||||
}
|
||||
|
||||
|
|
@ -180,8 +242,8 @@ public class CookieServerCsrfTokenRepositoryTests {
|
|||
private void loadAndAssertExpectedValues() {
|
||||
MockServerHttpRequest.BodyBuilder request = MockServerHttpRequest.post("/someUri")
|
||||
.cookie(new HttpCookie(this.expectedCookieName, this.expectedCookieValue));
|
||||
this.exchange = MockServerWebExchange.from(request);
|
||||
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(this.exchange).block();
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(request);
|
||||
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(exchange).block();
|
||||
if (StringUtils.hasText(this.expectedCookieValue)) {
|
||||
assertThat(csrfToken).isNotNull();
|
||||
assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName);
|
||||
|
|
@ -198,8 +260,9 @@ public class CookieServerCsrfTokenRepositoryTests {
|
|||
this.expectedMaxAge = Duration.ofSeconds(0);
|
||||
this.expectedCookieValue = "";
|
||||
}
|
||||
this.csrfTokenRepository.saveToken(this.exchange, token).block();
|
||||
ResponseCookie cookie = this.exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
this.csrfTokenRepository.saveToken(exchange, token).block();
|
||||
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
|
||||
assertThat(cookie).isNotNull();
|
||||
assertThat(cookie.getMaxAge()).isEqualTo(this.expectedMaxAge);
|
||||
assertThat(cookie.getDomain()).isEqualTo(this.expectedDomain);
|
||||
|
|
@ -211,7 +274,8 @@ public class CookieServerCsrfTokenRepositoryTests {
|
|||
}
|
||||
|
||||
private void generateTokenAndAssertExpectedValues() {
|
||||
CsrfToken csrfToken = this.csrfTokenRepository.generateToken(this.exchange).block();
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
CsrfToken csrfToken = this.csrfTokenRepository.generateToken(exchange).block();
|
||||
assertThat(csrfToken).isNotNull();
|
||||
assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName);
|
||||
assertThat(csrfToken.getParameterName()).isEqualTo(this.expectedParameterName);
|
||||
|
|
@ -226,4 +290,18 @@ public class CookieServerCsrfTokenRepositoryTests {
|
|||
return new DefaultCsrfToken(headerName, parameterName, tokenValue);
|
||||
}
|
||||
|
||||
static class MockSslInfo implements SslInfo {
|
||||
|
||||
@Override
|
||||
public String getSessionId() {
|
||||
return "sessionId";
|
||||
}
|
||||
|
||||
@Override
|
||||
public X509Certificate[] getPeerCertificates() {
|
||||
return new X509Certificate[] {};
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue