diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
index 5910ff3e45..bc3a20e711 100644
--- a/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
+++ b/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,6 +34,7 @@ import org.springframework.web.server.ServerWebExchange;
  * AngularJS. When using with AngularJS be sure to use {@link #withHttpOnlyFalse()} .
  *
  * @author Eric Deandrea
+ * @author Thomas Vitale
  * @since 5.1
  */
 public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRepository {
@@ -54,6 +55,8 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
 
 	private boolean cookieHttpOnly = true;
 
+	private Boolean secure;
+
 	/**
 	 * Factory method to conveniently create an instance that has
 	 * {@link #setCookieHttpOnly(boolean)} set to false.
@@ -75,11 +78,16 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
 	public Mono saveToken(ServerWebExchange exchange, CsrfToken token) {
 		return Mono.fromRunnable(() -> {
 			String tokenValue = (token != null) ? token.getToken() : "";
-			int maxAge = !tokenValue.isEmpty() ? -1 : 0;
-			String path = (this.cookiePath != null) ? this.cookiePath : getRequestContext(exchange.getRequest());
-			boolean secure = exchange.getRequest().getSslInfo() != null;
-			ResponseCookie cookie = ResponseCookie.from(this.cookieName, tokenValue).domain(this.cookieDomain)
-					.httpOnly(this.cookieHttpOnly).maxAge(maxAge).path(path).secure(secure).build();
+			// @formatter:off
+			ResponseCookie cookie = ResponseCookie
+					.from(this.cookieName, tokenValue)
+					.domain(this.cookieDomain)
+					.httpOnly(this.cookieHttpOnly)
+					.maxAge(!tokenValue.isEmpty() ? -1 : 0)
+					.path((this.cookiePath != null) ? this.cookiePath : getRequestContext(exchange.getRequest()))
+					.secure((this.secure != null) ? this.secure : (exchange.getRequest().getSslInfo() != null))
+					.build();
+			// @formatter:on
 			exchange.getResponse().addCookie(cookie);
 		});
 	}
@@ -146,6 +154,16 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
 		this.cookieDomain = cookieDomain;
 	}
 
+	/**
+	 * Sets the cookie secure flag. If not set, the value depends on
+	 * {@link ServerHttpRequest#getSslInfo()}.
+	 * @param secure The value for the secure flag
+	 * @since 5.5
+	 */
+	public void setSecure(boolean secure) {
+		this.secure = secure;
+	}
+
 	private CsrfToken createCsrfToken() {
 		return createCsrfToken(createNewToken());
 	}
diff --git a/web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java b/web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java
index d16f131920..7160337053 100644
--- a/web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java
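Review bot: The new `.secure(...)` line lets an explicit `setSecure(false)` win over the TLS check, so the CSRF cookie can be issued without the Secure attribute on an HTTPS request; the tests show this is intended, but neither this line nor the `setSecure` Javadoc in the later hunk says so, and the usual reason to call the setter at all — TLS terminated by a proxy in front of the application, where `getSslInfo()` is null and the default therefore produces a non-Secure cookie — is not mentioned either. I would extend the `setSecure` Javadoc with `* Set this to {@code true} when TLS is terminated in front of the application, since` / `* {@link ServerHttpRequest#getSslInfo()} is null in that case; an explicit {@code false}` / `* disables the flag even for requests that arrived over TLS.` A short comment on the `private Boolean secure;` field in the hunk above, `// null = derive from the request's SslInfo`, would make the tri-state explicit as well. The enclosing class continues outside the hunk.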
+++ b/web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,12 +16,15 @@
 
 package org.springframework.security.web.server.csrf;
 
+import java.security.cert.X509Certificate;
 import java.time.Duration;
 
+import org.junit.Before;
 import org.junit.Test;
 
 import org.springframework.http.HttpCookie;
 import org.springframework.http.ResponseCookie;
+import org.springframework.http.server.reactive.SslInfo;
 import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
 import org.springframework.mock.web.server.MockServerWebExchange;
 import org.springframework.util.StringUtils;
@@ -30,13 +33,14 @@ import static org.assertj.core.api.Assertions.assertThat;
 
 /**
  * @author Eric Deandrea
+ * @author Thomas Vitale
  * @since 5.1
  */
 public class CookieServerCsrfTokenRepositoryTests {
 
-	private MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/someUri"));
+	private CookieServerCsrfTokenRepository csrfTokenRepository;
 
-	private CookieServerCsrfTokenRepository csrfTokenRepository = new CookieServerCsrfTokenRepository();
+	private MockServerHttpRequest.BaseBuilder request;
 
 	private String expectedHeaderName = CookieServerCsrfTokenRepository.DEFAULT_CSRF_HEADER_NAME;
 
@@ -56,6 +60,12 @@ public class CookieServerCsrfTokenRepositoryTests {
 
 	private String expectedCookieValue = "csrfToken";
 
+	@Before
+	public void setUp() {
+		this.csrfTokenRepository = new CookieServerCsrfTokenRepository();
+		this.request = MockServerHttpRequest.get("/someUri");
+	}
+
 	@Test
 	public void generateTokenWhenDefaultThenDefaults() {
 		generateTokenAndAssertExpectedValues();
@@ -82,8 +92,9 @@ public class CookieServerCsrfTokenRepositoryTests {
 
 	@Test
 	public void saveTokenWhenNoSubscriptionThenNotWritten() {
-		this.csrfTokenRepository.saveToken(this.exchange, createToken());
-		assertThat(this.exchange.getResponse().getCookies().getFirst(this.expectedCookieName)).isNull();
+		MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+		this.csrfTokenRepository.saveToken(exchange, createToken());
+		assertThat(exchange.getResponse().getCookies().getFirst(this.expectedCookieName)).isNull();
 	}
 
 	@Test
@@ -112,6 +123,56 @@ public class CookieServerCsrfTokenRepositoryTests {
 		saveAndAssertExpectedValues(createToken());
 	}
 
+	@Test
+	public void saveTokenWhenSslInfoPresentThenSecure() {
+		this.request.sslInfo(new MockSslInfo());
+		MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+		this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+		ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+		assertThat(cookie).isNotNull();
+		assertThat(cookie.isSecure()).isTrue();
+	}
+
+	@Test
+	public void saveTokenWhenSslInfoNullThenNotSecure() {
+		MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+		this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+		ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+		assertThat(cookie).isNotNull();
+		assertThat(cookie.isSecure()).isFalse();
+	}
+
+	@Test
+	public void saveTokenWhenSecureFlagTrueThenSecure() {
+		MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+		this.csrfTokenRepository.setSecure(true);
+		this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+		ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+		assertThat(cookie).isNotNull();
+		assertThat(cookie.isSecure()).isTrue();
+	}
+
+	@Test
+	public void saveTokenWhenSecureFlagFalseThenNotSecure() {
+		MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+		this.csrfTokenRepository.setSecure(false);
+		this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+		ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+		assertThat(cookie).isNotNull();
+		assertThat(cookie.isSecure()).isFalse();
+	}
+
+	@Test
+	public void saveTokenWhenSecureFlagFalseAndSslInfoThenNotSecure() {
+		MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+		this.request.sslInfo(new MockSslInfo());
+		this.csrfTokenRepository.setSecure(false);
+		this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+		ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+		assertThat(cookie).isNotNull();
+		assertThat(cookie.isSecure()).isFalse();
+	}
+
 	@Test
 	public void loadTokenWhenCookieExistThenTokenFound() {
 		loadAndAssertExpectedValues();
@@ -127,7 +188,8 @@ public class CookieServerCsrfTokenRepositoryTests {
 
 	@Test
 	public void loadTokenWhenNoCookiesThenNullToken() {
-		CsrfToken csrfToken = this.csrfTokenRepository.loadToken(this.exchange).block();
+		MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+		CsrfToken csrfToken = this.csrfTokenRepository.loadToken(exchange).block();
 		assertThat(csrfToken).isNull();
 	}
 
@@ -180,8 +242,8 @@ public class CookieServerCsrfTokenRepositoryTests {
 	private void loadAndAssertExpectedValues() {
 		MockServerHttpRequest.BodyBuilder request = MockServerHttpRequest.post("/someUri")
 				.cookie(new HttpCookie(this.expectedCookieName, this.expectedCookieValue));
-		this.exchange = MockServerWebExchange.from(request);
-		CsrfToken csrfToken = this.csrfTokenRepository.loadToken(this.exchange).block();
+		MockServerWebExchange exchange = MockServerWebExchange.from(request);
+		CsrfToken csrfToken = this.csrfTokenRepository.loadToken(exchange).block();
 		if (StringUtils.hasText(this.expectedCookieValue)) {
 			assertThat(csrfToken).isNotNull();
 			assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName);
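Review bot: In `saveTokenWhenSecureFlagFalseAndSslInfoThenNotSecure` the exchange is built from `this.request` before `this.request.sslInfo(new MockSslInfo())` is called, so — assuming `MockServerWebExchange.from(...)` builds the request at that point, which is also what `saveTokenWhenSslInfoPresentThenSecure` relies on by configuring the builder first — the exchange under test carries no SslInfo and the test passes without exercising the explicit-false-overrides-TLS case it is named for. Swap the two lines so the builder is configured before the exchange is created: `this.request.sslInfo(new MockSslInfo());` followed by `MockServerWebExchange exchange = MockServerWebExchange.from(this.request);`. The other four new tests already follow that order.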
@@ -198,8 +260,9 @@ public class CookieServerCsrfTokenRepositoryTests {
 			this.expectedMaxAge = Duration.ofSeconds(0);
 			this.expectedCookieValue = "";
 		}
-		this.csrfTokenRepository.saveToken(this.exchange, token).block();
-		ResponseCookie cookie = this.exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+		MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+		this.csrfTokenRepository.saveToken(exchange, token).block();
+		ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
 		assertThat(cookie).isNotNull();
 		assertThat(cookie.getMaxAge()).isEqualTo(this.expectedMaxAge);
 		assertThat(cookie.getDomain()).isEqualTo(this.expectedDomain);
@@ -211,7 +274,8 @@ public class CookieServerCsrfTokenRepositoryTests {
 	}
 
 	private void generateTokenAndAssertExpectedValues() {
-		CsrfToken csrfToken = this.csrfTokenRepository.generateToken(this.exchange).block();
+		MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+		CsrfToken csrfToken = this.csrfTokenRepository.generateToken(exchange).block();
 		assertThat(csrfToken).isNotNull();
 		assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName);
 		assertThat(csrfToken.getParameterName()).isEqualTo(this.expectedParameterName);
@@ -226,4 +290,18 @@ public class CookieServerCsrfTokenRepositoryTests {
 		return new DefaultCsrfToken(headerName, parameterName, tokenValue);
 	}
 
+	static class MockSslInfo implements SslInfo {
+
+		@Override
+		public String getSessionId() {
+			return "sessionId";
+		}
+
+		@Override
+		public X509Certificate[] getPeerCertificates() {
+			return new X509Certificate[] {};
+		}
+
+	}
+
 }