Make Csrf cookie secure flag configurable (WebFlux)

Make the XSRF-TOKEN cookie secure flag configurable in CookieServerCsrfTokenRepository.

Closes gh-9678
This commit is contained in:
Thomas Vitale 2021-04-26 18:13:20 +02:00 committed by Eleftheria Stein-Kousathana
parent 006b9b9607
commit e2993d93e1
2 changed files with 113 additions and 17 deletions

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2021 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -34,6 +34,7 @@ import org.springframework.web.server.ServerWebExchange;
* AngularJS. When using with AngularJS be sure to use {@link #withHttpOnlyFalse()} . * AngularJS. When using with AngularJS be sure to use {@link #withHttpOnlyFalse()} .
* *
* @author Eric Deandrea * @author Eric Deandrea
* @author Thomas Vitale
* @since 5.1 * @since 5.1
*/ */
public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRepository { public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRepository {
@ -54,6 +55,8 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
private boolean cookieHttpOnly = true; private boolean cookieHttpOnly = true;
private Boolean secure;
/** /**
* Factory method to conveniently create an instance that has * Factory method to conveniently create an instance that has
* {@link #setCookieHttpOnly(boolean)} set to false. * {@link #setCookieHttpOnly(boolean)} set to false.
@ -75,11 +78,16 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
public Mono<Void> saveToken(ServerWebExchange exchange, CsrfToken token) { public Mono<Void> saveToken(ServerWebExchange exchange, CsrfToken token) {
return Mono.fromRunnable(() -> { return Mono.fromRunnable(() -> {
String tokenValue = (token != null) ? token.getToken() : ""; String tokenValue = (token != null) ? token.getToken() : "";
int maxAge = !tokenValue.isEmpty() ? -1 : 0; // @formatter:off
String path = (this.cookiePath != null) ? this.cookiePath : getRequestContext(exchange.getRequest()); ResponseCookie cookie = ResponseCookie
boolean secure = exchange.getRequest().getSslInfo() != null; .from(this.cookieName, tokenValue)
ResponseCookie cookie = ResponseCookie.from(this.cookieName, tokenValue).domain(this.cookieDomain) .domain(this.cookieDomain)
.httpOnly(this.cookieHttpOnly).maxAge(maxAge).path(path).secure(secure).build(); .httpOnly(this.cookieHttpOnly)
.maxAge(!tokenValue.isEmpty() ? -1 : 0)
.path((this.cookiePath != null) ? this.cookiePath : getRequestContext(exchange.getRequest()))
.secure((this.secure != null) ? this.secure : (exchange.getRequest().getSslInfo() != null))
.build();
// @formatter:on
exchange.getResponse().addCookie(cookie); exchange.getResponse().addCookie(cookie);
}); });
} }
@ -146,6 +154,16 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
this.cookieDomain = cookieDomain; this.cookieDomain = cookieDomain;
} }
/**
* Sets the cookie secure flag. If not set, the value depends on
* {@link ServerHttpRequest#getSslInfo()}.
* @param secure The value for the secure flag
* @since 5.5
*/
public void setSecure(boolean secure) {
this.secure = secure;
}
private CsrfToken createCsrfToken() { private CsrfToken createCsrfToken() {
return createCsrfToken(createNewToken()); return createCsrfToken(createNewToken());
} }

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2018 the original author or authors. * Copyright 2002-2021 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -16,12 +16,15 @@
package org.springframework.security.web.server.csrf; package org.springframework.security.web.server.csrf;
import java.security.cert.X509Certificate;
import java.time.Duration; import java.time.Duration;
import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.springframework.http.HttpCookie; import org.springframework.http.HttpCookie;
import org.springframework.http.ResponseCookie; import org.springframework.http.ResponseCookie;
import org.springframework.http.server.reactive.SslInfo;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest; import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange; import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
@ -30,13 +33,14 @@ import static org.assertj.core.api.Assertions.assertThat;
/** /**
* @author Eric Deandrea * @author Eric Deandrea
* @author Thomas Vitale
* @since 5.1 * @since 5.1
*/ */
public class CookieServerCsrfTokenRepositoryTests { public class CookieServerCsrfTokenRepositoryTests {
private MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/someUri")); private CookieServerCsrfTokenRepository csrfTokenRepository;
private CookieServerCsrfTokenRepository csrfTokenRepository = new CookieServerCsrfTokenRepository(); private MockServerHttpRequest.BaseBuilder<?> request;
private String expectedHeaderName = CookieServerCsrfTokenRepository.DEFAULT_CSRF_HEADER_NAME; private String expectedHeaderName = CookieServerCsrfTokenRepository.DEFAULT_CSRF_HEADER_NAME;
@ -56,6 +60,12 @@ public class CookieServerCsrfTokenRepositoryTests {
private String expectedCookieValue = "csrfToken"; private String expectedCookieValue = "csrfToken";
@Before
public void setUp() {
this.csrfTokenRepository = new CookieServerCsrfTokenRepository();
this.request = MockServerHttpRequest.get("/someUri");
}
@Test @Test
public void generateTokenWhenDefaultThenDefaults() { public void generateTokenWhenDefaultThenDefaults() {
generateTokenAndAssertExpectedValues(); generateTokenAndAssertExpectedValues();
@ -82,8 +92,9 @@ public class CookieServerCsrfTokenRepositoryTests {
@Test @Test
public void saveTokenWhenNoSubscriptionThenNotWritten() { public void saveTokenWhenNoSubscriptionThenNotWritten() {
this.csrfTokenRepository.saveToken(this.exchange, createToken()); MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
assertThat(this.exchange.getResponse().getCookies().getFirst(this.expectedCookieName)).isNull(); this.csrfTokenRepository.saveToken(exchange, createToken());
assertThat(exchange.getResponse().getCookies().getFirst(this.expectedCookieName)).isNull();
} }
@Test @Test
@ -112,6 +123,56 @@ public class CookieServerCsrfTokenRepositoryTests {
saveAndAssertExpectedValues(createToken()); saveAndAssertExpectedValues(createToken());
} }
@Test
public void saveTokenWhenSslInfoPresentThenSecure() {
this.request.sslInfo(new MockSslInfo());
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
assertThat(cookie).isNotNull();
assertThat(cookie.isSecure()).isTrue();
}
@Test
public void saveTokenWhenSslInfoNullThenNotSecure() {
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
assertThat(cookie).isNotNull();
assertThat(cookie.isSecure()).isFalse();
}
@Test
public void saveTokenWhenSecureFlagTrueThenSecure() {
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
this.csrfTokenRepository.setSecure(true);
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
assertThat(cookie).isNotNull();
assertThat(cookie.isSecure()).isTrue();
}
@Test
public void saveTokenWhenSecureFlagFalseThenNotSecure() {
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
this.csrfTokenRepository.setSecure(false);
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
assertThat(cookie).isNotNull();
assertThat(cookie.isSecure()).isFalse();
}
@Test
public void saveTokenWhenSecureFlagFalseAndSslInfoThenNotSecure() {
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
this.request.sslInfo(new MockSslInfo());
this.csrfTokenRepository.setSecure(false);
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
assertThat(cookie).isNotNull();
assertThat(cookie.isSecure()).isFalse();
}
@Test @Test
public void loadTokenWhenCookieExistThenTokenFound() { public void loadTokenWhenCookieExistThenTokenFound() {
loadAndAssertExpectedValues(); loadAndAssertExpectedValues();
@ -127,7 +188,8 @@ public class CookieServerCsrfTokenRepositoryTests {
@Test @Test
public void loadTokenWhenNoCookiesThenNullToken() { public void loadTokenWhenNoCookiesThenNullToken() {
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(this.exchange).block(); MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(exchange).block();
assertThat(csrfToken).isNull(); assertThat(csrfToken).isNull();
} }
@ -180,8 +242,8 @@ public class CookieServerCsrfTokenRepositoryTests {
private void loadAndAssertExpectedValues() { private void loadAndAssertExpectedValues() {
MockServerHttpRequest.BodyBuilder request = MockServerHttpRequest.post("/someUri") MockServerHttpRequest.BodyBuilder request = MockServerHttpRequest.post("/someUri")
.cookie(new HttpCookie(this.expectedCookieName, this.expectedCookieValue)); .cookie(new HttpCookie(this.expectedCookieName, this.expectedCookieValue));
this.exchange = MockServerWebExchange.from(request); MockServerWebExchange exchange = MockServerWebExchange.from(request);
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(this.exchange).block(); CsrfToken csrfToken = this.csrfTokenRepository.loadToken(exchange).block();
if (StringUtils.hasText(this.expectedCookieValue)) { if (StringUtils.hasText(this.expectedCookieValue)) {
assertThat(csrfToken).isNotNull(); assertThat(csrfToken).isNotNull();
assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName); assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName);
@ -198,8 +260,9 @@ public class CookieServerCsrfTokenRepositoryTests {
this.expectedMaxAge = Duration.ofSeconds(0); this.expectedMaxAge = Duration.ofSeconds(0);
this.expectedCookieValue = ""; this.expectedCookieValue = "";
} }
this.csrfTokenRepository.saveToken(this.exchange, token).block(); MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
ResponseCookie cookie = this.exchange.getResponse().getCookies().getFirst(this.expectedCookieName); this.csrfTokenRepository.saveToken(exchange, token).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
assertThat(cookie).isNotNull(); assertThat(cookie).isNotNull();
assertThat(cookie.getMaxAge()).isEqualTo(this.expectedMaxAge); assertThat(cookie.getMaxAge()).isEqualTo(this.expectedMaxAge);
assertThat(cookie.getDomain()).isEqualTo(this.expectedDomain); assertThat(cookie.getDomain()).isEqualTo(this.expectedDomain);
@ -211,7 +274,8 @@ public class CookieServerCsrfTokenRepositoryTests {
} }
private void generateTokenAndAssertExpectedValues() { private void generateTokenAndAssertExpectedValues() {
CsrfToken csrfToken = this.csrfTokenRepository.generateToken(this.exchange).block(); MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
CsrfToken csrfToken = this.csrfTokenRepository.generateToken(exchange).block();
assertThat(csrfToken).isNotNull(); assertThat(csrfToken).isNotNull();
assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName); assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName);
assertThat(csrfToken.getParameterName()).isEqualTo(this.expectedParameterName); assertThat(csrfToken.getParameterName()).isEqualTo(this.expectedParameterName);
@ -226,4 +290,18 @@ public class CookieServerCsrfTokenRepositoryTests {
return new DefaultCsrfToken(headerName, parameterName, tokenValue); return new DefaultCsrfToken(headerName, parameterName, tokenValue);
} }
static class MockSslInfo implements SslInfo {
@Override
public String getSessionId() {
return "sessionId";
}
@Override
public X509Certificate[] getPeerCertificates() {
return new X509Certificate[] {};
}
}
} }