Default to XorCsrfTokenRequestAttributeHandler
As of gh-11960, Xor CSRF tokens are the default in 6.0. This commit makes CsrfAuthenticationStrategy consistent with CsrfFilter. Issue gh-11960 Closes gh-12235
parent
3f5d8b39ce
commit
fd547321e8
web/src
main/java/org/springframework/security/web/csrf
test/java/org/springframework/security/web/csrf
|
@ -41,7 +41,7 @@ public final class CsrfAuthenticationStrategy implements SessionAuthenticationSt
|
||||||
|
|
||||||
private final CsrfTokenRepository tokenRepository;
|
private final CsrfTokenRepository tokenRepository;
|
||||||
|
|
||||||
private CsrfTokenRequestHandler requestHandler = new CsrfTokenRequestAttributeHandler();
|
private CsrfTokenRequestHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Creates a new instance
|
* Creates a new instance
|
||||||
|
|
|
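Review bot: The new default on the `requestHandler` field is not documented at the field, so a reader of CsrfAuthenticationStrategy cannot tell that the token it places on the request attribute is now a per-request masked value rather than the repository's raw token. Add a field comment such as `/** Defaults to {@link XorCsrfTokenRequestAttributeHandler} (masked tokens), matching {@link CsrfFilter} as of 6.0. */` and, if the class exposes a setter for this handler, state the same default in its Javadoc. Code that compared the request-attribute token with the repository token by identity (as the old test did) will break, which is a behaviour change worth noting in the class Javadoc too. The constructor Javadoc at `Creates a new instance` is unchanged and is the other natural place to mention the masking default.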
@ -108,9 +108,10 @@ public class CsrfAuthenticationStrategyTests {
|
||||||
verify(this.csrfTokenRepository).loadDeferredToken(this.request, this.response);
|
verify(this.csrfTokenRepository).loadDeferredToken(this.request, this.response);
|
||||||
// SEC-2404, SEC-2832
|
// SEC-2404, SEC-2832
|
||||||
CsrfToken tokenInRequest = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
|
CsrfToken tokenInRequest = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
|
||||||
assertThat(tokenInRequest.getToken()).isSameAs(this.generatedToken.getToken());
|
assertThat(tokenInRequest.getToken()).isNotEmpty();
|
||||||
assertThat(tokenInRequest.getHeaderName()).isSameAs(this.generatedToken.getHeaderName());
|
assertThat(tokenInRequest.getToken()).isNotEqualTo(this.generatedToken.getToken());
|
||||||
assertThat(tokenInRequest.getParameterName()).isSameAs(this.generatedToken.getParameterName());
|
assertThat(tokenInRequest.getHeaderName()).isEqualTo(this.generatedToken.getHeaderName());
|
||||||
|
assertThat(tokenInRequest.getParameterName()).isEqualTo(this.generatedToken.getParameterName());
|
||||||
assertThat(this.request.getAttribute(this.generatedToken.getParameterName())).isSameAs(tokenInRequest);
|
assertThat(this.request.getAttribute(this.generatedToken.getParameterName())).isSameAs(tokenInRequest);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
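Review bot: The new assertion `isNotEqualTo(this.generatedToken.getToken())` only establishes that the value placed on the request differs from the raw token, not that it is a valid masking of it; a random, truncated or corrupted value would pass this test equally well. A stronger check would round-trip the attribute value through the handler's token resolver, supplying the masked value as the request parameter and asserting it resolves to `this.generatedToken.getToken()`, since that resolution is what CsrfFilter depends on at request time. `isNotEmpty()` is similarly weak; if the XOR handler's output has a fixed encoding relative to the raw token length, asserting that length would pin the contract more tightly. The enclosing test method begins outside the hunk.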