Default to XorCsrfTokenRequestAttributeHandler

As of gh-11960, Xor CSRF tokens are the default in 6.0. This commit
makes CsrfAuthenticationStrategy consistent with CsrfFilter.

Issue gh-11960
Closes gh-12235
Steve Riesenberg 2022-11-18 22:33:02 -06:00
parent 3f5d8b39ce
commit fd547321e8
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
2 changed files with 5 additions and 4 deletions
web/src
main/java/org/springframework/security/web/csrf
test/java/org/springframework/security/web/csrf


@ -41,7 +41,7 @@ public final class CsrfAuthenticationStrategy implements SessionAuthenticationSt
private final CsrfTokenRepository tokenRepository; private final CsrfTokenRepository tokenRepository;
private CsrfTokenRequestHandler requestHandler = new CsrfTokenRequestAttributeHandler(); private CsrfTokenRequestHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
/** /**
* Creates a new instance * Creates a new instance
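Review bot: The new default on the `requestHandler` field is security-relevant but carries no comment, and the constructor Javadoc directly below it (and presumably the setter for this field, outside the hunk) still reads as if the handler were the plain attribute handler. Because the default now changes what callers see in the `CsrfToken` request attribute — the updated test in this commit asserts the attribute's token is no longer equal to the repository token — the class-level and setter Javadoc should state the new default and its effect, and a field comment would make the intent visible to the next maintainer: `// Default matches CsrfFilter (gh-11960): the token exposed on the request is a per-request masked value, not the stored token itself`. The enclosing class `CsrfAuthenticationStrategy` starts and ends outside the hunk, so the setter and class Javadoc cannot be confirmed from here.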


@ -108,9 +108,10 @@ public class CsrfAuthenticationStrategyTests {
verify(this.csrfTokenRepository).loadDeferredToken(this.request, this.response); verify(this.csrfTokenRepository).loadDeferredToken(this.request, this.response);
// SEC-2404, SEC-2832 // SEC-2404, SEC-2832
CsrfToken tokenInRequest = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName()); CsrfToken tokenInRequest = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
assertThat(tokenInRequest.getToken()).isSameAs(this.generatedToken.getToken()); assertThat(tokenInRequest.getToken()).isNotEmpty();
assertThat(tokenInRequest.getHeaderName()).isSameAs(this.generatedToken.getHeaderName()); assertThat(tokenInRequest.getToken()).isNotEqualTo(this.generatedToken.getToken());
assertThat(tokenInRequest.getParameterName()).isSameAs(this.generatedToken.getParameterName()); assertThat(tokenInRequest.getHeaderName()).isEqualTo(this.generatedToken.getHeaderName());
assertThat(tokenInRequest.getParameterName()).isEqualTo(this.generatedToken.getParameterName());
assertThat(this.request.getAttribute(this.generatedToken.getParameterName())).isSameAs(tokenInRequest); assertThat(this.request.getAttribute(this.generatedToken.getParameterName())).isSameAs(tokenInRequest);
} }
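Review bot: The replacement assertions on the request-attribute token (`isNotEmpty()` and `isNotEqualTo(this.generatedToken.getToken())`) only prove that the value was transformed, not that the transformation is usable; a regression that masks the token into something the handler can no longer unmask would still pass this test. The test should also round-trip the masked value back to `this.generatedToken.getToken()` through the same request handler the strategy uses (via whatever resolve/unmask method the handler exposes — not visible in this hunk), so the test pins the security contract rather than just "the value changed". If the handler's random source can be injected, seeding it would additionally make the masked value deterministic and allow an exact assertion. The enclosing test method starts outside the hunk.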