Historically, Spring Security tests have set the servlet path
to indicate the path of a MockHttpServletRequest. This was needed
for AntPath and MvcRequestMatcher to correctly match the
specified request path.
This can leave MockHttpServletRequest in an inconsistent state
since requestURI is null while servletPath has a value.
For example, PathPatternRequestMatcher does not use the servlet path.
For tests to continue working both before and after the migration
from AntPath/MvcRequestMatcher to PathPatternRequestMatcher, the
mock requests should have a consistent representation of path
in getRequestURI and getServletPath.
This commit updates classes to use TestMockHttpServletRequests,
which ensures that the given path is applied to the servletPath and
requestURI, while also overriding with contextPath, servletPath,
and pathInfo when necessary.
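As an added illustration of the inconsistency described above (this is example code, not Spring Security's own TestMockHttpServletRequests), the hypothetical helper below builds a MockHttpServletRequest whose requestURI, contextPath, servletPath and pathInfo agree, and a check that flags a request where the servlet path was set on its own:

```java
import org.springframework.mock.web.MockHttpServletRequest;

/** Hypothetical helper (not part of Spring Security) for path-consistent mock requests. */
final class ConsistentMockRequests {

    /** Builds a GET request where requestURI == contextPath + servletPath + pathInfo. */
    static MockHttpServletRequest get(String contextPath, String servletPath, String pathInfo) {
        String info = (pathInfo == null) ? "" : pathInfo;
        MockHttpServletRequest request =
                new MockHttpServletRequest("GET", contextPath + servletPath + info);
        request.setContextPath(contextPath);
        request.setServletPath(servletPath);
        request.setPathInfo(pathInfo);
        return request;
    }

    /**
     * True when the path AntPath/MvcRequestMatcher read (servletPath + pathInfo) and the
     * path a requestURI-based matcher reads (requestURI minus contextPath) are the same.
     */
    static boolean isConsistent(MockHttpServletRequest request) {
        String uri = request.getRequestURI();
        if (uri == null) {
            return false; // legacy tests: servletPath set, requestURI never populated
        }
        String context = (request.getContextPath() == null) ? "" : request.getContextPath();
        String servlet = (request.getServletPath() == null) ? "" : request.getServletPath();
        String info = (request.getPathInfo() == null) ? "" : request.getPathInfo();
        return uri.equals(context + servlet + info);
    }

    public static void main(String[] args) {
        // Legacy style: only the servlet path is set, so requestURI does not reflect it.
        MockHttpServletRequest legacy = new MockHttpServletRequest("GET", null);
        legacy.setServletPath("/login");
        System.out.println("legacy consistent: " + isConsistent(legacy));   // false

        // Consistent style: every path accessor reports the same logical path.
        MockHttpServletRequest consistent = get("/app", "/api", "/users/1");
        System.out.println("consistent: " + isConsistent(consistent));      // true
        System.out.println(consistent.getRequestURI());                      // /app/api/users/1
    }
}
```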
This simplifies the logic when extracting the principal and allows
more flexibility in the future by allowing the format and regex to be
added as setters.
Clarify misleading SecurityContextRepository setter documentation.
Note that AbstractPreAuthenticatedProcessingFilter saves the
SecurityContext upon successful authentication, and this behavior
can be customized via the setSecurityContextRepository setter.
Closes gh-14137
Signed-off-by: Mark Putsiata <m.putsiata@gmail.com>
Add trace-level logging to show the logical path of CSRF token processing
- Log token source (header or parameter) in resolveCsrfTokenValue
- Log request attribute names in handle methods
- Log failures in XorCsrfTokenRequestAttributeHandler (especially Base64 decoding)
- Add similar logging to XorServerCsrfTokenRequestAttributeHandler
Improves debugging capabilities without changing functionality.
Closes gh-13626
Signed-off-by: yybmion <yunyubin54@gmail.com>
The test should not provide SavedCookie.class to the ObjectMapper
since this is not done in production. In particular, it provides the
type to which it should be deserialized, but this must be provided in the
JSON since the type is unknown at the time of deserialization.
Issue gh-17006
The new specification represents the Cookie attribute using HttpOnly: "" vs
HttpOnly: "true".
This updates the test to correspond to the new Servlet specification and
is a breaking change related to jakarta updates.