CookieCsrfTokenRepository supports HttpOnly
CookieCsrfTokenRepository supports HttpOnly Fixes gh-3835 * Add Servlet 3 tests and javadocs Issue gh-3835 * Add copyright header Issue gh-3835
This commit is contained in:
@@ -0,0 +1,92 @@
|
||||
/*
|
||||
* Copyright 2012-2016 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.web.csrf;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.ArgumentCaptor;
|
||||
import org.mockito.Mock;
|
||||
import org.powermock.core.classloader.annotations.PrepareForTest;
|
||||
import org.powermock.modules.junit4.PowerMockRunner;
|
||||
import org.springframework.util.ReflectionUtils;
|
||||
|
||||
import javax.servlet.http.Cookie;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.lang.reflect.Method;
|
||||
|
||||
import static org.mockito.Matchers.eq;
|
||||
import static org.mockito.Matchers.same;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.*;
|
||||
import static org.powermock.api.mockito.PowerMockito.spy;
|
||||
import static org.powermock.api.mockito.PowerMockito.*;
|
||||
import static org.powermock.api.mockito.PowerMockito.when;
|
||||
|
||||
/**
|
||||
* @author Joe Grandja
|
||||
* @since 4.1
|
||||
*/
|
||||
@RunWith(PowerMockRunner.class)
|
||||
@PrepareForTest({ReflectionUtils.class, Method.class})
|
||||
public class CookieCsrfTokenRepositoryServlet3Tests {
|
||||
|
||||
@Mock
|
||||
private Method method;
|
||||
|
||||
@Test
|
||||
public void httpOnlyServlet30() throws Exception {
|
||||
spy(ReflectionUtils.class);
|
||||
when(ReflectionUtils.findMethod(Cookie.class, "setHttpOnly",
|
||||
boolean.class)).thenReturn(method);
|
||||
|
||||
HttpServletRequest request = mock(HttpServletRequest.class);
|
||||
when(request.getContextPath()).thenReturn("/contextpath");
|
||||
HttpServletResponse response = mock(HttpServletResponse.class);
|
||||
ArgumentCaptor<Cookie> cookie = ArgumentCaptor.forClass(Cookie.class);
|
||||
|
||||
CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository();
|
||||
|
||||
CsrfToken token = repository.generateToken(request);
|
||||
repository.saveToken(token, request, response);
|
||||
|
||||
verify(response).addCookie(cookie.capture());
|
||||
verifyStatic();
|
||||
ReflectionUtils.invokeMethod(same(method), eq(cookie.getValue()), eq(true));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void httpOnlyPreServlet30() throws Exception {
|
||||
spy(ReflectionUtils.class);
|
||||
when(ReflectionUtils.findMethod(Cookie.class, "setHttpOnly",
|
||||
boolean.class)).thenReturn(null);
|
||||
|
||||
HttpServletRequest request = mock(HttpServletRequest.class);
|
||||
when(request.getContextPath()).thenReturn("/contextpath");
|
||||
HttpServletResponse response = mock(HttpServletResponse.class);
|
||||
ArgumentCaptor<Cookie> cookie = ArgumentCaptor.forClass(Cookie.class);
|
||||
|
||||
CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository();
|
||||
|
||||
CsrfToken token = repository.generateToken(request);
|
||||
repository.saveToken(token, request, response);
|
||||
|
||||
verify(response).addCookie(cookie.capture());
|
||||
verifyStatic(never());
|
||||
ReflectionUtils.invokeMethod(same(method), eq(cookie.getValue()), eq(true));
|
||||
}
|
||||
|
||||
}
|
||||
@@ -16,14 +16,13 @@
|
||||
|
||||
package org.springframework.security.web.csrf;
|
||||
|
||||
import javax.servlet.http.Cookie;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
|
||||
import javax.servlet.http.Cookie;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
/**
|
||||
@@ -84,6 +83,7 @@ public class CookieCsrfTokenRepositoryTests {
|
||||
assertThat(tokenCookie.getPath()).isEqualTo(this.request.getContextPath());
|
||||
assertThat(tokenCookie.getSecure()).isEqualTo(this.request.isSecure());
|
||||
assertThat(tokenCookie.getValue()).isEqualTo(token.getToken());
|
||||
assertThat(tokenCookie.isHttpOnly()).isEqualTo(true);
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -114,6 +114,30 @@ public class CookieCsrfTokenRepositoryTests {
|
||||
assertThat(tokenCookie.getValue()).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenHttpOnlyTrue() {
|
||||
this.repository.setCookieHttpOnly(true);
|
||||
CsrfToken token = this.repository.generateToken(this.request);
|
||||
this.repository.saveToken(token, this.request, this.response);
|
||||
|
||||
Cookie tokenCookie = this.response
|
||||
.getCookie(CookieCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME);
|
||||
|
||||
assertThat(tokenCookie.isHttpOnly()).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenHttpOnlyFalse() {
|
||||
this.repository.setCookieHttpOnly(false);
|
||||
CsrfToken token = this.repository.generateToken(this.request);
|
||||
this.repository.saveToken(token, this.request, this.response);
|
||||
|
||||
Cookie tokenCookie = this.response
|
||||
.getCookie(CookieCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME);
|
||||
|
||||
assertThat(tokenCookie.isHttpOnly()).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loadTokenNoCookiesNull() {
|
||||
assertThat(this.repository.loadToken(this.request)).isNull();
|
||||
|
||||
Reference in New Issue
Block a user