SEC-2276: Delay saving CsrfToken until token is accessed

This also removed the CsrfToken from the response headers to prevent the
token from being saved. If user's wish to return the CsrfToken in the
response headers, they should use the CsrfToken found on the request.
This commit is contained in:
Rob Winch
2013-08-24 23:28:15 -05:00
parent c131fb6379
commit 48283ec004
14 changed files with 355 additions and 159 deletions

View File

@@ -40,7 +40,6 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -96,7 +95,9 @@ public class SessionManagementConfigurerServlet31Tests {
request.setMethod("POST");
request.setParameter("username", "user");
request.setParameter("password", "password");
CsrfToken token = new HttpSessionCsrfTokenRepository().generateAndSaveToken(request, response);
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
CsrfToken token = repository.generateToken(request);
repository.saveToken(token, request, response);
request.setParameter(token.getParameterName(),token.getToken());
when(ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId")).thenReturn(method);