Add Cross Site Tracing (XST) & HTTP Method Tampering Protection

Fixes: gh-5377
This commit is contained in:
Rob Winch
2018-05-24 09:35:27 -05:00
parent 2c92496911
commit 73345e7434
35 changed files with 276 additions and 87 deletions

View File

@@ -152,7 +152,7 @@ public class FilterChainProxyConfigTests {
}
private void doNormalOperation(FilterChainProxy filterChainProxy) throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
request.setServletPath("/foo/secure/super/somefile.html");
MockHttpServletResponse response = new MockHttpServletResponse();

View File

@@ -54,7 +54,7 @@ public class WebSecurityTests {
@Before
public void setup() {
this.request = new MockHttpServletRequest();
this.request = new MockHttpServletRequest("GET", "");
this.request.setMethod("GET");
this.response = new MockHttpServletResponse();
this.chain = new MockFilterChain();

View File

@@ -274,7 +274,7 @@ public class WebSecurityConfigurationTests {
public void securityExpressionHandlerWhenPermissionEvaluatorBeanThenPermissionEvaluatorUsed() throws Exception {
this.spring.register(WebSecurityExpressionHandlerPermissionEvaluatorBeanConfig.class).autowire();
TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "notused");
FilterInvocation invocation = new FilterInvocation(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain());
FilterInvocation invocation = new FilterInvocation(new MockHttpServletRequest("GET", ""), new MockHttpServletResponse(), new MockFilterChain());
AbstractSecurityExpressionHandler handler = this.spring.getContext().getBean(AbstractSecurityExpressionHandler.class);
EvaluationContext evaluationContext = handler.createEvaluationContext(authentication, invocation);

View File

@@ -68,7 +68,7 @@ public class AuthorizeRequestsTests {
@Before
public void setup() {
this.servletContext = spy(new MockServletContext());
this.request = new MockHttpServletRequest();
this.request = new MockHttpServletRequest("GET", "");
this.request.setMethod("GET");
this.response = new MockHttpServletResponse();
this.chain = new MockFilterChain();

View File

@@ -51,7 +51,7 @@ public class HttpSecurityAntMatchersTests {
@Before
public void setup() {
request = new MockHttpServletRequest();
request = new MockHttpServletRequest("GET", "");
response = new MockHttpServletResponse();
chain = new MockFilterChain();
}

View File

@@ -52,7 +52,7 @@ public class HttpSecurityLogoutTests {
@Before
public void setup() {
request = new MockHttpServletRequest();
request = new MockHttpServletRequest("GET", "");
response = new MockHttpServletResponse();
chain = new MockFilterChain();
}

View File

@@ -55,7 +55,7 @@ public class HttpSecurityRequestMatchersTests {
@Before
public void setup() {
this.request = new MockHttpServletRequest();
this.request = new MockHttpServletRequest("GET", "");
this.request.setMethod("GET");
this.response = new MockHttpServletResponse();
this.chain = new MockFilterChain();

View File

@@ -72,7 +72,7 @@ public class SessionManagementConfigurerServlet31Tests {
@Before
public void setup() {
request = new MockHttpServletRequest();
request = new MockHttpServletRequest("GET", "");
response = new MockHttpServletResponse();
chain = new MockFilterChain();
}
@@ -88,7 +88,7 @@ public class SessionManagementConfigurerServlet31Tests {
public void changeSessionIdDefaultsInServlet31Plus() throws Exception {
spy(ReflectionUtils.class);
Method method = mock(Method.class);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
request.getSession();
request.setServletPath("/login");
request.setMethod("POST");

View File

@@ -55,7 +55,7 @@ public class UrlAuthorizationConfigurerTests {
@Before
public void setup() {
this.request = new MockHttpServletRequest();
this.request = new MockHttpServletRequest("GET", "");
this.request.setMethod("GET");
this.response = new MockHttpServletResponse();
this.chain = new MockFilterChain();
@@ -211,4 +211,4 @@ public class UrlAuthorizationConfigurerTests {
this.context.getAutowireCapableBeanFactory().autowireBean(this);
}
}
}

View File

@@ -140,7 +140,7 @@ public class OAuth2ClientConfigurerTests {
AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository =
new HttpSessionOAuth2AuthorizationRequestRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
MockHttpServletResponse response = new MockHttpServletResponse();
authorizationRequestRepository.saveAuthorizationRequest(authorizationRequest, request, response);

View File

@@ -104,7 +104,7 @@ public class OAuth2LoginConfigurerTests {
@Before
public void setup() {
this.request = new MockHttpServletRequest();
this.request = new MockHttpServletRequest("GET", "");
this.response = new MockHttpServletResponse();
this.filterChain = new MockFilterChain();

View File

@@ -493,7 +493,7 @@ public class AbstractSecurityWebSocketMessageBrokerConfigurerTests {
}
private MockHttpServletRequest sockjsHttpRequest(String mapping) {
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
request.setMethod("GET");
request.setAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE,
"/289/tpyx6mde/websocket");

View File

@@ -65,7 +65,7 @@ public class GrantedAuthorityDefaultsJcTests {
public void setup() {
setup("USER");
request = new MockHttpServletRequest();
request = new MockHttpServletRequest("GET", "");
request.setMethod("GET");
response = new MockHttpServletResponse();
chain = new MockFilterChain();

View File

@@ -58,7 +58,7 @@ public class GrantedAuthorityDefaultsXmlTests {
public void setup() {
setup("USER");
request = new MockHttpServletRequest();
request = new MockHttpServletRequest("GET", "");
request.setMethod("GET");
response = new MockHttpServletResponse();
chain = new MockFilterChain();

View File

@@ -123,7 +123,7 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
}
private FilterInvocation createFilterInvocation(String path, String method) {
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
request.setRequestURI(null);
request.setMethod(method);

View File

@@ -52,7 +52,7 @@ public class NamespaceHttpBasicTests {
@Before
public void setup() {
this.request = new MockHttpServletRequest();
this.request = new MockHttpServletRequest("GET", "");
this.request.setMethod("GET");
this.response = new MockHttpServletResponse();
this.chain = new MockFilterChain();

View File

@@ -73,7 +73,7 @@ public class SessionManagementConfigServlet31Tests {
@Before
public void setup() {
request = new MockHttpServletRequest();
request = new MockHttpServletRequest("GET", "");
response = new MockHttpServletResponse();
chain = new MockFilterChain();
}
@@ -89,7 +89,7 @@ public class SessionManagementConfigServlet31Tests {
public void changeSessionIdDefaultsInServlet31Plus() throws Exception {
spy(ReflectionUtils.class);
Method method = mock(Method.class);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
request.getSession();
request.setServletPath("/login");
request.setMethod("POST");
@@ -112,7 +112,7 @@ public class SessionManagementConfigServlet31Tests {
public void changeSessionId() throws Exception {
spy(ReflectionUtils.class);
Method method = mock(Method.class);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
request.getSession();
request.setServletPath("/login");
request.setMethod("POST");

View File

@@ -55,7 +55,7 @@ public class CustomHttpSecurityConfigurerTests {
@Before
public void setup() {
request = new MockHttpServletRequest();
request = new MockHttpServletRequest("GET", "");
response = new MockHttpServletResponse();
chain = new MockFilterChain();
request.setMethod("GET");