Add Cross Site Tracing (XST) & HTTP Method Tampering Protection
Fixes: gh-5377
This commit is contained in:
@@ -152,7 +152,7 @@ public class FilterChainProxyConfigTests {
|
||||
}
|
||||
|
||||
private void doNormalOperation(FilterChainProxy filterChainProxy) throws Exception {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
|
||||
request.setServletPath("/foo/secure/super/somefile.html");
|
||||
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
|
||||
@@ -54,7 +54,7 @@ public class WebSecurityTests {
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
this.request = new MockHttpServletRequest();
|
||||
this.request = new MockHttpServletRequest("GET", "");
|
||||
this.request.setMethod("GET");
|
||||
this.response = new MockHttpServletResponse();
|
||||
this.chain = new MockFilterChain();
|
||||
|
||||
@@ -274,7 +274,7 @@ public class WebSecurityConfigurationTests {
|
||||
public void securityExpressionHandlerWhenPermissionEvaluatorBeanThenPermissionEvaluatorUsed() throws Exception {
|
||||
this.spring.register(WebSecurityExpressionHandlerPermissionEvaluatorBeanConfig.class).autowire();
|
||||
TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "notused");
|
||||
FilterInvocation invocation = new FilterInvocation(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain());
|
||||
FilterInvocation invocation = new FilterInvocation(new MockHttpServletRequest("GET", ""), new MockHttpServletResponse(), new MockFilterChain());
|
||||
|
||||
AbstractSecurityExpressionHandler handler = this.spring.getContext().getBean(AbstractSecurityExpressionHandler.class);
|
||||
EvaluationContext evaluationContext = handler.createEvaluationContext(authentication, invocation);
|
||||
|
||||
@@ -68,7 +68,7 @@ public class AuthorizeRequestsTests {
|
||||
@Before
|
||||
public void setup() {
|
||||
this.servletContext = spy(new MockServletContext());
|
||||
this.request = new MockHttpServletRequest();
|
||||
this.request = new MockHttpServletRequest("GET", "");
|
||||
this.request.setMethod("GET");
|
||||
this.response = new MockHttpServletResponse();
|
||||
this.chain = new MockFilterChain();
|
||||
|
||||
@@ -51,7 +51,7 @@ public class HttpSecurityAntMatchersTests {
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
request = new MockHttpServletRequest();
|
||||
request = new MockHttpServletRequest("GET", "");
|
||||
response = new MockHttpServletResponse();
|
||||
chain = new MockFilterChain();
|
||||
}
|
||||
|
||||
@@ -52,7 +52,7 @@ public class HttpSecurityLogoutTests {
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
request = new MockHttpServletRequest();
|
||||
request = new MockHttpServletRequest("GET", "");
|
||||
response = new MockHttpServletResponse();
|
||||
chain = new MockFilterChain();
|
||||
}
|
||||
|
||||
@@ -55,7 +55,7 @@ public class HttpSecurityRequestMatchersTests {
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
this.request = new MockHttpServletRequest();
|
||||
this.request = new MockHttpServletRequest("GET", "");
|
||||
this.request.setMethod("GET");
|
||||
this.response = new MockHttpServletResponse();
|
||||
this.chain = new MockFilterChain();
|
||||
|
||||
@@ -72,7 +72,7 @@ public class SessionManagementConfigurerServlet31Tests {
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
request = new MockHttpServletRequest();
|
||||
request = new MockHttpServletRequest("GET", "");
|
||||
response = new MockHttpServletResponse();
|
||||
chain = new MockFilterChain();
|
||||
}
|
||||
@@ -88,7 +88,7 @@ public class SessionManagementConfigurerServlet31Tests {
|
||||
public void changeSessionIdDefaultsInServlet31Plus() throws Exception {
|
||||
spy(ReflectionUtils.class);
|
||||
Method method = mock(Method.class);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
|
||||
request.getSession();
|
||||
request.setServletPath("/login");
|
||||
request.setMethod("POST");
|
||||
|
||||
@@ -55,7 +55,7 @@ public class UrlAuthorizationConfigurerTests {
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
this.request = new MockHttpServletRequest();
|
||||
this.request = new MockHttpServletRequest("GET", "");
|
||||
this.request.setMethod("GET");
|
||||
this.response = new MockHttpServletResponse();
|
||||
this.chain = new MockFilterChain();
|
||||
@@ -211,4 +211,4 @@ public class UrlAuthorizationConfigurerTests {
|
||||
|
||||
this.context.getAutowireCapableBeanFactory().autowireBean(this);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -140,7 +140,7 @@ public class OAuth2ClientConfigurerTests {
|
||||
|
||||
AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository =
|
||||
new HttpSessionOAuth2AuthorizationRequestRepository();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
authorizationRequestRepository.saveAuthorizationRequest(authorizationRequest, request, response);
|
||||
|
||||
|
||||
@@ -104,7 +104,7 @@ public class OAuth2LoginConfigurerTests {
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
this.request = new MockHttpServletRequest();
|
||||
this.request = new MockHttpServletRequest("GET", "");
|
||||
this.response = new MockHttpServletResponse();
|
||||
this.filterChain = new MockFilterChain();
|
||||
|
||||
|
||||
@@ -493,7 +493,7 @@ public class AbstractSecurityWebSocketMessageBrokerConfigurerTests {
|
||||
}
|
||||
|
||||
private MockHttpServletRequest sockjsHttpRequest(String mapping) {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
|
||||
request.setMethod("GET");
|
||||
request.setAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE,
|
||||
"/289/tpyx6mde/websocket");
|
||||
|
||||
@@ -65,7 +65,7 @@ public class GrantedAuthorityDefaultsJcTests {
|
||||
public void setup() {
|
||||
setup("USER");
|
||||
|
||||
request = new MockHttpServletRequest();
|
||||
request = new MockHttpServletRequest("GET", "");
|
||||
request.setMethod("GET");
|
||||
response = new MockHttpServletResponse();
|
||||
chain = new MockFilterChain();
|
||||
|
||||
@@ -58,7 +58,7 @@ public class GrantedAuthorityDefaultsXmlTests {
|
||||
public void setup() {
|
||||
setup("USER");
|
||||
|
||||
request = new MockHttpServletRequest();
|
||||
request = new MockHttpServletRequest("GET", "");
|
||||
request.setMethod("GET");
|
||||
response = new MockHttpServletResponse();
|
||||
chain = new MockFilterChain();
|
||||
|
||||
@@ -123,7 +123,7 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
|
||||
}
|
||||
|
||||
private FilterInvocation createFilterInvocation(String path, String method) {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
|
||||
request.setRequestURI(null);
|
||||
request.setMethod(method);
|
||||
|
||||
|
||||
@@ -52,7 +52,7 @@ public class NamespaceHttpBasicTests {
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
this.request = new MockHttpServletRequest();
|
||||
this.request = new MockHttpServletRequest("GET", "");
|
||||
this.request.setMethod("GET");
|
||||
this.response = new MockHttpServletResponse();
|
||||
this.chain = new MockFilterChain();
|
||||
|
||||
@@ -73,7 +73,7 @@ public class SessionManagementConfigServlet31Tests {
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
request = new MockHttpServletRequest();
|
||||
request = new MockHttpServletRequest("GET", "");
|
||||
response = new MockHttpServletResponse();
|
||||
chain = new MockFilterChain();
|
||||
}
|
||||
@@ -89,7 +89,7 @@ public class SessionManagementConfigServlet31Tests {
|
||||
public void changeSessionIdDefaultsInServlet31Plus() throws Exception {
|
||||
spy(ReflectionUtils.class);
|
||||
Method method = mock(Method.class);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
|
||||
request.getSession();
|
||||
request.setServletPath("/login");
|
||||
request.setMethod("POST");
|
||||
@@ -112,7 +112,7 @@ public class SessionManagementConfigServlet31Tests {
|
||||
public void changeSessionId() throws Exception {
|
||||
spy(ReflectionUtils.class);
|
||||
Method method = mock(Method.class);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
|
||||
request.getSession();
|
||||
request.setServletPath("/login");
|
||||
request.setMethod("POST");
|
||||
|
||||
@@ -55,7 +55,7 @@ public class CustomHttpSecurityConfigurerTests {
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
request = new MockHttpServletRequest();
|
||||
request = new MockHttpServletRequest("GET", "");
|
||||
response = new MockHttpServletResponse();
|
||||
chain = new MockFilterChain();
|
||||
request.setMethod("GET");
|
||||
|
||||
Reference in New Issue
Block a user