SEC-1761: Support HttpOnly Flag for Cookies when using Servlet 3.0
This commit is contained in:
@@ -0,0 +1,50 @@
|
||||
package org.springframework.security.web.authentication.rememberme;
|
||||
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
import javax.servlet.http.Cookie;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.mockito.ArgumentCaptor;
|
||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServicesTests.MockRememberMeServices;
|
||||
import org.springframework.util.ReflectionUtils;
|
||||
|
||||
/**
|
||||
* Note: This test will fail in the IDE since it needs to be ran with servlet 3.0 and servlet 2.5 is also on the classpath.
|
||||
*
|
||||
* @author Rob Winch
|
||||
*/
|
||||
public class AbstractRememberMeServicesServlet3Tests {
|
||||
|
||||
@Test
|
||||
public void httpOnlySetInServlet30DefaultConstructor() throws Exception {
|
||||
HttpServletRequest request = mock(HttpServletRequest.class);
|
||||
when(request.getContextPath()).thenReturn("/contextpath");
|
||||
HttpServletResponse response = mock(HttpServletResponse.class);
|
||||
ArgumentCaptor<Cookie> cookie = ArgumentCaptor.forClass(Cookie.class);
|
||||
MockRememberMeServices services = new MockRememberMeServices();
|
||||
services.setCookie(new String[] {"mycookie"}, 1000, request, response);
|
||||
verify(response).addCookie(cookie.capture());
|
||||
Cookie rememberme = cookie.getValue();
|
||||
assertTrue((Boolean)ReflectionUtils.invokeMethod(rememberme.getClass().getMethod("isHttpOnly"),rememberme));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void httpOnlySetInServlet30() throws Exception {
|
||||
HttpServletRequest request = mock(HttpServletRequest.class);
|
||||
when(request.getContextPath()).thenReturn("/contextpath");
|
||||
HttpServletResponse response = mock(HttpServletResponse.class);
|
||||
ArgumentCaptor<Cookie> cookie = ArgumentCaptor.forClass(Cookie.class);
|
||||
MockRememberMeServices services = new MockRememberMeServices("key",mock(UserDetailsService.class));
|
||||
services.setCookie(new String[] {"mycookie"}, 1000, request, response);
|
||||
verify(response).addCookie(cookie.capture());
|
||||
Cookie rememberme = cookie.getValue();
|
||||
assertTrue((Boolean)ReflectionUtils.invokeMethod(rememberme.getClass().getMethod("isHttpOnly"),rememberme));
|
||||
}
|
||||
}
|
||||
@@ -23,6 +23,7 @@ import org.springframework.security.web.authentication.rememberme.AbstractRememb
|
||||
import org.springframework.security.web.authentication.rememberme.CookieTheftException;
|
||||
import org.springframework.security.web.authentication.rememberme.InvalidCookieException;
|
||||
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationException;
|
||||
import org.springframework.test.util.ReflectionTestUtils;
|
||||
import org.springframework.util.StringUtils;
|
||||
|
||||
/**
|
||||
@@ -330,6 +331,15 @@ public class AbstractRememberMeServicesTests {
|
||||
assertTrue(cookie.getSecure());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void setHttpOnlyIgnoredForServlet25() throws Exception {
|
||||
MockRememberMeServices services = new MockRememberMeServices();
|
||||
assertNull(ReflectionTestUtils.getField(services, "setHttpOnlyMethod"));
|
||||
|
||||
services = new MockRememberMeServices("key",new MockUserDetailsService(joe, false));
|
||||
assertNull(ReflectionTestUtils.getField(services, "setHttpOnlyMethod"));
|
||||
}
|
||||
|
||||
private Cookie[] createLoginCookie(String cookieToken) {
|
||||
MockRememberMeServices services = new MockRememberMeServices();
|
||||
Cookie cookie = new Cookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
|
||||
@@ -346,10 +356,14 @@ public class AbstractRememberMeServicesTests {
|
||||
|
||||
//~ Inner Classes ==================================================================================================
|
||||
|
||||
private class MockRememberMeServices extends AbstractRememberMeServices {
|
||||
static class MockRememberMeServices extends AbstractRememberMeServices {
|
||||
boolean loginSuccessCalled;
|
||||
|
||||
private MockRememberMeServices() {
|
||||
MockRememberMeServices(String key, UserDetailsService userDetailsService) {
|
||||
super(key,userDetailsService);
|
||||
}
|
||||
|
||||
MockRememberMeServices() {
|
||||
setKey("key");
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user