Make Csrf cookie secure flag configurable (WebFlux)
Make the XSRF-TOKEN cookie secure flag configurable in CookieServerCsrfTokenRepository. Closes gh-9678
This commit is contained in:
committed by
Eleftheria Stein-Kousathana
parent
006b9b9607
commit
e2993d93e1
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -16,12 +16,15 @@
|
||||
|
||||
package org.springframework.security.web.server.csrf;
|
||||
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.time.Duration;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.http.HttpCookie;
|
||||
import org.springframework.http.ResponseCookie;
|
||||
import org.springframework.http.server.reactive.SslInfo;
|
||||
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
|
||||
import org.springframework.mock.web.server.MockServerWebExchange;
|
||||
import org.springframework.util.StringUtils;
|
||||
@@ -30,13 +33,14 @@ import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
/**
|
||||
* @author Eric Deandrea
|
||||
* @author Thomas Vitale
|
||||
* @since 5.1
|
||||
*/
|
||||
public class CookieServerCsrfTokenRepositoryTests {
|
||||
|
||||
private MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/someUri"));
|
||||
private CookieServerCsrfTokenRepository csrfTokenRepository;
|
||||
|
||||
private CookieServerCsrfTokenRepository csrfTokenRepository = new CookieServerCsrfTokenRepository();
|
||||
private MockServerHttpRequest.BaseBuilder<?> request;
|
||||
|
||||
private String expectedHeaderName = CookieServerCsrfTokenRepository.DEFAULT_CSRF_HEADER_NAME;
|
||||
|
||||
@@ -56,6 +60,12 @@ public class CookieServerCsrfTokenRepositoryTests {
|
||||
|
||||
private String expectedCookieValue = "csrfToken";
|
||||
|
||||
@Before
|
||||
public void setUp() {
|
||||
this.csrfTokenRepository = new CookieServerCsrfTokenRepository();
|
||||
this.request = MockServerHttpRequest.get("/someUri");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void generateTokenWhenDefaultThenDefaults() {
|
||||
generateTokenAndAssertExpectedValues();
|
||||
@@ -82,8 +92,9 @@ public class CookieServerCsrfTokenRepositoryTests {
|
||||
|
||||
@Test
|
||||
public void saveTokenWhenNoSubscriptionThenNotWritten() {
|
||||
this.csrfTokenRepository.saveToken(this.exchange, createToken());
|
||||
assertThat(this.exchange.getResponse().getCookies().getFirst(this.expectedCookieName)).isNull();
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
this.csrfTokenRepository.saveToken(exchange, createToken());
|
||||
assertThat(exchange.getResponse().getCookies().getFirst(this.expectedCookieName)).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -112,6 +123,56 @@ public class CookieServerCsrfTokenRepositoryTests {
|
||||
saveAndAssertExpectedValues(createToken());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenWhenSslInfoPresentThenSecure() {
|
||||
this.request.sslInfo(new MockSslInfo());
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
|
||||
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
|
||||
assertThat(cookie).isNotNull();
|
||||
assertThat(cookie.isSecure()).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenWhenSslInfoNullThenNotSecure() {
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
|
||||
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
|
||||
assertThat(cookie).isNotNull();
|
||||
assertThat(cookie.isSecure()).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenWhenSecureFlagTrueThenSecure() {
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
this.csrfTokenRepository.setSecure(true);
|
||||
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
|
||||
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
|
||||
assertThat(cookie).isNotNull();
|
||||
assertThat(cookie.isSecure()).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenWhenSecureFlagFalseThenNotSecure() {
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
this.csrfTokenRepository.setSecure(false);
|
||||
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
|
||||
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
|
||||
assertThat(cookie).isNotNull();
|
||||
assertThat(cookie.isSecure()).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenWhenSecureFlagFalseAndSslInfoThenNotSecure() {
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
this.request.sslInfo(new MockSslInfo());
|
||||
this.csrfTokenRepository.setSecure(false);
|
||||
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
|
||||
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
|
||||
assertThat(cookie).isNotNull();
|
||||
assertThat(cookie.isSecure()).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loadTokenWhenCookieExistThenTokenFound() {
|
||||
loadAndAssertExpectedValues();
|
||||
@@ -127,7 +188,8 @@ public class CookieServerCsrfTokenRepositoryTests {
|
||||
|
||||
@Test
|
||||
public void loadTokenWhenNoCookiesThenNullToken() {
|
||||
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(this.exchange).block();
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(exchange).block();
|
||||
assertThat(csrfToken).isNull();
|
||||
}
|
||||
|
||||
@@ -180,8 +242,8 @@ public class CookieServerCsrfTokenRepositoryTests {
|
||||
private void loadAndAssertExpectedValues() {
|
||||
MockServerHttpRequest.BodyBuilder request = MockServerHttpRequest.post("/someUri")
|
||||
.cookie(new HttpCookie(this.expectedCookieName, this.expectedCookieValue));
|
||||
this.exchange = MockServerWebExchange.from(request);
|
||||
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(this.exchange).block();
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(request);
|
||||
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(exchange).block();
|
||||
if (StringUtils.hasText(this.expectedCookieValue)) {
|
||||
assertThat(csrfToken).isNotNull();
|
||||
assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName);
|
||||
@@ -198,8 +260,9 @@ public class CookieServerCsrfTokenRepositoryTests {
|
||||
this.expectedMaxAge = Duration.ofSeconds(0);
|
||||
this.expectedCookieValue = "";
|
||||
}
|
||||
this.csrfTokenRepository.saveToken(this.exchange, token).block();
|
||||
ResponseCookie cookie = this.exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
this.csrfTokenRepository.saveToken(exchange, token).block();
|
||||
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
|
||||
assertThat(cookie).isNotNull();
|
||||
assertThat(cookie.getMaxAge()).isEqualTo(this.expectedMaxAge);
|
||||
assertThat(cookie.getDomain()).isEqualTo(this.expectedDomain);
|
||||
@@ -211,7 +274,8 @@ public class CookieServerCsrfTokenRepositoryTests {
|
||||
}
|
||||
|
||||
private void generateTokenAndAssertExpectedValues() {
|
||||
CsrfToken csrfToken = this.csrfTokenRepository.generateToken(this.exchange).block();
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
|
||||
CsrfToken csrfToken = this.csrfTokenRepository.generateToken(exchange).block();
|
||||
assertThat(csrfToken).isNotNull();
|
||||
assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName);
|
||||
assertThat(csrfToken.getParameterName()).isEqualTo(this.expectedParameterName);
|
||||
@@ -226,4 +290,18 @@ public class CookieServerCsrfTokenRepositoryTests {
|
||||
return new DefaultCsrfToken(headerName, parameterName, tokenValue);
|
||||
}
|
||||
|
||||
static class MockSslInfo implements SslInfo {
|
||||
|
||||
@Override
|
||||
public String getSessionId() {
|
||||
return "sessionId";
|
||||
}
|
||||
|
||||
@Override
|
||||
public X509Certificate[] getPeerCertificates() {
|
||||
return new X509Certificate[] {};
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user