Add reactive interfaces for CSRF request handling

Issue gh-11959
This commit is contained in:
Steve Riesenberg
2022-09-01 15:11:04 -05:00
parent f3321c256c
commit f4ca90e719
10 changed files with 477 additions and 29 deletions

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -64,8 +64,11 @@ import org.springframework.security.web.server.context.SecurityContextServerWebE
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
import org.springframework.security.web.server.csrf.CsrfServerLogoutHandler;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.security.web.server.csrf.CsrfWebFilter;
import org.springframework.security.web.server.csrf.DefaultCsrfToken;
import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler;
import org.springframework.security.web.server.savedrequest.ServerRequestCache;
import org.springframework.security.web.server.savedrequest.WebSessionServerRequestCache;
import org.springframework.test.util.ReflectionTestUtils;
@@ -84,6 +87,7 @@ import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoMoreInteractions;
import static org.springframework.security.config.Customizer.withDefaults;
@@ -500,6 +504,28 @@ public class ServerHttpSecurityTests {
verify(customServerCsrfTokenRepository).loadToken(any());
}
@Test
public void postWhenCustomRequestHandlerThenUsed() {
CsrfToken csrfToken = new DefaultCsrfToken("headerName", "paramName", "tokenValue");
given(this.csrfTokenRepository.loadToken(any(ServerWebExchange.class))).willReturn(Mono.just(csrfToken));
given(this.csrfTokenRepository.generateToken(any(ServerWebExchange.class))).willReturn(Mono.empty());
ServerCsrfTokenRequestHandler requestHandler = mock(ServerCsrfTokenRequestHandler.class);
given(requestHandler.resolveCsrfTokenValue(any(ServerWebExchange.class), any(CsrfToken.class)))
.willReturn(Mono.just(csrfToken.getToken()));
// @formatter:off
this.http.csrf((csrf) -> csrf
.csrfTokenRepository(this.csrfTokenRepository)
.csrfTokenRequestHandler(requestHandler)
);
// @formatter:on
WebTestClient client = buildClient();
client.post().uri("/").exchange().expectStatus().isOk();
verify(this.csrfTokenRepository, times(2)).loadToken(any(ServerWebExchange.class));
verify(this.csrfTokenRepository).generateToken(any(ServerWebExchange.class));
verify(requestHandler).handle(any(ServerWebExchange.class), any());
verify(requestHandler).resolveCsrfTokenValue(any(ServerWebExchange.class), any());
}
@Test
public void shouldConfigureRequestCacheForOAuth2LoginAuthenticationEntryPointAndSuccessHandler() {
ServerRequestCache requestCache = spy(new WebSessionServerRequestCache());