SEC-2569: SavedRequestAwareWrapper no longer overrides getCookies()

Previously SavedRequestAwareWrapper overrode the getCookies() method. This
meant that the cookies from the original request were used instead of the
new request. In general, this does not make sense since cookies are
automatically submitted in every request by a client. Additionally, this
caused problems with using a locale cookie that was specified after the
secured page was requested.

Now SavedRequestAwareWrapper uses the new incoming request for determining
the cookies.
This commit is contained in:
Rob Winch
2014-11-18 13:08:00 -06:00
parent 97df23e3b5
commit fa9e7999da
3 changed files with 6 additions and 118 deletions

View File

@@ -23,13 +23,16 @@ public class SavedRequestAwareWrapperTests {
return new SavedRequestAwareWrapper(saved, requestToWrap);
}
// SEC-2569
@Test
public void savedRequestCookiesAreReturnedIfSavedRequestIsSet() throws Exception {
public void savedRequestCookiesAreIgnored() throws Exception {
MockHttpServletRequest newRequest = new MockHttpServletRequest();
newRequest.setCookies(new Cookie[] {new Cookie("cookie", "fromnew")});
MockHttpServletRequest savedRequest = new MockHttpServletRequest();
savedRequest.setCookies(new Cookie[] {new Cookie("cookie", "fromsaved")});
SavedRequestAwareWrapper wrapper = createWrapper(savedRequest, new MockHttpServletRequest());
SavedRequestAwareWrapper wrapper = createWrapper(savedRequest, newRequest);
assertEquals(1, wrapper.getCookies().length);
assertEquals("fromsaved", wrapper.getCookies()[0].getValue());
assertEquals("fromnew", wrapper.getCookies()[0].getValue());
}
@Test