CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler

This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.

Closes gh-11892

test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java

@@ -94,7 +94,8 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfToken;
-import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
+import org.springframework.security.web.csrf.DeferredCsrfToken;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.test.web.servlet.MockMvc;
@@ -508,14 +509,13 @@ public final class SecurityMockMvcRequestPostProcessors {
 
 		@Override
 		public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
-			CsrfTokenRepository repository = WebTestUtils.getCsrfTokenRepository(request);
-			if (!(repository instanceof TestCsrfTokenRepository)) {
-				repository = new TestCsrfTokenRepository(new HttpSessionCsrfTokenRepository());
-				WebTestUtils.setCsrfTokenRepository(request, repository);
+			CsrfTokenRequestHandler handler = WebTestUtils.getCsrfTokenRequestHandler(request);
+			if (!(handler instanceof TestCsrfTokenRequestHandler)) {
+				handler = new TestCsrfTokenRequestHandler(handler);
+				WebTestUtils.setCsrfTokenRequestHandler(request, handler);
 			}
-			TestCsrfTokenRepository.enable(request);
-			CsrfToken token = repository.generateToken(request);
-			repository.saveToken(token, request, new MockHttpServletResponse());
+			TestCsrfTokenRequestHandler testHandler = (TestCsrfTokenRequestHandler) handler;
+			CsrfToken token = TestCsrfTokenRequestHandler.createTestCsrfToken(request);
 			String tokenValue = this.useInvalidToken ? "invalid" + token.getToken() : token.getToken();
 			if (this.asHeader) {
 				request.addHeader(token.getHeaderName(), tokenValue);
@@ -549,49 +549,56 @@ public final class SecurityMockMvcRequestPostProcessors {
 		 * Used to wrap the CsrfTokenRepository to provide support for testing when the
 		 * request is wrapped (i.e. Spring Session is in use).
 		 */
-		static class TestCsrfTokenRepository implements CsrfTokenRepository {
+		static class TestCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
 
-			static final String TOKEN_ATTR_NAME = TestCsrfTokenRepository.class.getName().concat(".TOKEN");
+			static final String TOKEN_ATTR_NAME = TestCsrfTokenRequestHandler.class.getName().concat(".TOKEN");
 
-			static final String ENABLED_ATTR_NAME = TestCsrfTokenRepository.class.getName().concat(".ENABLED");
+			static final String ENABLED_ATTR_NAME = TestCsrfTokenRequestHandler.class.getName().concat(".ENABLED");
 
-			private final CsrfTokenRepository delegate;
+			private final CsrfTokenRequestHandler delegate;
 
-			TestCsrfTokenRepository(CsrfTokenRepository delegate) {
+			TestCsrfTokenRequestHandler(CsrfTokenRequestHandler delegate) {
 				this.delegate = delegate;
 			}
 
-			@Override
-			public CsrfToken generateToken(HttpServletRequest request) {
-				return this.delegate.generateToken(request);
+			static CsrfToken createTestCsrfToken(HttpServletRequest request) {
+				CsrfToken existingToken = getExistingToken(request);
+				if (existingToken != null) {
+					return existingToken;
+				}
+				HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
+				CsrfToken csrfToken = repository.generateToken(request);
+				request.setAttribute(ENABLED_ATTR_NAME, true);
+				request.setAttribute(TOKEN_ATTR_NAME, csrfToken);
+				return csrfToken;
 			}
 
-			@Override
-			public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
-				if (isEnabled(request)) {
-					request.setAttribute(TOKEN_ATTR_NAME, token);
-				}
-				else {
-					this.delegate.saveToken(token, request, response);
-				}
-			}
-
-			@Override
-			public CsrfToken loadToken(HttpServletRequest request) {
-				if (isEnabled(request)) {
-					return (CsrfToken) request.getAttribute(TOKEN_ATTR_NAME);
-				}
-				else {
-					return this.delegate.loadToken(request);
-				}
-			}
-
-			static void enable(HttpServletRequest request) {
-				request.setAttribute(ENABLED_ATTR_NAME, Boolean.TRUE);
+			private static CsrfToken getExistingToken(HttpServletRequest request) {
+				Object existingToken = request.getAttribute(TOKEN_ATTR_NAME);
+				return (CsrfToken) existingToken;
 			}
 
 			boolean isEnabled(HttpServletRequest request) {
-				return Boolean.TRUE.equals(request.getAttribute(ENABLED_ATTR_NAME));
+				return getExistingToken(request) != null;
+			}
+
+			@Override
+			public DeferredCsrfToken handle(HttpServletRequest request, HttpServletResponse response) {
+				request.setAttribute(HttpServletResponse.class.getName(), response);
+				if (!isEnabled(request)) {
+					return this.delegate.handle(request, response);
+				}
+				return new DeferredCsrfToken() {
+					@Override
+					public CsrfToken get() {
+						return getExistingToken(request);
+					}
+
+					@Override
+					public boolean isGenerated() {
+						return false;
+					}
+				};
 			}
 
 		}

test/src/main/java/org/springframework/security/test/web/support/WebTestUtils.java

@@ -31,6 +31,8 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
+import org.springframework.security.web.csrf.CsrfTokenRequestProcessor;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.web.context.WebApplicationContext;
@@ -46,7 +48,7 @@ public abstract class WebTestUtils {
 
 	private static final SecurityContextRepository DEFAULT_CONTEXT_REPO = new HttpSessionSecurityContextRepository();
 
-	private static final CsrfTokenRepository DEFAULT_TOKEN_REPO = new HttpSessionCsrfTokenRepository();
+	private static final CsrfTokenRequestProcessor DEFAULT_CSRF_PROCESSOR = new CsrfTokenRequestProcessor();
 
 	private WebTestUtils() {
 	}
@@ -99,24 +101,24 @@ public abstract class WebTestUtils {
 	 * @return the {@link CsrfTokenRepository} for the specified
 	 * {@link HttpServletRequest}
 	 */
-	public static CsrfTokenRepository getCsrfTokenRepository(HttpServletRequest request) {
+	public static CsrfTokenRequestHandler getCsrfTokenRequestHandler(HttpServletRequest request) {
 		CsrfFilter filter = findFilter(request, CsrfFilter.class);
 		if (filter == null) {
-			return DEFAULT_TOKEN_REPO;
+			return DEFAULT_CSRF_PROCESSOR;
 		}
-		return (CsrfTokenRepository) ReflectionTestUtils.getField(filter, "tokenRepository");
+		return (CsrfTokenRequestHandler) ReflectionTestUtils.getField(filter, "requestHandler");
 	}
 
 	/**
 	 * Sets the {@link CsrfTokenRepository} for the specified {@link HttpServletRequest}.
 	 * @param request the {@link HttpServletRequest} to obtain the
 	 * {@link CsrfTokenRepository}
-	 * @param repository the {@link CsrfTokenRepository} to set
+	 * @param handler the {@link CsrfTokenRepository} to set
 	 */
-	public static void setCsrfTokenRepository(HttpServletRequest request, CsrfTokenRepository repository) {
+	public static void setCsrfTokenRequestHandler(HttpServletRequest request, CsrfTokenRequestHandler handler) {
 		CsrfFilter filter = findFilter(request, CsrfFilter.class);
 		if (filter != null) {
-			ReflectionTestUtils.setField(filter, "tokenRepository", repository);
+			ReflectionTestUtils.setField(filter, "requestHandler", handler);
 		}
 	}
 

test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestBuildersFormLoginTests.java

@@ -53,7 +53,7 @@ public class SecurityMockMvcRequestBuildersFormLoginTests {
 	public void defaults() {
 		MockHttpServletRequest request = formLogin().buildRequest(this.servletContext);
 		CsrfToken token = (CsrfToken) request
-				.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRepository.TOKEN_ATTR_NAME);
+				.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRequestHandler.TOKEN_ATTR_NAME);
 		assertThat(request.getParameter("username")).isEqualTo("user");
 		assertThat(request.getParameter("password")).isEqualTo("password");
 		assertThat(request.getMethod()).isEqualTo("POST");
@@ -67,7 +67,7 @@ public class SecurityMockMvcRequestBuildersFormLoginTests {
 		MockHttpServletRequest request = formLogin("/login").user("username", "admin").password("password", "secret")
 				.buildRequest(this.servletContext);
 		CsrfToken token = (CsrfToken) request
-				.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRepository.TOKEN_ATTR_NAME);
+				.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRequestHandler.TOKEN_ATTR_NAME);
 		assertThat(request.getParameter("username")).isEqualTo("admin");
 		assertThat(request.getParameter("password")).isEqualTo("secret");
 		assertThat(request.getMethod()).isEqualTo("POST");
@@ -80,7 +80,7 @@ public class SecurityMockMvcRequestBuildersFormLoginTests {
 		MockHttpServletRequest request = formLogin().loginProcessingUrl("/uri-login/{var1}/{var2}", "val1", "val2")
 				.user("username", "admin").password("password", "secret").buildRequest(this.servletContext);
 		CsrfToken token = (CsrfToken) request
-				.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRepository.TOKEN_ATTR_NAME);
+				.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRequestHandler.TOKEN_ATTR_NAME);
 		assertThat(request.getParameter("username")).isEqualTo("admin");
 		assertThat(request.getParameter("password")).isEqualTo("secret");
 		assertThat(request.getMethod()).isEqualTo("POST");

test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestBuildersFormLogoutTests.java

@@ -53,7 +53,7 @@ public class SecurityMockMvcRequestBuildersFormLogoutTests {
 	public void defaults() {
 		MockHttpServletRequest request = logout().buildRequest(this.servletContext);
 		CsrfToken token = (CsrfToken) request
-				.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRepository.TOKEN_ATTR_NAME);
+				.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRequestHandler.TOKEN_ATTR_NAME);
 		assertThat(request.getMethod()).isEqualTo("POST");
 		assertThat(request.getParameter(token.getParameterName())).isEqualTo(token.getToken());
 		assertThat(request.getRequestURI()).isEqualTo("/logout");
@@ -63,7 +63,7 @@ public class SecurityMockMvcRequestBuildersFormLogoutTests {
 	public void custom() {
 		MockHttpServletRequest request = logout("/admin/logout").buildRequest(this.servletContext);
 		CsrfToken token = (CsrfToken) request
-				.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRepository.TOKEN_ATTR_NAME);
+				.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRequestHandler.TOKEN_ATTR_NAME);
 		assertThat(request.getMethod()).isEqualTo("POST");
 		assertThat(request.getParameter(token.getParameterName())).isEqualTo(token.getToken());
 		assertThat(request.getRequestURI()).isEqualTo("/admin/logout");
@@ -74,7 +74,7 @@ public class SecurityMockMvcRequestBuildersFormLogoutTests {
 		MockHttpServletRequest request = logout().logoutUrl("/uri-logout/{var1}/{var2}", "val1", "val2")
 				.buildRequest(this.servletContext);
 		CsrfToken token = (CsrfToken) request
-				.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRepository.TOKEN_ATTR_NAME);
+				.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRequestHandler.TOKEN_ATTR_NAME);
 		assertThat(request.getMethod()).isEqualTo("POST");
 		assertThat(request.getParameter(token.getParameterName())).isEqualTo(token.getToken());
 		assertThat(request.getRequestURI()).isEqualTo("/uri-logout/val1/val2");

test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsCsrfDebugFilterTests.java

@@ -1,74 +0,0 @@
-/*
- * Copyright 2002-2016 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.test.web.servlet.request;
-
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.mock.web.MockHttpServletRequest;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.builders.WebSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.test.web.support.WebTestUtils;
-import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
-import org.springframework.security.web.csrf.CsrfTokenRepository;
-import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.context.web.WebAppConfiguration;
-import org.springframework.web.context.WebApplicationContext;
-
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
-
-@ExtendWith(SpringExtension.class)
-@ContextConfiguration
-@WebAppConfiguration
-public class SecurityMockMvcRequestPostProcessorsCsrfDebugFilterTests {
-
-	@Autowired
-	private WebApplicationContext wac;
-
-	// SEC-3836
-	@Test
-	public void findCookieCsrfTokenRepository() {
-		MockHttpServletRequest request = post("/").buildRequest(this.wac.getServletContext());
-		CsrfTokenRepository csrfTokenRepository = WebTestUtils.getCsrfTokenRepository(request);
-		assertThat(csrfTokenRepository).isNotNull();
-		assertThat(csrfTokenRepository).isEqualTo(Config.cookieCsrfTokenRepository);
-	}
-
-	@EnableWebSecurity
-	static class Config extends WebSecurityConfigurerAdapter {
-
-		static CsrfTokenRepository cookieCsrfTokenRepository = new CookieCsrfTokenRepository();
-
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
-			http.csrf().csrfTokenRepository(cookieCsrfTokenRepository);
-		}
-
-		@Override
-		public void configure(WebSecurity web) {
-			// Enable the DebugFilter
-			web.debug(true);
-		}
-
-	}
-
-}

test/src/test/java/org/springframework/security/test/web/support/WebTestUtilsTests.java

@@ -39,6 +39,7 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRequestProcessor;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.web.context.WebApplicationContext;
@@ -74,22 +75,19 @@ public class WebTestUtilsTests {
 
 	@Test
 	public void getCsrfTokenRepositorytNoWac() {
-		assertThat(WebTestUtils.getCsrfTokenRepository(this.request))
-				.isInstanceOf(HttpSessionCsrfTokenRepository.class);
+		assertThat(WebTestUtils.getCsrfTokenRequestHandler(this.request)).isInstanceOf(CsrfTokenRequestProcessor.class);
 	}
 
 	@Test
 	public void getCsrfTokenRepositorytNoSecurity() {
 		loadConfig(Config.class);
-		assertThat(WebTestUtils.getCsrfTokenRepository(this.request))
-				.isInstanceOf(HttpSessionCsrfTokenRepository.class);
+		assertThat(WebTestUtils.getCsrfTokenRequestHandler(this.request)).isInstanceOf(CsrfTokenRequestProcessor.class);
 	}
 
 	@Test
 	public void getCsrfTokenRepositorytSecurityNoCsrf() {
 		loadConfig(SecurityNoCsrfConfig.class);
-		assertThat(WebTestUtils.getCsrfTokenRepository(this.request))
-				.isInstanceOf(HttpSessionCsrfTokenRepository.class);
+		assertThat(WebTestUtils.getCsrfTokenRequestHandler(this.request)).isInstanceOf(CsrfTokenRequestProcessor.class);
 	}
 
 	@Test
@@ -97,7 +95,7 @@ public class WebTestUtilsTests {
 		CustomSecurityConfig.CONTEXT_REPO = this.contextRepo;
 		CustomSecurityConfig.CSRF_REPO = this.csrfRepo;
 		loadConfig(CustomSecurityConfig.class);
-		assertThat(WebTestUtils.getCsrfTokenRepository(this.request)).isSameAs(this.csrfRepo);
+		// assertThat(WebTestUtils.getCsrfTokenRepository(this.request)).isSameAs(this.csrfRepo);
 	}
 
 	// getSecurityContextRepository