Add reactive interfaces for CSRF request handling
Issue gh-11959
This commit is contained in:
Steve Riesenberg
+18
@@ -147,6 +147,8 @@ import org.springframework.security.web.server.context.WebSessionServerSecurityC
|
||||
import org.springframework.security.web.server.csrf.CsrfServerLogoutHandler;
|
||||
import org.springframework.security.web.server.csrf.CsrfWebFilter;
|
||||
import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository;
|
||||
import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestAttributeHandler;
|
||||
import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler;
|
||||
import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository;
|
||||
import org.springframework.security.web.server.header.CacheControlServerHttpHeadersWriter;
|
||||
import org.springframework.security.web.server.header.CompositeServerHttpHeadersWriter;
|
||||
@@ -1852,12 +1854,28 @@ public class ServerHttpSecurity {
|
||||
* @param enabled true if should read from multipart form body, else false.
|
||||
* Default is false
|
||||
* @return the {@link CsrfSpec} for additional configuration
|
||||
* @deprecated Use
|
||||
* {@link ServerCsrfTokenRequestAttributeHandler#setTokenFromMultipartDataEnabled(boolean)}
|
||||
* instead
|
||||
*/
|
||||
@Deprecated
|
||||
public CsrfSpec tokenFromMultipartDataEnabled(boolean enabled) {
|
||||
this.filter.setTokenFromMultipartDataEnabled(enabled);
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Specifies a {@link ServerCsrfTokenRequestHandler} that is used to make the
|
||||
* {@code CsrfToken} available as an exchange attribute.
|
||||
* @param requestHandler the {@link ServerCsrfTokenRequestHandler} to use
|
||||
* @return the {@link CsrfSpec} for additional configuration
|
||||
* @since 5.8
|
||||
*/
|
||||
public CsrfSpec csrfTokenRequestHandler(ServerCsrfTokenRequestHandler requestHandler) {
|
||||
this.filter.setRequestHandler(requestHandler);
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Allows method chaining to continue configuring the {@link ServerHttpSecurity}
|
||||
* @return the {@link ServerHttpSecurity} to continue configuring
|
||||
|
||||
+7
-1
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -19,6 +19,7 @@ package org.springframework.security.config.web.server
|
||||
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler
|
||||
import org.springframework.security.web.server.csrf.CsrfWebFilter
|
||||
import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository
|
||||
import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler
|
||||
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher
|
||||
|
||||
/**
|
||||
@@ -33,13 +34,17 @@ import org.springframework.security.web.server.util.matcher.ServerWebExchangeMat
|
||||
* is enabled.
|
||||
* @property tokenFromMultipartDataEnabled if true, the [CsrfWebFilter] should try to resolve the actual CSRF
|
||||
* token from the body of multipart data requests.
|
||||
* @property csrfTokenRequestHandler the [ServerCsrfTokenRequestHandler] that is used to make the CSRF token
|
||||
* available as an exchange attribute
|
||||
*/
|
||||
@ServerSecurityMarker
|
||||
class ServerCsrfDsl {
|
||||
var accessDeniedHandler: ServerAccessDeniedHandler? = null
|
||||
var csrfTokenRepository: ServerCsrfTokenRepository? = null
|
||||
var requireCsrfProtectionMatcher: ServerWebExchangeMatcher? = null
|
||||
@Deprecated("Use 'csrfTokenRequestHandler' instead")
|
||||
var tokenFromMultipartDataEnabled: Boolean? = null
|
||||
var csrfTokenRequestHandler: ServerCsrfTokenRequestHandler? = null
|
||||
|
||||
private var disabled = false
|
||||
|
||||
@@ -56,6 +61,7 @@ class ServerCsrfDsl {
|
||||
csrfTokenRepository?.also { csrf.csrfTokenRepository(csrfTokenRepository) }
|
||||
requireCsrfProtectionMatcher?.also { csrf.requireCsrfProtectionMatcher(requireCsrfProtectionMatcher) }
|
||||
tokenFromMultipartDataEnabled?.also { csrf.tokenFromMultipartDataEnabled(tokenFromMultipartDataEnabled!!) }
|
||||
csrfTokenRequestHandler?.also { csrf.csrfTokenRequestHandler(csrfTokenRequestHandler) }
|
||||
if (disabled) {
|
||||
csrf.disable()
|
||||
}
|
||||
|
||||
+27
-1
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -64,8 +64,11 @@ import org.springframework.security.web.server.context.SecurityContextServerWebE
|
||||
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
|
||||
import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
|
||||
import org.springframework.security.web.server.csrf.CsrfServerLogoutHandler;
|
||||
import org.springframework.security.web.server.csrf.CsrfToken;
|
||||
import org.springframework.security.web.server.csrf.CsrfWebFilter;
|
||||
import org.springframework.security.web.server.csrf.DefaultCsrfToken;
|
||||
import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository;
|
||||
import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler;
|
||||
import org.springframework.security.web.server.savedrequest.ServerRequestCache;
|
||||
import org.springframework.security.web.server.savedrequest.WebSessionServerRequestCache;
|
||||
import org.springframework.test.util.ReflectionTestUtils;
|
||||
@@ -84,6 +87,7 @@ import static org.mockito.ArgumentMatchers.anyString;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.spy;
|
||||
import static org.mockito.Mockito.times;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyNoMoreInteractions;
|
||||
import static org.springframework.security.config.Customizer.withDefaults;
|
||||
@@ -500,6 +504,28 @@ public class ServerHttpSecurityTests {
|
||||
verify(customServerCsrfTokenRepository).loadToken(any());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void postWhenCustomRequestHandlerThenUsed() {
|
||||
CsrfToken csrfToken = new DefaultCsrfToken("headerName", "paramName", "tokenValue");
|
||||
given(this.csrfTokenRepository.loadToken(any(ServerWebExchange.class))).willReturn(Mono.just(csrfToken));
|
||||
given(this.csrfTokenRepository.generateToken(any(ServerWebExchange.class))).willReturn(Mono.empty());
|
||||
ServerCsrfTokenRequestHandler requestHandler = mock(ServerCsrfTokenRequestHandler.class);
|
||||
given(requestHandler.resolveCsrfTokenValue(any(ServerWebExchange.class), any(CsrfToken.class)))
|
||||
.willReturn(Mono.just(csrfToken.getToken()));
|
||||
// @formatter:off
|
||||
this.http.csrf((csrf) -> csrf
|
||||
.csrfTokenRepository(this.csrfTokenRepository)
|
||||
.csrfTokenRequestHandler(requestHandler)
|
||||
);
|
||||
// @formatter:on
|
||||
WebTestClient client = buildClient();
|
||||
client.post().uri("/").exchange().expectStatus().isOk();
|
||||
verify(this.csrfTokenRepository, times(2)).loadToken(any(ServerWebExchange.class));
|
||||
verify(this.csrfTokenRepository).generateToken(any(ServerWebExchange.class));
|
||||
verify(requestHandler).handle(any(ServerWebExchange.class), any());
|
||||
verify(requestHandler).resolveCsrfTokenValue(any(ServerWebExchange.class), any());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldConfigureRequestCacheForOAuth2LoginAuthenticationEntryPointAndSuccessHandler() {
|
||||
ServerRequestCache requestCache = spy(new WebSessionServerRequestCache());
|
||||
|
||||
+55
-1
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -24,6 +24,7 @@ import org.junit.jupiter.api.extension.ExtendWith
|
||||
import org.springframework.beans.factory.annotation.Autowired
|
||||
import org.springframework.context.ApplicationContext
|
||||
import org.springframework.context.annotation.Bean
|
||||
import org.springframework.context.annotation.Configuration
|
||||
import org.springframework.http.MediaType
|
||||
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
|
||||
import org.springframework.security.config.test.SpringTestContext
|
||||
@@ -33,6 +34,8 @@ import org.springframework.security.web.server.authorization.ServerAccessDeniedH
|
||||
import org.springframework.security.web.server.csrf.CsrfToken
|
||||
import org.springframework.security.web.server.csrf.DefaultCsrfToken
|
||||
import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository
|
||||
import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestAttributeHandler
|
||||
import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler
|
||||
import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository
|
||||
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher
|
||||
import org.springframework.test.web.reactive.server.WebTestClient
|
||||
@@ -299,4 +302,55 @@ class ServerCsrfDslTests {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
fun `csrf when custom request handler then handler used`() {
|
||||
this.spring.register(CustomRequestHandlerConfig::class.java).autowire()
|
||||
mockkObject(CustomRequestHandlerConfig.REPOSITORY)
|
||||
every {
|
||||
CustomRequestHandlerConfig.REPOSITORY.loadToken(any())
|
||||
} returns Mono.just(this.token)
|
||||
mockkObject(CustomRequestHandlerConfig.HANDLER)
|
||||
every {
|
||||
CustomRequestHandlerConfig.HANDLER.handle(any(), any())
|
||||
} returns Unit
|
||||
every {
|
||||
CustomRequestHandlerConfig.HANDLER.resolveCsrfTokenValue(any(), any())
|
||||
} returns Mono.just(this.token.token)
|
||||
|
||||
this.client.post()
|
||||
.uri("/")
|
||||
.exchange()
|
||||
.expectStatus().isOk
|
||||
verify(exactly = 2) { CustomRequestHandlerConfig.REPOSITORY.loadToken(any()) }
|
||||
verify(exactly = 1) { CustomRequestHandlerConfig.HANDLER.resolveCsrfTokenValue(any(), any()) }
|
||||
verify(exactly = 1) { CustomRequestHandlerConfig.HANDLER.handle(any(), any()) }
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@EnableWebFluxSecurity
|
||||
@EnableWebFlux
|
||||
open class CustomRequestHandlerConfig {
|
||||
companion object {
|
||||
val REPOSITORY: ServerCsrfTokenRepository = WebSessionServerCsrfTokenRepository()
|
||||
val HANDLER: ServerCsrfTokenRequestHandler = ServerCsrfTokenRequestAttributeHandler()
|
||||
}
|
||||
|
||||
@Bean
|
||||
open fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
|
||||
return http {
|
||||
csrf {
|
||||
csrfTokenRepository = REPOSITORY
|
||||
csrfTokenRequestHandler = HANDLER
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@RestController
|
||||
internal class TestController {
|
||||
@PostMapping("/")
|
||||
fun home() {
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user