Skip to content

Add reactive handle method to ServerCsrfTokenRequestHandler #18558

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
therepanic wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add reactive handle method to ServerCsrfTokenRequestHandler #18558

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion ...src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -552,6 +552,7 @@ public void postWhenCustomRequestHandlerThenUsed() {
given(this.csrfTokenRepository.loadToken(any(ServerWebExchange.class))).willReturn(Mono.just(csrfToken));
given(this.csrfTokenRepository.generateToken(any(ServerWebExchange.class))).willReturn(Mono.empty());
ServerCsrfTokenRequestHandler requestHandler = mock(ServerCsrfTokenRequestHandler.class);
given(requestHandler.handleAsync(any(ServerWebExchange.class), any())).willReturn(Mono.empty());
given(requestHandler.resolveCsrfTokenValue(any(ServerWebExchange.class), any(CsrfToken.class)))
.willReturn(Mono.just(csrfToken.getToken()));
// @formatter:off
Expand All @@ -564,7 +565,7 @@ public void postWhenCustomRequestHandlerThenUsed() {
client.post().uri("/").exchange().expectStatus().isOk();
verify(this.csrfTokenRepository, times(2)).loadToken(any(ServerWebExchange.class));
verify(this.csrfTokenRepository).generateToken(any(ServerWebExchange.class));
verify(requestHandler).handle(any(ServerWebExchange.class), any());
verify(requestHandler).handleAsync(any(ServerWebExchange.class), any());
verify(requestHandler).resolveCsrfTokenValue(any(ServerWebExchange.class), any());
}

Expand Down
4 changes: 2 additions & 2 deletions web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,7 @@
* @author Rob Winch
* @author Parikshit Dutta
* @author Steve Riesenberg
* @author Andrey Litvitski
* @since 5.0
*/
public class CsrfWebFilter implements WebFilter {
Expand Down Expand Up @@ -147,8 +148,7 @@ private Mono<Boolean> containsValidCsrfToken(ServerWebExchange exchange, CsrfTok
private Mono<Void> continueFilterChain(ServerWebExchange exchange, WebFilterChain chain) {
return Mono.defer(() -> {
Mono<CsrfToken> csrfToken = csrfToken(exchange);
this.requestHandler.handle(exchange, csrfToken);
return chain.filter(exchange);
return this.requestHandler.handleAsync(exchange, csrfToken).then(chain.filter(exchange));
});
}

Expand Down
15 changes: 15 additions & 0 deletions ...main/java/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
* made available to the application through exchange attributes.
*
* @author Steve Riesenberg
* @author Andrey Litvitski
* @since 5.8
* @see ServerCsrfTokenRequestAttributeHandler
*/
Expand All @@ -40,9 +41,23 @@ public interface ServerCsrfTokenRequestHandler extends ServerCsrfTokenRequestRes
* @param exchange the {@code ServerWebExchange} with the request being handled
* @param csrfToken the {@code Mono<CsrfToken>} created by the
* {@link ServerCsrfTokenRepository}
* @deprecated since 7.0 in favor of {@link #handleAsync(ServerWebExchange, Mono)}
*/
@Deprecated(since = "7.0", forRemoval = true)
void handle(ServerWebExchange exchange, Mono<CsrfToken> csrfToken);

/**
* Handles a request using a {@link CsrfToken}.
* @param exchange the {@code ServerWebExchange} with the request being handled
* @param csrfToken the {@code Mono<CsrfToken>} created by the
* {@link ServerCsrfTokenRepository}
* @return a {@code Mono} that completes when handling is finished
*/
default Mono<Void> handleAsync(ServerWebExchange exchange, Mono<CsrfToken> csrfToken) {
handle(exchange, csrfToken);
return Mono.empty();
}

@Override
default Mono<String> resolveCsrfTokenValue(ServerWebExchange exchange, CsrfToken csrfToken) {
Assert.notNull(exchange, "exchange cannot be null");
Expand Down
3 changes: 2 additions & 1 deletion web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -164,6 +164,7 @@ public void filterWhenPostAndEstablishedCsrfTokenAndHeaderValidTokenThenContinue
@Test
public void filterWhenRequestHandlerSetThenUsed() {
ServerCsrfTokenRequestHandler requestHandler = mock(ServerCsrfTokenRequestHandler.class);
given(requestHandler.handleAsync(any(ServerWebExchange.class), any())).willReturn(Mono.empty());
given(requestHandler.resolveCsrfTokenValue(any(ServerWebExchange.class), any(CsrfToken.class)))
.willReturn(Mono.just(this.token.getToken()));
this.csrfFilter.setRequestHandler(requestHandler);
Expand All @@ -179,7 +180,7 @@ public void filterWhenRequestHandlerSetThenUsed() {
StepVerifier.create(result).verifyComplete();
chainResult.assertWasSubscribed();

verify(requestHandler).handle(eq(this.post), any());
verify(requestHandler).handleAsync(eq(this.post), any());
verify(requestHandler).resolveCsrfTokenValue(this.post, this.token);
}

Expand Down
Loading