Description
Describe the bug
This issue was already mentionend in #12813, but the comment to resolve it is not addressing the actual problem.
A CookieCsrfTokenRepository is in particular used with SPAs:
https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#csrf-integration-javascript-spa
So given an SPA, the first request to some endpoint (even a GET endpoint) should set a cookie that is later on used in POST requests along with a form field _csrf.
When the CsrfRepository set in production code is not honored by tests, then we cannot test the correct return of CsrfTokens using Cookies and we get coupled tests that work in Isolation but do not work, when org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.CsrfRequestPostProcessor is used.
To Reproduce
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
// ...
.csrf((csrf) -> csrf
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler())
);
return http.build();
}
}
final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
private final CsrfTokenRequestHandler plain = new CsrfTokenRequestAttributeHandler();
private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, Supplier<CsrfToken> csrfToken) {
/*
* Always use XorCsrfTokenRequestAttributeHandler to provide BREACH protection of
* the CsrfToken when it is rendered in the response body.
*/
this.xor.handle(request, response, csrfToken);
/*
* Render the token value to a cookie by causing the deferred token to be loaded.
*/
csrfToken.get();
}
@Override
public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
String headerValue = request.getHeader(csrfToken.getHeaderName());
/*
* If the request contains a request header, use CsrfTokenRequestAttributeHandler
* to resolve the CsrfToken. This applies when a single-page application includes
* the header value automatically, which was obtained via a cookie containing the
* raw CsrfToken.
*
* In all other cases (e.g. if the request contains a request parameter), use
* XorCsrfTokenRequestAttributeHandler to resolve the CsrfToken. This applies
* when a server-side rendered form includes the _csrf request parameter as a
* hidden input.
*/
return (StringUtils.hasText(headerValue) ? this.plain : this.xor).resolveCsrfTokenValue(request, csrfToken);
}
}
With tests:
@Test
void returns_xsrf_cookie() throws Exception {
mockMvc.perform(get("/logout"))
.andExpect(status().isOk())
.andExpect(cookie().httpOnly("XSRF-TOKEN", false));
}
@Test
void logout_post_redirectsToOauthLogout() throws Exception {
mockMvc.perform(post("/logout").with(csrf()))
.andExpect(status().is3xxRedirection());
}
Actual behaviour: returns_xsrf_cookiefails because no token is set in a Cookie because .with(csrf()) calls the lines
if (!(repository instanceof TestCsrfTokenRepository)) {
repository = new TestCsrfTokenRepository(new HttpSessionCsrfTokenRepository());
WebTestUtils.setCsrfTokenRepository(request, repository);
}
Expected behavior
Both tests are green.