
SEC-2036: Set cookie path to / when default context path in CookieClearingLogoutHandler

Rob Winch 13 년 전
부모
커밋
0a2fa03160

+ 6 - 1
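--- a/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
@@ -7,6 +7,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * A logout handler which clears a defined list of cookies, using the context path as the
@@ -26,7 +27,11 @@ public final class CookieClearingLogoutHandler implements LogoutHandler {
     public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
         for (String cookieName : cookiesToClear) {
             Cookie cookie = new Cookie(cookieName, null);
-            cookie.setPath(request.getContextPath());
+            String cookiePath = request.getContextPath();
+            if(!StringUtils.hasLength(cookiePath)) {
+                cookiePath = "/";
+            }
+            cookie.setPath(cookiePath);
             cookie.setMaxAge(0);
             response.addCookie(cookie);
         }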
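Review bot: The new fallback `cookiePath = "/";` carries no explanation of why an empty context path must be rewritten, and the class Javadoc at line 25 still describes the handler as clearing on the context path alone; a comment on the branch would save the next reader a trip to the tracker, e.g. `// A root deployment reports an empty context path; send "/" so the clearing cookie's Path matches the original cookie rather than being left empty.` The motivation is presumably that a clearing cookie with an empty Path attribute would not be treated by the browser as the same cookie as one set under "/", so the original would survive logout — the commit title only hints at this. It is also worth one Javadoc sentence that only cookies whose path matches the context path (or "/") are affected, since the handler never sets a domain or any other path. As a point of style, `if(!StringUtils.hasLength(cookiePath))` drops the space after `if` that the surrounding `for (` keeps. The closing brace of `logout` lies outside the hunk.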

+ 16 - 0
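--- a/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
@@ -14,6 +14,22 @@ import org.springframework.security.core.Authentication;
  * @author Luke Taylor
  */
 public class CookieClearingLogoutHandlerTests {
+
+    // SEC-2036
+    @Test
+    public void emptyContextRootIsConverted() {
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setContextPath("");
+        CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler("my_cookie");
+        handler.logout(request, response, mock(Authentication.class));
+        assertEquals(1, response.getCookies().length);
+        for (Cookie c : response.getCookies()) {
+            assertEquals("/", c.getPath());
+            assertEquals(0, c.getMaxAge());
+        }
+    }
+
     @Test
     public void configuredCookiesAreCleared() {
         MockHttpServletResponse response = new MockHttpServletResponse();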
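Review bot: The new test `emptyContextRootIsConverted` asserts the path and max-age of the cleared cookie but never its name, so a handler that emitted a cookie under the wrong name would still pass; add `assertEquals("my_cookie", c.getName());` inside the loop. Since `assertEquals(1, response.getCookies().length)` already pins a single cookie, the loop could be replaced by a direct lookup such as `response.getCookie("my_cookie")`, which would make the name assertion implicit, though that is a matter of taste. The test class continues outside the hunk.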