
SEC-2325: Polish CSRF Tag support

- Rename csrfField to csrfInput
- Make AbstractCsrfTag package scope
- rename FormFieldTag to CsrfInputTag
- rename MetaTagsTag to CsrfMetaTagsTag
- removed whitespace from tag output so the output is
  minimized, improving browser performance
- Update @since
- changed test names to be more meaningful
Rob Winch 11 tahun lalu
induk
melakukan
32d3e29c65

+ 4 - 4
docs/manual/src/asciidoc/index.adoc

@@ -3139,7 +3139,7 @@ The last step is to ensure that you include the CSRF token in all PATCH, POST, P
 </form>
 ----
 
-An easier approach is to use <<the-csrffield-tag,the csrfField tag>> from the Spring Security JSP tag library.
+An easier approach is to use <<the-csrfInput-tag,the csrfInput tag>> from the Spring Security JSP tag library.
 
 [NOTE]
 ====
@@ -5037,17 +5037,17 @@ The permissions are passed to the `PermissionFactory` defined in the application
 This tag also supports the `var` attribute, in the same way as the `authorize` tag.
 
 
-=== The csrfField Tag
+=== The csrfInput Tag
 If CSRF protection is enabled, this tag inserts a hidden form field with the correct name and value for the CSRF protection token. If CSRF protection is not enabled, this tag outputs nothing.
 
-Normally Spring Security automatically inserts a CSRF form field for any `<form:form>` tags you use, but if for some reason you cannot use `<form:form>`, `csrfField` is a handy replacement.
+Normally Spring Security automatically inserts a CSRF form field for any `<form:form>` tags you use, but if for some reason you cannot use `<form:form>`, `csrfInput` is a handy replacement.
 
 You should place this tag within an HTML `<form></form>` block, where you would normally place other input fields. Do NOT place this tag within a Spring `<form:form></form:form>` block—Spring Security handles Spring forms automatically.
 
 [source,xml]
 ----
     <form method="post" action="/do/something">
-        <sec:csrfField />
+        <sec:csrfInput />
         Name:<br />
         <input type="text" name="name" />
         ...

+ 2 - 2
taglibs/src/main/java/org/springframework/security/taglibs/csrf/AbstractCsrfTag.java

@@ -25,10 +25,10 @@ import java.io.IOException;
 /**
  * An abstract tag for handling CSRF operations.
  *
- * @since 3.2.1
+ * @since 3.2.2
  * @author Nick Williams
  */
-public abstract class AbstractCsrfTag extends TagSupport {
+abstract class AbstractCsrfTag extends TagSupport {
 
     @Override
     public int doEndTag() throws JspException {

+ 3 - 3
taglibs/src/main/java/org/springframework/security/taglibs/csrf/FormFieldTag.java → taglibs/src/main/java/org/springframework/security/taglibs/csrf/CsrfInputTag.java

@@ -22,14 +22,14 @@ import org.springframework.security.web.csrf.CsrfToken;
  * A JSP tag that prints out a hidden form field for the CSRF token. See the JSP Tab Library documentation for more
  * information.
  *
- * @since 3.2.1
+ * @since 3.2.2
  * @author Nick Williams
  */
-public class FormFieldTag extends AbstractCsrfTag {
+public class CsrfInputTag extends AbstractCsrfTag {
 
     @Override
     public String handleToken(CsrfToken token) {
         return "<input type=\"hidden\" name=\"" + token.getParameterName() + "\" value=\"" + token.getToken() +
-                "\" />\n";
+                "\" />";
     }
 }
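Review bot: The `return` line in `handleToken` splices `token.getParameterName()` and `token.getToken()` into HTML attribute values without any escaping, so a value containing `"`, `<` or `&` would break out of the attribute and corrupt the surrounding form markup. The default token repositories presumably emit attribute-safe values, but the `CsrfToken` interface gives no such guarantee and a custom `CsrfTokenRepository` could return anything. If spring-web's `HtmlUtils` is available to the taglibs module, emitting `HtmlUtils.htmlEscape(token.getParameterName())` and `HtmlUtils.htmlEscape(token.getToken())` closes this at the point of output; otherwise state the assumption on the method, e.g. `// assumes parameter name and token contain no quotes or angle brackets; escape here if that ever changes`. This predates the rename and whitespace change, which do not alter it.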

+ 5 - 5
taglibs/src/main/java/org/springframework/security/taglibs/csrf/MetaTagsTag.java → taglibs/src/main/java/org/springframework/security/taglibs/csrf/CsrfMetaTagsTag.java

@@ -22,15 +22,15 @@ import org.springframework.security.web.csrf.CsrfToken;
  * A JSP tag that prints out a meta tags holding the CSRF form field name and token value for use in JavaScrip code.
  * See the JSP Tab Library documentation for more information.
  *
- * @since 3.2.1
+ * @since 3.2.2
  * @author Nick Williams
  */
-public class MetaTagsTag extends AbstractCsrfTag {
+public class CsrfMetaTagsTag extends AbstractCsrfTag {
 
     @Override
     public String handleToken(CsrfToken token) {
-        return "<meta name=\"_csrf_parameter\" content=\"" + token.getParameterName() + "\" />\n" +
-                "        <meta name=\"_csrf_header\" content=\"" + token.getHeaderName() + "\" />\n" +
-                "        <meta name=\"_csrf\" content=\"" + token.getToken() + "\" />\n";
+        return "<meta name=\"_csrf_parameter\" content=\"" + token.getParameterName() + "\" />" +
+               "<meta name=\"_csrf_header\" content=\"" + token.getHeaderName() + "\" />" +
+               "<meta name=\"_csrf\" content=\"" + token.getToken() + "\" />";
     }
 }
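Review bot: The three `content` attributes on the new `return` lines interpolate `getParameterName()`, `getHeaderName()` and `getToken()` verbatim, so any of those values containing `"` or `<` would break the attribute and the surrounding `<head>` markup; the defaults are presumably attribute-safe, but `CsrfToken` does not guarantee it, so either escape at emission (`HtmlUtils.htmlEscape(...)`, if spring-web is on the taglibs classpath) or document the assumption in the method Javadoc. The class Javadoc in the context lines also has typos worth fixing in the same pass: `prints out a meta tags` → `prints out meta tags`, `JavaScrip code` → `JavaScript code`, and `JSP Tab Library` → `JSP Tag Library`. A sentence in that Javadoc noting that the token becomes readable by any script on the page, so this tag relies on the page being free of XSS, would help readers decide when to use it.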

+ 3 - 3
taglibs/src/main/resources/META-INF/security.tld

@@ -200,8 +200,8 @@
             where you would normally place other <input>s. Do NOT place this tag within a Spring <form:form></form:form>
             block—Spring Security handles Spring forms automatically.
         ]]></description>
-        <name>csrfField</name>
-        <tag-class>org.springframework.security.taglibs.csrf.FormFieldTag</tag-class>
+        <name>csrfInput</name>
+        <tag-class>org.springframework.security.taglibs.csrf.CsrfInputTag</tag-class>
         <body-content>empty</body-content>
     </tag>
 
@@ -218,7 +218,7 @@
             tag outputs nothing.
         ]]></description>
         <name>csrfMetaTags</name>
-        <tag-class>org.springframework.security.taglibs.csrf.MetaTagsTag</tag-class>
+        <tag-class>org.springframework.security.taglibs.csrf.CsrfMetaTagsTag</tag-class>
         <body-content>empty</body-content>
     </tag>
 

+ 4 - 4
taglibs/src/test/java/org/springframework/security/taglibs/csrf/AbstractCsrfTagTests.java

@@ -36,9 +36,9 @@ public class AbstractCsrfTagTests {
     }
 
     @Test
-    public void testDoEndTag01() throws JspException, UnsupportedEncodingException {
+    public void noCsrfDoesNotRender() throws JspException, UnsupportedEncodingException {
 
-        this.tag.handleReturn = "fooBarBazQux";
+        this.tag.handleReturn = "shouldNotBeRendered";
 
         int returned = this.tag.doEndTag();
 
@@ -47,7 +47,7 @@ public class AbstractCsrfTagTests {
     }
 
     @Test
-    public void testDoEndTag02() throws JspException, UnsupportedEncodingException {
+    public void hasCsrfRendersReturnedValue() throws JspException, UnsupportedEncodingException {
 
         CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
         this.request.setAttribute(CsrfToken.class.getName(), token);
@@ -62,7 +62,7 @@ public class AbstractCsrfTagTests {
     }
 
     @Test
-    public void testDoEndTag03() throws JspException, UnsupportedEncodingException {
+    public void hasCsrfRendersDifferentValue() throws JspException, UnsupportedEncodingException {
 
         CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
         this.request.setAttribute(CsrfToken.class.getName(), token);

+ 7 - 7
taglibs/src/test/java/org/springframework/security/taglibs/csrf/FormFieldTagTests.java → taglibs/src/test/java/org/springframework/security/taglibs/csrf/CsrfInputTagTests.java

@@ -10,36 +10,36 @@ import static org.junit.Assert.*;
 /**
  * @author Nick Williams
  */
-public class FormFieldTagTests {
+public class CsrfInputTagTests {
 
-    public FormFieldTag tag;
+    public CsrfInputTag tag;
 
     @Before
     public void setUp() {
-        this.tag = new FormFieldTag();
+        this.tag = new CsrfInputTag();
     }
 
     @Test
-    public void testHandleToken01() {
+    public void handleTokenReturnsHiddenInput() {
         CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
 
         String value = this.tag.handleToken(token);
 
         assertNotNull("The returned value should not be null.", value);
         assertEquals("The output is not correct.",
-                "<input type=\"hidden\" name=\"_csrf\" value=\"abc123def456ghi789\" />\n",
+                "<input type=\"hidden\" name=\"_csrf\" value=\"abc123def456ghi789\" />",
                 value);
     }
 
     @Test
-    public void testHandleToken() {
+    public void handleTokenReturnsHiddenInputDifferentTokenValue() {
         CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "csrfParameter", "fooBarBazQux");
 
         String value = this.tag.handleToken(token);
 
         assertNotNull("The returned value should not be null.", value);
         assertEquals("The output is not correct.",
-                "<input type=\"hidden\" name=\"csrfParameter\" value=\"fooBarBazQux\" />\n",
+                "<input type=\"hidden\" name=\"csrfParameter\" value=\"fooBarBazQux\" />",
                 value);
     }
 }

+ 11 - 11
taglibs/src/test/java/org/springframework/security/taglibs/csrf/MetaTagsTagTests.java → taglibs/src/test/java/org/springframework/security/taglibs/csrf/CsrfMetaTagsTagTests.java

@@ -10,40 +10,40 @@ import static org.junit.Assert.*;
 /**
  * @author Nick Williams
  */
-public class MetaTagsTagTests {
+public class CsrfMetaTagsTagTests {
 
-    public MetaTagsTag tag;
+    public CsrfMetaTagsTag tag;
 
     @Before
     public void setUp() {
-        this.tag = new MetaTagsTag();
+        this.tag = new CsrfMetaTagsTag();
     }
 
     @Test
-    public void testHandleToken01() {
+    public void handleTokenRendersTags() {
         CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
 
         String value = this.tag.handleToken(token);
 
         assertNotNull("The returned value should not be null.", value);
         assertEquals("The output is not correct.",
-                "<meta name=\"_csrf_parameter\" content=\"_csrf\" />\n" +
-                        "        <meta name=\"_csrf_header\" content=\"X-Csrf-Token\" />\n" +
-                        "        <meta name=\"_csrf\" content=\"abc123def456ghi789\" />\n",
+                "<meta name=\"_csrf_parameter\" content=\"_csrf\" />" +
+                        "<meta name=\"_csrf_header\" content=\"X-Csrf-Token\" />" +
+                        "<meta name=\"_csrf\" content=\"abc123def456ghi789\" />",
                 value);
     }
 
     @Test
-    public void testHandleToken02() {
+    public void handleTokenRendersTagsDifferentToken() {
         CsrfToken token = new DefaultCsrfToken("csrfHeader", "csrfParameter", "fooBarBazQux");
 
         String value = this.tag.handleToken(token);
 
         assertNotNull("The returned value should not be null.", value);
         assertEquals("The output is not correct.",
-                "<meta name=\"_csrf_parameter\" content=\"csrfParameter\" />\n" +
-                        "        <meta name=\"_csrf_header\" content=\"csrfHeader\" />\n" +
-                        "        <meta name=\"_csrf\" content=\"fooBarBazQux\" />\n",
+                "<meta name=\"_csrf_parameter\" content=\"csrfParameter\" />" +
+                        "<meta name=\"_csrf_header\" content=\"csrfHeader\" />" +
+                        "<meta name=\"_csrf\" content=\"fooBarBazQux\" />",
                 value);
     }
 }