5 anni fa · 61060b3a4f
--- a/config/src/main/kotlin/org/springframework/security/config/web/server/ServerCsrfDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/web/server/ServerCsrfDsl.kt
@@ -17,6 +17,7 @@
 
				 package org.springframework.security.config.web.server
			
 
				 
			
 
				 import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler
			
 
				+import org.springframework.security.web.server.csrf.CsrfWebFilter
			
 
				 import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository
			
 
				 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher
			
 
				 
			
@@ -30,12 +31,15 @@ import org.springframework.security.web.server.util.matcher.ServerWebExchangeMat
 
				  * @property csrfTokenRepository the [ServerCsrfTokenRepository] used to persist the CSRF token.
			
 
				  * @property requireCsrfProtectionMatcher the [ServerWebExchangeMatcher] used to determine when CSRF protection
			
 
				  * is enabled.
			
 
				+ * @property tokenFromMultipartDataEnabled if true, the [CsrfWebFilter] should try to resolve the actual CSRF
			
 
				+ * token from the body of multipart data requests.
			
 
				  */
			
 
				 @ServerSecurityMarker
			
 
				 class ServerCsrfDsl {
			
 
				     var accessDeniedHandler: ServerAccessDeniedHandler? = null
			
 
				     var csrfTokenRepository: ServerCsrfTokenRepository? = null
			
 
				     var requireCsrfProtectionMatcher: ServerWebExchangeMatcher? = null
			
 
				+    var tokenFromMultipartDataEnabled: Boolean? = null
			
 
				 
			
 
				     private var disabled = false
			
 
				 
			
@@ -51,6 +55,7 @@ class ServerCsrfDsl {
 
				             accessDeniedHandler?.also { csrf.accessDeniedHandler(accessDeniedHandler) }
			
 
				             csrfTokenRepository?.also { csrf.csrfTokenRepository(csrfTokenRepository) }
			
 
				             requireCsrfProtectionMatcher?.also { csrf.requireCsrfProtectionMatcher(requireCsrfProtectionMatcher) }
			
 
				+            tokenFromMultipartDataEnabled?.also { csrf.tokenFromMultipartDataEnabled(tokenFromMultipartDataEnabled!!) }
			
 
				             if (disabled) {
			
 
				                 csrf.disable()
			
 
				             }
			
--- a/config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
+++ b/config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
@@ -217,4 +217,78 @@ class ServerCsrfDslTests {
 
				             }
			
 
				         }
			
 
				     }
			
 
				+
			
 
				+    @Test
			
 
				+    fun `csrf when multipart form data and not enabled then denied`() {
			
 
				+        `when`(MultipartFormDataNotEnabledConfig.TOKEN_REPOSITORY.loadToken(any()))
			
 
				+                .thenReturn(Mono.just(this.token))
			
 
				+        `when`(MultipartFormDataNotEnabledConfig.TOKEN_REPOSITORY.generateToken(any()))
			
 
				+                .thenReturn(Mono.just(this.token))
			
 
				+        this.spring.register(MultipartFormDataNotEnabledConfig::class.java).autowire()
			
 
				+
			
 
				+        this.client.post()
			
 
				+                .uri("/")
			
 
				+                .contentType(MediaType.MULTIPART_FORM_DATA)
			
 
				+                .body(fromMultipartData(this.token.parameterName, this.token.token))
			
 
				+                .exchange()
			
 
				+                .expectStatus().isForbidden
			
 
				+    }
			
 
				+
			
 
				+    @EnableWebFluxSecurity
			
 
				+    @EnableWebFlux
			
 
				+    open class MultipartFormDataNotEnabledConfig {
			
 
				+        companion object {
			
 
				+            var TOKEN_REPOSITORY: ServerCsrfTokenRepository = mock(ServerCsrfTokenRepository::class.java)
			
 
				+        }
			
 
				+
			
 
				+        @Bean
			
 
				+        open fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
			
 
				+            return http {
			
 
				+                csrf {
			
 
				+                    csrfTokenRepository = TOKEN_REPOSITORY
			
 
				+                }
			
 
				+            }
			
 
				+        }
			
 
				+    }
			
 
				+
			
 
				+    @Test
			
 
				+    fun `csrf when multipart form data and enabled then granted`() {
			
 
				+        `when`(MultipartFormDataEnabledConfig.TOKEN_REPOSITORY.loadToken(any()))
			
 
				+                .thenReturn(Mono.just(this.token))
			
 
				+        `when`(MultipartFormDataEnabledConfig.TOKEN_REPOSITORY.generateToken(any()))
			
 
				+                .thenReturn(Mono.just(this.token))
			
 
				+        this.spring.register(MultipartFormDataEnabledConfig::class.java).autowire()
			
 
				+
			
 
				+        this.client.post()
			
 
				+                .uri("/")
			
 
				+                .contentType(MediaType.MULTIPART_FORM_DATA)
			
 
				+                .body(fromMultipartData(this.token.parameterName, this.token.token))
			
 
				+                .exchange()
			
 
				+                .expectStatus().isOk
			
 
				+    }
			
 
				+
			
 
				+    @EnableWebFluxSecurity
			
 
				+    @EnableWebFlux
			
 
				+    open class MultipartFormDataEnabledConfig {
			
 
				+        companion object {
			
 
				+            var TOKEN_REPOSITORY: ServerCsrfTokenRepository = mock(ServerCsrfTokenRepository::class.java)
			
 
				+        }
			
 
				+
			
 
				+        @Bean
			
 
				+        open fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
			
 
				+            return http {
			
 
				+                csrf {
			
 
				+                    csrfTokenRepository = TOKEN_REPOSITORY
			
 
				+                    tokenFromMultipartDataEnabled = true
			
 
				+                }
			
 
				+            }
			
 
				+        }
			
 
				+
			
 
				+        @RestController
			
 
				+        internal class TestController {
			
 
				+            @PostMapping("/")
			
 
				+            fun home() {
			
 
				+            }
			
 
				+        }
			
 
				+    }
			
 
				 }