Головна сторінка Огляд Довідка
Реєстрація Увійти
github
/
spring-security
дзеркало https://github.com/spring-projects/spring-security
2
0
Відгалуження 0
Файли Проблеми 0 Wiki
Переглянути джерело

WithHttpOnlyCookie defaults to false

Closes gh-16820

Signed-off-by: DingHao <dh.hiekn@gmail.com>
DingHao 5 місяців тому
батько
b7df86197c
коміт
857ef6fe08
2 змінених файлів з 18 додано та 3 видалено
Розділений вигляд Показати статистику Diff
  1. 2 2
      web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
  2. 16 1
      web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java

+ 2 - 2
web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
Переглянути файл 

@@ -1,5 +1,5 @@
 
 /*
 
- * Copyright 2002-2022 the original author or authors.
 
+ * Copyright 2002-2025 the original author or authors.
 
  *
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * you may not use this file except in compliance with the License.
 
@@ -84,7 +84,7 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
 
 	 */
 
 	public static CookieServerCsrfTokenRepository withHttpOnlyFalse() {
 
 		CookieServerCsrfTokenRepository result = new CookieServerCsrfTokenRepository();
 
-		result.setCookieCustomizer((cookie) -> cookie.httpOnly(false));
 
+		result.cookieHttpOnly = false;
 
 		return result;
 
 	}

+ 16 - 1
web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java
Переглянути файл 

@@ -1,5 +1,5 @@
 
 /*
 
- * Copyright 2002-2022 the original author or authors.
 
+ * Copyright 2002-2025 the original author or authors.
 
  *
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * you may not use this file except in compliance with the License.
 
@@ -290,6 +290,21 @@ class CookieServerCsrfTokenRepositoryTests {
 
 		loadAndAssertExpectedValues();
 
 	}
 
 
+	// gh-16820
 
+	@Test
 
+	void withHttpOnlyFalseWhenCookieCustomizerThenStillDefaultsToFalse() {
 
+		CookieServerCsrfTokenRepository repository = CookieServerCsrfTokenRepository.withHttpOnlyFalse();
 
+		repository.setCookieCustomizer((customizer) -> customizer.maxAge(1000));
 
+		MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest.get("/dummy");
 
+		MockServerWebExchange exchange = MockServerWebExchange.from(request);
 
+		CsrfToken csrfToken = repository.generateToken(exchange).block();
 
+		repository.saveToken(exchange, csrfToken).block();
 
+		ResponseCookie cookie = exchange.getResponse().getCookies().getFirst("XSRF-TOKEN");
 
+		assertThat(cookie).isNotNull();
 
+		assertThat(cookie.getMaxAge().getSeconds()).isEqualTo(1000);
 
+		assertThat(cookie.isHttpOnly()).isEqualTo(Boolean.FALSE);
 
+	}
 
+
 
 	private void setExpectedHeaderName(String expectedHeaderName) {
 
 		this.csrfTokenRepository.setHeaderName(expectedHeaderName);
 
 		this.expectedHeaderName = expectedHeaderName;