[2.4.0-M3] Bug: CSRF cookie not set when using application.context #4154
Does it happen if you go to a sub path of the application context? Eg,
@jroper Just tested it: No, it does not happen on a sub path.
Thanks for verifying that, should hopefully be straightforward to track down and fix.
Fixes playframework#4154
* Ensured that when the context equals the path, the filters are applied
* Also fixed a bug in the DefaultHttpErrorHandler that ensured that the not found handler uses the request from the upstream filters that didn't exist in the GlobalSettings implementation
PR attached. Also found a bug in our error handling where filters weren't applied to the not found handler.
Since I was just working on optimizing this (#4164), I have a suggestion for a faster check for the context. It should be faster than the regex used in

```scala
def inContext(context: String, path: String): Boolean = {
  // Assume context is a string without a trailing '/'.
  // Handle three cases:
  // * !path.startsWith(context)
  //   - Either path is shorter than context or starts with a different prefix.
  // * path.startsWith(context) && path.length == context.length
  //   - Path is equal to context.
  // * path.startsWith(context) && path.charAt(context.length) == '/'
  //   - Path starts with context followed by a '/' character.
  path.startsWith(context) && (path.length == context.length || path.charAt(context.length) == '/')
}
```
7d22bf1 to c042635
@richdougherty I used your logic, plus an additional check - if the context is empty (which is by far the most common Play configuration, not many people use application contexts), then there's no context so everything is in context. So I used
c042635 to efda085
Maybe I should try compiling before pushing? Nah... that's what CI is for.
;)
[2.4.0-M3] Bug: CSRF cookie not set when using application.context
To reproduce:
play-java
project.Global.java like shown in the docs
filters to the libraryDependencies in build.sbt
application.conf
set project/plugins.sbt
Result: The csrf cookie does not get set (which also causes "Missing CSRF Token" exceptions when e.g. using @CSRF.formField in a view).
When using the exact same project and switching to 2.3.8 it works.
(Make sure you always clean the cookies between browser refreshes.)