SEC-2569: SavedRequestAwareWrapper should not override cookies #2781

Closed
spring-issuemaster opened this issue Apr 19, 2014 · 8 comments

Comments

spring-issuemaster commented Apr 19, 2014

Igor Mukhin (Migrated from SEC-2569) said:

Motivation is described in SPR-11698

spring-issuemaster (Author) commented Apr 21, 2014

Rob Winch said:

This does seem to be a bit strange to store the cookies in the saved request since the client should resubmit the cookies automatically anyways. I tried to track down why the cookies might be saved but it appears that it has been this way since its inception in 2006 so there is no detailed explanation of why it was included.

I have scheduled this for the 4.0.x release as this will be a non-passive change. In the meantime, a workaround could be to create your own RequestCache implementation. The implementation would delegate to HttpSessionRequestCache for every method. However, it could override the cookies for the getRequest method to be the cookies in the current request. For example:

import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Map;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.util.Assert;

/**
 * Delegates every RequestCache call to another RequestCache (HttpSessionRequestCache
 * by default) but replaces the cookies of the SavedRequest returned by getRequest
 * with the cookies of the current request, so stale cookies stored before login are
 * never handed to the application.
 */
public class RequestCacheAdapter implements RequestCache {

    private final RequestCache delegate;

    public RequestCacheAdapter() {
        this(new HttpSessionRequestCache());
    }

    public RequestCacheAdapter(RequestCache delegate) {
        Assert.notNull(delegate, "delegate cannot be null");
        this.delegate = delegate;
    }

    @Override
    public void saveRequest(HttpServletRequest request,
            HttpServletResponse response) {
        delegate.saveRequest(request, response);
    }

    @Override
    public SavedRequest getRequest(HttpServletRequest request,
            HttpServletResponse response) {
        SavedRequest result = delegate.getRequest(request, response);
        if (result == null) {
            return null;
        }
        // Use the cookies the client is sending right now, not the ones saved earlier
        Cookie[] cookies = request.getCookies();
        return new SavedRequestAdapter(result, cookies == null ? null : Arrays.asList(cookies));
    }

    @Override
    public HttpServletRequest getMatchingRequest(HttpServletRequest request,
            HttpServletResponse response) {
        return delegate.getMatchingRequest(request, response);
    }

    @Override
    public void removeRequest(HttpServletRequest request,
            HttpServletResponse response) {
        delegate.removeRequest(request, response);
    }

    /**
     * SavedRequest view that answers getCookies() with the current request's cookies
     * and forwards everything else (URL, method, headers, locales, parameters) to the
     * saved request.
     */
    private static class SavedRequestAdapter implements SavedRequest {
        private static final long serialVersionUID = 1184951442151447331L;

        private final SavedRequest delegate;
        private final List<Cookie> cookies;

        public SavedRequestAdapter(SavedRequest delegate, List<Cookie> cookies) {
            this.delegate = delegate;
            this.cookies = cookies;
        }

        @Override
        public String getRedirectUrl() {
            return delegate.getRedirectUrl();
        }

        @Override
        public List<Cookie> getCookies() {
            return cookies;
        }

        @Override
        public String getMethod() {
            return delegate.getMethod();
        }

        @Override
        public List<String> getHeaderValues(String name) {
            return delegate.getHeaderValues(name);
        }

        @Override
        public Collection<String> getHeaderNames() {
            return delegate.getHeaderNames();
        }

        @Override
        public List<Locale> getLocales() {
            return delegate.getLocales();
        }

        @Override
        public String[] getParameterValues(String name) {
            return delegate.getParameterValues(name);
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            return delegate.getParameterMap();
        }
    }
}

If you are using XML configuration, you can wire it using the request-cache element:

<http ...>
    <request-cache ref="requestCacheAdapter"/>
    ...
</http>

<b:bean id="requestCacheAdapter" class="RequestCacheAdapter"/>

If you are using Java Configuration, you can use http.requestCache():

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            .requestCache()
                // replace the default HttpSessionRequestCache with the adapter above
                .requestCache(new RequestCacheAdapter());
    }
}
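The following JUnit test is added here to illustrate the behaviour the thread describes; it is not part of the issue and not Spring Security's own code. It assumes the RequestCacheAdapter class above is on the classpath together with spring-test (MockHttpServletRequest, MockHttpSession) and JUnit 4. The cookie name "token" and its "old"/"new" values are constructed: "old" stands for whatever the client sent before the login redirect (for example a pre-authentication session or CSRF cookie), "new" for what it actually sends once authenticated. The first test shows what the plain HttpSessionRequestCache stores and would replay through SavedRequestAwareWrapper; the second shows that the adapter keeps the saved URL and method but exposes the current request's cookies.

```java
import static org.junit.Assert.assertEquals;

import javax.servlet.http.Cookie;

import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;

public class RequestCacheAdapterTests {

    // Constructed scenario: two requests share one HTTP session. The first carries the
    // cookie value present before login (the one that gets saved); the second carries
    // the value the client sends after authenticating.
    private static MockHttpServletRequest requestWithCookie(MockHttpSession session, String value) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/secure/page");
        request.setSession(session);
        request.setCookies(new Cookie("token", value)); // "token" is a constructed name
        return request;
    }

    private static String firstCookieValue(SavedRequest saved) {
        return saved.getCookies().get(0).getValue();
    }

    @Test
    public void plainCacheReplaysTheCookieThatWasSaved() {
        MockHttpSession session = new MockHttpSession();
        HttpSessionRequestCache cache = new HttpSessionRequestCache();

        cache.saveRequest(requestWithCookie(session, "old"), new MockHttpServletResponse());
        SavedRequest saved = cache.getRequest(requestWithCookie(session, "new"),
                new MockHttpServletResponse());

        // The stale pre-login cookie is what the saved request still carries
        assertEquals("old", firstCookieValue(saved));
    }

    @Test
    public void adapterExposesTheCurrentRequestsCookies() {
        MockHttpSession session = new MockHttpSession();
        RequestCacheAdapter cache = new RequestCacheAdapter();

        cache.saveRequest(requestWithCookie(session, "old"), new MockHttpServletResponse());
        SavedRequest saved = cache.getRequest(requestWithCookie(session, "new"),
                new MockHttpServletResponse());

        // Everything except the cookies still comes from the saved request ...
        assertEquals("GET", saved.getMethod());
        // ... while the cookies are the ones the client sent just now
        assertEquals("new", firstCookieValue(saved));
    }
}
```

Both tests rely on HttpSessionRequestCache keeping the saved request as a session attribute, which is why the two mock requests must share the same MockHttpSession for getRequest to find anything.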

spring-issuemaster (Author) commented Apr 21, 2014

Rob Winch said:

Note I updated the summary to be more explicit. Specifically that SavedRequestAwareWrapper should not override cookies. This is since the SecurityContextHolderAwareRequestWrapper was not overriding the cookies. Also I wanted to be more clear that more than just parameters are overridden (i.e. the HTTP method).
