Merge branch '5.8.x'

Steve Riesenberg · Steve Riesenberg · commit 9b43950e13a5 · 2022-10-12T13:14:20.000-05:00
diff --git a/web/src/main/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandler.java b/web/src/main/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandler.java
@@ -59,12 +59,12 @@ public void handle(HttpServletRequest request, HttpServletResponse response,
 	}
 
 	private Supplier<CsrfToken> deferCsrfTokenUpdate(Supplier<CsrfToken> csrfTokenSupplier) {
-		return () -> {
+		return new CachedCsrfTokenSupplier(() -> {
 			CsrfToken csrfToken = csrfTokenSupplier.get();
 			Assert.state(csrfToken != null, "csrfToken supplier returned null");
 			String updatedToken = createXoredCsrfToken(this.secureRandom, csrfToken.getToken());
 			return new DefaultCsrfToken(csrfToken.getHeaderName(), csrfToken.getParameterName(), updatedToken);
-		};
+		});
 	}
 
 	@Override
@@ -123,4 +123,24 @@ private static byte[] xorCsrf(byte[] randomBytes, byte[] csrfBytes) {
 		return xoredCsrf;
 	}
 
+	private static final class CachedCsrfTokenSupplier implements Supplier<CsrfToken> {
+
+		private final Supplier<CsrfToken> delegate;
+
+		private CsrfToken csrfToken;
+
+		private CachedCsrfTokenSupplier(Supplier<CsrfToken> delegate) {
+			this.delegate = delegate;
+		}
+
+		@Override
+		public CsrfToken get() {
+			if (this.csrfToken == null) {
+				this.csrfToken = this.delegate.get();
+			}
+			return this.csrfToken;
+		}
+
+	}
+
 }
diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/XorServerCsrfTokenRequestAttributeHandler.java b/web/src/main/java/org/springframework/security/web/server/csrf/XorServerCsrfTokenRequestAttributeHandler.java
@@ -53,7 +53,8 @@ public void handle(ServerWebExchange exchange, Mono<CsrfToken> csrfToken) {
 		Assert.notNull(exchange, "exchange cannot be null");
 		Assert.notNull(csrfToken, "csrfToken cannot be null");
 		Mono<CsrfToken> updatedCsrfToken = csrfToken.map((token) -> new DefaultCsrfToken(token.getHeaderName(),
-				token.getParameterName(), createXoredCsrfToken(this.secureRandom, token.getToken())));
+				token.getParameterName(), createXoredCsrfToken(this.secureRandom, token.getToken())))
+				.cast(CsrfToken.class).cache();
 		super.handle(exchange, updatedCsrfToken);
 	}
 
diff --git a/web/src/test/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandlerTests.java b/web/src/test/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandlerTests.java
@@ -153,16 +153,31 @@ public void handleWhenValidParametersThenRequestAttributesSet() {
 		assertThat(this.request.getAttribute("_csrf")).isNotNull();
 	}
 
+	@Test
+	public void handleWhenCsrfTokenRequestedTwiceThenCached() {
+		this.handler.handle(this.request, this.response, () -> this.token);
+
+		CsrfToken csrfTokenAttribute = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
+		assertThat(csrfTokenAttribute.getToken()).isNotEqualTo(this.token.getToken());
+		assertThat(csrfTokenAttribute.getToken()).isEqualTo(csrfTokenAttribute.getToken());
+	}
+
 	@Test
 	public void resolveCsrfTokenValueWhenRequestIsNullThenThrowsIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() -> this.handler.resolveCsrfTokenValue(null, this.token))
+		// @formatter:off
+		assertThatIllegalArgumentException()
+				.isThrownBy(() -> this.handler.resolveCsrfTokenValue(null, this.token))
 				.withMessage("request cannot be null");
+		// @formatter:on
 	}
 
 	@Test
 	public void resolveCsrfTokenValueWhenCsrfTokenIsNullThenThrowsIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() -> this.handler.resolveCsrfTokenValue(this.request, null))
+		// @formatter:off
+		assertThatIllegalArgumentException()
+				.isThrownBy(() -> this.handler.resolveCsrfTokenValue(this.request, null))
 				.withMessage("csrfToken cannot be null");
+		// @formatter:on
 	}
 
 	@Test
diff --git a/web/src/test/java/org/springframework/security/web/server/csrf/XorServerCsrfTokenRequestAttributeHandlerTests.java b/web/src/test/java/org/springframework/security/web/server/csrf/XorServerCsrfTokenRequestAttributeHandlerTests.java
@@ -68,20 +68,29 @@ public void setUp() {
 
 	@Test
 	public void setSecureRandomWhenNullThenThrowsIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setSecureRandom(null))
+		// @formatter:off
+		assertThatIllegalArgumentException()
+				.isThrownBy(() -> this.handler.setSecureRandom(null))
 				.withMessage("secureRandom cannot be null");
+		// @formatter:on
 	}
 
 	@Test
 	public void handleWhenExchangeIsNullThenThrowsIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() -> this.handler.handle(null, Mono.just(this.token)))
+		// @formatter:off
+		assertThatIllegalArgumentException()
+				.isThrownBy(() -> this.handler.handle(null, Mono.just(this.token)))
 				.withMessage("exchange cannot be null");
+		// @formatter:on
 	}
 
 	@Test
 	public void handleWhenCsrfTokenIsNullThenThrowsIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() -> this.handler.handle(this.exchange, null))
+		// @formatter:off
+		assertThatIllegalArgumentException()
+				.isThrownBy(() -> this.handler.handle(this.exchange, null))
 				.withMessage("csrfToken cannot be null");
+		// @formatter:on
 	}
 
 	@Test
@@ -110,16 +119,33 @@ public void handleWhenValidParametersThenExchangeAttributeSet() {
 		verify(this.secureRandom).nextBytes(anyByteArray());
 	}
 
+	@Test
+	public void handleWhenCsrfTokenRequestedTwiceThenCached() {
+		this.handler.handle(this.exchange, Mono.just(this.token));
+		Mono<CsrfToken> csrfTokenAttribute = this.exchange.getAttribute(CsrfToken.class.getName());
+		assertThat(csrfTokenAttribute).isNotNull();
+		CsrfToken csrfToken1 = csrfTokenAttribute.block();
+		CsrfToken csrfToken2 = csrfTokenAttribute.block();
+		assertThat(csrfToken1.getToken()).isNotEqualTo(this.token.getToken());
+		assertThat(csrfToken1.getToken()).isEqualTo(csrfToken2.getToken());
+	}
+
 	@Test
 	public void resolveCsrfTokenValueWhenExchangeIsNullThenThrowsIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() -> this.handler.resolveCsrfTokenValue(null, this.token))
+		// @formatter:off
+		assertThatIllegalArgumentException()
+				.isThrownBy(() -> this.handler.resolveCsrfTokenValue(null, this.token))
 				.withMessage("exchange cannot be null");
+		// @formatter:on
 	}
 
 	@Test
 	public void resolveCsrfTokenValueWhenCsrfTokenIsNullThenThrowsIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() -> this.handler.resolveCsrfTokenValue(this.exchange, null))
+		// @formatter:off
+		assertThatIllegalArgumentException()
+				.isThrownBy(() -> this.handler.resolveCsrfTokenValue(this.exchange, null))
 				.withMessage("csrfToken cannot be null");
+		// @formatter:on
 	}
 
 	@Test

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,8 @@ public void handle(ServerWebExchange exchange, Mono<CsrfToken> csrfToken) {`
`53`	`53`	`Assert.notNull(exchange, "exchange cannot be null");`
`54`	`54`	`Assert.notNull(csrfToken, "csrfToken cannot be null");`
`55`	`55`	`Mono<CsrfToken> updatedCsrfToken = csrfToken.map((token) -> new DefaultCsrfToken(token.getHeaderName(),`
`56`		`- token.getParameterName(), createXoredCsrfToken(this.secureRandom, token.getToken())));`
	`56`	`+ token.getParameterName(), createXoredCsrfToken(this.secureRandom, token.getToken())))`
	`57`	`+ .cast(CsrfToken.class).cache();`
`57`	`58`	`super.handle(exchange, updatedCsrfToken);`
`58`	`59`	`}`
`59`	`60`