use of jakarta.servlet.http.HttpServletRequest in project spring-security by spring-projects.
the class StrictHttpFirewallTests method getFirewalledRequestGetParameterValuesWhenNotAllowedInParameterValueThenException.
@Test
public void getFirewalledRequestGetParameterValuesWhenNotAllowedInParameterValueThenException() {
this.firewall.setAllowedParameterValues((value) -> !value.equals("bad value"));
this.request.addParameter("Something", "bad value");
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
assertThatExceptionOfType(RequestRejectedException.class).isThrownBy(() -> request.getParameterValues("Something"));
}
use of jakarta.servlet.http.HttpServletRequest in project spring-security by spring-projects.
the class DefaultOAuth2AuthorizationRequestResolverTests method resolveWhenNotAuthorizationRequestThenRequestBodyNotConsumed.
// gh-8650
@Test
public void resolveWhenNotAuthorizationRequestThenRequestBodyNotConsumed() throws IOException {
String requestUri = "/path";
MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
request.setContent("foo".getBytes(StandardCharsets.UTF_8));
request.setCharacterEncoding(StandardCharsets.UTF_8.name());
HttpServletRequest spyRequest = Mockito.spy(request);
this.resolver.resolve(spyRequest);
Mockito.verify(spyRequest, Mockito.never()).getReader();
Mockito.verify(spyRequest, Mockito.never()).getInputStream();
Mockito.verify(spyRequest, Mockito.never()).getParameter(ArgumentMatchers.anyString());
Mockito.verify(spyRequest, Mockito.never()).getParameterMap();
Mockito.verify(spyRequest, Mockito.never()).getParameterNames();
Mockito.verify(spyRequest, Mockito.never()).getParameterValues(ArgumentMatchers.anyString());
}
use of jakarta.servlet.http.HttpServletRequest in project spring-security by spring-projects.
the class Saml2LogoutResponseFilter method doFilterInternal.
/**
* {@inheritDoc}
*/
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
if (!this.logoutRequestMatcher.matches(request)) {
chain.doFilter(request, response);
return;
}
if (request.getParameter(Saml2ParameterNames.SAML_RESPONSE) == null) {
chain.doFilter(request, response);
return;
}
Saml2LogoutRequest logoutRequest = this.logoutRequestRepository.removeLogoutRequest(request, response);
if (logoutRequest == null) {
this.logger.trace("Did not process logout response since could not find associated LogoutRequest");
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Failed to find associated LogoutRequest");
return;
}
RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, logoutRequest.getRelyingPartyRegistrationId());
if (registration == null) {
this.logger.trace("Did not process logout request since failed to find associated RelyingPartyRegistration");
Saml2Error error = new Saml2Error(Saml2ErrorCodes.RELYING_PARTY_REGISTRATION_NOT_FOUND, "Failed to find associated RelyingPartyRegistration");
response.sendError(HttpServletResponse.SC_BAD_REQUEST, error.toString());
return;
}
if (registration.getSingleLogoutServiceResponseLocation() == null) {
this.logger.trace("Did not process logout response since RelyingPartyRegistration has not been configured with a logout response endpoint");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return;
}
if (!isCorrectBinding(request, registration)) {
this.logger.trace("Did not process logout request since used incorrect binding");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return;
}
String serialized = request.getParameter(Saml2ParameterNames.SAML_RESPONSE);
Saml2LogoutResponse logoutResponse = Saml2LogoutResponse.withRelyingPartyRegistration(registration).samlResponse(serialized).relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE)).binding(registration.getSingleLogoutServiceBinding()).location(registration.getSingleLogoutServiceResponseLocation()).parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG, request.getParameter(Saml2ParameterNames.SIG_ALG))).parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE, request.getParameter(Saml2ParameterNames.SIGNATURE))).build();
Saml2LogoutResponseValidatorParameters parameters = new Saml2LogoutResponseValidatorParameters(logoutResponse, logoutRequest, registration);
Saml2LogoutValidatorResult result = this.logoutResponseValidator.validate(parameters);
if (result.hasErrors()) {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, result.getErrors().iterator().next().toString());
this.logger.debug(LogMessage.format("Failed to validate LogoutResponse: %s", result.getErrors()));
return;
}
this.logoutSuccessHandler.onLogoutSuccess(request, response, null);
}
use of jakarta.servlet.http.HttpServletRequest in project spring-security by spring-projects.
the class HttpSessionSecurityContextRepository method loadContext.
/**
* Gets the security context for the current request (if available) and returns it.
* <p>
* If the session is null, the context object is null or the context object stored in
* the session is not an instance of {@code SecurityContext}, a new context object
* will be generated and returned.
*/
@Override
public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) {
HttpServletRequest request = requestResponseHolder.getRequest();
HttpServletResponse response = requestResponseHolder.getResponse();
HttpSession httpSession = request.getSession(false);
SecurityContext context = readSecurityContextFromSession(httpSession);
if (context == null) {
context = generateNewContext();
if (this.logger.isTraceEnabled()) {
this.logger.trace(LogMessage.format("Created %s", context));
}
}
SaveToSessionResponseWrapper wrappedResponse = new SaveToSessionResponseWrapper(response, request, httpSession != null, context);
requestResponseHolder.setResponse(wrappedResponse);
requestResponseHolder.setRequest(new SaveToSessionRequestWrapper(request, wrappedResponse));
return context;
}
use of jakarta.servlet.http.HttpServletRequest in project spring-security by spring-projects.
the class CookieRequestCacheTests method matchingRequestWhenRequestDoesNotContainSavedRequestCookieThenReturnsNull.
@Test
public void matchingRequestWhenRequestDoesNotContainSavedRequestCookieThenReturnsNull() {
CookieRequestCache cookieRequestCache = new CookieRequestCache();
MockHttpServletResponse response = new MockHttpServletResponse();
HttpServletRequest matchingRequest = cookieRequestCache.getMatchingRequest(new MockHttpServletRequest(), response);
assertThat(matchingRequest).isNull();
assertThat(response.getCookie(DEFAULT_COOKIE_NAME)).isNull();
}
Aggregations