diff --git a/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
index 1c77c9bbad8..1ffc01a6068 100644
--- a/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
+++ b/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
@@ -18,6 +18,7 @@
 import java.util.UUID;
+import javax.servlet.ServletRequest;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -53,6 +54,8 @@ public final class CookieCsrfTokenRepository implements CsrfTokenRepository {
 private String cookieDomain;
+private Boolean secure;
+
 public CookieCsrfTokenRepository() {
 }
@@ -67,7 +70,12 @@ public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
 String tokenValue = token == null ? "" : token.getToken();
 Cookie cookie = new Cookie(this.cookieName, tokenValue);
-cookie.setSecure(request.isSecure());
+if (secure == null) {
+cookie.setSecure(request.isSecure());
+} else {
+cookie.setSecure(secure);
+}
+
 if (this.cookiePath != null && !this.cookiePath.isEmpty()) {
 cookie.setPath(this.cookiePath);
 } else {
@@ -195,4 +203,17 @@ public void setCookieDomain(String cookieDomain) {
 this.cookieDomain = cookieDomain;
 }
+/**
+ * Sets secure flag of the cookie that the expected CSRF token is saved to and read from.
+ * By default secure flag depends on {@link ServletRequest#isSecure()}
+ *
+ * @since 5.4
+ * @param secure the secure flag of the cookie that the expected CSRF token is saved to
+ * and read from
+ */
+public void setSecure(Boolean secure) {
+this.secure = secure;
+}
+
+
 }
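Review bot: In saveToken the new `if (secure == null)` branch reads the field without the `this.` prefix that the neighbouring lines use for `this.cookieName` and `this.cookiePath`, and the `else` branch auto-unboxes the `Boolean`, which is safe only because of that preceding null check. I would write `if (this.secure == null) {` / `cookie.setSecure(this.secure);` and put `// null = derive from request.isSecure(); an explicit Boolean overrides it` above the branch so the tri-state intent is visible at the call site. The same comment should say that an explicit FALSE clears the Secure attribute even on an HTTPS request, so the token cookie is then also sent on plain-HTTP requests to the same host; the override presumably exists for TLS-terminating proxies where isSecure() reports false, and FALSE on a genuinely HTTPS deployment is a downgrade. saveToken begins and ends outside the hunk.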
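Review bot: The Javadoc on setSecure says the flag applies to the cookie the token is "saved to and read from", but the Secure attribute is only set on the cookie written by saveToken; browsers do not send cookie attributes back, so reading is unaffected, and the phrase looks copied from setCookieDomain. Since the parameter is a `Boolean`, the third state should be documented too: `@param secure {@code true} to always set the Secure attribute, {@code false} to never set it, or {@code null} (the default) to set it only when {@link ServletRequest#isSecure()} is {@code true}`, with `@since 5.4` moved after `@param` per Javadoc ordering. The two blank lines added before the closing brace of the class look unintended.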
diff --git a/web/src/test/java/org/springframework/security/web/csrf/CookieCsrfTokenRepositoryTests.java b/web/src/test/java/org/springframework/security/web/csrf/CookieCsrfTokenRepositoryTests.java
index 7ec2fdb3890..7f40afde2ea 100644
--- a/web/src/test/java/org/springframework/security/web/csrf/CookieCsrfTokenRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/csrf/CookieCsrfTokenRepositoryTests.java
@@ -98,6 +98,33 @@ public void saveTokenSecure() {
 assertThat(tokenCookie.getSecure()).isTrue();
 }
+@Test
+public void saveTokenSecureFlagTrue() {
+this.request.setSecure(false);
+this.repository.setSecure(Boolean.TRUE);
+CsrfToken token = this.repository.generateToken(this.request);
+this.repository.saveToken(token, this.request, this.response);
+
+Cookie tokenCookie = this.response
+.getCookie(CookieCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME);
+
+assertThat(tokenCookie.getSecure()).isTrue();
+}
+
+@Test
+public void saveTokenSecureFlagFalse() {
+this.request.setSecure(true);
+this.repository.setSecure(Boolean.FALSE);
+CsrfToken token = this.repository.generateToken(this.request);
+this.repository.saveToken(token, this.request, this.response);
+
+Cookie tokenCookie = this.response
+.getCookie(CookieCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME);
+
+assertThat(tokenCookie.getSecure()).isFalse();
+}
+
+
 @Test
 public void saveTokenNull() {
 this.request.setSecure(true);
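Review bot: The two new tests pin the explicit TRUE and FALSE overrides, but nothing checks that the repository falls back to `request.isSecure()` once `setSecure(null)` is called, which is the only way to restore the default after an override. A test mirroring saveTokenSecureFlagTrue with `this.request.setSecure(false);`, `this.repository.setSecure(Boolean.TRUE);` followed by `this.repository.setSecure(null);` and asserting `getSecure()` is false would cover that path. The generate/save/getCookie setup is now repeated in three methods of this file; a private helper returning the saved cookie would shorten them, though that is a matter of taste.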