From 84bc4a1b108b02c46e06cbd96a316b5742a8cc5d Mon Sep 17 00:00:00 2001
From: Johannes Edmeier
Date: Sat, 14 Dec 2019 10:58:48 +0100
Subject: [PATCH] Don't cache requests with `Accept: text/event-stream` by default.

The eventstream requests is typically not directly invoked by the browser. And even more unfortunately the Browser-Api doesn't allow the set additional headers as `XMLHttpRequest`..
---
 .../web/configurers/RequestCacheConfigurer.java | 1 +
 .../configurers/RequestCacheConfigurerTests.java | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurer.java
index 0e5322634a7..3ac5d73e89e 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurer.java
@@ -162,6 +162,7 @@ private RequestMatcher createDefaultSavedRequestMatcher(H http) {
 matchers.add(notMatchingMediaType(http, MediaType.APPLICATION_JSON));
 matchers.add(notXRequestedWith);
 matchers.add(notMatchingMediaType(http, MediaType.MULTIPART_FORM_DATA));
+ matchers.add(notMatchingMediaType(http, MediaType.TEXT_EVENT_STREAM));
 return new AndRequestMatcher(matchers);
 }

diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java
index 567fe98107d..c2ec1211f51 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java 
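Review bot: The added matcher carries no comment, so the reason text/event-stream is excluded next to JSON, X-Requested-With and multipart lives only in the commit message, and a reader of createDefaultSavedRequestMatcher cannot tell why an SSE request is singled out. Suggest placing `// EventSource cannot add X-Requested-With, so the XHR check above misses SSE requests; exclude them by media type` directly above the added line. How notMatchingMediaType treats a wildcard or multi-valued Accept header is not visible in this hunk, so whether a request sending `text/event-stream, */*` is also kept out of the request cache should be confirmed and, if so, covered by a test beside the exact-header one in the second file. If the class Javadoc enumerates the default exclusions, it should list text/event-stream as well. createDefaultSavedRequestMatcher starts before this hunk and the matchers added earlier in the list are outside it.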
@@ -183,6 +183,21 @@ public void getWhenBookmarkedRequestIsXRequestedWithThenPostAuthenticationRedire
 // This is desirable since XHR requests are typically not invoked directly from the browser and we don't want the browser to replay them
 }
+ @Test
+ public void getWhenBookmarkedRequestIsTextEventStreamThenPostAuthenticationRedirectsToRoot() throws Exception {
+ this.spring.register(RequestCacheDefaultsConfig.class, DefaultSecurityConfig.class).autowire();
+
+ MockHttpSession session = (MockHttpSession)
+ this.mvc.perform(get("/messages")
+ .header(HttpHeaders.ACCEPT, MediaType.TEXT_EVENT_STREAM))
+ .andExpect(redirectedUrl("http://localhost/login"))
+ .andReturn().getRequest().getSession();
+
+ this.mvc.perform(formLogin(session))
+ .andExpect(redirectedUrl("/")); // ignores text/event-stream
+
+ // This is desirable since event-stream requests are typically not invoked directly from the browser and we don't want the browser to replay them
+ }
 @Test
 public void getWhenBookmarkedRequestIsAllMediaTypeThenPostAuthenticationRemembers() throws Exception {