From d1b72ca69f5cf697810cc5f179874d84a1912508 Mon Sep 17 00:00:00 2001
From: Daeho Kwon
Date: Tue, 4 Feb 2025 03:36:59 +0900
Subject: [PATCH 1/2] Replace dynamic error message with static "Access Denied"
Closes gh-16514
Signed-off-by: Daeho Kwon
---
 .../HttpStatusServerAccessDeniedHandler.java | 4 ++--
 .../HttpStatusServerAccessDeniedHandlerTests.java | 14 +++++++++-----
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandler.java b/web/src/main/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandler.java
index 2e47dace442..a1c67989a16 100644
--- a/web/src/main/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandler.java
+++ b/web/src/main/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -54,7 +54,7 @@ public Mono handle(ServerWebExchange exchange, AccessDeniedException ex) {
 response.setStatusCode(this.httpStatus);
 response.getHeaders().setContentType(MediaType.TEXT_PLAIN);
 DataBufferFactory dataBufferFactory = response.bufferFactory();
- DataBuffer buffer = dataBufferFactory.wrap(ex.getMessage().getBytes(Charset.defaultCharset()));
+ DataBuffer buffer = dataBufferFactory.wrap("Access Denied".getBytes(Charset.defaultCharset()));
 return response.writeWith(Mono.just(buffer)).doOnError((error) -> DataBufferUtils.release(buffer));
 });
 }
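Review bot: The added line still encodes the body with `Charset.defaultCharset()`, so the bytes written to a response whose Content-Type is `text/plain` with no charset parameter remain dependent on the JVM's default encoding; for a fixed ASCII literal the outcome is the same today, but `"Access Denied".getBytes(StandardCharsets.UTF_8)` (with a `java.nio.charset.StandardCharsets` import, and the `Charset` import dropped if nothing else uses it) makes the contract explicit. The literal would also read better as a `private static final String` constant, and if the class Javadoc describes the response body it should now say the body is a fixed message rather than the exception text. A why-comment on the wrap line would preserve the intent for the next maintainer: `// Fixed body: the AccessDeniedException message is deliberately not echoed to the client, so internal authorization details cannot leak.` handle()'s signature and opening lines are outside the hunk.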
diff --git a/web/src/test/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandlerTests.java b/web/src/test/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandlerTests.java
index 4a59d381b72..440f3d04907 100644
--- a/web/src/test/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandlerTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandlerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -23,9 +23,9 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.mock.http.server.reactive.MockServerHttpResponse;
 import org.springframework.mock.web.server.MockServerWebExchange;
 import org.springframework.security.access.AccessDeniedException;
-import org.springframework.web.server.ServerWebExchange;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
@@ -39,7 +39,7 @@
 public class HttpStatusServerAccessDeniedHandlerTests {
 @Mock
- private ServerWebExchange exchange;
+ private MockServerWebExchange exchange;
 private HttpStatus httpStatus = HttpStatus.FORBIDDEN;
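Review bot: `@Mock` now annotates a field of the concrete type `MockServerWebExchange`, yet both tests touched by this patch overwrite that field with `MockServerWebExchange.from(...)` before using it, so the Mockito mock looks unused in the code shown; if `commenceWhenNoSubscribersThenNoActions` (named in the next hunk's header, body not visible) still depends on the mock, a short comment on the field saying so would explain why the annotation stays, otherwise it can go. If `MockServerWebExchange` is a final class, creating that mock also depends on Mockito's inline mock maker being active in this module, which is worth confirming. The import swap in the `@@ -23,9 +23,9 @@` hunk is the counterpart of this field change and carries the same question.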
@@ -62,7 +62,9 @@ public void commenceWhenNoSubscribersThenNoActions() {
 public void commenceWhenSubscribeThenStatusSet() {
 this.exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/").build());
 this.handler.handle(this.exchange, this.exception).block();
- assertThat(this.exchange.getResponse().getStatusCode()).isEqualTo(this.httpStatus);
+ MockServerHttpResponse response = this.exchange.getResponse();
+ assertThat(response.getStatusCode()).isEqualTo(this.httpStatus);
+ assertThat(response.getBodyAsString().block()).isEqualTo("Access Denied");
 }
 @Test
@@ -71,7 +73,9 @@ public void commenceWhenCustomStatusSubscribeThenStatusSet() {
 this.handler = new HttpStatusServerAccessDeniedHandler(this.httpStatus);
 this.exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/").build());
 this.handler.handle(this.exchange, this.exception).block();
- assertThat(this.exchange.getResponse().getStatusCode()).isEqualTo(this.httpStatus);
+ MockServerHttpResponse response = this.exchange.getResponse();
+ assertThat(response.getStatusCode()).isEqualTo(this.httpStatus);
+ assertThat(response.getBodyAsString().block()).isEqualTo("Access Denied");
 }
 }
From 7037dd899940ab03a520d133c4bdf03ef858170a Mon Sep 17 00:00:00 2001
From: Daeho Kwon
Date: Tue, 4 Feb 2025 20:39:29 +0900
Subject: [PATCH 2/2] Replace dynamic error message with static "Access Denied"
Closes gh-16514
Signed-off-by: Daeho Kwon
---
 .../web/reactive/server/SecurityMockServerConfigurersTests.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/src/test/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurersTests.java b/test/src/test/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurersTests.java
index 20ec9444e39..9335e0781af 100644
--- a/test/src/test/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurersTests.java
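Review bot: The two tests in this file now end with the same three added lines (`MockServerHttpResponse response = this.exchange.getResponse();` and the two `assertThat` calls), differing only in how the handler is constructed; a private helper such as `assertDeniedWithStaticBody(MockServerHttpResponse response, HttpStatus expectedStatus)` would keep the expected literal in one place. Neither test pins the `text/plain` content type that the handler sets alongside the body, which is the one header a client needs to interpret the fixed message; `assertThat(response.getHeaders().getContentType()).isEqualTo(MediaType.TEXT_PLAIN)` would cover it (import `org.springframework.http.MediaType` if the test file does not already have it). The same applies to the `@@ -71,7 +73,9 @@` hunk.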
+++ b/test/src/test/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurersTests.java
@@ -136,7 +136,7 @@ public void csrfWhenMutateWithThenDisablesCsrf() {
 .expectStatus()
 .isEqualTo(HttpStatus.FORBIDDEN)
 .expectBody()
- .consumeWith((b) -> assertThat(new String(b.getResponseBody())).contains("CSRF"));
+ .consumeWith((b) -> assertThat(new String(b.getResponseBody())).contains("Access Denied"));
 this.client.mutateWith(SecurityMockServerConfigurers.csrf()).post().exchange().expectStatus().isOk();
 }
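Review bot: With the body now the generic `Access Denied`, the `.consumeWith(...)` assertion no longer shows that the 403 came from CSRF protection rather than any other access-denied path, so the check is weaker than the `contains("CSRF")` it replaces, even though the following `mutateWith(csrf())...isOk()` call still covers the positive side. Either drop the body assertion in favour of the status check alone, or keep it with a comment such as `// body is intentionally generic; the status plus the csrf() positive case below identify CSRF as the cause` so a later reader does not reintroduce a message-based check. `new String(b.getResponseBody())` also decodes with the platform default charset; `new String(b.getResponseBody(), StandardCharsets.UTF_8)` is the explicit form (add the `java.nio.charset.StandardCharsets` import if absent). csrfWhenMutateWithThenDisablesCsrf's opening lines lie outside the hunk.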