Cache request URI in cookie instead of session

Fixes: spring-projectsgh-7157

Author: eleftherias

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -152,7 +152,7 @@
 import org.springframework.security.web.server.savedrequest.NoOpServerRequestCache;
 import org.springframework.security.web.server.savedrequest.ServerRequestCache;
 import org.springframework.security.web.server.savedrequest.ServerRequestCacheWebFilter;
-import org.springframework.security.web.server.savedrequest.WebSessionServerRequestCache;
+import org.springframework.security.web.server.savedrequest.CookieServerRequestCache;
 import org.springframework.security.web.server.transport.HttpsRedirectWebFilter;
 import org.springframework.security.web.server.ui.LoginPageGeneratingWebFilter;
 import org.springframework.security.web.server.ui.LogoutPageGeneratingWebFilter;
@@ -2824,7 +2824,7 @@ private ExceptionHandlingSpec() {}
 	 * @see #requestCache()
 	 */
 	public class RequestCacheSpec {
-		private ServerRequestCache requestCache = new WebSessionServerRequestCache();
+		private ServerRequestCache requestCache = new CookieServerRequestCache();
 
 		/**
 		 * Configures the cache used

config/src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java

@@ -109,7 +109,8 @@ public void defaults() {
 			.expectHeader().valueMatches(HttpHeaders.CACHE_CONTROL, ".+")
 			.returnResult(String.class);
 
-		assertThat(result.getResponseCookies()).isEmpty();
+		assertThat(result.getResponseCookies()).hasSize(1);
+		assertThat(result.getResponseCookies().getFirst("REDIRECT_URI")).isNotNull();
 		// there is no need to try and load the SecurityContext by default
 		securityContext.assertWasNotSubscribed();
 	}

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/OAuth2AuthorizationRequestRedirectWebFilter.java

@@ -24,8 +24,8 @@
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.web.server.DefaultServerRedirectStrategy;
 import org.springframework.security.web.server.ServerRedirectStrategy;
+import org.springframework.security.web.server.savedrequest.CookieServerRequestCache;
 import org.springframework.security.web.server.savedrequest.ServerRequestCache;
-import org.springframework.security.web.server.savedrequest.WebSessionServerRequestCache;
 import org.springframework.util.Assert;
 import org.springframework.web.server.ServerWebExchange;
 import org.springframework.web.server.WebFilter;
@@ -69,7 +69,7 @@ public class OAuth2AuthorizationRequestRedirectWebFilter implements WebFilter {
 	private final ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver;
 	private ServerAuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository =
 		new WebSessionOAuth2ServerAuthorizationRequestRepository();
-	private ServerRequestCache requestCache = new WebSessionServerRequestCache();
+	private ServerRequestCache requestCache = new CookieServerRequestCache();
 
 	/**
 	 * Constructs an {@code OAuth2AuthorizationRequestRedirectFilter} using the provided parameters.

web/src/main/java/org/springframework/security/web/server/authentication/RedirectServerAuthenticationEntryPoint.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,8 +20,8 @@
 
 import org.springframework.security.web.server.DefaultServerRedirectStrategy;
 import org.springframework.security.web.server.ServerRedirectStrategy;
+import org.springframework.security.web.server.savedrequest.CookieServerRequestCache;
 import org.springframework.security.web.server.savedrequest.ServerRequestCache;
-import org.springframework.security.web.server.savedrequest.WebSessionServerRequestCache;
 import reactor.core.publisher.Mono;
 
 import org.springframework.security.core.AuthenticationException;
@@ -41,7 +41,7 @@ public class RedirectServerAuthenticationEntryPoint
 
 	private ServerRedirectStrategy redirectStrategy = new DefaultServerRedirectStrategy();
 
-	private ServerRequestCache requestCache = new WebSessionServerRequestCache();
+	private ServerRequestCache requestCache = new CookieServerRequestCache();
 
 	/**
 	 * Creates an instance

web/src/main/java/org/springframework/security/web/server/authentication/RedirectServerAuthenticationSuccessHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,8 +20,8 @@
 import org.springframework.security.web.server.DefaultServerRedirectStrategy;
 import org.springframework.security.web.server.ServerRedirectStrategy;
 import org.springframework.security.web.server.WebFilterExchange;
+import org.springframework.security.web.server.savedrequest.CookieServerRequestCache;
 import org.springframework.security.web.server.savedrequest.ServerRequestCache;
-import org.springframework.security.web.server.savedrequest.WebSessionServerRequestCache;
 import org.springframework.util.Assert;
 import org.springframework.web.server.ServerWebExchange;
 import reactor.core.publisher.Mono;
@@ -40,7 +40,7 @@ public class RedirectServerAuthenticationSuccessHandler
 
 	private ServerRedirectStrategy redirectStrategy = new DefaultServerRedirectStrategy();
 
-	private ServerRequestCache requestCache = new WebSessionServerRequestCache();
+	private ServerRequestCache requestCache = new CookieServerRequestCache();
 
 	/**
 	 * Creates a new instance with location of "/"
@@ -57,7 +57,7 @@ public RedirectServerAuthenticationSuccessHandler(String location) {
 	}
 
 	/**
-	 * Sets the {@link ServerRequestCache} used to redirect to. Default is {@link WebSessionServerRequestCache}.
+	 * Sets the {@link ServerRequestCache} used to redirect to. Default is {@link CookieServerRequestCache}.
 	 * @param requestCache the cache to use
 	 */
 	public void setRequestCache(ServerRequestCache requestCache) {

web/src/main/java/org/springframework/security/web/server/savedrequest/CookieServerRequestCache.java

@@ -0,0 +1,131 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.savedrequest;
+
+import org.springframework.http.HttpCookie;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseCookie;
+import org.springframework.http.server.reactive.ServerHttpRequest;
+import org.springframework.http.server.reactive.ServerHttpResponse;
+import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher;
+import org.springframework.security.web.server.util.matcher.MediaTypeServerWebExchangeMatcher;
+import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
+import org.springframework.util.Assert;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+import java.net.URI;
+import java.time.Duration;
+import java.util.Base64;
+import java.util.Collections;
+
+/**
+ * An implementation of {@link ServerRequestCache} that saves the
+ * requested URI in a cookie.
+ *
+ * @author Eleftheria Stein
+ * @since 5.3
+ */
+public class CookieServerRequestCache implements ServerRequestCache {
+	private static final String REDIRECT_URI_COOKIE_NAME = "REDIRECT_URI";
+
+	private static final Duration COOKIE_MAX_AGE = Duration.ofSeconds(-1);
+
+	private ServerWebExchangeMatcher saveRequestMatcher = createDefaultRequestMatcher();
+
+	/**
+	 * Sets the matcher to determine if the request should be saved. The default is to match
+	 * on any GET request.
+	 *
+	 * @param saveRequestMatcher the {@link ServerWebExchangeMatcher} that determines if
+	 *                           the request should be saved
+	 */
+	public void setSaveRequestMatcher(ServerWebExchangeMatcher saveRequestMatcher) {
+		Assert.notNull(saveRequestMatcher, "saveRequestMatcher cannot be null");
+		this.saveRequestMatcher = saveRequestMatcher;
+	}
+
+	@Override
+	public Mono<Void> saveRequest(ServerWebExchange exchange) {
+		return this.saveRequestMatcher.matches(exchange)
+				.filter(m -> m.isMatch())
+				.map(m -> exchange.getResponse())
+				.map(ServerHttpResponse::getCookies)
+				.doOnNext(cookies -> cookies.add(REDIRECT_URI_COOKIE_NAME, createRedirectUriCookie(exchange.getRequest())))
+				.then();
+	}
+
+	@Override
+	public Mono<URI> getRedirectUri(ServerWebExchange exchange) {
+		MultiValueMap<String, HttpCookie> cookieMap = exchange.getRequest().getCookies();
+		return Mono.justOrEmpty(cookieMap.getFirst(REDIRECT_URI_COOKIE_NAME))
+				.map(HttpCookie::getValue)
+				.map(CookieServerRequestCache::decodeCookie)
+				.onErrorResume(IllegalArgumentException.class, e -> Mono.empty())
+				.map(URI::create);
+	}
+
+	@Override
+	public Mono<ServerHttpRequest> removeMatchingRequest(ServerWebExchange exchange) {
+		return Mono.just(exchange.getResponse())
+				.map(ServerHttpResponse::getCookies)
+				.doOnNext(cookies -> cookies.add(REDIRECT_URI_COOKIE_NAME, invalidateRedirectUriCookie(exchange.getRequest())))
+				.thenReturn(exchange.getRequest());
+	}
+
+	private static ResponseCookie createRedirectUriCookie(ServerHttpRequest request) {
+		String path = request.getPath().pathWithinApplication().value();
+		String query = request.getURI().getRawQuery();
+		String redirectUri = path + (query != null ? "?" + query : "");
+
+		return createResponseCookie(request, encodeCookie(redirectUri), COOKIE_MAX_AGE);
+	}
+
+	private static ResponseCookie invalidateRedirectUriCookie(ServerHttpRequest request) {
+		return createResponseCookie(request, null, Duration.ZERO);
+	}
+
+	private static ResponseCookie createResponseCookie(ServerHttpRequest request, String cookieValue, Duration age) {
+		return ResponseCookie.from(REDIRECT_URI_COOKIE_NAME, cookieValue)
+				.path(request.getPath().contextPath().value() + "/")
+				.maxAge(age)
+				.httpOnly(true)
+				.secure("https".equalsIgnoreCase(request.getURI().getScheme()))
+				.sameSite("Lax")
+				.build();
+	}
+
+	private static String encodeCookie(String cookieValue) {
+		return new String(Base64.getEncoder().encode(cookieValue.getBytes()));
+	}
+
+	private static String decodeCookie(String encodedCookieValue) {
+		return new String(Base64.getDecoder().decode(encodedCookieValue.getBytes()));
+	}
+
+	private static ServerWebExchangeMatcher createDefaultRequestMatcher() {
+		ServerWebExchangeMatcher get = ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/**");
+		ServerWebExchangeMatcher notFavicon = new NegatedServerWebExchangeMatcher(ServerWebExchangeMatchers.pathMatchers("/favicon.*"));
+		MediaTypeServerWebExchangeMatcher html = new MediaTypeServerWebExchangeMatcher(MediaType.TEXT_HTML);
+		html.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));
+		return new AndServerWebExchangeMatcher(get, notFavicon, html);
+	}
+}

web/src/main/java/org/springframework/security/web/server/savedrequest/ServerRequestCacheWebFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,7 +29,7 @@
  * @since 5.0
  */
 public class ServerRequestCacheWebFilter implements WebFilter {
-	private ServerRequestCache requestCache = new WebSessionServerRequestCache();
+	private ServerRequestCache requestCache = new CookieServerRequestCache();
 
 	@Override
 	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {