Merge remote-tracking branch 'origin/907-security-validation' into 90…

…7-security-validation

# Conflicts:
#	core/src/test/java/com/predic8/membrane/core/interceptor/oauth2/client/b2c/OAuth2ResourceB2CTest.java

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/OAuth2Resource2Interceptor.java

@@ -238,7 +238,7 @@ private void applyBackendAuthorization(Exchange exc, Session s) {
     public Outcome respondWithRedirect(Exchange exc) throws Exception {
         Integer errorStatus = (Integer) exc.getProperty(ERROR_STATUS);
         if (errorStatus != null) {
-            exc.setResponse(Response.statusCode(errorStatus).build());
+            exc.setResponse(Response.statusCode(errorStatus).header(CONTENT_LENGTH, "0").build());
             return RETURN;
         }
 

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/RequireAuth.java

@@ -120,7 +120,7 @@ public Integer getErrorStatus() {
     }
 
     @MCAttribute
-    public void setErrorStatus(Integer errorStatus) {
+    public void setErrorStatus(int errorStatus) {
         this.errorStatus = errorStatus;
     }
 

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/rf/token/AccessTokenRefresher.java

@@ -18,6 +18,7 @@
 import com.google.common.cache.Cache;
 import com.google.common.cache.CacheBuilder;
 import com.predic8.membrane.core.exchange.Exchange;
+import com.predic8.membrane.core.interceptor.oauth2.OAuth2AnswerParameters;
 import com.predic8.membrane.core.interceptor.oauth2.authorizationservice.AuthorizationService;
 import com.predic8.membrane.core.interceptor.session.Session;
 import org.slf4j.Logger;
@@ -58,16 +59,15 @@ public void refreshIfNeeded(Session session, Exchange exc) {
 
         synchronized (getTokenSynchronizer(session)) {
             try {
-                refreshAccessToken(session, wantedScope);
-                exc.setProperty(Exchange.OAUTH2, session.getOAuth2AnswerParameters(wantedScope));
+                exc.setProperty(Exchange.OAUTH2, refreshAccessToken(session, wantedScope));
             } catch (Exception e) {
                 log.warn("Failed to refresh access token, clearing session and restarting OAuth2 flow.", e);
                 session.clearAuthentication();
             }
         }
     }
 
-    private void refreshAccessToken(Session session, String wantedScope) throws Exception {
+    private OAuth2AnswerParameters refreshAccessToken(Session session, String wantedScope) throws Exception {
         var params = session.getOAuth2AnswerParameters();
         var response = auth.refreshTokenRequest(session, params, wantedScope);
 
@@ -91,6 +91,8 @@ private void refreshAccessToken(Session session, String wantedScope) throws Exce
         tokenResponseHandler.handleTokenResponse(session, wantedScope, json, params);
 
         session.setOAuth2Answer(wantedScope, params.serialize());
+
+        return params;
     }
 
     private boolean refreshingOfAccessTokenIsNeeded(Session session, String wantedScope) {

core/src/main/java/com/predic8/membrane/core/interceptor/session/SessionManager.java

@@ -143,6 +143,9 @@ private void createDefaultResponseIfNeeded(Exchange exc) {
     private void handleSetCookieHeaderForResponse(Exchange exc, Session session) throws Exception {
         Optional<Object> originalCookieValueAtBeginning = Optional.ofNullable(exc.getProperty(SESSION_COOKIE_ORIGINAL));
 
+        if (originalCookieValueAtBeginning.isEmpty() && !session.isDirty)
+            return;
+
         if(ttlExpiryRefreshOnAccess || session.isDirty() || originalCookieValueAtBeginning.isEmpty() || cookieRenewalNeeded(originalCookieValueAtBeginning.get().toString())){
             String currentCookieValueOfSession = getCookieValue(session);
             if (!ttlExpiryRefreshOnAccess && originalCookieValueAtBeginning.isPresent() &&

core/src/test/java/com/predic8/membrane/core/interceptor/oauth2/client/b2c/OAuth2ResourceB2CTest.java

@@ -46,6 +46,9 @@
 
 import static com.predic8.membrane.core.RuleManager.RuleDefinitionSource.*;
 import static com.predic8.membrane.core.http.MimeType.*;
+import static com.predic8.membrane.core.RuleManager.RuleDefinitionSource.MANUAL;
+import static com.predic8.membrane.core.http.Header.SET_COOKIE;
+import static com.predic8.membrane.core.http.MimeType.APPLICATION_JSON;
 import static org.junit.jupiter.api.Assertions.*;
 
 public abstract class OAuth2ResourceB2CTest {
@@ -380,6 +383,7 @@ public void returning4xx() throws Exception {
 
         assertEquals(403, exc.getResponse().getStatusCode());
         assertEquals("Forbidden", exc.getResponse().getStatusMessage());
+        assertNull(exc.getResponse().getHeader().getFirstValue(SET_COOKIE));
 
         browser.apply(new Request.Builder().get(getClientAddress() + "/pe/init").buildExchange());
 
@@ -732,6 +736,7 @@ public Outcome handleRequest(Exchange exc) throws Exception {
                 body.put("path", exc.getRequestURI());
                 body.put("method", exc.getRequest().getMethod());
                 body.put("body", exc.getRequest().getBodyAsStringDecoded());
+
                 exc.setResponse(Response.ok(om.writeValueAsString(body)).build());
                 return Outcome.RETURN;
             }

distribution/examples/basic-xml-interceptor/pom.xml

@@ -21,7 +21,7 @@
         <dependency>
             <groupId>org.membrane-soa</groupId>
             <artifactId>service-proxy-core</artifactId>
-            <version>4.9.1</version>
+            <version>5.3.4</version>
         </dependency>
     </dependencies>
 

distribution/examples/custom-interceptor/pom.xml

@@ -28,7 +28,7 @@
     <dependency>
       <groupId>org.membrane-soa</groupId>
       <artifactId>service-proxy-core</artifactId>
-      <version>4.9.1</version>
+      <version>5.3.4</version>
     </dependency>
 
   </dependencies>

distribution/examples/soap/add-soap-header/pom.xml

@@ -21,7 +21,7 @@
         <dependency>
             <groupId>org.membrane-soa</groupId>
             <artifactId>service-proxy-core</artifactId>
-            <version>4.9.1</version>
+            <version>5.3.4</version>
         </dependency>
 
     </dependencies>