Steve Riesenberg
parent
60aa799498
commit
2a2051cd7b
|
|
@ -51,8 +51,11 @@ import org.springframework.security.web.context.SecurityContextHolderFilter;
|
|||
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
|
||||
import org.springframework.security.web.csrf.CsrfFilter;
|
||||
import org.springframework.security.web.csrf.CsrfToken;
|
||||
import org.springframework.security.web.csrf.CsrfTokenRepository;
|
||||
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
|
||||
import org.springframework.security.web.csrf.DefaultCsrfToken;
|
||||
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
|
||||
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
|
||||
import org.springframework.security.web.header.HeaderWriterFilter;
|
||||
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
|
||||
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
|
||||
|
|
@ -121,8 +124,12 @@ public class DefaultFiltersTests {
|
|||
MockHttpServletRequest request = new MockHttpServletRequest("POST", "");
|
||||
request.setServletPath("/logout");
|
||||
CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "BaseSpringSpec_CSRFTOKEN");
|
||||
new HttpSessionCsrfTokenRepository().saveToken(csrfToken, request, response);
|
||||
request.setParameter(csrfToken.getParameterName(), csrfToken.getToken());
|
||||
CsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
|
||||
repository.saveToken(csrfToken, request, response);
|
||||
CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
|
||||
handler.handle(request, response, () -> csrfToken);
|
||||
CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
|
||||
request.setParameter(token.getParameterName(), token.getToken());
|
||||
this.spring.getContext().getBean("springSecurityFilterChain", Filter.class).doFilter(request, response,
|
||||
new MockFilterChain());
|
||||
assertThat(response.getRedirectedUrl()).isEqualTo("/login?logout");
|
||||
|
|
|
|||
|
|
@ -85,7 +85,9 @@ public class DefaultLoginPageConfigurerTests {
|
|||
String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
|
||||
// @formatter:off
|
||||
this.mvc.perform(get("/login").sessionAttr(csrfAttributeName, csrfToken))
|
||||
.andExpect(content().string("<!DOCTYPE html>\n"
|
||||
.andExpect((result) -> {
|
||||
CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
|
||||
assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
|
||||
+ "<html lang=\"en\">\n"
|
||||
+ " <head>\n"
|
||||
+ " <meta charset=\"utf-8\">\n"
|
||||
|
|
@ -108,11 +110,12 @@ public class DefaultLoginPageConfigurerTests {
|
|||
+ " <label for=\"password\" class=\"sr-only\">Password</label>\n"
|
||||
+ " <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
|
||||
+ " </p>\n"
|
||||
+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n"
|
||||
+ "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
|
||||
+ " <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
|
||||
+ " </form>\n"
|
||||
+ "</div>\n"
|
||||
+ "</body></html>"));
|
||||
+ "</body></html>");
|
||||
});
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
|
|
@ -131,7 +134,9 @@ public class DefaultLoginPageConfigurerTests {
|
|||
// @formatter:off
|
||||
this.mvc.perform(get("/login?error").session((MockHttpSession) mvcResult.getRequest().getSession())
|
||||
.sessionAttr(csrfAttributeName, csrfToken))
|
||||
.andExpect(content().string("<!DOCTYPE html>\n"
|
||||
.andExpect((result) -> {
|
||||
CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
|
||||
assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
|
||||
+ "<html lang=\"en\">\n"
|
||||
+ " <head>\n"
|
||||
+ " <meta charset=\"utf-8\">\n"
|
||||
|
|
@ -153,11 +158,12 @@ public class DefaultLoginPageConfigurerTests {
|
|||
+ " <label for=\"password\" class=\"sr-only\">Password</label>\n"
|
||||
+ " <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
|
||||
+ " </p>\n"
|
||||
+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n"
|
||||
+ "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
|
||||
+ " <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
|
||||
+ " </form>\n"
|
||||
+ "</div>\n"
|
||||
+ "</body></html>"));
|
||||
+ "</body></html>");
|
||||
});
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
|
|
@ -180,7 +186,9 @@ public class DefaultLoginPageConfigurerTests {
|
|||
String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
|
||||
// @formatter:off
|
||||
this.mvc.perform(get("/login?logout").sessionAttr(csrfAttributeName, csrfToken))
|
||||
.andExpect(content().string("<!DOCTYPE html>\n"
|
||||
.andExpect((result) -> {
|
||||
CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
|
||||
assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
|
||||
+ "<html lang=\"en\">\n"
|
||||
+ " <head>\n"
|
||||
+ " <meta charset=\"utf-8\">\n"
|
||||
|
|
@ -203,11 +211,12 @@ public class DefaultLoginPageConfigurerTests {
|
|||
+ " <label for=\"password\" class=\"sr-only\">Password</label>\n"
|
||||
+ " <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
|
||||
+ " </p>\n"
|
||||
+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n"
|
||||
+ "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
|
||||
+ " <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
|
||||
+ " </form>\n"
|
||||
+ "</div>\n"
|
||||
+ "</body></html>"));
|
||||
+ "</body></html>");
|
||||
});
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
|
|
@ -230,7 +239,9 @@ public class DefaultLoginPageConfigurerTests {
|
|||
String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
|
||||
// @formatter:off
|
||||
this.mvc.perform(get("/login").sessionAttr(csrfAttributeName, csrfToken))
|
||||
.andExpect(content().string("<!DOCTYPE html>\n"
|
||||
.andExpect((result) -> {
|
||||
CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
|
||||
assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
|
||||
+ "<html lang=\"en\">\n"
|
||||
+ " <head>\n"
|
||||
+ " <meta charset=\"utf-8\">\n"
|
||||
|
|
@ -254,11 +265,12 @@ public class DefaultLoginPageConfigurerTests {
|
|||
+ " <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
|
||||
+ " </p>\n"
|
||||
+ "<p><input type='checkbox' name='remember-me'/> Remember me on this computer.</p>\n"
|
||||
+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n"
|
||||
+ "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
|
||||
+ " <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
|
||||
+ " </form>\n"
|
||||
+ "</div>\n"
|
||||
+ "</body></html>"));
|
||||
+ "</body></html>");
|
||||
});
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -39,7 +39,10 @@ import org.springframework.security.web.SecurityFilterChain;
|
|||
import org.springframework.security.web.context.HttpRequestResponseHolder;
|
||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
||||
import org.springframework.security.web.csrf.CsrfToken;
|
||||
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
|
||||
import org.springframework.security.web.csrf.DeferredCsrfToken;
|
||||
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
|
||||
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
|
|
@ -82,8 +85,10 @@ public class SessionManagementConfigurerServlet31Tests {
|
|||
request.setParameter("username", "user");
|
||||
request.setParameter("password", "password");
|
||||
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
|
||||
CsrfToken token = repository.generateToken(request);
|
||||
repository.saveToken(token, request, this.response);
|
||||
CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
|
||||
DeferredCsrfToken deferredCsrfToken = repository.loadDeferredToken(request, this.response);
|
||||
handler.handle(request, this.response, deferredCsrfToken::get);
|
||||
CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
|
||||
request.setParameter(token.getParameterName(), token.getToken());
|
||||
request.getSession().setAttribute("attribute1", "value1");
|
||||
loadConfig(SessionManagementDefaultSessionFixationServlet31Config.class);
|
||||
|
|
|
|||
|
|
@ -40,7 +40,10 @@ import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequ
|
|||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.csrf.CsrfToken;
|
||||
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
|
||||
import org.springframework.security.web.csrf.DeferredCsrfToken;
|
||||
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
|
||||
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
|
||||
import org.springframework.test.context.ContextConfiguration;
|
||||
import org.springframework.test.context.junit.jupiter.SpringExtension;
|
||||
import org.springframework.test.context.web.WebAppConfiguration;
|
||||
|
|
@ -157,9 +160,12 @@ public class SecurityMockMvcRequestPostProcessorsCsrfTests {
|
|||
// @formatter:off
|
||||
this.mockMvc.perform(post("/").with(csrf()));
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
HttpSessionCsrfTokenRepository repo = new HttpSessionCsrfTokenRepository();
|
||||
CsrfToken token = repo.generateToken(request);
|
||||
repo.saveToken(token, request, new MockHttpServletResponse());
|
||||
CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
|
||||
DeferredCsrfToken deferredCsrfToken = repo.loadDeferredToken(request, response);
|
||||
handler.handle(request, response, deferredCsrfToken::get);
|
||||
CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
|
||||
MockHttpServletRequestBuilder requestWithCsrf = post("/")
|
||||
.param(token.getParameterName(), token.getToken())
|
||||
.session((MockHttpSession) request.getSession());
|
||||
|
|
|
|||
|
|
@ -87,7 +87,7 @@ public final class CsrfFilter extends OncePerRequestFilter {
|
|||
|
||||
private AccessDeniedHandler accessDeniedHandler = new AccessDeniedHandlerImpl();
|
||||
|
||||
private CsrfTokenRequestHandler requestHandler = new CsrfTokenRequestAttributeHandler();
|
||||
private CsrfTokenRequestHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
|
||||
|
||||
/**
|
||||
* Creates a new instance.
|
||||
|
|
|
|||
|
|
@ -130,8 +130,8 @@ public class CsrfFilterTests {
|
|||
given(this.tokenRepository.loadDeferredToken(this.request, this.response))
|
||||
.willReturn(new TestDeferredCsrfToken(this.token, false));
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
|
||||
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
|
||||
verifyNoMoreInteractions(this.filterChain);
|
||||
}
|
||||
|
|
@ -143,8 +143,8 @@ public class CsrfFilterTests {
|
|||
.willReturn(new TestDeferredCsrfToken(this.token, false));
|
||||
this.request.setParameter(this.token.getParameterName(), this.token.getToken() + " INVALID");
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
|
||||
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
|
||||
verifyNoMoreInteractions(this.filterChain);
|
||||
}
|
||||
|
|
@ -156,8 +156,8 @@ public class CsrfFilterTests {
|
|||
.willReturn(new TestDeferredCsrfToken(this.token, false));
|
||||
this.request.addHeader(this.token.getHeaderName(), this.token.getToken() + " INVALID");
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
|
||||
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
|
||||
verifyNoMoreInteractions(this.filterChain);
|
||||
}
|
||||
|
|
@ -168,11 +168,14 @@ public class CsrfFilterTests {
|
|||
given(this.requestMatcher.matches(this.request)).willReturn(true);
|
||||
given(this.tokenRepository.loadDeferredToken(this.request, this.response))
|
||||
.willReturn(new TestDeferredCsrfToken(this.token, false));
|
||||
this.request.setParameter(this.token.getParameterName(), this.token.getToken());
|
||||
this.request.addHeader(this.token.getHeaderName(), this.token.getToken() + " INVALID");
|
||||
CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
|
||||
handler.handle(this.request, this.response, () -> this.token);
|
||||
CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
|
||||
this.request.setParameter(csrfToken.getParameterName(), csrfToken.getToken());
|
||||
this.request.addHeader(csrfToken.getHeaderName(), csrfToken.getToken() + " INVALID");
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
|
||||
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
|
||||
verifyNoMoreInteractions(this.filterChain);
|
||||
}
|
||||
|
|
@ -183,8 +186,8 @@ public class CsrfFilterTests {
|
|||
given(this.tokenRepository.loadDeferredToken(this.request, this.response))
|
||||
.willReturn(new TestDeferredCsrfToken(this.token, false));
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
verifyNoMoreInteractions(this.deniedHandler);
|
||||
}
|
||||
|
|
@ -195,8 +198,8 @@ public class CsrfFilterTests {
|
|||
given(this.tokenRepository.loadDeferredToken(this.request, this.response))
|
||||
.willReturn(new TestDeferredCsrfToken(this.token, true));
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
verifyNoMoreInteractions(this.deniedHandler);
|
||||
}
|
||||
|
|
@ -206,10 +209,13 @@ public class CsrfFilterTests {
|
|||
given(this.requestMatcher.matches(this.request)).willReturn(true);
|
||||
given(this.tokenRepository.loadDeferredToken(this.request, this.response))
|
||||
.willReturn(new TestDeferredCsrfToken(this.token, false));
|
||||
this.request.addHeader(this.token.getHeaderName(), this.token.getToken());
|
||||
CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
|
||||
handler.handle(this.request, this.response, () -> this.token);
|
||||
CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
|
||||
this.request.addHeader(csrfToken.getHeaderName(), csrfToken.getToken());
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
verifyNoMoreInteractions(this.deniedHandler);
|
||||
}
|
||||
|
|
@ -220,11 +226,14 @@ public class CsrfFilterTests {
|
|||
given(this.requestMatcher.matches(this.request)).willReturn(true);
|
||||
given(this.tokenRepository.loadDeferredToken(this.request, this.response))
|
||||
.willReturn(new TestDeferredCsrfToken(this.token, false));
|
||||
this.request.setParameter(this.token.getParameterName(), this.token.getToken() + " INVALID");
|
||||
this.request.addHeader(this.token.getHeaderName(), this.token.getToken());
|
||||
CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
|
||||
handler.handle(this.request, this.response, () -> this.token);
|
||||
CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
|
||||
this.request.setParameter(csrfToken.getParameterName(), csrfToken.getToken() + " INVALID");
|
||||
this.request.addHeader(csrfToken.getHeaderName(), csrfToken.getToken());
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
verifyNoMoreInteractions(this.deniedHandler);
|
||||
}
|
||||
|
|
@ -234,10 +243,13 @@ public class CsrfFilterTests {
|
|||
given(this.requestMatcher.matches(this.request)).willReturn(true);
|
||||
given(this.tokenRepository.loadDeferredToken(this.request, this.response))
|
||||
.willReturn(new TestDeferredCsrfToken(this.token, false));
|
||||
this.request.setParameter(this.token.getParameterName(), this.token.getToken());
|
||||
CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
|
||||
handler.handle(this.request, this.response, () -> this.token);
|
||||
CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
|
||||
this.request.setParameter(csrfToken.getParameterName(), csrfToken.getToken());
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
verifyNoMoreInteractions(this.deniedHandler);
|
||||
verify(this.tokenRepository, never()).saveToken(any(CsrfToken.class), any(HttpServletRequest.class),
|
||||
|
|
@ -249,10 +261,13 @@ public class CsrfFilterTests {
|
|||
given(this.requestMatcher.matches(this.request)).willReturn(true);
|
||||
given(this.tokenRepository.loadDeferredToken(this.request, this.response))
|
||||
.willReturn(new TestDeferredCsrfToken(this.token, true));
|
||||
this.request.setParameter(this.token.getParameterName(), this.token.getToken());
|
||||
CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
|
||||
handler.handle(this.request, this.response, () -> this.token);
|
||||
CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
|
||||
this.request.setParameter(csrfToken.getParameterName(), csrfToken.getToken());
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
|
||||
// LazyCsrfTokenRepository requires the response as an attribute
|
||||
assertThat(this.request.getAttribute(HttpServletResponse.class.getName())).isEqualTo(this.response);
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
|
|
@ -320,8 +335,8 @@ public class CsrfFilterTests {
|
|||
given(this.tokenRepository.loadDeferredToken(this.request, this.response))
|
||||
.willReturn(new TestDeferredCsrfToken(this.token, false));
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
|
||||
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
|
||||
verifyNoMoreInteractions(this.filterChain);
|
||||
}
|
||||
|
|
@ -371,12 +386,9 @@ public class CsrfFilterTests {
|
|||
given(this.requestMatcher.matches(this.request)).willReturn(false);
|
||||
given(this.tokenRepository.loadDeferredToken(this.request, this.response))
|
||||
.willReturn(new TestDeferredCsrfToken(this.token, false));
|
||||
XorCsrfTokenRequestAttributeHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
|
||||
requestHandler.setCsrfRequestAttributeName(this.token.getParameterName());
|
||||
this.filter.setRequestHandler(requestHandler);
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
|
||||
assertThat(this.request.getAttribute(this.token.getParameterName())).isNotNull();
|
||||
assertThat(this.request.getAttribute("_csrf")).isNotNull();
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
|
||||
|
||||
|
|
@ -397,8 +409,6 @@ public class CsrfFilterTests {
|
|||
given(this.requestMatcher.matches(this.request)).willReturn(true);
|
||||
given(this.tokenRepository.loadDeferredToken(this.request, this.response))
|
||||
.willReturn(new TestDeferredCsrfToken(this.token, false));
|
||||
XorCsrfTokenRequestAttributeHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
|
||||
this.filter.setRequestHandler(requestHandler);
|
||||
this.request.setParameter(this.token.getParameterName(), this.token.getToken());
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(AccessDeniedException.class));
|
||||
|
|
@ -421,7 +431,7 @@ public class CsrfFilterTests {
|
|||
throws ServletException, IOException {
|
||||
CsrfFilter filter = createCsrfFilter(this.tokenRepository);
|
||||
String csrfAttrName = "_csrf";
|
||||
CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
|
||||
CsrfTokenRequestAttributeHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
|
||||
requestHandler.setCsrfRequestAttributeName(csrfAttrName);
|
||||
filter.setRequestHandler(requestHandler);
|
||||
CsrfToken expectedCsrfToken = mock(CsrfToken.class);
|
||||
|
|
@ -432,7 +442,7 @@ public class CsrfFilterTests {
|
|||
|
||||
verifyNoInteractions(expectedCsrfToken);
|
||||
CsrfToken tokenFromRequest = (CsrfToken) this.request.getAttribute(csrfAttrName);
|
||||
assertThatCsrfToken(tokenFromRequest).isEqualTo(expectedCsrfToken);
|
||||
assertThatCsrfToken(tokenFromRequest).isNotNull();
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue