Test that form log in requires CSRF

This commit is contained in:
Rob Winch 2015-08-03 12:24:37 -05:00
parent 453e6332da
commit 41c9431fcc
1 changed files with 33 additions and 5 deletions


@ -1,14 +1,19 @@
package org.springframework.security.config.http
import javax.servlet.http.HttpServletResponse
import org.springframework.beans.factory.BeanCreationException
import org.springframework.mock.web.MockFilterChain
import org.springframework.mock.web.MockHttpServletRequest
import org.springframework.mock.web.MockHttpServletResponse
import org.springframework.security.util.FieldUtils
import org.springframework.security.web.access.ExceptionTranslationFilter
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.test.util.ReflectionTestUtils;
import org.springframework.util.ReflectionUtils;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter
import spock.lang.Unroll;
/**
*
@ -116,4 +121,27 @@ class FormLoginConfigTests extends AbstractHttpConfigTests {
then:
getFilter(DefaultLoginPageGeneratingFilter) == null
}
@Unroll
def 'Form Login requires CSRF Token #csrfDisabled'(int status, boolean csrfDisabled) {
setup:
MockHttpServletRequest request = new MockHttpServletRequest(method:'POST',servletPath:'/login')
request.setParameter('username','user')
request.setParameter('password','password')
MockHttpServletResponse response = new MockHttpServletResponse()
MockFilterChain chain = new MockFilterChain()
httpAutoConfig {
'form-login'()
csrf(disabled:csrfDisabled) {}
}
createAppContext()
when:
springSecurityFilterChain.doFilter(request,response,chain)
then:
response.status == status
where:
status | csrfDisabled
HttpServletResponse.SC_FORBIDDEN | false
HttpServletResponse.SC_MOVED_TEMPORARILY | true
}
}
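Review bot: The `where:` table pins only the status code, so the `csrfDisabled == true` row cannot tell a successful login redirect apart from a failed-login redirect (both are 302), and the `false` row cannot tell a CSRF rejection apart from any other access-denied path — the test would still pass if form login were broken entirely with CSRF enabled. I would add a second assertion on the response body: something like `csrfDisabled ? response.redirectedUrl == '/' : response.errorMessage?.contains('CSRF')`, adjusting the expected redirect target to whatever success/failure handlers `httpAutoConfig` actually wires (not visible in this hunk) and the message to what the CSRF access-denied handler emits. A positive-control row that sends the same POST with a valid token obtained from the configured `CsrfTokenRepository` and expects the success redirect would make "requires CSRF" mean "rejects without, accepts with" rather than just "rejects without". The enclosing `FormLoginConfigTests` class begins outside the hunk; only its closing brace is shown.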