Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-29 07:12:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '6.1.x' into 6.2.x

Browse Source 
Closes gh-14805
This commit is contained in:
Steve Riesenberg 2024-03-26 12:18:42 -05:00
commit 6f8cc920cd
No known key found for this signature in database
GPG Key ID: 3D0169B18AB8F0A9
1 changed files with 37 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
View File

@ -876,7 +876,7 @@ class SpaCsrfTokenRequestHandler : CsrfTokenRequestAttributeHandler() {
delegate.handle(request, response, csrfToken) delegate.handle(request, response, csrfToken)
} }
override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String { override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String? {
/* /*
* If the request contains a request header, use CsrfTokenRequestAttributeHandler * If the request contains a request header, use CsrfTokenRequestAttributeHandler
* to resolve the CsrfToken. This applies when a single-page application includes * to resolve the CsrfToken. This applies when a single-page application includes
@ -1221,6 +1221,24 @@ public class CsrfTests {
.andExpect(header().string(HttpHeaders.LOCATION, "/")); .andExpect(header().string(HttpHeaders.LOCATION, "/"));
} }
@Test
public void loginWhenInvalidCsrfTokenThenForbidden() throws Exception {
this.mockMvc.perform(post("/login").with(csrf().useInvalidToken())
.accept(MediaType.TEXT_HTML)
.param("username", "user")
.param("password", "password"))
.andExpect(status().isForbidden());
}
@Test
public void loginWhenMissingCsrfTokenThenForbidden() throws Exception {
this.mockMvc.perform(post("/login")
.accept(MediaType.TEXT_HTML)
.param("username", "user")
.param("password", "password"))
.andExpect(status().isForbidden());
}
@Test @Test
@WithMockUser @WithMockUser
public void logoutWhenValidCsrfTokenThenSuccess() throws Exception { public void logoutWhenValidCsrfTokenThenSuccess() throws Exception {
@ -1264,6 +1282,24 @@ class CsrfTests {
.andExpect(header().string(HttpHeaders.LOCATION, "/")) .andExpect(header().string(HttpHeaders.LOCATION, "/"))
} }
@Test
fun loginWhenInvalidCsrfTokenThenForbidden() {
mockMvc.perform(post("/login").with(csrf().useInvalidToken())
.accept(MediaType.TEXT_HTML)
.param("username", "user")
.param("password", "password"))
.andExpect(status().isForbidden)
}
@Test
fun loginWhenMissingCsrfTokenThenForbidden() {
mockMvc.perform(post("/login")
.accept(MediaType.TEXT_HTML)
.param("username", "user")
.param("password", "password"))
.andExpect(status().isForbidden)
}
@Test @Test
@WithMockUser @WithMockUser
@Throws(Exception::class) @Throws(Exception::class)