From b55b2914c2bd10e3ff174767cda95e3c0adc6031 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Thu, 5 Sep 2019 05:23:13 -0600 Subject: [PATCH] Mock Jwt Disables CSRF Fixes gh-7170 --- .../OAuth2ResourceServerControllerTests.java | 24 +++---------------- .../server/SecurityMockServerConfigurers.java | 4 ++++ .../SecurityMockMvcRequestPostProcessors.java | 7 ++++-- 3 files changed, 12 insertions(+), 23 deletions(-) diff --git a/samples/boot/oauth2resourceserver/src/test/java/sample/OAuth2ResourceServerControllerTests.java b/samples/boot/oauth2resourceserver/src/test/java/sample/OAuth2ResourceServerControllerTests.java index dcb340f77a..8c15fea8de 100644 --- a/samples/boot/oauth2resourceserver/src/test/java/sample/OAuth2ResourceServerControllerTests.java +++ b/samples/boot/oauth2resourceserver/src/test/java/sample/OAuth2ResourceServerControllerTests.java @@ -25,7 +25,6 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.oauth2.jwt.JwtDecoder; import org.springframework.test.context.junit4.SpringRunner; import org.springframework.test.web.servlet.MockMvc; -import org.springframework.security.oauth2.jwt.Jwt; import static org.hamcrest.CoreMatchers.is; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt; @@ -33,8 +32,6 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilder import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; -import static org.mockito.ArgumentMatchers.anyString; -import static org.mockito.Mockito.when; /** * 
@@ -77,41 +74,26 @@ public class OAuth2ResourceServerControllerTests { @Test public void messageCanNotBeCreatedWithoutAnyScope() throws Exception { - Jwt jwt = Jwt.withTokenValue("token") - .header("alg", "none") - .claim("scope", "") - .build(); - when(jwtDecoder.decode(anyString())).thenReturn(jwt); mockMvc.perform(post("/message") .content("Hello message") - .header("Authorization", "Bearer " + jwt.getTokenValue())) + .with(jwt())) .andExpect(status().isForbidden()); } @Test public void messageCanNotBeCreatedWithScopeMessageReadAuthority() throws Exception { - Jwt jwt = Jwt.withTokenValue("token") - .header("alg", "none") - .claim("scope", "message:read") - .build(); - when(jwtDecoder.decode(anyString())).thenReturn(jwt); mockMvc.perform(post("/message") .content("Hello message") - .header("Authorization", "Bearer " + jwt.getTokenValue())) + .with(jwt(jwt -> jwt.claim("scope", "message:read")))) .andExpect(status().isForbidden()); } @Test public void messageCanBeCreatedWithScopeMessageWriteAuthority() throws Exception { - Jwt jwt = Jwt.withTokenValue("token") - .header("alg", "none") - .claim("scope", "message:write") - .build(); - when(jwtDecoder.decode(anyString())).thenReturn(jwt); mockMvc.perform(post("/message") .content("Hello message") - .header("Authorization", "Bearer " + jwt.getTokenValue())) + .with(jwt(jwt -> jwt.claim("scope", "message:write")))) .andExpect(status().isOk()) .andExpect(content().string(is("Message was created. Content: Hello message"))); } diff --git a/test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java b/test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java index adbf8ac4db..312d511749 100644 --- a/test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java +++ b/test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java 
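Review bot: Switching these three POST tests from an `Authorization: Bearer` header to `.with(jwt(...))` means they no longer exercise bearer-token resolution or the mocked `JwtDecoder` at all, only the scope-to-authority decision, so a regression in the header-parsing path would go unnoticed here unless a test above this hunk still sends a real header against the mocked decoder. The first test, `messageCanNotBeCreatedWithoutAnyScope`, now also depends on the default `jwt()` principal carrying no scope that maps to `message:write`; that default is not visible here, so a line such as `// default jwt() carries no "scope" claim that grants message:write` would make the assumption explicit. Presumably these POSTs would otherwise be rejected by CSRF (the commit subject says the mock JWT disables it), which is worth a sentence in the class Javadoc so a reader is not left wondering why no `csrf()` post-processor is applied.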
@@ -419,6 +419,10 @@ public class SecurityMockServerConfigurers { WebTestClient.Builder builder, @Nullable WebHttpHandlerBuilder httpHandlerBuilder, @Nullable ClientHttpConnector connector) { + httpHandlerBuilder.filter((exchange, chain) -> { + CsrfWebFilter.skipExchange(exchange); + return chain.filter(exchange); + }); configurer().afterConfigurerAdded(builder, httpHandlerBuilder, connector); } diff --git a/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java b/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java index 2d3bf57a10..f66a9ddc34 100644 --- a/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java +++ b/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java @@ -55,6 +55,7 @@ import org.springframework.security.test.web.support.WebTestUtils; import org.springframework.security.web.context.HttpRequestResponseHolder; import org.springframework.security.web.context.SecurityContextPersistenceFilter; import org.springframework.security.web.context.SecurityContextRepository; +import org.springframework.security.web.csrf.CsrfFilter; import org.springframework.security.web.csrf.CsrfToken; import org.springframework.security.web.csrf.CsrfTokenRepository; import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository; @@ -63,6 +64,7 @@ import org.springframework.test.web.servlet.request.RequestPostProcessor; import org.springframework.util.Assert; import org.springframework.util.DigestUtils; +import static java.lang.Boolean.TRUE; import static org.springframework.security.oauth2.jwt.JwtClaimNames.SUB; /** 
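Review bot: `httpHandlerBuilder` is declared `@Nullable` in the parameter list shown as context, yet the added lines call `httpHandlerBuilder.filter(...)` unconditionally, so a `WebTestClient` configured without a handler builder now fails with a `NullPointerException` in this mutator instead of falling through to `configurer().afterConfigurerAdded(...)` as before. Guard it: `if (httpHandlerBuilder != null) { httpHandlerBuilder.filter((exchange, chain) -> { CsrfWebFilter.skipExchange(exchange); return chain.filter(exchange); }); }`. As far as the hunk shows, the filter is registered on the shared handler builder, so `CsrfWebFilter.skipExchange` runs for every exchange the resulting client sends, not only the one carrying the mock JWT; a short Javadoc line on the enclosing mutator stating that CSRF is skipped for the whole client would save test authors a surprise. The enclosing method begins outside the hunk.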
@@ -502,11 +504,11 @@ public final class SecurityMockMvcRequestPostProcessors { } public static void enable(HttpServletRequest request) { - request.setAttribute(ENABLED_ATTR_NAME, Boolean.TRUE); + request.setAttribute(ENABLED_ATTR_NAME, TRUE); } public boolean isEnabled(HttpServletRequest request) { - return Boolean.TRUE.equals(request.getAttribute(ENABLED_ATTR_NAME)); + return TRUE.equals(request.getAttribute(ENABLED_ATTR_NAME)); } } } @@ -1043,6 +1045,7 @@ public final class SecurityMockMvcRequestPostProcessors { @Override public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) { + CsrfFilter.skipRequest(request); JwtAuthenticationToken token = new JwtAuthenticationToken(this.jwt, this.authorities); return new AuthenticationRequestPostProcessor(token).postProcessRequest(request); }
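Review bot: The added `CsrfFilter.skipRequest(request)` in `postProcessRequest` changes what the JWT post-processor does to every request it decorates, namely exempting it from CSRF checks, but nothing in the hunk explains why, and the `jwt()` factory whose Javadoc a user would read is outside the hunk. Presumably this mirrors the runtime rule that bearer-token requests are not CSRF-checked; if so, a why-comment on the line such as `// Bearer-token requests are exempt from CSRF at runtime, so the mock is too (gh-7170)` plus one sentence in the `jwt()` Javadoc would document the contract (confirm the runtime behavior before wording it). The `Boolean.TRUE` to `TRUE` static-import rewrite in the hunk at `@@ -502` is unrelated to this fix and reads as churn in a commit titled for gh-7170; it would be cleaner as its own change.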