Mock Jwt Disables CSRF

Fixes gh-7170
Josh Cummings 2019-09-05 05:23:13 -06:00
parent aa12748c9b
commit b55b2914c2
3 changed files with 12 additions and 23 deletions


@ -25,7 +25,6 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.JwtDecoder; import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.context.junit4.SpringRunner; import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MockMvc;
import org.springframework.security.oauth2.jwt.Jwt;
import static org.hamcrest.CoreMatchers.is; import static org.hamcrest.CoreMatchers.is;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
@ -33,8 +32,6 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilder
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.when;
/** /**
* *
@ -77,41 +74,26 @@ public class OAuth2ResourceServerControllerTests {
@Test @Test
public void messageCanNotBeCreatedWithoutAnyScope() throws Exception { public void messageCanNotBeCreatedWithoutAnyScope() throws Exception {
Jwt jwt = Jwt.withTokenValue("token")
.header("alg", "none")
.claim("scope", "")
.build();
when(jwtDecoder.decode(anyString())).thenReturn(jwt);
mockMvc.perform(post("/message") mockMvc.perform(post("/message")
.content("Hello message") .content("Hello message")
.header("Authorization", "Bearer " + jwt.getTokenValue())) .with(jwt()))
.andExpect(status().isForbidden()); .andExpect(status().isForbidden());
} }
@Test @Test
public void messageCanNotBeCreatedWithScopeMessageReadAuthority() throws Exception { public void messageCanNotBeCreatedWithScopeMessageReadAuthority() throws Exception {
Jwt jwt = Jwt.withTokenValue("token")
.header("alg", "none")
.claim("scope", "message:read")
.build();
when(jwtDecoder.decode(anyString())).thenReturn(jwt);
mockMvc.perform(post("/message") mockMvc.perform(post("/message")
.content("Hello message") .content("Hello message")
.header("Authorization", "Bearer " + jwt.getTokenValue())) .with(jwt(jwt -> jwt.claim("scope", "message:read"))))
.andExpect(status().isForbidden()); .andExpect(status().isForbidden());
} }
@Test @Test
public void messageCanBeCreatedWithScopeMessageWriteAuthority() public void messageCanBeCreatedWithScopeMessageWriteAuthority()
throws Exception { throws Exception {
Jwt jwt = Jwt.withTokenValue("token")
.header("alg", "none")
.claim("scope", "message:write")
.build();
when(jwtDecoder.decode(anyString())).thenReturn(jwt);
mockMvc.perform(post("/message") mockMvc.perform(post("/message")
.content("Hello message") .content("Hello message")
.header("Authorization", "Bearer " + jwt.getTokenValue())) .with(jwt(jwt -> jwt.claim("scope", "message:write"))))
.andExpect(status().isOk()) .andExpect(status().isOk())
.andExpect(content().string(is("Message was created. Content: Hello message"))); .andExpect(content().string(is("Message was created. Content: Hello message")));
} }
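Review bot: `messageCanNotBeCreatedWithoutAnyScope` no longer asserts the situation its name describes: the removed body set `.claim("scope", "")` explicitly, while the new `.with(jwt())` relies on whatever claims the default post-processor supplies, which may well include a default scope. Either keep the empty claim, `.with(jwt(jwt -> jwt.claim("scope", "")))`, or rename the test to say that the token lacks the message scope. With the Authorization header and the `jwtDecoder` stubbing gone, these three tests now exercise scope-based authorization only and no longer cover bearer-token resolution or decoding; a short class-level comment stating that trade-off would help the next reader decide whether an end-to-end test with a real header is still needed elsewhere. The class header and field declarations are outside the hunk.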


@ -419,6 +419,10 @@ public class SecurityMockServerConfigurers {
WebTestClient.Builder builder, WebTestClient.Builder builder,
@Nullable WebHttpHandlerBuilder httpHandlerBuilder, @Nullable WebHttpHandlerBuilder httpHandlerBuilder,
@Nullable ClientHttpConnector connector) { @Nullable ClientHttpConnector connector) {
httpHandlerBuilder.filter((exchange, chain) -> {
CsrfWebFilter.skipExchange(exchange);
return chain.filter(exchange);
});
configurer().afterConfigurerAdded(builder, httpHandlerBuilder, connector); configurer().afterConfigurerAdded(builder, httpHandlerBuilder, connector);
} }
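Review bot: The new `httpHandlerBuilder.filter(...)` call dereferences a parameter that is declared `@Nullable` two lines above it, so `afterConfigurerAdded` now throws a NullPointerException for the null argument the annotation says callers may pass. Guard it with `if (httpHandlerBuilder != null) { httpHandlerBuilder.filter(...); }`, keeping the lambda body as written, so the delegating call on the last line still runs. Because the filter is registered on the handler builder rather than on one exchange, it presumably exempts every exchange that handler serves from `CsrfWebFilter`, not only the one the mock jwt was applied to, and it is added again on every call; a comment such as `// skips CsrfWebFilter for all exchanges of this handler, as a real bearer-token request would be` would make that reach explicit. The method's signature line is outside the hunk.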


@ -55,6 +55,7 @@ import org.springframework.security.test.web.support.WebTestUtils;
import org.springframework.security.web.context.HttpRequestResponseHolder; import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextPersistenceFilter; import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken; import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository; import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository; import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
@ -63,6 +64,7 @@ import org.springframework.test.web.servlet.request.RequestPostProcessor;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.DigestUtils; import org.springframework.util.DigestUtils;
import static java.lang.Boolean.TRUE;
import static org.springframework.security.oauth2.jwt.JwtClaimNames.SUB; import static org.springframework.security.oauth2.jwt.JwtClaimNames.SUB;
/** /**
@ -502,11 +504,11 @@ public final class SecurityMockMvcRequestPostProcessors {
} }
public static void enable(HttpServletRequest request) { public static void enable(HttpServletRequest request) {
request.setAttribute(ENABLED_ATTR_NAME, Boolean.TRUE); request.setAttribute(ENABLED_ATTR_NAME, TRUE);
} }
public boolean isEnabled(HttpServletRequest request) { public boolean isEnabled(HttpServletRequest request) {
return Boolean.TRUE.equals(request.getAttribute(ENABLED_ATTR_NAME)); return TRUE.equals(request.getAttribute(ENABLED_ATTR_NAME));
} }
} }
} }
@ -1043,6 +1045,7 @@ public final class SecurityMockMvcRequestPostProcessors {
@Override @Override
public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) { public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
CsrfFilter.skipRequest(request);
JwtAuthenticationToken token = new JwtAuthenticationToken(this.jwt, this.authorities); JwtAuthenticationToken token = new JwtAuthenticationToken(this.jwt, this.authorities);
return new AuthenticationRequestPostProcessor(token).postProcessRequest(request); return new AuthenticationRequestPostProcessor(token).postProcessRequest(request);
} }
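Review bot: The added `CsrfFilter.skipRequest(request)` in `postProcessRequest` exempts every request built with `jwt()` from CSRF checks regardless of what the request looks like, so a test that authenticates an endpoint with the mock jwt can no longer detect a CSRF misconfiguration on it. If the intent is to mirror the exemption the production chain presumably grants to real bearer-token requests, that contract belongs on the `jwt()` Javadoc (outside this hunk), for example a sentence such as "Also marks the request as exempt from CSRF protection, as a request carrying a real bearer token would be.", plus a line comment `// CSRF is skipped, as it is for real bearer-token requests` above the call. The `Boolean.TRUE` to static-import `TRUE` change in the earlier hunk of this file is cosmetic and unrelated to the fix; it would read more clearly in its own commit. The enclosing post-processor class begins outside the hunk.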