mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-02-28 18:39:06 +00:00
70 lines
1.1 KiB
Plaintext
70 lines
1.1 KiB
Plaintext
[[test-mockmvc-csrf]]
|
|
= Testing with CSRF Protection
|
|
|
|
When testing any non-safe HTTP methods and using Spring Security's CSRF protection, you must be sure to include a valid CSRF Token in the request.
|
|
To specify a valid CSRF token as a request parameter use the CSRF xref:servlet/test/mockmvc/request-post-processors.adoc[`RequestPostProcessor`] like so:
|
|
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
mvc
|
|
.perform(post("/").with(csrf()))
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
mvc.post("/") {
|
|
with(csrf())
|
|
}
|
|
----
|
|
======
|
|
|
|
If you like you can include CSRF token in the header instead:
|
|
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
mvc
|
|
.perform(post("/").with(csrf().asHeader()))
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
mvc.post("/") {
|
|
with(csrf().asHeader())
|
|
}
|
|
----
|
|
======
|
|
|
|
You can also test providing an invalid CSRF token using the following:
|
|
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
mvc
|
|
.perform(post("/").with(csrf().useInvalidToken()))
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
mvc.post("/") {
|
|
with(csrf().useInvalidToken())
|
|
}
|
|
----
|
|
======
|