Use of org.springframework.security.web.csrf.CsrfToken in project spring-security by spring-projects:
the class DefaultLoginPageConfigurerTests, method loginPageWhenErrorThenDefaultLoginPageWithError.
@Test
public void loginPageWhenErrorThenDefaultLoginPageWithError() throws Exception {
    // Boot the minimal configuration that enables the generated default login page.
    this.spring.register(DefaultLoginPageConfig.class).autowire();
    // A fixed token is planted in the session so the hidden CSRF input rendered into
    // the page is predictable and can be asserted on byte-for-byte.
    CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "BaseSpringSpec_CSRFTOKEN");
    String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
    // A credential-less POST to /login fails authentication and yields the session
    // that carries the "Bad credentials" error for the follow-up GET.
    MvcResult failedLogin = this.mvc.perform(post("/login").with(csrf())).andReturn();
    MockHttpSession session = (MockHttpSession) failedLogin.getRequest().getSession();
    String hiddenCsrfInput = "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\""
            + csrfToken.getToken() + "\" />\n";
    // @formatter:off
    String expectedPage = "<!DOCTYPE html>\n"
            + "<html lang=\"en\">\n"
            + " <head>\n"
            + " <meta charset=\"utf-8\">\n"
            + " <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-fit=no\">\n"
            + " <meta name=\"description\" content=\"\">\n"
            + " <meta name=\"author\" content=\"\">\n"
            + " <title>Please sign in</title>\n"
            + " <link href=\"https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M\" crossorigin=\"anonymous\">\n"
            + " <link href=\"https://getbootstrap.com/docs/4.0/examples/signin/signin.css\" rel=\"stylesheet\" crossorigin=\"anonymous\"/>\n"
            + " </head>\n"
            + " <body>\n"
            + " <div class=\"container\">\n"
            + " <form class=\"form-signin\" method=\"post\" action=\"/login\">\n"
            + " <h2 class=\"form-signin-heading\">Please sign in</h2>\n"
            + "<div class=\"alert alert-danger\" role=\"alert\">Bad credentials</div> <p>\n"
            + " <label for=\"username\" class=\"sr-only\">Username</label>\n"
            + " <input type=\"text\" id=\"username\" name=\"username\" class=\"form-control\" placeholder=\"Username\" required autofocus>\n"
            + " </p>\n"
            + " <p>\n"
            + " <label for=\"password\" class=\"sr-only\">Password</label>\n"
            + " <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
            + " </p>\n"
            + hiddenCsrfInput
            + " <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
            + " </form>\n"
            + "</div>\n"
            + "</body></html>";
    // @formatter:on
    // The GET reuses the failed-login session and carries the planted token under the
    // repository's session attribute name, so the page must show the error and that token.
    this.mvc.perform(get("/login?error").session(session).sessionAttr(csrfAttributeName, csrfToken))
            .andExpect(content().string(expectedPage));
}
Use of org.springframework.security.web.csrf.CsrfToken in project spring-security by spring-projects:
the class CsrfTokenHandshakeInterceptorTests, method beforeHandshake.
@Test
public void beforeHandshake() throws Exception {
    // The interceptor looks the token up under the CsrfToken class name, so that is the
    // attribute name the test plants it under and later expects back.
    String attributeName = CsrfToken.class.getName();
    CsrfToken expectedToken = new DefaultCsrfToken("header", "param", "token");
    this.httpRequest.setAttribute(attributeName, expectedToken);
    this.interceptor.beforeHandshake(this.request, this.response, this.wsHandler, this.attributes);
    // Exactly one entry is mirrored into the WebSocket session attributes: the same token, same key.
    assertThat(this.attributes.keySet()).containsOnly(attributeName);
    assertThat(this.attributes.values()).containsOnly(expectedToken);
}
Use of org.springframework.security.web.csrf.CsrfToken in project spring-security by spring-projects:
the class CsrfTokenHandshakeInterceptor, method beforeHandshake.
/**
 * Copies the CSRF token exposed on the underlying servlet request (attribute named after
 * {@link CsrfToken}) into the WebSocket session attributes under the same name, so it is
 * available to the WebSocket layer after the handshake.
 * <p>
 * The handshake is never vetoed by this interceptor: it returns {@code true} whether or
 * not a token was present. The request is assumed to be a {@link ServletServerHttpRequest};
 * any other type fails the cast, exactly as before.
 *
 * @param request the handshake request, expected to wrap a servlet request
 * @param response the handshake response (unused)
 * @param wsHandler the WebSocket handler (unused)
 * @param attributes the WebSocket session attributes to populate
 * @return always {@code true}
 */
@Override
public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response, WebSocketHandler wsHandler, Map<String, Object> attributes) {
    String attributeName = CsrfToken.class.getName();
    HttpServletRequest servletRequest = ((ServletServerHttpRequest) request).getServletRequest();
    CsrfToken token = (CsrfToken) servletRequest.getAttribute(attributeName);
    // Only mirror the token when one was actually set by the CSRF filter.
    if (token != null) {
        attributes.put(attributeName, token);
    }
    return true;
}
Use of org.springframework.security.web.csrf.CsrfToken in project midpoint by Evolveum:
the class SecurityUtils, method appendHiddenInputForCsrf.
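/**
 * Writes a hidden {@code <input>} carrying the current CSRF token into the response so that
 * a plain HTML form submission passes the server-side CSRF check.
 * <p>
 * Nothing is written when {@link #getCsrfToken()} yields no token. Both the parameter name
 * and the token value are escaped for use inside a double-quoted HTML attribute before being
 * written: the parameter name is configurable and the token value is opaque to this code,
 * so neither is assumed to be markup-safe.
 *
 * @param resp the response to append the hidden input to
 */
public static void appendHiddenInputForCsrf(Response resp) {
    CsrfToken csrfToken = getCsrfToken();
    if (csrfToken == null) {
        return;
    }
    String parameterName = escapeAttribute(csrfToken.getParameterName());
    String value = escapeAttribute(csrfToken.getToken());
    resp.write("<input type=\"hidden\" name=\"" + parameterName + "\" value=\"" + value + "\"/>");
}

/**
 * Escapes the characters that can terminate or alter a double-quoted HTML attribute value.
 * {@code null} is passed through unchanged so the surrounding concatenation renders it
 * exactly as it did before escaping was introduced.
 *
 * @param raw the attribute value to escape, may be {@code null}
 * @return the escaped value, or {@code null} if {@code raw} was {@code null}
 */
private static String escapeAttribute(String raw) {
    if (raw == null) {
        return null;
    }
    StringBuilder sb = new StringBuilder(raw.length());
    for (int i = 0; i < raw.length(); i++) {
        char c = raw.charAt(i);
        switch (c) {
            case '&':
                sb.append("&amp;");
                break;
            case '<':
                sb.append("&lt;");
                break;
            case '>':
                sb.append("&gt;");
                break;
            case '"':
                sb.append("&quot;");
                break;
            case '\'':
                sb.append("&#39;");
                break;
            default:
                sb.append(c);
        }
    }
    return sb.toString();
}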
Use of org.springframework.security.web.csrf.CsrfToken in project uPortal by Jasig:
the class UrlSyntaxProviderImpl, method generateUrl.
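/**
 * Renders a portal URL from the given builder: the context path, an optional folder path,
 * an optional targeted-portlet path, the window state, the request-type file part, the
 * portal parameters and the parameters of every portlet URL builder.
 * <p>
 * For ACTION and RESOURCE URLs that target a portlet, the Spring-managed CSRF token found
 * on the request is appended as a query parameter (see the comment in the body for why
 * RESOURCE URLs are included).
 * <p>
 * Both arguments are rejected when {@code null} via {@code Validate.notNull}. The incoming
 * request is replaced by the original portal request before any lookups are made.
 *
 * @param request the current (possibly callback) request
 * @param portalUrlBuilder the builder describing the URL to generate
 * @return the generated URL as a string
 */
@Override
public String generateUrl(HttpServletRequest request, IPortalUrlBuilder portalUrlBuilder) {
    Validate.notNull(request, "HttpServletRequest was null");
    Validate.notNull(portalUrlBuilder, "IPortalPortletUrl was null");
    // Convert the callback request to the portal request
    request = this.portalRequestUtils.getOriginalPortalRequest(request);
    final IUrlNodeSyntaxHelper urlNodeSyntaxHelper = this.urlNodeSyntaxHelperRegistry.getCurrentUrlNodeSyntaxHelper(request);
    // Get the encoding and create a new URL string builder
    final String encoding = this.getEncoding(request);
    // Add the portal's context path (an empty context path is passed as null)
    final String contextPath = this.getCleanedContextPath(request);
    final UrlStringBuilder url = new UrlStringBuilder(encoding, contextPath.length() > 0 ? contextPath : null);
    final Map<IPortletWindowId, IPortletUrlBuilder> portletUrlBuilders = portalUrlBuilder.getPortletUrlBuilders();
    // Build folder path based on targeted portlet or targeted folder
    final IPortletWindowId targetedPortletWindowId = portalUrlBuilder.getTargetPortletWindowId();
    final UrlType urlType = portalUrlBuilder.getUrlType();
    final UrlState urlState;
    final String resourceId;
    if (targetedPortletWindowId != null) {
        final IPortletWindow portletWindow = this.portletWindowRegistry.getPortletWindow(request, targetedPortletWindowId);
        final IPortletEntity portletEntity = portletWindow.getPortletEntity();
        // Add folder information if available: /f/tabId
        final String channelSubscribeId = portletEntity.getLayoutNodeId();
        final List<String> folderNames = urlNodeSyntaxHelper.getFolderNamesForLayoutNode(request, channelSubscribeId);
        // Null-guarded like the targeted-folder branch below: a missing list means "no folder path"
        if (folderNames != null && !folderNames.isEmpty()) {
            url.addPath(FOLDER_PATH_PREFIX);
            for (final String folderName : folderNames) {
                url.addPath(folderName);
            }
        }
        final IPortletUrlBuilder targetedPortletUrlBuilder = portletUrlBuilders.get(targetedPortletWindowId);
        // Determine the resourceId for resource requests
        if (urlType == UrlType.RESOURCE && targetedPortletUrlBuilder != null) {
            resourceId = targetedPortletUrlBuilder.getResourceId();
        } else {
            resourceId = null;
        }
        // Resource requests will never have a requested window state
        urlState = this.determineUrlState(portletWindow, targetedPortletUrlBuilder);
        final String targetedPortletString = urlNodeSyntaxHelper.getFolderNameForPortlet(request, targetedPortletWindowId);
        // Path: non-normal renders, actions and resources address the portlet in the path ...
        if ((urlType == UrlType.RENDER && urlState != UrlState.NORMAL) || urlType == UrlType.ACTION || urlType == UrlType.RESOURCE) {
            url.addPath(PORTLET_PATH_PREFIX);
            url.addPath(targetedPortletString);
        } else {
            // ... while normal render requests (generally multiple portlets on a page) add the
            // targeted portlet as a parameter
            url.addParameter(PARAM_TARGET_PORTLET, targetedPortletString);
        }
        /*
         * CSRF Prevention
         *
         * Add the Spring-managed CSRF token to requests that need them. This list _should_
         * include Action URLs only, but several Resource URLs are currently being used with
         * POST requests in Apereo portlets. We need to include Resource URLs as well, since
         * (just now) we don't have the time to correct all those usages. We should work to
         * correct those cases, and remove handling of Resource URLs when we can.
         */
        if (UrlType.ACTION.equals(urlType) || UrlType.RESOURCE.equals(urlType)) {
            // NOTE(review): the token is read under CSRF_PARAMETER_NAME rather than the usual
            // CsrfToken class name; presumably the filter chain stores it under that key here —
            // verify against the CSRF filter configuration.
            final CsrfToken token = (CsrfToken) request.getAttribute(CSRF_PARAMETER_NAME);
            if (token != null) {
                // The token travels in the query string, so it is present wherever the URL itself
                // is recorded (access logs, Referer headers, browser history).
                url.setParameter(token.getParameterName(), token.getToken());
            }
        }
    } else {
        final String targetFolderId = portalUrlBuilder.getTargetFolderId();
        final List<String> folderNames = urlNodeSyntaxHelper.getFolderNamesForLayoutNode(request, targetFolderId);
        if (folderNames != null && !folderNames.isEmpty()) {
            url.addPath(FOLDER_PATH_PREFIX);
            for (final String folderName : folderNames) {
                url.addPath(folderName);
            }
        }
        // Folder-targeted URLs are always normal render state with no resource id
        urlState = UrlState.NORMAL;
        resourceId = null;
    }
    // Add the state of the URL
    url.addPath(urlState.toLowercaseString());
    // File part specifying the type of URL, resource URLs include the resourceId
    if (urlType == UrlType.RESOURCE && resourceId != null) {
        url.addPath(resourceId + "." + urlType.toLowercaseString() + REQUEST_TYPE_SUFFIX);
    } else {
        url.addPath(urlType.toLowercaseString() + REQUEST_TYPE_SUFFIX);
    }
    // Add all portal parameters
    final Map<String, String[]> portalParameters = portalUrlBuilder.getParameters();
    url.addParametersArray(PORTAL_PARAM_PREFIX, portalParameters);
    // Is this URL stateless
    final boolean statelessUrl = statelessUrlStates.contains(urlState);
    // Add parameters for every portlet URL
    for (final IPortletUrlBuilder portletUrlBuilder : portletUrlBuilders.values()) {
        this.addPortletUrlData(request, url, urlType, portletUrlBuilder, targetedPortletWindowId, statelessUrl);
    }
    if (logger.isDebugEnabled()) {
        // The logged URL includes any CSRF token parameter set above; keep this at debug level.
        logger.debug("Generated '" + url + "' from '" + portalUrlBuilder);
    }
    return url.toString();
}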