use of org.springframework.security.web.csrf.CsrfToken in project hub-alert by blackducksoftware.
the class HomeController method checkAuthentication.
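/**
 * Reports whether the caller currently holds a CSRF token, which this controller treats as
 * the marker of an authenticated session.
 *
 * <p>When no token is stored for the request, any existing session is invalidated and a bare
 * 401 is returned. Otherwise a small JSON acknowledgement is returned with the current token
 * echoed in the header named by {@link CsrfToken#getHeaderName()} so the client can attach
 * it to later state-changing requests.
 *
 * @param request the incoming request; the token is looked up through
 *                {@code csrfTokenRespository}
 * @return 401 with an empty body when no token is present, otherwise 200 with a JSON body
 */
@GetMapping(value = "/api/verify")
public ResponseEntity<String> checkAuthentication(final HttpServletRequest request) {
    final CsrfToken csrfToken = csrfTokenRespository.loadToken(request);
    if (csrfToken == null) {
        // getSession(false): do not allocate a brand-new session on an unauthenticated
        // request only to invalidate it a line later; just drop one if it already exists.
        java.util.Optional.ofNullable(request.getSession(false)).ifPresent(session -> session.invalidate());
        return new ResponseEntity<>(HttpStatus.UNAUTHORIZED);
    }
    final String body = "{\"message\":\"Authenticated\"}";
    final HttpHeaders headers = new HttpHeaders();
    // Header name and value both come from the stored token, so the client learns which
    // header to send without the name being hard-coded here.
    headers.add(csrfToken.getHeaderName(), csrfToken.getToken());
    return new ResponseEntity<>(body, headers, HttpStatus.OK);
}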
use of org.springframework.security.web.csrf.CsrfToken in project cloud-sea-towerman by huadahuang1983.
the class WebSecurityConfig method csrfHeaderFilter.
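/**
 * Builds a filter that mirrors the current CSRF token into an {@code XSRF-TOKEN} cookie.
 *
 * <p>The token is read from the request attribute keyed by {@code CsrfToken.class.getName()}
 * (the attribute Spring Security's CSRF filter populates). When present it is written as a
 * cookie with path {@code /} so browser-side script can read it and send it back in the
 * matching request header. The cookie is intentionally not HttpOnly for that reason. It is
 * flagged Secure whenever the request itself arrived over TLS; behind a TLS-terminating
 * proxy {@code request.isSecure()} may report false unless the proxy forwards the scheme —
 * confirm in deployment. Newer Spring Security versions ship
 * {@code CookieCsrfTokenRepository.withHttpOnlyFalse()} which replaces this hand-rolled filter.
 *
 * @return a filter that runs once per request and always continues the chain
 */
private Filter csrfHeaderFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            if (csrf != null) {
                Cookie cookie = new Cookie("XSRF-TOKEN", csrf.getToken());
                cookie.setPath("/");
                // Do not let the token travel over plaintext when the app is served over TLS.
                cookie.setSecure(request.isSecure());
                response.addCookie(cookie);
            }
            filterChain.doFilter(request, response);
        }
    };
}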
use of org.springframework.security.web.csrf.CsrfToken in project spring-security by spring-projects.
the class WebSocketMessageBrokerConfigTests method requestWhenConnectMessageAndUsingSockJsThenUsesCsrfTokenHandshakeInterceptor.
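/**
 * With the SockJS XML configuration, a websocket handshake request must carry the CSRF token
 * through to the handshake attributes, and a session attribute that is explicitly listed for
 * forwarding must reach the handshake with its session value intact.
 *
 * @throws Exception from the MockMvc round trip
 */
@Test
public void requestWhenConnectMessageAndUsingSockJsThenUsesCsrfTokenHandshakeInterceptor() throws Exception {
    this.spring.configLocations(xml("SyncSockJsConfig")).autowire();
    WebApplicationContext context = this.spring.getContext();
    MockMvc mvc = MockMvcBuilders.webAppContextSetup(context).build();
    String csrfAttributeName = CsrfToken.class.getName();
    String customAttributeName = this.getClass().getName();
    MvcResult result = mvc.perform(get("/app/289/tpyx6mde/websocket").requestAttr(csrfAttributeName, this.token).sessionAttr(customAttributeName, "attributeValue")).andReturn();
    CsrfToken handshakeToken = (CsrfToken) this.testHandshakeHandler.attributes.get(csrfAttributeName);
    String handshakeValue = (String) this.testHandshakeHandler.attributes.get(customAttributeName);
    String sessionValue = (String) result.getRequest().getSession().getAttribute(customAttributeName);
    // withFailMessage must precede the assertion call; placed after isEqualTo it runs only
    // once the comparison has already passed and never affects the failure message.
    assertThat(handshakeToken).withFailMessage("CsrfToken is populated").isEqualTo(this.token);
    assertThat(handshakeValue).withFailMessage("Explicitly listed session variables are not overridden").isEqualTo(sessionValue);
}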
use of org.springframework.security.web.csrf.CsrfToken in project spring-security by spring-projects.
the class SessionManagementConfigurerServlet31Tests method changeSessionIdThenPreserveParameters.
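/**
 * With the default session-fixation protection on a Servlet 3.1 container, a successful form
 * login must change the session id while an attribute stored in the pre-login session survives.
 *
 * @throws Exception from the filter chain under test
 */
@Test
public void changeSessionIdThenPreserveParameters() throws Exception {
    MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
    // getSession() creates the session here; its id is the value that must differ after login.
    String originalSessionId = request.getSession().getId();
    request.setServletPath("/login");
    request.setMethod("POST");
    request.setParameter("username", "user");
    request.setParameter("password", "password");
    // A valid CSRF token is required for the POST to reach the authentication filter.
    HttpSessionCsrfTokenRepository csrfRepository = new HttpSessionCsrfTokenRepository();
    CsrfToken csrfToken = csrfRepository.generateToken(request);
    csrfRepository.saveToken(csrfToken, request, this.response);
    request.setParameter(csrfToken.getParameterName(), csrfToken.getToken());
    request.getSession().setAttribute("attribute1", "value1");
    loadConfig(SessionManagementDefaultSessionFixationServlet31Config.class);
    this.springSecurityFilterChain.doFilter(request, this.response, this.chain);
    assertThat(request.getSession().getId()).isNotEqualTo(originalSessionId);
    assertThat(request.getSession().getAttribute("attribute1")).isEqualTo("value1");
}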
use of org.springframework.security.web.csrf.CsrfToken in project spring-security by spring-projects.
the class DefaultFiltersTests method defaultFiltersPermitAll.
/**
 * With the permit-all default-filter configuration, a POST to {@code /logout} that carries a
 * valid CSRF token must pass the CSRF check and be redirected to {@code /login?logout}.
 *
 * @throws IOException      from the filter chain under test
 * @throws ServletException from the filter chain under test
 */
@Test
public void defaultFiltersPermitAll() throws IOException, ServletException {
    this.spring.register(DefaultFiltersConfigPermitAll.class, UserDetailsServiceConfig.class);
    MockHttpServletRequest logoutRequest = new MockHttpServletRequest("POST", "");
    logoutRequest.setServletPath("/logout");
    MockHttpServletResponse logoutResponse = new MockHttpServletResponse();
    // Arguments are header name, parameter name, token value; the POST carries the parameter form.
    CsrfToken token = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "BaseSpringSpec_CSRFTOKEN");
    HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();
    tokenRepository.saveToken(token, logoutRequest, logoutResponse);
    logoutRequest.setParameter(token.getParameterName(), token.getToken());
    Filter securityFilterChain = this.spring.getContext().getBean("springSecurityFilterChain", Filter.class);
    securityFilterChain.doFilter(logoutRequest, logoutResponse, new MockFilterChain());
    assertThat(logoutResponse.getRedirectedUrl()).isEqualTo("/login?logout");
}