use of org.springframework.security.web.csrf.DefaultCsrfToken in project spring-security by spring-projects.
the class CsrfRequestDataValueProcessorTests method setup.
@BeforeEach
public void setup() {
this.request = new MockHttpServletRequest();
this.processor = new CsrfRequestDataValueProcessor();
this.token = new DefaultCsrfToken("1", "a", "b");
this.request.setAttribute(CsrfToken.class.getName(), this.token);
this.expected.put(this.token.getParameterName(), this.token.getToken());
}
use of org.springframework.security.web.csrf.DefaultCsrfToken in project spring-security by spring-projects.
the class CsrfConfigurerTests method loginWhenCustomCsrfTokenRepositoryThenCsrfTokenIsCleared.
@Test
public void loginWhenCustomCsrfTokenRepositoryThenCsrfTokenIsCleared() throws Exception {
CsrfTokenRepositoryConfig.REPO = mock(CsrfTokenRepository.class);
DefaultCsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
given(CsrfTokenRepositoryConfig.REPO.loadToken(any())).willReturn(csrfToken);
given(CsrfTokenRepositoryConfig.REPO.generateToken(any())).willReturn(csrfToken);
this.spring.register(CsrfTokenRepositoryConfig.class, BasicController.class).autowire();
// @formatter:off
MockHttpServletRequestBuilder loginRequest = post("/login").with(csrf()).param("username", "user").param("password", "password");
// @formatter:on
this.mvc.perform(loginRequest).andExpect(redirectedUrl("/"));
verify(CsrfTokenRepositoryConfig.REPO).saveToken(isNull(), any(HttpServletRequest.class), any(HttpServletResponse.class));
}
use of org.springframework.security.web.csrf.DefaultCsrfToken in project spring-security by spring-projects.
the class CsrfConfigurerTests method getWhenCustomCsrfTokenRepositoryInLambdaThenRepositoryIsUsed.
@Test
public void getWhenCustomCsrfTokenRepositoryInLambdaThenRepositoryIsUsed() throws Exception {
CsrfTokenRepositoryInLambdaConfig.REPO = mock(CsrfTokenRepository.class);
given(CsrfTokenRepositoryInLambdaConfig.REPO.loadToken(any())).willReturn(new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token"));
this.spring.register(CsrfTokenRepositoryInLambdaConfig.class, BasicController.class).autowire();
this.mvc.perform(get("/")).andExpect(status().isOk());
verify(CsrfTokenRepositoryInLambdaConfig.REPO).loadToken(any(HttpServletRequest.class));
}
use of org.springframework.security.web.csrf.DefaultCsrfToken in project spring-security by spring-projects.
the class DefaultLoginPageConfigurerTests method loginPageWhenErrorThenDefaultLoginPageWithError.
@Test
public void loginPageWhenErrorThenDefaultLoginPageWithError() throws Exception {
this.spring.register(DefaultLoginPageConfig.class).autowire();
CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "BaseSpringSpec_CSRFTOKEN");
String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
MvcResult mvcResult = this.mvc.perform(post("/login").with(csrf())).andReturn();
// @formatter:off
this.mvc.perform(get("/login?error").session((MockHttpSession) mvcResult.getRequest().getSession()).sessionAttr(csrfAttributeName, csrfToken)).andExpect(content().string("<!DOCTYPE html>\n" + "<html lang=\"en\">\n" + " <head>\n" + " <meta charset=\"utf-8\">\n" + " <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-fit=no\">\n" + " <meta name=\"description\" content=\"\">\n" + " <meta name=\"author\" content=\"\">\n" + " <title>Please sign in</title>\n" + " <link href=\"https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M\" crossorigin=\"anonymous\">\n" + " <link href=\"https://getbootstrap.com/docs/4.0/examples/signin/signin.css\" rel=\"stylesheet\" crossorigin=\"anonymous\"/>\n" + " </head>\n" + " <body>\n" + " <div class=\"container\">\n" + " <form class=\"form-signin\" method=\"post\" action=\"/login\">\n" + " <h2 class=\"form-signin-heading\">Please sign in</h2>\n" + "<div class=\"alert alert-danger\" role=\"alert\">Bad credentials</div> <p>\n" + " <label for=\"username\" class=\"sr-only\">Username</label>\n" + " <input type=\"text\" id=\"username\" name=\"username\" class=\"form-control\" placeholder=\"Username\" required autofocus>\n" + " </p>\n" + " <p>\n" + " <label for=\"password\" class=\"sr-only\">Password</label>\n" + " <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n" + " </p>\n" + "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n" + " <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n" + " </form>\n" + "</div>\n" + "</body></html>"));
// @formatter:on
}
use of org.springframework.security.web.csrf.DefaultCsrfToken in project spring-security by spring-projects.
the class CsrfTokenHandshakeInterceptorTests method beforeHandshake.
@Test
public void beforeHandshake() throws Exception {
CsrfToken token = new DefaultCsrfToken("header", "param", "token");
this.httpRequest.setAttribute(CsrfToken.class.getName(), token);
this.interceptor.beforeHandshake(this.request, this.response, this.wsHandler, this.attributes);
assertThat(this.attributes.keySet()).containsOnly(CsrfToken.class.getName());
assertThat(this.attributes.values()).containsOnly(token);
}
Aggregations