
Example 6 with DefaultCsrfToken

Use of org.springframework.security.web.csrf.DefaultCsrfToken in project spring-security by spring-projects: class CsrfRequestDataValueProcessorTests, method setup.

@BeforeEach
public void setup() {
    this.request = new MockHttpServletRequest();
    this.processor = new CsrfRequestDataValueProcessor();
    // DefaultCsrfToken(headerName, parameterName, tokenValue)
    this.token = new DefaultCsrfToken("1", "a", "b");
    // The processor looks the token up under the request attribute named after the CsrfToken class
    this.request.setAttribute(CsrfToken.class.getName(), this.token);
    // Expected hidden form field: parameter name mapped to the token value
    this.expected.put(this.token.getParameterName(), this.token.getToken());
}
Also used: MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), DefaultCsrfToken (org.springframework.security.web.csrf.DefaultCsrfToken), CsrfToken (org.springframework.security.web.csrf.CsrfToken), BeforeEach (org.junit.jupiter.api.BeforeEach)

Example 7 with DefaultCsrfToken

Use of org.springframework.security.web.csrf.DefaultCsrfToken in project spring-security by spring-projects: class CsrfConfigurerTests, method loginWhenCustomCsrfTokenRepositoryThenCsrfTokenIsCleared.

@Test
public void loginWhenCustomCsrfTokenRepositoryThenCsrfTokenIsCleared() throws Exception {
    CsrfTokenRepositoryConfig.REPO = mock(CsrfTokenRepository.class);
    // DefaultCsrfToken(headerName, parameterName, tokenValue)
    DefaultCsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
    given(CsrfTokenRepositoryConfig.REPO.loadToken(any())).willReturn(csrfToken);
    given(CsrfTokenRepositoryConfig.REPO.generateToken(any())).willReturn(csrfToken);
    this.spring.register(CsrfTokenRepositoryConfig.class, BasicController.class).autowire();
    // @formatter:off
    MockHttpServletRequestBuilder loginRequest = post("/login")
            .with(csrf())
            .param("username", "user")
            .param("password", "password");
    // @formatter:on
    this.mvc.perform(loginRequest).andExpect(redirectedUrl("/"));
    // A successful login must clear the old token: saveToken is called with a null token
    verify(CsrfTokenRepositoryConfig.REPO).saveToken(isNull(), any(HttpServletRequest.class), any(HttpServletResponse.class));
}
Also used: HttpServletRequest (jakarta.servlet.http.HttpServletRequest), HttpServletResponse (jakarta.servlet.http.HttpServletResponse), MockHttpServletRequestBuilder (org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder), CsrfTokenRepository (org.springframework.security.web.csrf.CsrfTokenRepository), DefaultCsrfToken (org.springframework.security.web.csrf.DefaultCsrfToken), Test (org.junit.jupiter.api.Test)

Example 8 with DefaultCsrfToken

Use of org.springframework.security.web.csrf.DefaultCsrfToken in project spring-security by spring-projects: class CsrfConfigurerTests, method getWhenCustomCsrfTokenRepositoryInLambdaThenRepositoryIsUsed.

@Test
public void getWhenCustomCsrfTokenRepositoryInLambdaThenRepositoryIsUsed() throws Exception {
    CsrfTokenRepositoryInLambdaConfig.REPO = mock(CsrfTokenRepository.class);
    given(CsrfTokenRepositoryInLambdaConfig.REPO.loadToken(any()))
            .willReturn(new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token"));
    this.spring.register(CsrfTokenRepositoryInLambdaConfig.class, BasicController.class).autowire();
    this.mvc.perform(get("/")).andExpect(status().isOk());
    // The repository configured through the lambda DSL must be consulted for every request
    verify(CsrfTokenRepositoryInLambdaConfig.REPO).loadToken(any(HttpServletRequest.class));
}
Also used: HttpServletRequest (jakarta.servlet.http.HttpServletRequest), CsrfTokenRepository (org.springframework.security.web.csrf.CsrfTokenRepository), DefaultCsrfToken (org.springframework.security.web.csrf.DefaultCsrfToken), Test (org.junit.jupiter.api.Test)

Example 9 with DefaultCsrfToken

Use of org.springframework.security.web.csrf.DefaultCsrfToken in project spring-security by spring-projects: class DefaultLoginPageConfigurerTests, method loginPageWhenErrorThenDefaultLoginPageWithError.

@Test
public void loginPageWhenErrorThenDefaultLoginPageWithError() throws Exception {
    this.spring.register(DefaultLoginPageConfig.class).autowire();
    CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "BaseSpringSpec_CSRFTOKEN");
    // Session attribute under which HttpSessionCsrfTokenRepository stores the token
    String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
    MvcResult mvcResult = this.mvc.perform(post("/login").with(csrf())).andReturn();
    // @formatter:off
    this.mvc.perform(get("/login?error")
            .session((MockHttpSession) mvcResult.getRequest().getSession())
            .sessionAttr(csrfAttributeName, csrfToken))
        .andExpect(content().string("<!DOCTYPE html>\n"
            + "<html lang=\"en\">\n"
            + "  <head>\n"
            + "    <meta charset=\"utf-8\">\n"
            + "    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-fit=no\">\n"
            + "    <meta name=\"description\" content=\"\">\n"
            + "    <meta name=\"author\" content=\"\">\n"
            + "    <title>Please sign in</title>\n"
            + "    <link href=\"https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M\" crossorigin=\"anonymous\">\n"
            + "    <link href=\"https://getbootstrap.com/docs/4.0/examples/signin/signin.css\" rel=\"stylesheet\" crossorigin=\"anonymous\"/>\n"
            + "  </head>\n"
            + "  <body>\n"
            + "     <div class=\"container\">\n"
            + "      <form class=\"form-signin\" method=\"post\" action=\"/login\">\n"
            + "        <h2 class=\"form-signin-heading\">Please sign in</h2>\n"
            + "<div class=\"alert alert-danger\" role=\"alert\">Bad credentials</div>        <p>\n"
            + "          <label for=\"username\" class=\"sr-only\">Username</label>\n"
            + "          <input type=\"text\" id=\"username\" name=\"username\" class=\"form-control\" placeholder=\"Username\" required autofocus>\n"
            + "        </p>\n"
            + "        <p>\n"
            + "          <label for=\"password\" class=\"sr-only\">Password</label>\n"
            + "          <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
            + "        </p>\n"
            + "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n"
            + "        <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
            + "      </form>\n"
            + "</div>\n"
            + "</body></html>"));
    // @formatter:on
}
Also used: MockHttpSession (org.springframework.mock.web.MockHttpSession), MvcResult (org.springframework.test.web.servlet.MvcResult), DefaultCsrfToken (org.springframework.security.web.csrf.DefaultCsrfToken), CsrfToken (org.springframework.security.web.csrf.CsrfToken), HttpSessionCsrfTokenRepository (org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository), Test (org.junit.jupiter.api.Test)

Example 10 with DefaultCsrfToken

Use of org.springframework.security.web.csrf.DefaultCsrfToken in project spring-security by spring-projects: class CsrfTokenHandshakeInterceptorTests, method beforeHandshake.

@Test
public void beforeHandshake() throws Exception {
    CsrfToken token = new DefaultCsrfToken("header", "param", "token");
    this.httpRequest.setAttribute(CsrfToken.class.getName(), token);
    // The interceptor copies the CSRF token from the HTTP handshake request into the WebSocket session attributes
    this.interceptor.beforeHandshake(this.request, this.response, this.wsHandler, this.attributes);
    assertThat(this.attributes.keySet()).containsOnly(CsrfToken.class.getName());
    assertThat(this.attributes.values()).containsOnly(token);
}
Also used: DefaultCsrfToken (org.springframework.security.web.csrf.DefaultCsrfToken), CsrfToken (org.springframework.security.web.csrf.CsrfToken), Test (org.junit.jupiter.api.Test)

Aggregations (number of examples using each type)

DefaultCsrfToken (org.springframework.security.web.csrf.DefaultCsrfToken): 30
Test (org.junit.jupiter.api.Test): 21
CsrfToken (org.springframework.security.web.csrf.CsrfToken): 17
BeforeEach (org.junit.jupiter.api.BeforeEach): 6
HttpSessionCsrfTokenRepository (org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository): 6
HttpServletRequest (jakarta.servlet.http.HttpServletRequest): 5
CsrfTokenRepository (org.springframework.security.web.csrf.CsrfTokenRepository): 5
MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest): 4
MockHttpSession (org.springframework.mock.web.MockHttpSession): 3
MvcResult (org.springframework.test.web.servlet.MvcResult): 3
HashMap (java.util.HashMap): 2
MockFilterChain (org.springframework.mock.web.MockFilterChain): 2
MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse): 2
TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken): 2
MockHttpServletRequestBuilder (org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder): 2
Filter (jakarta.servlet.Filter): 1
HttpServletResponse (jakarta.servlet.http.HttpServletResponse): 1
Date (java.util.Date): 1
Test (org.junit.Test): 1
ExceptionTranslationFilter (org.springframework.security.web.access.ExceptionTranslationFilter): 1