Example 1 with MissingCsrfTokenException

Use of org.springframework.security.web.csrf.MissingCsrfTokenException in project spring-security by spring-projects.

From the class CsrfChannelInterceptor, method preSend.

@Override
public Message<?> preSend(Message<?> message, MessageChannel channel) {
    // Only inspect messages selected by the configured matcher (by default the CONNECT message type).
    if (!this.matcher.matches(message)) {
        return message;
    }
    // The expected token lives in the WebSocket session attributes, copied from the HTTP session at handshake.
    Map<String, Object> sessionAttributes = SimpMessageHeaderAccessor.getSessionAttributes(message.getHeaders());
    CsrfToken expectedToken = (sessionAttributes != null) ? (CsrfToken) sessionAttributes.get(CsrfToken.class.getName()) : null;
    // No token in the session: reject as missing rather than invalid.
    if (expectedToken == null) {
        throw new MissingCsrfTokenException(null);
    }
    // The client presents its token as a native STOMP header whose name the expected token defines.
    String actualTokenValue = SimpMessageHeaderAccessor.wrap(message).getFirstNativeHeader(expectedToken.getHeaderName());
    boolean csrfCheckPassed = expectedToken.getToken().equals(actualTokenValue);
    if (!csrfCheckPassed) {
        // A token was supplied but does not match the expected one.
        throw new InvalidCsrfTokenException(expectedToken, actualTokenValue);
    }
    return message;
}

Also used: MissingCsrfTokenException (org.springframework.security.web.csrf.MissingCsrfTokenException), CsrfToken (org.springframework.security.web.csrf.CsrfToken), InvalidCsrfTokenException (org.springframework.security.web.csrf.InvalidCsrfTokenException)

Example 2 with MissingCsrfTokenException

Use of org.springframework.security.web.csrf.MissingCsrfTokenException in project spring-security by spring-projects.

From the class DelegatingAccessDeniedHandlerTests, method matchesDoesNotInvokeDefault.

@Test
public void matchesDoesNotInvokeDefault() throws Exception {
    // Map each AccessDeniedException subtype to its own handler; handler3 is the default for unmapped types.
    this.handlers.put(InvalidCsrfTokenException.class, this.handler1);
    this.handlers.put(MissingCsrfTokenException.class, this.handler2);
    this.handler = new DelegatingAccessDeniedHandler(this.handlers, this.handler3);
    AccessDeniedException accessDeniedException = new MissingCsrfTokenException("123");
    this.handler.handle(this.request, this.response, accessDeniedException);
    // Only the handler registered for MissingCsrfTokenException runs; neither the other mapped handler nor the default is invoked.
    verify(this.handler1, never()).handle(any(HttpServletRequest.class), any(HttpServletResponse.class), any(AccessDeniedException.class));
    verify(this.handler2).handle(this.request, this.response, accessDeniedException);
    verify(this.handler3, never()).handle(any(HttpServletRequest.class), any(HttpServletResponse.class), any(AccessDeniedException.class));
}

Also used: HttpServletRequest (jakarta.servlet.http.HttpServletRequest), AccessDeniedException (org.springframework.security.access.AccessDeniedException), MissingCsrfTokenException (org.springframework.security.web.csrf.MissingCsrfTokenException), HttpServletResponse (jakarta.servlet.http.HttpServletResponse), Test (org.junit.jupiter.api.Test)

Aggregations

MissingCsrfTokenException (org.springframework.security.web.csrf.MissingCsrfTokenException): 2
HttpServletRequest (jakarta.servlet.http.HttpServletRequest): 1
HttpServletResponse (jakarta.servlet.http.HttpServletResponse): 1
Test (org.junit.jupiter.api.Test): 1
AccessDeniedException (org.springframework.security.access.AccessDeniedException): 1
CsrfToken (org.springframework.security.web.csrf.CsrfToken): 1
InvalidCsrfTokenException (org.springframework.security.web.csrf.InvalidCsrfTokenException): 1