diff --git a/spring-boot-samples/spring-boot-sample-web-secure/pom.xml b/spring-boot-samples/spring-boot-sample-web-secure/pom.xml
index 0c7e1048f7..30e206df75 100644
--- a/spring-boot-samples/spring-boot-sample-web-secure/pom.xml
+++ b/spring-boot-samples/spring-boot-sample-web-secure/pom.xml
@@ -27,6 +27,11 @@
org.springframework.boot
spring-boot-starter-thymeleaf
+
+ org.apache.httpcomponents
+ httpclient
+ test
+
org.springframework.boot
spring-boot-starter-test
diff --git a/spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/ui/secure/SampleWebSecureApplication.java b/spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/ui/secure/SampleWebSecureApplication.java
index b4e9010874..b8580aed93 100644
--- a/spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/ui/secure/SampleWebSecureApplication.java
+++ b/spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/ui/secure/SampleWebSecureApplication.java
@@ -73,10 +73,6 @@ public class SampleWebSecureApplication extends WebMvcConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
- if (!security.isEnableCsrf()) {
- // For testing
- http.csrf().disable();
- }
http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin()
.loginPage("/login").failureUrl("/login?error").permitAll();
}
diff --git a/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html b/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html
index c32ff1e094..c3cf22e31c 100644
--- a/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html
+++ b/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html
@@ -27,7 +27,7 @@
+ th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
diff --git a/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java b/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java
index 049bf58895..3d6069bf40 100644
--- a/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java
@@ -21,6 +21,8 @@ import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import java.util.Arrays;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
import org.junit.Test;
import org.junit.runner.RunWith;
@@ -48,7 +50,7 @@ import org.springframework.util.MultiValueMap;
@RunWith(SpringJUnit4ClassRunner.class)
@SpringApplicationConfiguration(classes = SampleWebSecureApplication.class)
@WebAppConfiguration
-@IntegrationTest({ "server.port:0", "security.enable_csrf:false" })
+@IntegrationTest("server.port:0")
@DirtiesContext
public class SampleSecureApplicationTests {
@@ -62,14 +64,14 @@ public class SampleSecureApplicationTests {
ResponseEntity entity = new TestRestTemplate().exchange(
"http://localhost:" + this.port, HttpMethod.GET, new HttpEntity(
headers), String.class);
- assertEquals(HttpStatus.OK, entity.getStatusCode());
- assertTrue("Wrong body (title doesn't match):\n" + entity.getBody(),
- entity.getBody().contains("Login"));
+ assertEquals(HttpStatus.FOUND, entity.getStatusCode());
+ assertTrue("Wrong location:\n" + entity.getHeaders(),
+ entity.getHeaders().getLocation().toString().endsWith(port + "/login"));
}
@Test
public void testLogin() throws Exception {
- HttpHeaders headers = new HttpHeaders();
+ HttpHeaders headers = getHeaders();
headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));
headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
MultiValueMap form = new LinkedMultiValueMap();
@@ -86,6 +88,20 @@ public class SampleSecureApplicationTests {
entity.getHeaders().get("Set-Cookie"));
}
+ private HttpHeaders getHeaders() {
+ HttpHeaders headers = new HttpHeaders();
+ ResponseEntity page = new TestRestTemplate().getForEntity(
+ "http://localhost:" + this.port + "/login", String.class);
+ assertEquals(HttpStatus.OK, page.getStatusCode());
+ String cookie = page.getHeaders().getFirst("Set-Cookie");
+ headers.set("Cookie", cookie);
+ Matcher matcher = Pattern.compile("(?s).*name=\"_csrf\".*?value=\"([^\"]+).*").matcher(
+ page.getBody());
+ assertTrue("No csrf token: " + page.getBody(), matcher.matches());
+ headers.set("X-CSRF-TOKEN", matcher.group(1));
+ return headers;
+ }
+
@Test
public void testCss() throws Exception {
ResponseEntity entity = new TestRestTemplate().getForEntity(