diff --git a/spring-boot-samples/spring-boot-sample-web-secure/pom.xml b/spring-boot-samples/spring-boot-sample-web-secure/pom.xml index 0c7e1048f7..30e206df75 100644 --- a/spring-boot-samples/spring-boot-sample-web-secure/pom.xml +++ b/spring-boot-samples/spring-boot-sample-web-secure/pom.xml @@ -27,6 +27,11 @@ org.springframework.boot spring-boot-starter-thymeleaf + + org.apache.httpcomponents + httpclient + test + org.springframework.boot spring-boot-starter-test diff --git a/spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/ui/secure/SampleWebSecureApplication.java b/spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/ui/secure/SampleWebSecureApplication.java index b4e9010874..b8580aed93 100644 --- a/spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/ui/secure/SampleWebSecureApplication.java +++ b/spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/ui/secure/SampleWebSecureApplication.java @@ -73,10 +73,6 @@ public class SampleWebSecureApplication extends WebMvcConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { - if (!security.isEnableCsrf()) { - // For testing - http.csrf().disable(); - } http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin() .loginPage("/login").failureUrl("/login?error").permitAll(); } diff --git a/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html b/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html index c32ff1e094..c3cf22e31c 100644 --- a/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html +++ b/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html @@ -27,7 +27,7 @@ + th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/> diff --git a/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java b/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java index 049bf58895..3d6069bf40 100644 --- a/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java +++ b/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java @@ -21,6 +21,8 @@ import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertTrue; import java.util.Arrays; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import org.junit.Test; import org.junit.runner.RunWith; @@ -48,7 +50,7 @@ import org.springframework.util.MultiValueMap; @RunWith(SpringJUnit4ClassRunner.class) @SpringApplicationConfiguration(classes = SampleWebSecureApplication.class) @WebAppConfiguration -@IntegrationTest({ "server.port:0", "security.enable_csrf:false" }) +@IntegrationTest("server.port:0") @DirtiesContext public class SampleSecureApplicationTests { @@ -62,14 +64,14 @@ public class SampleSecureApplicationTests { ResponseEntity entity = new TestRestTemplate().exchange( "http://localhost:" + this.port, HttpMethod.GET, new HttpEntity( headers), String.class); - assertEquals(HttpStatus.OK, entity.getStatusCode()); - assertTrue("Wrong body (title doesn't match):\n" + entity.getBody(), - entity.getBody().contains("Login")); + assertEquals(HttpStatus.FOUND, entity.getStatusCode()); + assertTrue("Wrong location:\n" + entity.getHeaders(), + entity.getHeaders().getLocation().toString().endsWith(port + "/login")); } @Test public void testLogin() throws Exception { - HttpHeaders headers = new HttpHeaders(); + HttpHeaders headers = getHeaders(); headers.setAccept(Arrays.asList(MediaType.TEXT_HTML)); headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED); MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>(); @@ -86,6 +88,20 @@ public class SampleSecureApplicationTests { entity.getHeaders().get("Set-Cookie")); } + private HttpHeaders getHeaders() { + HttpHeaders headers = new HttpHeaders(); + ResponseEntity<String> page = new TestRestTemplate().getForEntity( + "http://localhost:" + this.port + "/login", String.class); + assertEquals(HttpStatus.OK, page.getStatusCode()); + String cookie = page.getHeaders().getFirst("Set-Cookie"); + headers.set("Cookie", cookie); + Matcher matcher = Pattern.compile("(?s).*name=\"_csrf\".*?value=\"([^\"]+).*").matcher( + page.getBody()); + assertTrue("No csrf token: " + page.getBody(), matcher.matches()); + headers.set("X-CSRF-TOKEN", matcher.group(1)); + return headers; + } + @Test public void testCss() throws Exception { ResponseEntity<String> entity = new TestRestTemplate().getForEntity(