Reactive Resource Server Csrf Bypass

This makes requests identified as bearer token requests skip the csrf
filter.

Fixes: gh-5710
This commit is contained in:
Josh Cummings
2018-08-23 12:56:46 -06:00
committed by Rob Winch
parent 820fb7d828
commit 68d836d508
2 changed files with 77 additions and 2 deletions

View File

@@ -48,6 +48,7 @@ import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.support.GenericWebApplicationContext;
import org.springframework.web.reactive.DispatcherHandler;
@@ -160,6 +161,25 @@ public class OAuth2ResourceServerSpecTests {
.expectStatus().isOk();
}
@Test
public void postWhenSignedThenReturnsOk() {
this.spring.register(PublicKeyConfig.class, RootController.class).autowire();
this.client.post()
.headers(headers -> headers.setBearerAuth(this.messageReadToken))
.exchange()
.expectStatus().isOk();
}
@Test
public void postWhenMissingTokenThenReturnsForbidden() {
this.spring.register(PublicKeyConfig.class, RootController.class).autowire();
this.client.post()
.exchange()
.expectStatus().isForbidden();
}
@Test
public void getJwtDecoderWhenBeanWiredAndDslWiredThenDslTakesPrecedence() {
GenericWebApplicationContext context = autowireWebServerGenericWebApplicationContext();
@@ -301,7 +321,12 @@ public class OAuth2ResourceServerSpecTests {
@RestController
static class RootController {
@GetMapping
Mono<String> root() {
Mono<String> get() {
return Mono.just("ok");
}
@PostMapping
Mono<String> post() {
return Mono.just("ok");
}
}