Add WebFlux CSRF Protection

Fixes gh-4734
This commit is contained in:
Rob Winch
2017-10-28 20:27:57 -05:00
parent f040bd054d
commit 8da2c7f657
16 changed files with 943 additions and 12 deletions

View File

@@ -55,6 +55,7 @@ import java.nio.charset.StandardCharsets;
import java.security.Principal;
import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.csrf;
import static org.springframework.web.reactive.function.client.ExchangeFilterFunctions.Credentials.basicAuthenticationCredentials;
import static org.springframework.web.reactive.function.client.ExchangeFilterFunctions.basicAuthentication;
@@ -213,6 +214,7 @@ public class EnableWebFluxSecurityTests {
data.add("username", "user");
data.add("password", "password");
client
.mutateWith(csrf())
.post()
.uri("/login")
.body(BodyInserters.fromFormData(data))

View File

@@ -32,6 +32,7 @@ public class AuthorizeExchangeBuilderTests {
@Test
public void antMatchersWhenMethodAndPatternsThenDiscriminatesByMethod() {
this.http
.csrf().disable()
.authorizeExchange()
.pathMatchers(HttpMethod.POST, "/a", "/b").denyAll()
.anyExchange().permitAll();
@@ -63,6 +64,7 @@ public class AuthorizeExchangeBuilderTests {
@Test
public void antMatchersWhenPatternsThenAnyMethod() {
this.http
.csrf().disable()
.authorizeExchange()
.pathMatchers("/a", "/b").denyAll()
.anyExchange().permitAll();