SEC-1574: Add CSRF Support
This commit is contained in:
@@ -0,0 +1,64 @@
|
||||
/*
|
||||
* Copyright 2002-2013 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.web.csrf;
|
||||
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.runners.MockitoJUnitRunner;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*
|
||||
*/
|
||||
@RunWith(MockitoJUnitRunner.class)
|
||||
public class CsrfAuthenticationStrategyTests {
|
||||
@Mock
|
||||
private CsrfTokenRepository csrfTokenRepository;
|
||||
|
||||
private MockHttpServletRequest request;
|
||||
|
||||
private MockHttpServletResponse response;
|
||||
|
||||
private CsrfAuthenticationStrategy strategy;
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
request = new MockHttpServletRequest();
|
||||
response = new MockHttpServletResponse();
|
||||
strategy = new CsrfAuthenticationStrategy(csrfTokenRepository);
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void constructorNullCsrfTokenRepository() {
|
||||
new CsrfAuthenticationStrategy(null);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void logoutRemovesCsrfToken() {
|
||||
strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"),request, response);
|
||||
|
||||
verify(csrfTokenRepository).saveToken(null, request, response);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -0,0 +1,303 @@
|
||||
/*
|
||||
* Copyright 2002-2013 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.web.csrf;
|
||||
|
||||
import static org.fest.assertions.Assertions.assertThat;
|
||||
import static org.mockito.Matchers.any;
|
||||
import static org.mockito.Matchers.eq;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyZeroInteractions;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.Arrays;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.runners.MockitoJUnitRunner;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.web.access.AccessDeniedHandler;
|
||||
import org.springframework.security.web.util.RequestMatcher;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*
|
||||
*/
|
||||
@RunWith(MockitoJUnitRunner.class)
|
||||
public class CsrfFilterTests {
|
||||
|
||||
@Mock
|
||||
private RequestMatcher requestMatcher;
|
||||
@Mock
|
||||
private CsrfTokenRepository tokenRepository;
|
||||
@Mock
|
||||
private FilterChain filterChain;
|
||||
@Mock
|
||||
private AccessDeniedHandler deniedHandler;
|
||||
|
||||
private MockHttpServletRequest request;
|
||||
private MockHttpServletResponse response;
|
||||
private CsrfToken token;
|
||||
|
||||
|
||||
private CsrfFilter filter;
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
token = new CsrfToken("headerName","paramName", "csrfTokenValue");
|
||||
resetRequestResponse();
|
||||
filter = new CsrfFilter(tokenRepository);
|
||||
filter.setRequireCsrfProtectionMatcher(requestMatcher);
|
||||
filter.setAccessDeniedHandler(deniedHandler);
|
||||
}
|
||||
|
||||
private void resetRequestResponse() {
|
||||
request = new MockHttpServletRequest();
|
||||
response = new MockHttpServletResponse();
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void constructorNullRepository() {
|
||||
new CsrfFilter(null);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterAccessDeniedNoTokenPresent() throws ServletException, IOException {
|
||||
when(requestMatcher.matches(request)).thenReturn(true);
|
||||
when(tokenRepository.loadToken(request)).thenReturn(token);
|
||||
|
||||
filter.doFilter(request, response, filterChain);
|
||||
|
||||
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
|
||||
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
|
||||
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
|
||||
|
||||
verify(deniedHandler).handle(eq(request), eq(response), any(InvalidCsrfTokenException.class));
|
||||
verifyZeroInteractions(filterChain);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterAccessDeniedIncorrectTokenPresent() throws ServletException, IOException {
|
||||
when(requestMatcher.matches(request)).thenReturn(true);
|
||||
when(tokenRepository.loadToken(request)).thenReturn(token);
|
||||
request.setParameter(token.getParameterName(), token.getToken()+ " INVALID");
|
||||
|
||||
filter.doFilter(request, response, filterChain);
|
||||
|
||||
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
|
||||
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
|
||||
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
|
||||
|
||||
verify(deniedHandler).handle(eq(request), eq(response), any(InvalidCsrfTokenException.class));
|
||||
verifyZeroInteractions(filterChain);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterAccessDeniedIncorrectTokenPresentHeader() throws ServletException, IOException {
|
||||
when(requestMatcher.matches(request)).thenReturn(true);
|
||||
when(tokenRepository.loadToken(request)).thenReturn(token);
|
||||
request.addHeader(token.getHeaderName(), token.getToken()+ " INVALID");
|
||||
|
||||
filter.doFilter(request, response, filterChain);
|
||||
|
||||
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
|
||||
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
|
||||
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
|
||||
|
||||
verify(deniedHandler).handle(eq(request), eq(response), any(InvalidCsrfTokenException.class));
|
||||
verifyZeroInteractions(filterChain);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterAccessDeniedIncorrectTokenPresentHeaderPreferredOverParameter() throws ServletException, IOException {
|
||||
when(requestMatcher.matches(request)).thenReturn(true);
|
||||
when(tokenRepository.loadToken(request)).thenReturn(token);
|
||||
request.setParameter(token.getParameterName(), token.getToken());
|
||||
request.addHeader(token.getHeaderName(), token.getToken()+ " INVALID");
|
||||
|
||||
filter.doFilter(request, response, filterChain);
|
||||
|
||||
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
|
||||
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
|
||||
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
|
||||
|
||||
verify(deniedHandler).handle(eq(request), eq(response), any(InvalidCsrfTokenException.class));
|
||||
verifyZeroInteractions(filterChain);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterNotCsrfRequestExistingToken() throws ServletException, IOException {
|
||||
when(requestMatcher.matches(request)).thenReturn(false);
|
||||
when(tokenRepository.loadToken(request)).thenReturn(token);
|
||||
|
||||
filter.doFilter(request, response, filterChain);
|
||||
|
||||
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
|
||||
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
|
||||
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
|
||||
|
||||
verify(filterChain).doFilter(request, response);
|
||||
verifyZeroInteractions(deniedHandler);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterNotCsrfRequestGenerateToken() throws ServletException, IOException {
|
||||
when(requestMatcher.matches(request)).thenReturn(false);
|
||||
when(tokenRepository.generateAndSaveToken(request, response)).thenReturn(token);
|
||||
|
||||
filter.doFilter(request, response, filterChain);
|
||||
|
||||
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
|
||||
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
|
||||
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
|
||||
|
||||
verify(filterChain).doFilter(request, response);
|
||||
verifyZeroInteractions(deniedHandler);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterIsCsrfRequestExistingTokenHeader() throws ServletException, IOException {
|
||||
when(requestMatcher.matches(request)).thenReturn(true);
|
||||
when(tokenRepository.loadToken(request)).thenReturn(token);
|
||||
request.addHeader(token.getHeaderName(), token.getToken());
|
||||
|
||||
filter.doFilter(request, response, filterChain);
|
||||
|
||||
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
|
||||
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
|
||||
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
|
||||
|
||||
verify(filterChain).doFilter(request, response);
|
||||
verifyZeroInteractions(deniedHandler);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterIsCsrfRequestExistingTokenHeaderPreferredOverInvalidParam() throws ServletException, IOException {
|
||||
when(requestMatcher.matches(request)).thenReturn(true);
|
||||
when(tokenRepository.loadToken(request)).thenReturn(token);
|
||||
request.setParameter(token.getParameterName(), token.getToken()+ " INVALID");
|
||||
request.addHeader(token.getHeaderName(), token.getToken());
|
||||
|
||||
filter.doFilter(request, response, filterChain);
|
||||
|
||||
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
|
||||
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
|
||||
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
|
||||
|
||||
verify(filterChain).doFilter(request, response);
|
||||
verifyZeroInteractions(deniedHandler);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterIsCsrfRequestExistingToken() throws ServletException, IOException {
|
||||
when(requestMatcher.matches(request)).thenReturn(true);
|
||||
when(tokenRepository.loadToken(request)).thenReturn(token);
|
||||
request.setParameter(token.getParameterName(), token.getToken());
|
||||
|
||||
filter.doFilter(request, response, filterChain);
|
||||
|
||||
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
|
||||
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
|
||||
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
|
||||
|
||||
verify(filterChain).doFilter(request, response);
|
||||
verifyZeroInteractions(deniedHandler);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterIsCsrfRequestGenerateToken() throws ServletException, IOException {
|
||||
when(requestMatcher.matches(request)).thenReturn(true);
|
||||
when(tokenRepository.generateAndSaveToken(request, response)).thenReturn(token);
|
||||
request.setParameter(token.getParameterName(), token.getToken());
|
||||
|
||||
filter.doFilter(request, response, filterChain);
|
||||
|
||||
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
|
||||
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
|
||||
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
|
||||
|
||||
verify(filterChain).doFilter(request, response);
|
||||
verifyZeroInteractions(deniedHandler);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterDefaultRequireCsrfProtectionMatcherAllowedMethods() throws ServletException, IOException {
|
||||
filter = new CsrfFilter(tokenRepository);
|
||||
filter.setAccessDeniedHandler(deniedHandler);
|
||||
|
||||
for(String method : Arrays.asList("GET","TRACE", "OPTIONS", "HEAD")) {
|
||||
resetRequestResponse();
|
||||
when(tokenRepository.loadToken(request)).thenReturn(token);
|
||||
request.setMethod(method);
|
||||
|
||||
filter.doFilter(request, response, filterChain);
|
||||
|
||||
verify(filterChain).doFilter(request, response);
|
||||
verifyZeroInteractions(deniedHandler);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterDefaultRequireCsrfProtectionMatcherDeniedMethods() throws ServletException, IOException {
|
||||
filter = new CsrfFilter(tokenRepository);
|
||||
filter.setAccessDeniedHandler(deniedHandler);
|
||||
|
||||
for(String method : Arrays.asList("POST","PUT", "PATCH", "DELETE", "INVALID")) {
|
||||
resetRequestResponse();
|
||||
when(tokenRepository.loadToken(request)).thenReturn(token);
|
||||
request.setMethod(method);
|
||||
|
||||
filter.doFilter(request, response, filterChain);
|
||||
|
||||
verify(deniedHandler).handle(eq(request), eq(response), any(InvalidCsrfTokenException.class));
|
||||
verifyZeroInteractions(filterChain);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterDefaultAccessDenied() throws ServletException, IOException {
|
||||
filter = new CsrfFilter(tokenRepository);
|
||||
filter.setRequireCsrfProtectionMatcher(requestMatcher);
|
||||
when(requestMatcher.matches(request)).thenReturn(true);
|
||||
when(tokenRepository.loadToken(request)).thenReturn(token);
|
||||
|
||||
filter.doFilter(request, response, filterChain);
|
||||
|
||||
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
|
||||
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
|
||||
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
|
||||
|
||||
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
|
||||
verifyZeroInteractions(filterChain);
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void setRequireCsrfProtectionMatcherNull() {
|
||||
filter.setRequireCsrfProtectionMatcher(null);
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void setAccessDeniedHandlerNull() {
|
||||
filter.setAccessDeniedHandler(null);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,63 @@
|
||||
/*
|
||||
* Copyright 2002-2013 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.web.csrf;
|
||||
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.runners.MockitoJUnitRunner;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
* @since 3.2
|
||||
*/
|
||||
@RunWith(MockitoJUnitRunner.class)
|
||||
public class CsrfLogoutHandlerTests {
|
||||
@Mock
|
||||
private CsrfTokenRepository csrfTokenRepository;
|
||||
|
||||
private MockHttpServletRequest request;
|
||||
|
||||
private MockHttpServletResponse response;
|
||||
|
||||
private CsrfLogoutHandler handler;
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
request = new MockHttpServletRequest();
|
||||
response = new MockHttpServletResponse();
|
||||
handler = new CsrfLogoutHandler(csrfTokenRepository);
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void constructorNullCsrfTokenRepository() {
|
||||
new CsrfLogoutHandler(null);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void logoutRemovesCsrfToken() {
|
||||
handler.logout(request, response, new TestingAuthenticationToken("user", "password", "ROLE_USER"));
|
||||
|
||||
verify(csrfTokenRepository).saveToken(null, request, response);
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,58 @@
|
||||
/*
|
||||
* Copyright 2002-2013 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.web.csrf;
|
||||
|
||||
import org.junit.Test;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*
|
||||
*/
|
||||
public class CsrfTokenTests {
|
||||
private final String headerName = "headerName";
|
||||
private final String parameterName = "parameterName";
|
||||
private final String tokenValue = "tokenValue";
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void constructorNullHeaderName() {
|
||||
new CsrfToken(null,parameterName, tokenValue);
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void constructorEmptyHeaderName() {
|
||||
new CsrfToken("",parameterName, tokenValue);
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void constructorNullParameterName() {
|
||||
new CsrfToken(headerName,null, tokenValue);
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void constructorEmptyParameterName() {
|
||||
new CsrfToken(headerName,"", tokenValue);
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void constructorNullTokenValue() {
|
||||
new CsrfToken(headerName,parameterName, null);
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void constructorEmptyTokenValue() {
|
||||
new CsrfToken(headerName,parameterName, "");
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,127 @@
|
||||
/*
|
||||
* Copyright 2002-2013 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.web.csrf;
|
||||
|
||||
import static org.fest.assertions.Assertions.assertThat;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*
|
||||
*/
|
||||
public class HttpSessionCsrfTokenRepositoryTests {
|
||||
private MockHttpServletRequest request;
|
||||
|
||||
private MockHttpServletResponse response;
|
||||
|
||||
private CsrfToken token;
|
||||
private HttpSessionCsrfTokenRepository repo;
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
request = new MockHttpServletRequest();
|
||||
response = new MockHttpServletResponse();
|
||||
repo = new HttpSessionCsrfTokenRepository();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void generateAndSaveToken() {
|
||||
token = repo.generateAndSaveToken(request, response);
|
||||
|
||||
assertThat(token.getParameterName()).isEqualTo("_csrf");
|
||||
assertThat(token.getToken()).isNotEmpty();
|
||||
|
||||
CsrfToken loadedToken = repo.loadToken(request);
|
||||
|
||||
assertThat(loadedToken).isEqualTo(token);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void generateAndSaveTokenCustomParameter() {
|
||||
String paramName = "_csrf";
|
||||
repo.setParameterName(paramName);
|
||||
|
||||
token = repo.generateAndSaveToken(request, response);
|
||||
|
||||
assertThat(token.getParameterName()).isEqualTo(paramName);
|
||||
assertThat(token.getToken()).isNotEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loadTokenNull() {
|
||||
assertThat(repo.loadToken(request)).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveToken() {
|
||||
CsrfToken tokenToSave = new CsrfToken("123", "abc", "def");
|
||||
repo.saveToken(tokenToSave, request, response);
|
||||
|
||||
String attrName = request.getSession().getAttributeNames()
|
||||
.nextElement();
|
||||
CsrfToken loadedToken = (CsrfToken) request.getSession().getAttribute(
|
||||
attrName);
|
||||
|
||||
assertThat(loadedToken).isEqualTo(tokenToSave);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenCustomSessionAttribute() {
|
||||
CsrfToken tokenToSave = new CsrfToken("123", "abc", "def");
|
||||
String sessionAttributeName = "custom";
|
||||
repo.setSessionAttributeName(sessionAttributeName);
|
||||
repo.saveToken(tokenToSave, request, response);
|
||||
|
||||
CsrfToken loadedToken = (CsrfToken) request.getSession().getAttribute(
|
||||
sessionAttributeName);
|
||||
|
||||
assertThat(loadedToken).isEqualTo(tokenToSave);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void saveTokenNullToken() {
|
||||
saveToken();
|
||||
|
||||
repo.saveToken(null, request, response);
|
||||
|
||||
assertThat(request.getSession().getAttributeNames().hasMoreElements())
|
||||
.isFalse();
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void setSessionAttributeNameEmpty() {
|
||||
repo.setSessionAttributeName("");
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void setSessionAttributeNameNull() {
|
||||
repo.setSessionAttributeName(null);
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void setParameterNameEmpty() {
|
||||
repo.setParameterName("");
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void setParameterNameNull() {
|
||||
repo.setParameterName(null);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,79 @@
|
||||
/*
|
||||
* Copyright 2002-2013 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.web.servlet.support.csrf;
|
||||
|
||||
import static org.fest.assertions.Assertions.assertThat;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.web.csrf.CsrfToken;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*
|
||||
*/
|
||||
public class CsrfRequestDataValueProcessorTests {
|
||||
private MockHttpServletRequest request;
|
||||
|
||||
private MockHttpServletResponse response;
|
||||
|
||||
private CsrfRequestDataValueProcessor processor;
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
request = new MockHttpServletRequest();
|
||||
response = new MockHttpServletResponse();
|
||||
processor = new CsrfRequestDataValueProcessor();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getExtraHiddenFieldsNoCsrfToken() {
|
||||
assertThat(processor.getExtraHiddenFields(request)).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getExtraHiddenFieldsHasCsrfToken() {
|
||||
CsrfToken token = new CsrfToken("1", "a", "b");
|
||||
request.setAttribute(CsrfToken.class.getName(), token);
|
||||
Map<String,String> expected = new HashMap<String,String>();
|
||||
expected.put(token.getParameterName(),token.getToken());
|
||||
|
||||
assertThat(processor.getExtraHiddenFields(request)).isEqualTo(expected);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void processAction() {
|
||||
String action = "action";
|
||||
assertThat(processor.processAction(request, action)).isEqualTo(action);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void processFormFieldValue() {
|
||||
String value = "action";
|
||||
assertThat(processor.processFormFieldValue(request, "name", value, "hidden")).isEqualTo(value);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void processUrl() {
|
||||
String url = "url";
|
||||
assertThat(processor.processUrl(request, url)).isEqualTo(url);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user