|
|
@@ -876,7 +876,7 @@ class SpaCsrfTokenRequestHandler : CsrfTokenRequestAttributeHandler() {
|
|
|
delegate.handle(request, response, csrfToken)
|
|
|
}
|
|
|
|
|
|
- override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String {
|
|
|
+ override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String? {
|
|
|
/*
|
|
|
* If the request contains a request header, use CsrfTokenRequestAttributeHandler
|
|
|
* to resolve the CsrfToken. This applies when a single-page application includes
|
|
|
@@ -1221,6 +1221,24 @@ public class CsrfTests {
|
|
|
.andExpect(header().string(HttpHeaders.LOCATION, "/"));
|
|
|
}
|
|
|
|
|
|
+ @Test
|
|
|
+ public void loginWhenInvalidCsrfTokenThenForbidden() throws Exception {
|
|
|
+ this.mockMvc.perform(post("/login").with(csrf().useInvalidToken())
|
|
|
+ .accept(MediaType.TEXT_HTML)
|
|
|
+ .param("username", "user")
|
|
|
+ .param("password", "password"))
|
|
|
+ .andExpect(status().isForbidden());
|
|
|
+ }
|
|
|
+
|
|
|
+ @Test
|
|
|
+ public void loginWhenMissingCsrfTokenThenForbidden() throws Exception {
|
|
|
+ this.mockMvc.perform(post("/login")
|
|
|
+ .accept(MediaType.TEXT_HTML)
|
|
|
+ .param("username", "user")
|
|
|
+ .param("password", "password"))
|
|
|
+ .andExpect(status().isForbidden());
|
|
|
+ }
|
|
|
+
|
|
|
@Test
|
|
|
@WithMockUser
|
|
|
public void logoutWhenValidCsrfTokenThenSuccess() throws Exception {
|
|
|
@@ -1264,6 +1282,24 @@ class CsrfTests {
|
|
|
.andExpect(header().string(HttpHeaders.LOCATION, "/"))
|
|
|
}
|
|
|
|
|
|
+ @Test
|
|
|
+ fun loginWhenInvalidCsrfTokenThenForbidden() {
|
|
|
+ mockMvc.perform(post("/login").with(csrf().useInvalidToken())
|
|
|
+ .accept(MediaType.TEXT_HTML)
|
|
|
+ .param("username", "user")
|
|
|
+ .param("password", "password"))
|
|
|
+ .andExpect(status().isForbidden)
|
|
|
+ }
|
|
|
+
|
|
|
+ @Test
|
|
|
+ fun loginWhenMissingCsrfTokenThenForbidden() {
|
|
|
+ mockMvc.perform(post("/login")
|
|
|
+ .accept(MediaType.TEXT_HTML)
|
|
|
+ .param("username", "user")
|
|
|
+ .param("password", "password"))
|
|
|
+ .andExpect(status().isForbidden)
|
|
|
+ }
|
|
|
+
|
|
|
@Test
|
|
|
@WithMockUser
|
|
|
@Throws(Exception::class)
|
Steve Riesenberg