Halaman utama Jelajahi Bantuan
Daftar Masuk
github
/
spring-security
cermin dari https://github.com/spring-projects/spring-security
2
0
Fork 0
Berkas Masalah 0 Wiki
Jelajahi Sumber

Mock Jwt Disables CSRF

Fixes gh-7170
Josh Cummings 6 tahun lalu
induk
aa12748c9b
melakukan
b55b2914c2
3 mengubah file dengan 12 tambahan dan 23 penghapusan
Tampilan Split Tampilkan Statistik Diff
  1. 3 21
      samples/boot/oauth2resourceserver/src/test/java/sample/OAuth2ResourceServerControllerTests.java
  2. 4 0
      test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java
  3. 5 2
      test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java

+ 3 - 21
samples/boot/oauth2resourceserver/src/test/java/sample/OAuth2ResourceServerControllerTests.java
Tampilan Berkas 

@@ -25,7 +25,6 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
 
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 
 import org.springframework.test.context.junit4.SpringRunner;
 
 import org.springframework.test.web.servlet.MockMvc;
 
-import org.springframework.security.oauth2.jwt.Jwt;
 
 
 import static org.hamcrest.CoreMatchers.is;
 
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
 
@@ -33,8 +32,6 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilder
 
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-import static org.mockito.ArgumentMatchers.anyString;
 
-import static org.mockito.Mockito.when;
 
 
 /**
 
  *
 
@@ -77,41 +74,26 @@ public class OAuth2ResourceServerControllerTests {
 
 
 	@Test
 
 	public void messageCanNotBeCreatedWithoutAnyScope() throws Exception {
 
-		Jwt jwt = Jwt.withTokenValue("token")
 
-				.header("alg", "none")
 
-				.claim("scope", "")
 
-				.build();
 
-		when(jwtDecoder.decode(anyString())).thenReturn(jwt);
 
 		mockMvc.perform(post("/message")
 
 				.content("Hello message")
 
-				.header("Authorization", "Bearer " + jwt.getTokenValue()))
 
+				.with(jwt()))
 
 				.andExpect(status().isForbidden());
 
 	}
 
 
 	@Test
 
 	public void messageCanNotBeCreatedWithScopeMessageReadAuthority() throws Exception {
 
-		Jwt jwt = Jwt.withTokenValue("token")
 
-				.header("alg", "none")
 
-				.claim("scope", "message:read")
 
-				.build();
 
-		when(jwtDecoder.decode(anyString())).thenReturn(jwt);
 
 		mockMvc.perform(post("/message")
 
 				.content("Hello message")
 
-				.header("Authorization", "Bearer " + jwt.getTokenValue()))
 
+				.with(jwt(jwt -> jwt.claim("scope", "message:read"))))
 
 				.andExpect(status().isForbidden());
 
 	}
 
 
 	@Test
 
 	public void messageCanBeCreatedWithScopeMessageWriteAuthority()
 
 			throws Exception {
 
-		Jwt jwt = Jwt.withTokenValue("token")
 
-				.header("alg", "none")
 
-				.claim("scope", "message:write")
 
-				.build();
 
-		when(jwtDecoder.decode(anyString())).thenReturn(jwt);
 
 		mockMvc.perform(post("/message")
 
 				.content("Hello message")
 
-				.header("Authorization", "Bearer " + jwt.getTokenValue()))
 
+				.with(jwt(jwt -> jwt.claim("scope", "message:write"))))
 
 				.andExpect(status().isOk())
 
 				.andExpect(content().string(is("Message was created. Content: Hello message")));
 
 	}

+ 4 - 0
test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java
Tampilan Berkas 

@@ -419,6 +419,10 @@ public class SecurityMockServerConfigurers {
 
 				WebTestClient.Builder builder,
 
 				@Nullable WebHttpHandlerBuilder httpHandlerBuilder,
 
 				@Nullable ClientHttpConnector connector) {
 
+			httpHandlerBuilder.filter((exchange, chain) -> {
 
+				CsrfWebFilter.skipExchange(exchange);
 
+				return chain.filter(exchange);
 
+			});
 
 			configurer().afterConfigurerAdded(builder, httpHandlerBuilder, connector);
 
 		}

+ 5 - 2
test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java
Tampilan Berkas 

@@ -55,6 +55,7 @@ import org.springframework.security.test.web.support.WebTestUtils;
 
 import org.springframework.security.web.context.HttpRequestResponseHolder;
 
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
 
 import org.springframework.security.web.context.SecurityContextRepository;
 
+import org.springframework.security.web.csrf.CsrfFilter;
 
 import org.springframework.security.web.csrf.CsrfToken;
 
 import org.springframework.security.web.csrf.CsrfTokenRepository;
 
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 
@@ -63,6 +64,7 @@ import org.springframework.test.web.servlet.request.RequestPostProcessor;
 
 import org.springframework.util.Assert;
 
 import org.springframework.util.DigestUtils;
 
 
+import static java.lang.Boolean.TRUE;
 
 import static org.springframework.security.oauth2.jwt.JwtClaimNames.SUB;
 
 
 /**
 
@@ -502,11 +504,11 @@ public final class SecurityMockMvcRequestPostProcessors {
 
 			}
 
 
 			public static void enable(HttpServletRequest request) {
 
-				request.setAttribute(ENABLED_ATTR_NAME, Boolean.TRUE);
 
+				request.setAttribute(ENABLED_ATTR_NAME, TRUE);
 
 			}
 
 
 			public boolean isEnabled(HttpServletRequest request) {
 
-				return Boolean.TRUE.equals(request.getAttribute(ENABLED_ATTR_NAME));
 
+				return TRUE.equals(request.getAttribute(ENABLED_ATTR_NAME));
 
 			}
 
 		}
 
 	}
 
@@ -1043,6 +1045,7 @@ public final class SecurityMockMvcRequestPostProcessors {
 
 
 		@Override
 
 		public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
 
+			CsrfFilter.skipRequest(request);
 
 			JwtAuthenticationToken token = new JwtAuthenticationToken(this.jwt, this.authorities);
 
 			return new AuthenticationRequestPostProcessor(token).postProcessRequest(request);
 
 		}