首页 发现 帮助
注册 登录
github
/
spring-security
镜像自地址 https://github.com/spring-projects/spring-security
2
0
派生 0
文件 工单管理 0 Wiki
浏览代码

SEC-3097: Use MockMvc for SecurityMockMVcRequestPostProcessorsCsrfTests

This is necessary because the changes for this issue are going to make
the mocked version of the tests invalid.
Rob Winch 10 年之前
父节点
a9a5377e4a
当前提交
ea94706319
共有 1 个文件被更改,包括 86 次插入46 次删除
分列视图 显示文件统计
  1. 86 46
      test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsCsrfTests.java

+ 86 - 46
test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsCsrfTests.java
查看文件 

@@ -17,78 +17,118 @@ package org.springframework.security.test.web.servlet.request;
 
 
 import static org.fest.assertions.Assertions.assertThat;
 
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 
-import static org.powermock.api.mockito.PowerMockito.*;
 
+import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
 
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 
 import org.junit.Before;
 
 import org.junit.Test;
 
 import org.junit.runner.RunWith;
 
-import org.mockito.Mock;
 
-import org.powermock.core.classloader.annotations.PrepareOnlyThisForTest;
 
-import org.powermock.modules.junit4.PowerMockRunner;
 
+import org.springframework.beans.factory.annotation.Autowired;
 
+import org.springframework.context.annotation.Bean;
 
 import org.springframework.mock.web.MockHttpServletRequest;
 
-import org.springframework.security.test.web.support.WebTestUtils;
 
-import org.springframework.security.web.csrf.CsrfTokenRepository;
 
-import org.springframework.security.web.csrf.DefaultCsrfToken;
 
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
+import org.springframework.test.context.ContextConfiguration;
 
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
+import org.springframework.test.context.web.WebAppConfiguration;
 
+import org.springframework.test.web.servlet.MockMvc;
 
+import org.springframework.test.web.servlet.MvcResult;
 
+import org.springframework.test.web.servlet.ResultMatcher;
 
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
+import org.springframework.web.bind.annotation.RequestMapping;
 
+import org.springframework.web.bind.annotation.RestController;
 
+import org.springframework.web.context.WebApplicationContext;
 
 
-@RunWith(PowerMockRunner.class)
 
-@PrepareOnlyThisForTest(WebTestUtils.class)
 
+@RunWith(SpringJUnit4ClassRunner.class)
 
+@ContextConfiguration
 
+@WebAppConfiguration
 
 public class SecurityMockMvcRequestPostProcessorsCsrfTests {
 
-	@Mock
 
-	private CsrfTokenRepository repository;
 
-	private DefaultCsrfToken token;
 
+	@Autowired
 
+	WebApplicationContext wac;
 
 
-	private MockHttpServletRequest request;
 
+	MockMvc mockMvc;
 
 
 	@Before
 
 	public void setup() {
 
-		token = new DefaultCsrfToken("header", "param", "token");
 
-		request = new MockHttpServletRequest();
 
-		mockWebTestUtils();
 
+		mockMvc = MockMvcBuilders
 
+				.webAppContextSetup(wac)
 
+				.apply(springSecurity())
 
+				.build();
 
 	}
 
 
 	@Test
 
-	public void csrfWithParam() {
 
-		MockHttpServletRequest postProcessedRequest = csrf().postProcessRequest(request);
 
-
 
-		assertThat(postProcessedRequest.getParameter(token.getParameterName()))
 
-				.isEqualTo(token.getToken());
 
-		assertThat(postProcessedRequest.getHeader(token.getHeaderName())).isNull();
 
+	public void csrfWithParam() throws Exception {
 
+		mockMvc.perform(post("/").with(csrf()))
 
+			.andExpect(status().is2xxSuccessful())
 
+			.andExpect(csrfAsParam());
 
 	}
 
 
 	@Test
 
-	public void csrfWithHeader() {
 
-		MockHttpServletRequest postProcessedRequest = csrf().asHeader()
 
-				.postProcessRequest(request);
 
+	public void csrfWithHeader() throws Exception {
 
+		mockMvc.perform(post("/").with(csrf().asHeader()))
 
+			.andExpect(status().is2xxSuccessful())
 
+			.andExpect(csrfAsHeader());
 
+	}
 
 
-		assertThat(postProcessedRequest.getParameter(token.getParameterName())).isNull();
 
-		assertThat(postProcessedRequest.getHeader(token.getHeaderName())).isEqualTo(
 
-				token.getToken());
 
+	@Test
 
+	public void csrfWithInvalidParam() throws Exception {
 
+		mockMvc.perform(post("/").with(csrf().useInvalidToken()))
 
+				.andExpect(status().isForbidden())
 
+				.andExpect(csrfAsParam());
 
 	}
 
 
 	@Test
 
-	public void csrfWithInvalidParam() {
 
-		MockHttpServletRequest postProcessedRequest = csrf().useInvalidToken()
 
-				.postProcessRequest(request);
 
+	public void csrfWithInvalidHeader() throws Exception {
 
+		mockMvc.perform(post("/").with(csrf().asHeader().useInvalidToken()))
 
+			.andExpect(status().isForbidden())
 
+			.andExpect(csrfAsHeader());
 
+	}
 
 
-		assertThat(postProcessedRequest.getParameter(token.getParameterName()))
 
-				.isNotEmpty().isNotEqualTo(token.getToken());
 
-		assertThat(postProcessedRequest.getHeader(token.getHeaderName())).isNull();
 
+	public static ResultMatcher csrfAsParam() {
 
+		return new CsrfParamResultMatcher();
 
 	}
 
 
-	@Test
 
-	public void csrfWithInvalidHeader() {
 
-		MockHttpServletRequest postProcessedRequest = csrf().asHeader().useInvalidToken()
 
-				.postProcessRequest(request);
 
+	static class CsrfParamResultMatcher implements ResultMatcher {
 
+
 
+		public void match(MvcResult result) throws Exception {
 
+			MockHttpServletRequest request = result.getRequest();
 
+			assertThat(request.getParameter("_csrf")).isNotNull();
 
+			assertThat(request.getHeader("X-CSRF-TOKEN")).isNull();
 
+		}
 
+	}
 
+
 
+	public static ResultMatcher csrfAsHeader() {
 
+		return new CsrfHeaderResultMatcher();
 
+	}
 
 
-		assertThat(postProcessedRequest.getParameter(token.getParameterName())).isNull();
 
-		assertThat(postProcessedRequest.getHeader(token.getHeaderName())).isNotEmpty()
 
-				.isNotEqualTo(token.getToken());
 
+	static class CsrfHeaderResultMatcher implements ResultMatcher {
 
+
 
+		public void match(MvcResult result) throws Exception {
 
+			MockHttpServletRequest request = result.getRequest();
 
+			assertThat(request.getParameter("_csrf")).isNull();
 
+			assertThat(request.getHeader("X-CSRF-TOKEN")).isNotNull();
 
+		}
 
 	}
 
 
-	private void mockWebTestUtils() {
 
-		spy(WebTestUtils.class);
 
-		when(WebTestUtils.getCsrfTokenRepository(request)).thenReturn(repository);
 
-		when(repository.loadToken(request)).thenReturn(token);
 
-		when(repository.generateToken(request)).thenReturn(token);
 
+	@EnableWebSecurity
 
+	static class Config extends WebSecurityConfigurerAdapter {
 
+		@Override
 
+		protected void configure(HttpSecurity http) throws Exception {
 
+		}
 
+
 
+		@Bean
 
+		public TheController controller() {
 
+			return new TheController();
 
+		}
 
+
 
+		@RestController
 
+		static class TheController {
 
+			@RequestMapping("/")
 
+			String index() {
 
+				return "Hi";
 
+			}
 
+		}
 
 	}
 
 }