@@ -114,72 +114,72 @@ public class CsrfConfigurerTests {
114
114
@ Test
115
115
public void postWhenWebSecurityEnabledThenRespondsWithForbidden () throws Exception {
116
116
this .spring
117
- .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
118
- .autowire ();
117
+ .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
118
+ .autowire ();
119
119
this .mvc .perform (post ("/" )).andExpect (status ().isForbidden ());
120
120
}
121
121
122
122
@ Test
123
123
public void putWhenWebSecurityEnabledThenRespondsWithForbidden () throws Exception {
124
124
this .spring
125
- .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
126
- .autowire ();
125
+ .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
126
+ .autowire ();
127
127
this .mvc .perform (put ("/" )).andExpect (status ().isForbidden ());
128
128
}
129
129
130
130
@ Test
131
131
public void patchWhenWebSecurityEnabledThenRespondsWithForbidden () throws Exception {
132
132
this .spring
133
- .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
134
- .autowire ();
133
+ .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
134
+ .autowire ();
135
135
this .mvc .perform (patch ("/" )).andExpect (status ().isForbidden ());
136
136
}
137
137
138
138
@ Test
139
139
public void deleteWhenWebSecurityEnabledThenRespondsWithForbidden () throws Exception {
140
140
this .spring
141
- .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
142
- .autowire ();
141
+ .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
142
+ .autowire ();
143
143
this .mvc .perform (delete ("/" )).andExpect (status ().isForbidden ());
144
144
}
145
145
146
146
@ Test
147
147
public void invalidWhenWebSecurityEnabledThenRespondsWithForbidden () throws Exception {
148
148
this .spring
149
- .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
150
- .autowire ();
149
+ .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
150
+ .autowire ();
151
151
this .mvc .perform (request ("INVALID" , URI .create ("/" ))).andExpect (status ().isForbidden ());
152
152
}
153
153
154
154
@ Test
155
155
public void getWhenWebSecurityEnabledThenRespondsWithOk () throws Exception {
156
156
this .spring
157
- .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
158
- .autowire ();
157
+ .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
158
+ .autowire ();
159
159
this .mvc .perform (get ("/" )).andExpect (status ().isOk ());
160
160
}
161
161
162
162
@ Test
163
163
public void headWhenWebSecurityEnabledThenRespondsWithOk () throws Exception {
164
164
this .spring
165
- .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
166
- .autowire ();
165
+ .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
166
+ .autowire ();
167
167
this .mvc .perform (head ("/" )).andExpect (status ().isOk ());
168
168
}
169
169
170
170
@ Test
171
171
public void traceWhenWebSecurityEnabledThenRespondsWithOk () throws Exception {
172
172
this .spring
173
- .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
174
- .autowire ();
173
+ .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
174
+ .autowire ();
175
175
this .mvc .perform (request (HttpMethod .TRACE , "/" )).andExpect (status ().isOk ());
176
176
}
177
177
178
178
@ Test
179
179
public void optionsWhenWebSecurityEnabledThenRespondsWithOk () throws Exception {
180
180
this .spring
181
- .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
182
- .autowire ();
181
+ .register (CsrfAppliedDefaultConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
182
+ .autowire ();
183
183
this .mvc .perform (options ("/" )).andExpect (status ().isOk ());
184
184
}
185
185
@@ -209,11 +209,11 @@ public void loginWhenCsrfDisabledThenRedirectsToPreviousPostRequest() throws Exc
209
209
RequestCache requestCache = new HttpSessionRequestCache ();
210
210
String redirectUrl = requestCache .getRequest (mvcResult .getRequest (), mvcResult .getResponse ()).getRedirectUrl ();
211
211
this .mvc
212
- .perform (post ("/login" ).param ("username" , "user" )
213
- .param ("password" , "password" )
214
- .session ((MockHttpSession ) mvcResult .getRequest ().getSession ()))
215
- .andExpect (status ().isFound ())
216
- .andExpect (redirectedUrl (redirectUrl ));
212
+ .perform (post ("/login" ).param ("username" , "user" )
213
+ .param ("password" , "password" )
214
+ .session ((MockHttpSession ) mvcResult .getRequest ().getSession ()))
215
+ .andExpect (status ().isFound ())
216
+ .andExpect (redirectedUrl (redirectUrl ));
217
217
}
218
218
219
219
@ Test
@@ -222,18 +222,18 @@ public void loginWhenCsrfEnabledThenDoesNotRedirectToPreviousPostRequest() throw
222
222
DefaultCsrfToken csrfToken = new DefaultCsrfToken ("X-CSRF-TOKEN" , "_csrf" , "token" );
223
223
given (CsrfDisablesPostRequestFromRequestCacheConfig .REPO .loadDeferredToken (any (HttpServletRequest .class ),
224
224
any (HttpServletResponse .class )))
225
- .willReturn (new TestDeferredCsrfToken (csrfToken ));
225
+ .willReturn (new TestDeferredCsrfToken (csrfToken ));
226
226
this .spring .register (CsrfDisablesPostRequestFromRequestCacheConfig .class ).autowire ();
227
227
MvcResult mvcResult = this .mvc .perform (post ("/some-url" )).andReturn ();
228
228
this .mvc
229
- .perform (post ("/login" ).param ("username" , "user" )
230
- .param ("password" , "password" )
231
- .with (csrf ())
232
- .session ((MockHttpSession ) mvcResult .getRequest ().getSession ()))
233
- .andExpect (status ().isFound ())
234
- .andExpect (redirectedUrl ("/" ));
229
+ .perform (post ("/login" ).param ("username" , "user" )
230
+ .param ("password" , "password" )
231
+ .with (csrf ())
232
+ .session ((MockHttpSession ) mvcResult .getRequest ().getSession ()))
233
+ .andExpect (status ().isFound ())
234
+ .andExpect (redirectedUrl ("/" ));
235
235
verify (CsrfDisablesPostRequestFromRequestCacheConfig .REPO , atLeastOnce ())
236
- .loadDeferredToken (any (HttpServletRequest .class ), any (HttpServletResponse .class ));
236
+ .loadDeferredToken (any (HttpServletRequest .class ), any (HttpServletResponse .class ));
237
237
}
238
238
239
239
@ Test
@@ -242,32 +242,32 @@ public void loginWhenCsrfEnabledThenRedirectsToPreviousGetRequest() throws Excep
242
242
DefaultCsrfToken csrfToken = new DefaultCsrfToken ("X-CSRF-TOKEN" , "_csrf" , "token" );
243
243
given (CsrfDisablesPostRequestFromRequestCacheConfig .REPO .loadDeferredToken (any (HttpServletRequest .class ),
244
244
any (HttpServletResponse .class )))
245
- .willReturn (new TestDeferredCsrfToken (csrfToken ));
245
+ .willReturn (new TestDeferredCsrfToken (csrfToken ));
246
246
this .spring .register (CsrfDisablesPostRequestFromRequestCacheConfig .class ).autowire ();
247
247
MvcResult mvcResult = this .mvc .perform (get ("/some-url" )).andReturn ();
248
248
RequestCache requestCache = new HttpSessionRequestCache ();
249
249
String redirectUrl = requestCache .getRequest (mvcResult .getRequest (), mvcResult .getResponse ()).getRedirectUrl ();
250
250
this .mvc
251
- .perform (post ("/login" ).param ("username" , "user" )
252
- .param ("password" , "password" )
253
- .with (csrf ())
254
- .session ((MockHttpSession ) mvcResult .getRequest ().getSession ()))
255
- .andExpect (status ().isFound ())
256
- .andExpect (redirectedUrl (redirectUrl ));
251
+ .perform (post ("/login" ).param ("username" , "user" )
252
+ .param ("password" , "password" )
253
+ .with (csrf ())
254
+ .session ((MockHttpSession ) mvcResult .getRequest ().getSession ()))
255
+ .andExpect (status ().isFound ())
256
+ .andExpect (redirectedUrl (redirectUrl ));
257
257
verify (CsrfDisablesPostRequestFromRequestCacheConfig .REPO , atLeastOnce ())
258
- .loadDeferredToken (any (HttpServletRequest .class ), any (HttpServletResponse .class ));
258
+ .loadDeferredToken (any (HttpServletRequest .class ), any (HttpServletResponse .class ));
259
259
}
260
260
261
261
// SEC-2422
262
262
@ Test
263
263
public void postWhenCsrfEnabledAndSessionIsExpiredThenRespondsWithForbidden () throws Exception {
264
264
this .spring .register (InvalidSessionUrlConfig .class ).autowire ();
265
265
MvcResult mvcResult = this .mvc .perform (post ("/" ).param ("_csrf" , "abc" ))
266
- .andExpect (status ().isFound ())
267
- .andExpect (redirectedUrl ("/error/sessionError" ))
268
- .andReturn ();
266
+ .andExpect (status ().isFound ())
267
+ .andExpect (redirectedUrl ("/error/sessionError" ))
268
+ .andReturn ();
269
269
this .mvc .perform (post ("/" ).session ((MockHttpSession ) mvcResult .getRequest ().getSession ()))
270
- .andExpect (status ().isForbidden ());
270
+ .andExpect (status ().isForbidden ());
271
271
}
272
272
273
273
@ Test
@@ -306,7 +306,7 @@ public void postWhenCustomCsrfTokenRepositoryThenRepositoryIsUsed() throws Excep
306
306
CsrfTokenRepositoryConfig .REPO = mock (CsrfTokenRepository .class );
307
307
given (CsrfTokenRepositoryConfig .REPO .loadDeferredToken (any (HttpServletRequest .class ),
308
308
any (HttpServletResponse .class )))
309
- .willReturn (new TestDeferredCsrfToken (new DefaultCsrfToken ("X-CSRF-TOKEN" , "_csrf" , "token" )));
309
+ .willReturn (new TestDeferredCsrfToken (new DefaultCsrfToken ("X-CSRF-TOKEN" , "_csrf" , "token" )));
310
310
this .spring .register (CsrfTokenRepositoryConfig .class , BasicController .class ).autowire ();
311
311
this .mvc .perform (post ("/" ));
312
312
verify (CsrfTokenRepositoryConfig .REPO ).loadDeferredToken (any (HttpServletRequest .class ),
@@ -329,7 +329,7 @@ public void loginWhenCustomCsrfTokenRepositoryThenCsrfTokenIsCleared() throws Ex
329
329
given (CsrfTokenRepositoryConfig .REPO .loadToken (any ())).willReturn (csrfToken );
330
330
given (CsrfTokenRepositoryConfig .REPO .loadDeferredToken (any (HttpServletRequest .class ),
331
331
any (HttpServletResponse .class )))
332
- .willReturn (new TestDeferredCsrfToken (csrfToken ));
332
+ .willReturn (new TestDeferredCsrfToken (csrfToken ));
333
333
this .spring .register (CsrfTokenRepositoryConfig .class , BasicController .class ).autowire ();
334
334
// @formatter:off
335
335
MockHttpServletRequestBuilder loginRequest = post ("/login" )
@@ -348,7 +348,7 @@ public void getWhenCustomCsrfTokenRepositoryInLambdaThenRepositoryIsUsed() throw
348
348
CsrfTokenRepositoryInLambdaConfig .REPO = mock (CsrfTokenRepository .class );
349
349
given (CsrfTokenRepositoryInLambdaConfig .REPO .loadDeferredToken (any (HttpServletRequest .class ),
350
350
any (HttpServletResponse .class )))
351
- .willReturn (new TestDeferredCsrfToken (new DefaultCsrfToken ("X-CSRF-TOKEN" , "_csrf" , "token" )));
351
+ .willReturn (new TestDeferredCsrfToken (new DefaultCsrfToken ("X-CSRF-TOKEN" , "_csrf" , "token" )));
352
352
this .spring .register (CsrfTokenRepositoryInLambdaConfig .class , BasicController .class ).autowire ();
353
353
this .mvc .perform (post ("/" ));
354
354
verify (CsrfTokenRepositoryInLambdaConfig .REPO ).loadDeferredToken (any (HttpServletRequest .class ),
@@ -418,8 +418,8 @@ public void logoutWhenGetRequestAndGetEnabledForLogoutThenLogsOut() throws Excep
418
418
@ Test
419
419
public void configureWhenRequireCsrfProtectionMatcherNullThenException () {
420
420
assertThatExceptionOfType (BeanCreationException .class )
421
- .isThrownBy (() -> this .spring .register (NullRequireCsrfProtectionMatcherConfig .class ).autowire ())
422
- .withRootCauseInstanceOf (IllegalArgumentException .class );
421
+ .isThrownBy (() -> this .spring .register (NullRequireCsrfProtectionMatcherConfig .class ).autowire ())
422
+ .withRootCauseInstanceOf (IllegalArgumentException .class );
423
423
}
424
424
425
425
@ Test
@@ -432,8 +432,8 @@ public void getWhenDefaultCsrfTokenRepositoryThenDoesNotCreateSession() throws E
432
432
@ Test
433
433
public void getWhenNullAuthenticationStrategyThenException () {
434
434
assertThatExceptionOfType (BeanCreationException .class )
435
- .isThrownBy (() -> this .spring .register (NullAuthenticationStrategy .class ).autowire ())
436
- .withRootCauseInstanceOf (IllegalArgumentException .class );
435
+ .isThrownBy (() -> this .spring .register (NullAuthenticationStrategy .class ).autowire ())
436
+ .withRootCauseInstanceOf (IllegalArgumentException .class );
437
437
}
438
438
439
439
@ Test
@@ -456,13 +456,13 @@ public void getLoginWhenCsrfTokenRequestAttributeHandlerSetThenRespondsWithNorma
456
456
CsrfTokenRepository csrfTokenRepository = mock (CsrfTokenRepository .class );
457
457
CsrfToken csrfToken = new DefaultCsrfToken ("X-CSRF-TOKEN" , "_csrf" , "token" );
458
458
given (csrfTokenRepository .loadDeferredToken (any (HttpServletRequest .class ), any (HttpServletResponse .class )))
459
- .willReturn (new TestDeferredCsrfToken (csrfToken ));
459
+ .willReturn (new TestDeferredCsrfToken (csrfToken ));
460
460
CsrfTokenRequestHandlerConfig .REPO = csrfTokenRepository ;
461
461
CsrfTokenRequestHandlerConfig .HANDLER = new CsrfTokenRequestAttributeHandler ();
462
462
this .spring .register (CsrfTokenRequestHandlerConfig .class , BasicController .class ).autowire ();
463
463
this .mvc .perform (get ("/login" ))
464
- .andExpect (status ().isOk ())
465
- .andExpect (content ().string (containsString (csrfToken .getToken ())));
464
+ .andExpect (status ().isOk ())
465
+ .andExpect (content ().string (containsString (csrfToken .getToken ())));
466
466
verify (csrfTokenRepository ).loadDeferredToken (any (HttpServletRequest .class ), any (HttpServletResponse .class ));
467
467
verifyNoMoreInteractions (csrfTokenRepository );
468
468
}
@@ -473,7 +473,7 @@ public void loginWhenCsrfTokenRequestAttributeHandlerSetAndNormalCsrfTokenThenSu
473
473
CsrfTokenRepository csrfTokenRepository = mock (CsrfTokenRepository .class );
474
474
given (csrfTokenRepository .loadToken (any (HttpServletRequest .class ))).willReturn (csrfToken );
475
475
given (csrfTokenRepository .loadDeferredToken (any (HttpServletRequest .class ), any (HttpServletResponse .class )))
476
- .willReturn (new TestDeferredCsrfToken (csrfToken ));
476
+ .willReturn (new TestDeferredCsrfToken (csrfToken ));
477
477
CsrfTokenRequestHandlerConfig .REPO = csrfTokenRepository ;
478
478
CsrfTokenRequestHandlerConfig .HANDLER = new CsrfTokenRequestAttributeHandler ();
479
479
this .spring .register (CsrfTokenRequestHandlerConfig .class , BasicController .class ).autowire ();
@@ -497,13 +497,13 @@ public void getLoginWhenXorCsrfTokenRequestAttributeHandlerSetThenRespondsWithMa
497
497
CsrfTokenRepository csrfTokenRepository = mock (CsrfTokenRepository .class );
498
498
CsrfToken csrfToken = new DefaultCsrfToken ("X-CSRF-TOKEN" , "_csrf" , "token" );
499
499
given (csrfTokenRepository .loadDeferredToken (any (HttpServletRequest .class ), any (HttpServletResponse .class )))
500
- .willReturn (new TestDeferredCsrfToken (csrfToken ));
500
+ .willReturn (new TestDeferredCsrfToken (csrfToken ));
501
501
CsrfTokenRequestHandlerConfig .REPO = csrfTokenRepository ;
502
502
CsrfTokenRequestHandlerConfig .HANDLER = new XorCsrfTokenRequestAttributeHandler ();
503
503
this .spring .register (CsrfTokenRequestHandlerConfig .class , BasicController .class ).autowire ();
504
504
this .mvc .perform (get ("/login" ))
505
- .andExpect (status ().isOk ())
506
- .andExpect (content ().string (not (containsString (csrfToken .getToken ()))));
505
+ .andExpect (status ().isOk ())
506
+ .andExpect (content ().string (not (containsString (csrfToken .getToken ()))));
507
507
verify (csrfTokenRepository ).loadDeferredToken (any (HttpServletRequest .class ), any (HttpServletResponse .class ));
508
508
verifyNoMoreInteractions (csrfTokenRepository );
509
509
}
@@ -514,7 +514,7 @@ public void loginWhenXorCsrfTokenRequestAttributeHandlerSetAndMaskedCsrfTokenThe
514
514
CsrfTokenRepository csrfTokenRepository = mock (CsrfTokenRepository .class );
515
515
given (csrfTokenRepository .loadToken (any (HttpServletRequest .class ))).willReturn (csrfToken );
516
516
given (csrfTokenRepository .loadDeferredToken (any (HttpServletRequest .class ), any (HttpServletResponse .class )))
517
- .willReturn (new TestDeferredCsrfToken (csrfToken ));
517
+ .willReturn (new TestDeferredCsrfToken (csrfToken ));
518
518
CsrfTokenRequestHandlerConfig .REPO = csrfTokenRepository ;
519
519
CsrfTokenRequestHandlerConfig .HANDLER = new XorCsrfTokenRequestAttributeHandler ();
520
520
this .spring .register (CsrfTokenRequestHandlerConfig .class , BasicController .class ).autowire ();
@@ -613,35 +613,33 @@ public void getWhenHttpBasicAndCookieCsrfTokenRepositorySetAndNoExistingCookieTh
613
613
614
614
@ Test
615
615
public void spaConfigForbidden () throws Exception {
616
- this .spring
617
- .register (CsrfSpaConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
618
- .autowire ();
616
+ this .spring .register (CsrfSpaConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
617
+ .autowire ();
619
618
this .mvc .perform (post ("/" )).andExpect (status ().isForbidden ());
620
619
}
621
620
622
621
@ Test
623
622
public void spaConfigOk () throws Exception {
624
- this .spring
625
- .register (CsrfSpaConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
626
- .autowire ();
623
+ this .spring .register (CsrfSpaConfig .class , AllowHttpMethodsFirewallConfig .class , BasicController .class )
624
+ .autowire ();
627
625
this .mvc .perform (post ("/" ).with (csrf ())).andExpect (status ().isOk ());
628
626
}
629
627
630
628
@ Test
631
629
public void spaConfigDoubleSubmit () throws Exception {
632
- this .spring
633
- . register ( CsrfSpaConfig . class , AllowHttpMethodsFirewallConfig . class , BasicController . class )
634
- . autowire ();
635
- var token = this . mvc
636
- . perform ( post ( "/ " ))
637
- . andExpect ( status (). isForbidden () )
638
- . andExpect ( cookie (). exists ( "XSRF-TOKEN" ) )
639
- . andReturn (). getResponse () .getCookie ("XSRF-TOKEN" );
630
+ this .spring . register ( CsrfSpaConfig . class , AllowHttpMethodsFirewallConfig . class , BasicController . class )
631
+ . autowire ();
632
+ var token = this . mvc . perform ( post ( "/" ))
633
+ . andExpect ( status (). isForbidden ())
634
+ . andExpect ( cookie (). exists ( "XSRF-TOKEN " ))
635
+ . andReturn ( )
636
+ . getResponse ( )
637
+ .getCookie ("XSRF-TOKEN" );
640
638
641
- this .mvc . perform ( post ( "/" )
642
- .header ("X-XSRF-TOKEN" , token .getValue ())
643
- .cookie (new Cookie ("XSRF-TOKEN" , token .getValue ())))
644
- .andExpect (status ().isOk ());
639
+ this .mvc
640
+ . perform ( post ( "/" ) .header ("X-XSRF-TOKEN" , token .getValue ())
641
+ .cookie (new Cookie ("XSRF-TOKEN" , token .getValue ())))
642
+ .andExpect (status ().isOk ());
645
643
}
646
644
647
645
@ Configuration
@@ -1043,11 +1041,11 @@ static class CsrfSpaConfig {
1043
1041
1044
1042
@ Bean
1045
1043
SecurityFilterChain filterChain (HttpSecurity http ) throws Exception {
1046
- http .csrf (CsrfCustomizer . spaDefaults () );
1044
+ http .csrf (CsrfConfigurer :: spa );
1047
1045
return http .build ();
1048
1046
}
1049
- }
1050
1047
1048
+ }
1051
1049
1052
1050
@ Configuration
1053
1051
@ EnableWebSecurity
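Review bot: In spaConfigDoubleSubmit, the new cookie assertion reads `. andExpect ( cookie (). exists ( "XSRF-TOKEN " ))` with a trailing space inside the literal, while the old side and the later `.getCookie ("XSRF-TOKEN" )` and `new Cookie ("XSRF-TOKEN" , ...)` use the unpadded name; if that space is in the source rather than a rendering artifact, the matcher looks for a cookie that is never set and the test fails, so the line should read `.andExpect(cookie().exists("XSRF-TOKEN"))`. The test also only checks that the cookie exists before replaying its value in the X-XSRF-TOKEN header; since a double-submit flow depends on script being able to read that cookie, consider pinning the flag as well, e.g. `.andExpect(cookie().httpOnly("XSRF-TOKEN", false))`, so that a later change to the SPA defaults that makes the cookie HttpOnly is caught by this test rather than in a browser. Whether `CsrfConfigurer :: spa` in CsrfSpaConfig.filterChain actually sets HttpOnly to false is not visible in this diff, so confirm against the configurer before adding that assertion.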