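--- a/PATH-NOT-ON-PAGE/com/baeldung/security/csrf/CsrfCookieEnabledIntegrationTest.java
+++ b/PATH-NOT-ON-PAGE/com/baeldung/security/csrf/CsrfCookieEnabledIntegrationTest.java
@@ -0,0 +1,41 @@
+package com.baeldung.security.csrf;
+
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import com.baeldung.security.spring.SecurityWithCsrfCookieConfig;
+import com.baeldung.spring.MvcConfig;
+import org.junit.Test;
+import org.springframework.http.MediaType;
+import org.springframework.test.context.ContextConfiguration;
+
+@ContextConfiguration(classes = { SecurityWithCsrfCookieConfig.class, MvcConfig.class })
+public class CsrfCookieEnabledIntegrationTest extends CsrfAbstractIntegrationTest {
+
+@Test
+public void givenNoCsrf_whenAddFoo_thenForbidden() throws Exception {
+// @formatter:off
+mvc
+.perform(post("/auth/foos")
+.contentType(MediaType.APPLICATION_JSON)
+.content(createFoo())
+.with(testUser()))
+.andExpect(status().isForbidden());
+// @formatter:on
+}
+
+@Test
+public void givenCsrf_whenAddFoo_thenCreated() throws Exception {
+// @formatter:off
+mvc
+.perform(post("/auth/foos")
+.contentType(MediaType.APPLICATION_JSON)
+.content(createFoo())
+.with(testUser())
+.with(csrf()))
+.andExpect(status().isCreated());
+// @formatter:on
+}
+
+}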
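Review bot: Neither test actually exercises the cookie-based token repository that SecurityWithCsrfCookieConfig installs, because the `csrf()` post-processor in givenCsrf_whenAddFoo_thenCreated injects a valid token into the request regardless of where tokens are stored, so this class currently passes against the header/session setup just as well. A test that proves the cookie behaviour would assert that a response sets the token cookie, e.g. `mvc.perform(get("/auth/foos").with(testUser())).andExpect(cookie().exists("XSRF-TOKEN"));` (with `get` and `cookie` added to the static imports; the exact mapped path should be checked against the controller, which is not on this page). `mvc`, `createFoo()` and `testUser()` are inherited from CsrfAbstractIntegrationTest, which is outside this diff.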
Expand Up @@ -14,12 +14,25 @@ public class CsrfDisabledIntegrationTest extends CsrfAbstractIntegrationTest {

@Test
public void givenNotAuth_whenAddFoo_thenUnauthorized() throws Exception {
mvc.perform(post("/auth/foos").contentType(MediaType.APPLICATION_JSON).content(createFoo())).andExpect(status().isUnauthorized());
// @formatter:off
mvc
.perform(post("/auth/foos")
.contentType(MediaType.APPLICATION_JSON)
.content(createFoo()))
.andExpect(status().isUnauthorized());
// @formatter:on
}

@Test
public void givenAuth_whenAddFoo_thenCreated() throws Exception {
mvc.perform(post("/auth/foos").contentType(MediaType.APPLICATION_JSON).content(createFoo()).with(testUser())).andExpect(status().isCreated());
// @formatter:off
mvc
.perform(post("/auth/foos")
.contentType(MediaType.APPLICATION_JSON)
.content(createFoo())
.with(testUser()))
.andExpect(status().isCreated());
// @formatter:on
}

}
Expand Up @@ -15,12 +15,27 @@ public class CsrfEnabledIntegrationTest extends CsrfAbstractIntegrationTest {

@Test
public void givenNoCsrf_whenAddFoo_thenForbidden() throws Exception {
mvc.perform(post("/auth/foos").contentType(MediaType.APPLICATION_JSON).content(createFoo()).with(testUser())).andExpect(status().isForbidden());
// @formatter:off
mvc
.perform(post("/auth/foos")
.contentType(MediaType.APPLICATION_JSON)
.content(createFoo())
.with(testUser()))
.andExpect(status().isForbidden());
// @formatter:on
}

@Test
public void givenCsrf_whenAddFoo_thenCreated() throws Exception {
mvc.perform(post("/auth/foos").contentType(MediaType.APPLICATION_JSON).content(createFoo()).with(testUser()).with(csrf())).andExpect(status().isCreated());
// @formatter:off
mvc
.perform(post("/auth/foos")
.contentType(MediaType.APPLICATION_JSON)
.content(createFoo())
.with(testUser())
.with(csrf()))
.andExpect(status().isCreated());
// @formatter:on
}

}
Expand Up @@ -27,7 +27,17 @@ public AuthenticationManager authenticationManagerBean() throws Exception {

@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user1").password("user1Pass").authorities("ROLE_USER").and().withUser("admin").password("adminPass").authorities("ROLE_ADMIN");
// @formatter:off
auth
.inMemoryAuthentication()
.withUser("user1")
.password("user1Pass")
.authorities("ROLE_USER")
.and()
.withUser("admin")
.password("adminPass")
.authorities("ROLE_ADMIN");
// @formatter:on
}

@Override
Expand All @@ -45,8 +55,7 @@ protected void configure(final HttpSecurity http) throws Exception {
.and()
.httpBasic()
.and()
.headers().cacheControl().disable()
;
.headers().cacheControl().disable();
// @formatter:on
}

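--- a/PATH-NOT-ON-PAGE/com/baeldung/security/spring/SecurityWithCsrfCookieConfig.java
+++ b/PATH-NOT-ON-PAGE/com/baeldung/security/spring/SecurityWithCsrfCookieConfig.java
@@ -0,0 +1,67 @@
+package com.baeldung.security.spring;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+
+@Configuration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class SecurityWithCsrfCookieConfig extends WebSecurityConfigurerAdapter {
+
+public SecurityWithCsrfCookieConfig() {
+super();
+}
+
+@Bean("authenticationManager")
+@Override
+public AuthenticationManager authenticationManagerBean() throws Exception {
+return super.authenticationManagerBean();
+}
+
+@Override
+protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
+// @formatter:off
+auth
+.inMemoryAuthentication()
+.withUser("user1")
+.password("user1Pass")
+.authorities("ROLE_USER")
+.and()
+.withUser("admin")
+.password("adminPass")
+.authorities("ROLE_ADMIN");
+// @formatter:on
+}
+
+@Override
+public void configure(final WebSecurity web) throws Exception {
+web.ignoring().antMatchers("/resources/**");
+}
+
+@Override
+protected void configure(final HttpSecurity http) throws Exception {
+// @formatter:off
+http
+.authorizeRequests()
+.antMatchers("/auth/admin/*").hasAnyRole("ROLE_ADMIN")
+.anyRequest().authenticated()
+.and()
+.httpBasic()
+.and()
+.headers().cacheControl().disable()
+// Stateless API CSRF configuration
+.and()
+.csrf()
+.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
+// @formatter:on
+}
+
+}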
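Review bot: `hasAnyRole("ROLE_ADMIN")` on the `/auth/admin/*` matcher in configure(HttpSecurity) is most likely wrong, because `hasAnyRole` prepends `ROLE_` itself, so the rule evaluates `hasAnyRole('ROLE_ROLE_ADMIN')` and the in-memory `admin` user, whose authority is `ROLE_ADMIN`, is denied; more recent Spring Security versions reject the already-prefixed form at startup instead. Change the line to `.antMatchers("/auth/admin/*").hasAnyRole("ADMIN")`, or keep the full authority name with `.hasAuthority("ROLE_ADMIN")`. The sibling configuration files in this commit presumably carry the same matcher, but their corresponding lines fall outside the hunks shown. If the project is on Spring Security 5, the plain `password("user1Pass")` values also need a `{noop}` prefix or a PasswordEncoder bean, otherwise authentication fails at runtime. The comment `// Stateless API CSRF configuration` would say more as `// CSRF token kept in the XSRF-TOKEN cookie (not HttpOnly) so a browser client can read it and echo it back in the X-XSRF-TOKEN header`.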
Expand Up @@ -27,7 +27,17 @@ public AuthenticationManager authenticationManagerBean() throws Exception {

@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user1").password("user1Pass").authorities("ROLE_USER").and().withUser("admin").password("adminPass").authorities("ROLE_ADMIN");
// @formatter:off
auth
.inMemoryAuthentication()
.withUser("user1")
.password("user1Pass")
.authorities("ROLE_USER")
.and()
.withUser("admin")
.password("adminPass")
.authorities("ROLE_ADMIN");
// @formatter:on
}

@Override
Expand All @@ -47,8 +57,7 @@ protected void configure(final HttpSecurity http) throws Exception {
.and()
.headers().cacheControl().disable()
.and()
.csrf().disable()
;
.csrf().disable();
// @formatter:on
}
