/**
 * With the {@code CreateSessionNever} configuration a session the request already carries
 * is still used: after a successful form login the security context ends up stored in that
 * pre-existing session rather than in a newly created one.
 */
@Test
public void requestWhenCreateSessionIsSetToNeverThenUsesExistingSession() throws Exception {
	this.spring.configLocations(this.xml("CreateSessionNever")).autowire();
	MockHttpSession preExistingSession = new MockHttpSession();
	MockHttpServletRequest loginRequest = post("/login")
			.param("username", "user")
			.param("password", "password")
			.buildRequest(this.servletContext());
	// populate a valid CSRF token first, then attach the session the client "already has"
	// (same order as the original flow; the post-processor may touch session state)
	loginRequest = csrf().postProcessRequest(loginRequest);
	loginRequest.setSession(preExistingSession);
	MockHttpServletResponse loginResponse = request(loginRequest, this.spring.getContext());
	// a successful form login answers with a redirect
	assertThat(loginResponse.getStatus()).isEqualTo(HttpStatus.SC_MOVED_TEMPORARILY);
	// getSession(false) never creates a session, so a non-null result is the one supplied above
	// (presumably; the config name suggests no session may be created — confirm against the XML)
	assertThat(loginRequest.getSession(false)).isNotNull();
	Object storedContext = loginRequest.getSession(false).getAttribute(SPRING_SECURITY_CONTEXT_KEY);
	assertThat(storedContext).isNotNull();
}
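/**
 * Uploads a document into project 1 as the mock admin and checks that it is listed
 * afterwards with state {@code NEW}.
 * <p>
 * Every call sends the CSRF token as a header and authenticates as a mock user with role
 * {@code ADMIN}. The {@code t00N_} prefix suggests the tests in this class run in name order
 * and share state (project 1 is expected to exist already) — confirm the method sorter used.
 *
 * @throws Exception if MockMvc fails to perform a request
 */
@Test
public void t002_testDocumentCreate() throws Exception {
    // listing before the upload: OK and no messages
    mvc.perform(get(API_BASE + "/projects/1/documents")
            .with(csrf().asHeader())
            .with(user("admin").roles("ADMIN")))
            .andExpect(status().isOk())
            .andExpect(content().contentType("application/json;charset=UTF-8"))
            .andExpect(jsonPath("$.messages").isEmpty());
    // upload: a Charset constant instead of a charset name avoids the checked
    // UnsupportedEncodingException and a typo-prone string
    mvc.perform(multipart(API_BASE + "/projects/1/documents")
            .file("content", "This is a test.".getBytes(java.nio.charset.StandardCharsets.UTF_8))
            .with(csrf().asHeader())
            .with(user("admin").roles("ADMIN"))
            .param("name", "test.txt")
            .param("format", "text"))
            .andExpect(status().isCreated())
            .andExpect(content().contentType("application/json;charset=UTF-8"))
            .andExpect(jsonPath("$.body.id").value("1"))
            .andExpect(jsonPath("$.body.name").value("test.txt"));
    // listing after the upload: the new document is the first entry and still unannotated
    mvc.perform(get(API_BASE + "/projects/1/documents")
            .with(csrf().asHeader())
            .with(user("admin").roles("ADMIN")))
            .andExpect(status().isOk())
            .andExpect(content().contentType("application/json;charset=UTF-8"))
            .andExpect(jsonPath("$.body[0].id").value("1"))
            .andExpect(jsonPath("$.body[0].name").value("test.txt"))
            .andExpect(jsonPath("$.body[0].state").value("NEW"));
}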
/**
 * Creates the first project through the REST API as the mock admin and verifies it then
 * appears as the first entry of the project listing.
 * <p>
 * All requests carry the CSRF token as a header and run as a mock {@code ADMIN} user.
 *
 * @throws Exception if MockMvc fails to perform a request
 */
@Test
public void t001_testProjectCreate() throws Exception {
    expectProjectListingWithoutMessages();
    mvc.perform(post(API_BASE + "/projects")
            .with(csrf().asHeader())
            .with(user("admin").roles("ADMIN"))
            .contentType(MediaType.MULTIPART_FORM_DATA)
            .param("name", "project1"))
            .andExpect(status().isCreated())
            .andExpect(content().contentType("application/json;charset=UTF-8"))
            .andExpect(jsonPath("$.body.id").value("1"))
            .andExpect(jsonPath("$.body.name").value("project1"));
    expectFirstListedProject("1", "project1");
}

/** Lists the projects as the mock admin and expects an OK JSON response with no messages. */
private void expectProjectListingWithoutMessages() throws Exception {
    mvc.perform(get(API_BASE + "/projects")
            .with(csrf().asHeader())
            .with(user("admin").roles("ADMIN")))
            .andExpect(status().isOk())
            .andExpect(content().contentType("application/json;charset=UTF-8"))
            .andExpect(jsonPath("$.messages").isEmpty());
}

/** Lists the projects as the mock admin and expects the first entry to have the given id and name. */
private void expectFirstListedProject(String expectedId, String expectedName) throws Exception {
    mvc.perform(get(API_BASE + "/projects")
            .with(csrf().asHeader())
            .with(user("admin").roles("ADMIN")))
            .andExpect(status().isOk())
            .andExpect(content().contentType("application/json;charset=UTF-8"))
            .andExpect(jsonPath("$.body[0].id").value(expectedId))
            .andExpect(jsonPath("$.body[0].name").value(expectedName));
}
/**
 * Deletes the curation of document 1 in project 1 as the mock admin and verifies the
 * document's state is reported as {@code ANNOTATION-IN-PROGRESS} afterwards.
 * <p>
 * Relies on the document created by an earlier test in this class (name-ordered run —
 * confirm the method sorter). All requests carry the CSRF token as a header and run as a
 * mock {@code ADMIN} user.
 *
 * @throws Exception if MockMvc fails to perform a request
 */
@Test
public void t005_testCurationDelete() throws Exception {
    // projectId/documentId are also sent as parameters although they are in the path;
    // presumably the endpoint ignores the duplicates — confirm against the controller
    mvc.perform(delete(API_BASE + "/projects/1/documents/1/curation")
            .with(csrf().asHeader())
            .with(user("admin").roles("ADMIN"))
            .param("projectId", "1")
            .param("documentId", "1"))
            .andExpect(status().isOk())
            .andExpect(content().contentType("application/json;charset=UTF-8"));
    expectFirstListedDocument("1", "test.txt", "ANNOTATION-IN-PROGRESS");
}

/** Lists project 1's documents as the mock admin and checks id, name and state of the first entry. */
private void expectFirstListedDocument(String expectedId, String expectedName, String expectedState)
        throws Exception {
    mvc.perform(get(API_BASE + "/projects/1/documents")
            .with(csrf().asHeader())
            .with(user("admin").roles("ADMIN")))
            .andExpect(status().isOk())
            .andExpect(content().contentType("application/json;charset=UTF-8"))
            .andExpect(jsonPath("$.body[0].id").value(expectedId))
            .andExpect(jsonPath("$.body[0].name").value(expectedName))
            .andExpect(jsonPath("$.body[0].state").value(expectedState));
}
/**
 * Creates a {@link RequestPostProcessor} that populates a valid {@link CsrfToken} in the
 * request, so a test does not have to obtain and attach the token itself.
 *
 * @return a new {@link CsrfRequestPostProcessor}; it can be customized further before it is
 * applied to a request.
 */
public static CsrfRequestPostProcessor csrf() {
	CsrfRequestPostProcessor processor = new CsrfRequestPostProcessor();
	return processor;
}
/**
 * Creates a {@link RequestPostProcessor} that adds a valid {@link CsrfToken} to the request
 * on the test's behalf.
 *
 * @return a fresh {@link CsrfRequestPostProcessor} for further customization.
 */
public static CsrfRequestPostProcessor csrf() {
	final CsrfRequestPostProcessor csrfPostProcessor = new CsrfRequestPostProcessor();
	return csrfPostProcessor;
}
/**
 * An authenticated user (via {@link WithMockUser}) whose POST carries a CSRF token that
 * does not match is refused with 403: authentication alone must not satisfy the CSRF check.
 */
@Test
@WithMockUser
public void postWhenCsrfMismatchesThenForbidden() throws Exception {
	this.spring.configLocations(this.xml("shared-controllers"), this.xml("AutoConfig")).autowire();
	// a first GET establishes the session that the POST below reuses
	MvcResult okResult = this.mvc.perform(get("/ok")).andReturn();
	MockHttpSession establishedSession = (MockHttpSession) okResult.getRequest().getSession();
	// same session, deliberately wrong token
	this.mvc.perform(post("/ok").session(establishedSession).with(csrf().useInvalidToken()))
			.andExpect(status().isForbidden());
}
/**
 * With the {@code CreateSessionNever} configuration a form login that arrives without a
 * session succeeds (redirect) but does not get a session created for it.
 */
@Test
public void requestWhenCreateSessionIsSetToNeverThenDoesNotCreateSessionOnLogin() throws Exception {
	this.spring.configLocations(this.xml("CreateSessionNever")).autowire();
	// build the login post and have csrf() attach a valid token in one go
	MockHttpServletRequest loginRequest = csrf().postProcessRequest(post("/login")
			.param("username", "user")
			.param("password", "password")
			.buildRequest(this.servletContext()));
	MockHttpServletResponse loginResponse = request(loginRequest, this.spring.getContext());
	assertThat(loginResponse.getStatus()).isEqualTo(HttpStatus.SC_MOVED_TEMPORARILY);
	// getSession(false) does not create; null shows the filter chain created none either
	assertThat(loginRequest.getSession(false)).isNull();
}
/**
 * With the {@code CreateSessionIfRequired} configuration a form login that arrives without a
 * session ends up with one after the redirect.
 */
@Test
public void requestWhenCreateSessionIsSetToIfRequiredThenCreatesSessionOnLogin() throws Exception {
	this.spring.configLocations(this.xml("CreateSessionIfRequired")).autowire();
	// NOTE(review): the servlet context is taken from the dispatcher servlet here; sibling
	// tests use a servletContext() helper — confirm whether that helper exists in this class
	MockHttpServletRequest loginRequest = post("/login")
			.param("username", "user")
			.param("password", "password")
			.buildRequest(this.mvc.getDispatcherServlet().getServletContext());
	loginRequest = csrf().postProcessRequest(loginRequest);
	MockHttpServletResponse loginResponse = request(loginRequest, this.spring.getContext());
	assertThat(loginResponse.getStatus()).isEqualTo(HttpStatus.SC_MOVED_TEMPORARILY);
	// getSession(false) does not create, so a non-null result means login created the session
	assertThat(loginRequest.getSession(false)).isNotNull();
}