Add csrf token with mockmvc and junit

I have a view with two meta tags (I use Thymeleaf):

    <meta name="_csrf" th:content="${_csrf.token}" />
    <meta name="_csrf_header" th:content="${_csrf.headerName}" />

In my test controller, I do this:

// Generate a CSRF token with the session-backed repository. The MockHttpServletRequest
// passed here is a throwaway; it is not the request the test performs below.
HttpSessionCsrfTokenRepository httpSessionCsrfTokenRepository = new HttpSessionCsrfTokenRepository();
CsrfToken csrfToken2 = httpSessionCsrfTokenRepository.generateToken(new MockHttpServletRequest());

// Build an authenticated principal ("foo") with a single authority for the request.
CustomUser user = new CustomUser();
user.setName("foo");
user.setSurname("fooo");
List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
grantedAuthorities.add(new SimpleGrantedAuthority("role"));

UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("foo", "fooo", grantedAuthorities);
token.setDetails(user);     

// Seed a mock session with the security context and the generated token.
MockHttpSession session = new MockHttpSession();
session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, new MockSecurityContext(token));
// NOTE(review): the template evaluates ${_csrf.token}, which SpringEL appears to resolve
// as a request attribute rather than a session attribute (compare ${session._csrf...}
// in the answers); this session entry alone does not make ${_csrf} visible to the view,
// which is consistent with the EL1007E error below. The token has to be on the request.
session.setAttribute("_csrf", csrfToken2);


// Perform the POST with the seeded session; "...." stands for the remaining .param() calls.
this.mockMvc.perform(post("/foo/update")
            .param("param", "asdfasd")
            ....
            .session(session)
            )
        .andExpect(view().name(("foo/detail"))).andExpect(model().hasErrors())  

When I run the test, I get this error (the token is not found, i.e. it is null):

org.springframework.web.util.NestedServletException: Request ; org.thymeleaf.exceptions.TemplateProcessingException: SpringEL: "_csrf.token" (layout/default: 4) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:979)    org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869)    javax.servlet.http.HttpServlet.service(HttpServlet.java:707) org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)    org.springframework.test.web.servlet.TestDispatcherServlet.service(TestDispatcherServlet.java:65)    javax.servlet.http.HttpServlet.service(HttpServlet.java:790) org.springframework.mock.web.MockFilterChain $ServletFilterProxy.doFilter(MockFilterChain.java:167)    org.springframework.mock.web.MockFilterChain.doFilter(MockFilterChain.java:134)    org.springframework.test.web.servlet.MockMvc.perform(MockMvc.java:144)    es.xunta.amtega.axipro.web.controller.SolicitudeControllerSaveTest.testSaveValidator(SolicitudeControllerSaveTest.java:144)   at sun.reflect.NativeMethodAccessorImpl.invoke0 ( ) sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)    java.lang.reflect.Method.invoke(Method.java:601) org.junit.runners.model.FrameworkMethod $1.runReflectiveCall(FrameworkMethod.java:50)    org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)    org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)    org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)    org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)    org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:75)    org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:86)    
org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:70)    org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325) org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:224)    org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:83)    org.junit.runners.ParentRunner $3.run(ParentRunner.java:290) org.junit.runners.ParentRunner $1.schedule(ParentRunner.java:71) org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288) org.junit.runners.ParentRunner.access $000 (ParentRunner.java:58) org.junit.runners.ParentRunner $2. (ParentRunner.java:268) org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)    org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)    org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)    org.junit.runners.ParentRunner.run(ParentRunner.java:363) org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:163)    org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)    org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)    org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459)    org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:675)    org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382)    org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192) : org.thymeleaf.exceptions.TemplateProcessingException: , SpringEL: "_csrf.token" (/ : 4) org.thymeleaf.spring4.expression.SpelVariableExpressionEvaluator.evaluate(SpelVariableExpressionEvaluator.java:161)    
org.thymeleaf.standard.expression.VariableExpression.executeVariable(VariableExpression.java:154)    org.thymeleaf.standard.expression.SimpleExpression.executeSimple(SimpleExpression.java:59)    org.thymeleaf.standard.expression.Expression.execute(Expression.java:103)    org.thymeleaf.standard.expression.Expression.execute(Expression.java:133)    org.thymeleaf.standard.expression.Expression.execute(Expression.java:120)    org.thymeleaf.standard.processor.attr.AbstractStandardSingleAttributeModifierAttrProcessor.getTargetAttributeValue(AbstractStandardSingleAttributeModifierAttrProcessor.java:67)    org.thymeleaf.processor.attr.AbstractSingleAttributeModifierAttrProcessor.getModifiedAttributeValues ​​(AbstractSingleAttributeModifierAttrProcessor.java:59)    org.thymeleaf.processor.attr.AbstractAttributeModifierAttrProcessor.processAttribute(AbstractAttributeModifierAttrProcessor.java:62)    org.thymeleaf.processor.attr.AbstractAttrProcessor.doProcess(AbstractAttrProcessor.java:87)    org.thymeleaf.processor.AbstractProcessor.process(AbstractProcessor.java:212)    org.thymeleaf.dom.Node.applyNextProcessor(Node.java: 1017) at org.thymeleaf.dom.Node.processNode(Node.java: 972) at org.thymeleaf.dom.NestableNode.computeNextChild(NestableNode.java:695)    org.thymeleaf.dom.NestableNode.doAdditionalProcess(NestableNode.java:668)    org.thymeleaf.dom.Node.processNode(Node.java: 990) at org.thymeleaf.dom.NestableNode.computeNextChild(NestableNode.java:695)    org.thymeleaf.dom.NestableNode.doAdditionalProcess(NestableNode.java:668)    org.thymeleaf.dom.Node.processNode(Node.java: 990) at org.thymeleaf.dom.NestableNode.computeNextChild(NestableNode.java:695)    org.thymeleaf.dom.NestableNode.doAdditionalProcess(NestableNode.java:668)    org.thymeleaf.dom.Node.processNode(Node.java: 990) at org.thymeleaf.dom.Document.process(Document.java:93) org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1155) org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1060) at 
org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1011) org.thymeleaf.spring4.view.ThymeleafView.renderFragment(ThymeleafView.java:335)    org.thymeleaf.spring4.view.ThymeleafView.render(ThymeleafView.java:190)    org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1244)    org.springframework.test.web.servlet.TestDispatcherServlet.render(TestDispatcherServlet.java:105)    org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1027)    org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:971)    org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)    org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)   ... 40 : org.springframework.expression.spel.SpelEvaluationException: EL1007E: (pos 0): "" org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:220)    org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:94)    org.springframework.expression.spel.ast.PropertyOrFieldReference.access $000 (PropertyOrFieldReference.java:46)    org.springframework.expression.spel.ast.PropertyOrFieldReference $AccessorLValue.getValue(PropertyOrFieldReference.java:374)    org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)    org.springframework.expression.spel.ast.SpelNodeImpl.getValue(SpelNodeImpl.java:120)    org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:267)    org.thymeleaf.spring4.expression.SpelVariableExpressionEvaluator.evaluate(SpelVariableExpressionEvaluator.java:139)   ... 73

One workaround is to render the meta tags only when the token is present:

<th:block th:if="${_csrf}">
   <meta name="_csrf" th:content="${_csrf.token}" />
   <meta name="_csrf_header" th:content="${_csrf.headerName}" />
</th:block> 

,

th:text="${session._csrf.headerName}">
th:text="${session._csrf.token}">

. spring thymeleaf

MockMvc can add a csrf token to the request for you:

// csrf() is the static SecurityMockMvcRequestPostProcessors.csrf() from Spring Security's test support
mvc
.perform(post("/").with(csrf()))

. -


When CSRF protection is enabled, Spring Security exposes a `_csrf` attribute whose `token`, `headerName` and `parameterName` properties the view can use. There are two usual ways to include the CSRF token in a page:

  • as meta tags in the page head:

    <meta name="_csrf" th:content="${_csrf.token}" />
    <meta name="_csrf_header" th:content="${_csrf.headerName}" />
    
  • as a hidden form field:

    <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
    

`SecurityMockMvcRequestPostProcessors.csrf` only adds the token value as a header or as a request parameter, roughly:

    ...
    request.addHeader(token.getHeaderName(), tokenValue);
    ...
    request.setParameter(token.getParameterName(), tokenValue);

Since that does not make the token available as a request attribute, I use a `RequestPostProcessor` of my own:

    package ...;

    import org.springframework.mock.web.MockHttpServletRequest;
    import org.springframework.mock.web.MockHttpServletResponse;
    import org.springframework.security.test.web.support.WebTestUtils;
    import org.springframework.security.web.csrf.CsrfToken;
    import org.springframework.security.web.csrf.CsrfTokenRepository;
    import org.springframework.test.web.servlet.request.RequestPostProcessor;

    /**
     * A request post processor to add <em>csrf</em> information.
     */
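    /**
     * A request post processor to add <em>csrf</em> information.
     *
     * <p>Unlike {@code SecurityMockMvcRequestPostProcessors.csrf()}, which only submits the
     * token value as a header or parameter, this processor also stores the generated
     * {@link CsrfToken} as a request attribute (keyed by the token's parameter name, {@code _csrf}
     * by default), so a rendered view can resolve {@code ${_csrf}}. The token is saved in the
     * configured {@link CsrfTokenRepository} so it is also accepted by the security filter chain;
     * {@link #invalidToken()} submits a deliberately wrong value while the stored token stays valid.
     *
     * <p>Instances are mutable builders and are not thread-safe; create one per request.
     */
    public class CsrfRequestPostProcessor implements RequestPostProcessor {

        private boolean useInvalidToken;

        private boolean asHeader;

        /**
         * Generates a CSRF token for the request, saves it in the repository and exposes it
         * both as request attributes (read by the view) and as a header or parameter
         * (read by the filter chain).
         *
         * @param request the request under construction
         * @return the same request with csrf information added
         */
        @Override
        public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
            CsrfTokenRepository repository = WebTestUtils.getCsrfTokenRepository(request);
            CsrfToken token = repository.generateToken(request);
            repository.saveToken(token, request, new MockHttpServletResponse());

            // Expose the token the same way CsrfFilter does on a real request, so that
            // ${_csrf.token} / ${_csrf.headerName} / ${_csrf.parameterName} resolve in the view
            // regardless of how the value is submitted.
            request.setAttribute(CsrfToken.class.getName(), token);
            request.setAttribute(token.getParameterName(), token);

            // The value actually submitted. With invalidToken() it deliberately mismatches the
            // stored token, so a test can assert that a wrong token is rejected.
            String tokenValue = useInvalidToken ? "invalid" + token.getToken() : token.getToken();
            if (asHeader) {
                request.addHeader(token.getHeaderName(), tokenValue);
            } else {
                request.setParameter(token.getParameterName(), tokenValue);
            }
            return request;
        }

        /**
         * Submits a deliberately invalid token value; the token saved in the repository stays valid.
         *
         * @return this processor, for chaining
         */
        public CsrfRequestPostProcessor invalidToken() {
            this.useInvalidToken = true;
            return this;
        }

        /**
         * Submits the token value as a request header instead of a request parameter.
         *
         * @return this processor, for chaining
         */
        public CsrfRequestPostProcessor asHeader() {
            this.asHeader = true;
            return this;
        }

        /**
         * Creates a processor that submits a valid token as a request parameter.
         *
         * @return a new processor
         */
        public static CsrfRequestPostProcessor csrf() {
            return new CsrfRequestPostProcessor();
        }
    }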

Usage with MockMvc:

// Apply the custom post processor so the token is generated, saved and exposed on the
// request before the handler and the view run; other .param()/.with() calls chain as usual.
mockMvc.perform(
        get("/security/winsso")
                .with(CsrfRequestPostProcessor.csrf())
                .param("xxx", XXX)
                .param("yyy", YYY))
        .andExpect(status().isOk());

`asHeader` selects whether the token is exposed under its header name or under its parameter name.


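/**
 * MockMvc test that runs requests through the Spring Security filter chain.
 *
 * <p>Registering {@code springSecurityFilterChain} means the security filters (including
 * the CSRF filter) run for each performed request, so request attributes such as
 * {@code _csrf} are populated before the view is rendered.
 */
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration
@WebAppConfiguration
public class CsrfShowcaseTests {

  @Autowired
  private WebApplicationContext context;

  @Autowired
  private Filter springSecurityFilterChain;

  // Built in setup() before each test; this is the only MockMvc field in the class.
  private MockMvc mvc;

  @Before
  public void setup() {
    mvc = MockMvcBuilders
        .webAppContextSetup(context)
        .addFilters(springSecurityFilterChain)
        .build();
  }

  /**
   * GET /index renders the "/index" view with the expected model attributes and no errors.
   *
   * @throws Exception if MockMvc fails to perform the request
   */
  @Test
  public void verifiesHomePageLoads() throws Exception {
    // The field is named mvc (see setup()); there is no mockMvc field in this class.
    mvc.perform(MockMvcRequestBuilders.get("/index"))
        .andExpect(MockMvcResultMatchers.model().hasNoErrors())
        .andExpect(MockMvcResultMatchers.model().attributeExists("word", "w", "mobil"))
        .andExpect(MockMvcResultMatchers.view().name("/index"))
        .andExpect(MockMvcResultMatchers.status().isOk());
  }
}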

Thymeleaf:

 <form id="suggetWord" name="suggetWord" data-th-action="@{/suggest-word(${_csrf.parameterName}=${_csrf.token})}" ></form>
 <form class="mainForm" th:id="word-search" th:name="word-search" data-th-action="@{/word-search(${_csrf.parameterName}=${_csrf.token})}"  > </form>    