@Override
protected void doFilterInternal(
HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
// Spring Security will allow the Token to be included in this header name
response.setHeader("X-CSRF-HEADER", token.getHeaderName());
// Spring Security will allow the token to be included in this parameter name
response.setHeader("X-CSRF-PARAM", token.getParameterName());
// this is the value of the token to be included as either a header or an HTTP parameter
response.setHeader("X-CSRF-TOKEN", token.getToken());
// Cookie Base Approach for CSRF token
// String pCookieName = "XSRF-TOKEN";
//
// try {
// Cookie cookie = new Cookie(pCookieName, token.getToken());
// URL url = new URL(request.getRequestURL().toString());
// cookie.setDomain(url.getHost());
// cookie.setComment("user is not eligible to take the survey this time");
// cookie.setMaxAge(-1);
// response.addCookie(cookie);
// } catch (MalformedURLException e) {
// e.printStackTrace();
// }
filterChain.doFilter(request, response);
}
/*
* (non-Javadoc)
*
* @see
* org.springframework.test.web.servlet.request.RequestPostProcessor
* #postProcessRequest
* (org.springframework.mock.web.MockHttpServletRequest)
*/
public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
CsrfTokenRepository repository = WebTestUtils.getCsrfTokenRepository(request);
CsrfToken token = repository.generateToken(request);
repository.saveToken(token, request, new MockHttpServletResponse());
String tokenValue = useInvalidToken ? "invalid" + token.getToken() : token.getToken();
if (asHeader) {
request.addHeader(token.getHeaderName(), tokenValue);
} else {
request.setParameter(token.getParameterName(), tokenValue);
}
return request;
}
@Test
public void defaults() throws Exception {
MockHttpServletRequest request = formLogin().buildRequest(this.servletContext);
CsrfToken token =
(CsrfToken)
request.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRepository.ATTR_NAME);
assertThat(request.getParameter("username")).isEqualTo("user");
assertThat(request.getParameter("password")).isEqualTo("password");
assertThat(request.getMethod()).isEqualTo("POST");
assertThat(request.getParameter(token.getParameterName())).isEqualTo(token.getToken());
assertThat(request.getRequestURI()).isEqualTo("/login");
assertThat(request.getParameter("_csrf")).isNotNull();
}
