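@Override
protected void doFilterInternal(
        HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws ServletException, IOException {
    // Populated by Spring Security's CsrfFilter earlier in the chain. It is absent when CSRF
    // protection is disabled for this request or this filter is ordered ahead of CsrfFilter;
    // in that case the request must still be passed on rather than failing with an NPE.
    CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
    if (token != null) {
        // Spring Security will allow the Token to be included in this header name
        response.setHeader("X-CSRF-HEADER", token.getHeaderName());
        // Spring Security will allow the token to be included in this parameter name
        response.setHeader("X-CSRF-PARAM", token.getParameterName());
        // this is the value of the token to be included as either a header or an HTTP parameter.
        // Keep this header out of any Access-Control-Expose-Headers list, otherwise a
        // CORS-permitted origin could read the token and defeat the protection.
        response.setHeader("X-CSRF-TOKEN", token.getToken());
    }
    filterChain.doFilter(request, response);
}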
/**
 * Generates a CSRF token for the given request, persists it through the configured
 * {@code CsrfTokenRepository}, and attaches the token value either as a header or as a
 * request parameter. When {@code useInvalidToken} is set, the attached value is prefixed
 * so that it deliberately differs from the persisted token.
 *
 * @param request the mock request being prepared
 * @return the same request instance with the token applied
 * @see org.springframework.test.web.servlet.request.RequestPostProcessor#postProcessRequest(org.springframework.mock.web.MockHttpServletRequest)
 */
public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
    CsrfTokenRepository tokenRepository = WebTestUtils.getCsrfTokenRepository(request);
    CsrfToken generated = tokenRepository.generateToken(request);
    // Only the request is available at this point, so a throwaway response receives
    // whatever the repository writes while persisting the token.
    tokenRepository.saveToken(generated, request, new MockHttpServletResponse());

    String valueToSend;
    if (useInvalidToken) {
        // Prefixing the real value guarantees a mismatch against the saved token.
        valueToSend = "invalid" + generated.getToken();
    } else {
        valueToSend = generated.getToken();
    }

    if (asHeader) {
        request.addHeader(generated.getHeaderName(), valueToSend);
        return request;
    }
    request.setParameter(generated.getParameterName(), valueToSend);
    return request;
}
/**
 * With no customization, {@code formLogin()} must build a POST to {@code /login} carrying
 * the default credentials and a CSRF parameter that matches the token stored on the request.
 */
@Test
public void defaults() throws Exception {
    MockHttpServletRequest built = formLogin().buildRequest(this.servletContext);

    assertThat(built.getMethod()).isEqualTo("POST");
    assertThat(built.getRequestURI()).isEqualTo("/login");
    assertThat(built.getParameter("username")).isEqualTo("user");
    assertThat(built.getParameter("password")).isEqualTo("password");

    // The token is read back from the attribute the test repository exposes it under;
    // presumably the CSRF post-processor placed it there while building the request.
    CsrfToken stored =
            (CsrfToken) built.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRepository.ATTR_NAME);
    String csrfParameter = stored.getParameterName();
    assertThat(built.getParameter(csrfParameter)).isEqualTo(stored.getToken());
    assertThat(built.getParameter("_csrf")).isNotNull();
}