/*
 * (non-Javadoc)
 *
 * @see org.springframework.test.web.servlet.request.RequestPostProcessor#postProcessRequest(org.springframework.mock.web.MockHttpServletRequest)
 */
public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
    // Generate a token and save it through the repository the request is wired to,
    // so the request under test carries a token that repository has seen.
    CsrfTokenRepository csrfRepository = WebTestUtils.getCsrfTokenRepository(request);
    CsrfToken generated = csrfRepository.generateToken(request);
    csrfRepository.saveToken(generated, request, new MockHttpServletResponse());

    // Optionally corrupt the value so a test can assert that a bad token is rejected.
    String value = generated.getToken();
    if (useInvalidToken) {
        value = "invalid" + value;
    }

    // Deliver the token the way the test asked for: header or request parameter.
    if (asHeader) {
        request.addHeader(generated.getHeaderName(), value);
        return request;
    }
    request.setParameter(generated.getParameterName(), value);
    return request;
}
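/**
 * Exposes the current CSRF token to the client through response headers.
 *
 * <p>The token is read from the {@code "_csrf"} request attribute and its header
 * name, parameter name and value are written to {@code X-CSRF-HEADER},
 * {@code X-CSRF-PARAM} and {@code X-CSRF-TOKEN} respectively. The chain is
 * always continued afterwards.
 *
 * @param request     the current request, expected to carry the {@code "_csrf"} attribute
 * @param response    the response whose headers receive the token details
 * @param filterChain the remaining chain, always invoked
 * @throws ServletException propagated from the chain
 * @throws IOException      propagated from the chain
 */
@Override
protected void doFilterInternal(
        HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws ServletException, IOException {
    CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
    // NOTE(review): the attribute may be absent (e.g. CSRF protection disabled or
    // this filter ordered before the CSRF filter); the original dereferenced it
    // unconditionally and would fail with an NPE, so skip the headers instead.
    if (token != null) {
        // Spring Security will accept the token under this header name
        response.setHeader("X-CSRF-HEADER", token.getHeaderName());
        // ... or under this parameter name
        response.setHeader("X-CSRF-PARAM", token.getParameterName());
        // the token value itself, to be echoed back as either a header or a parameter
        response.setHeader("X-CSRF-TOKEN", token.getToken());
    }
    filterChain.doFilter(request, response);
}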
/**
 * Authenticates the caller and, on success, makes sure the {@code XSRF-TOKEN}
 * cookie carries the CSRF token Spring Security stored on the request.
 *
 * <p>The cookie is (re)issued only when it is missing or its value differs from
 * the current token, and only when the security context holds an authenticated
 * {@link Authentication}.
 *
 * @param loginDto the validated credentials
 * @param request  the current request, used to read the CSRF token attribute and existing cookie
 * @param response the response that receives the refreshed cookie
 * @return the page DTO with {@code 200 OK} when authenticated, {@code 401} otherwise
 */
@RequestMapping(value = "login", method = RequestMethod.POST)
ResponseEntity<PageDto> login(
        @Validated @RequestBody LoginDto loginDto,
        HttpServletRequest request,
        HttpServletResponse response) {
    PageDto page = userService.login(loginDto);
    if (!page.getHeaderDto().isAuth()) {
        return new ResponseEntity<>(page, null, HttpStatus.UNAUTHORIZED);
    }

    CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
    if (csrfToken != null) {
        Cookie existing = WebUtils.getCookie(request, "XSRF-TOKEN");
        String tokenValue = csrfToken.getToken();
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean cookieStale = existing == null
                || (tokenValue != null && !tokenValue.equals(existing.getValue()));
        if (cookieStale && auth != null && auth.isAuthenticated()) {
            // Readable by script on purpose: the client copies it into the CSRF header.
            Cookie refreshed = new Cookie("XSRF-TOKEN", tokenValue);
            refreshed.setPath("/");
            response.addCookie(refreshed);
        }
    }
    return new ResponseEntity<>(page, null, HttpStatus.OK);
}
/**
 * Stores the CSRF token in the configured cookie; a {@code null} token writes
 * a {@code null} value, which the saver uses to clear the cookie.
 *
 * @param token    the token to persist, or {@code null} to remove it
 * @param request  the current request
 * @param response the response that receives the cookie
 */
@Override
public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
    CookieSaver cookieSaver = new CookieSaver(getCookieConfig());
    String value = (token == null) ? null : token.getToken();
    cookieSaver.set(request, response, value);
}
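/**
 * Mirrors the CSRF token into a {@code CSRF-TOKEN} cookie for the AngularJS client.
 *
 * <p>The token is read from the {@code "_csrf"} request attribute. The cookie is
 * re-sent only when the {@code X-CSRF-TOKEN} header on the incoming request is
 * missing or differs from the current token. The chain is always continued.
 *
 * @param request     the current request
 * @param response    the response that receives the cookie
 * @param filterChain the remaining chain, always invoked
 * @throws ServletException propagated from the chain
 * @throws IOException      propagated from the chain
 */
@Override
protected void doFilterInternal(
        HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws ServletException, IOException {
    // Spring stores the CSRF token in the "_csrf" request attribute.
    CsrfToken csrfToken = (CsrfToken) request.getAttribute("_csrf");
    // The attribute may be absent (CSRF disabled, or filter ordering); the
    // original dereferenced it unconditionally and would throw an NPE.
    if (csrfToken != null) {
        // "Changed" is judged against the header the client sent, not against
        // any cookie already present on the request.
        String presented = request.getHeader("X-CSRF-TOKEN");
        String current = csrfToken.getToken();
        if (presented == null || !presented.equals(current)) {
            // Session cookie (maxAge -1) for the AngularJS client; HttpOnly is
            // deliberately off so script can copy the value into the header.
            Cookie cookie = new Cookie("CSRF-TOKEN", current);
            cookie.setMaxAge(-1);
            cookie.setHttpOnly(false);
            cookie.setPath("/");
            response.addCookie(cookie);
        }
    }
    filterChain.doFilter(request, response);
}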
/**
 * The default form-login request is a POST to {@code /login} carrying the stock
 * {@code user}/{@code password} parameters and the generated CSRF token as a
 * request parameter.
 */
@Test
public void defaults() throws Exception {
    MockHttpServletRequest built = formLogin().buildRequest(this.servletContext);
    CsrfToken csrfToken = (CsrfToken) built.getAttribute(
            CsrfRequestPostProcessor.TestCsrfTokenRepository.ATTR_NAME);

    assertThat(built.getParameter("username")).isEqualTo("user");
    assertThat(built.getParameter("password")).isEqualTo("password");
    assertThat(built.getMethod()).isEqualTo("POST");
    // The token must be present under the name the repository advertises.
    assertThat(built.getParameter(csrfToken.getParameterName())).isEqualTo(csrfToken.getToken());
    assertThat(built.getRequestURI()).isEqualTo("/login");
    assertThat(built.getParameter("_csrf")).isNotNull();
}
/**
 * Keeps the {@code XSRF-TOKEN} cookie in sync with the CSRF token stored on the request.
 *
 * <p>The cookie is (re)issued when it is missing or its value differs from the
 * current token. Nothing is done when the token attribute is absent. The chain
 * is always continued.
 *
 * @param request     the current request
 * @param response    the response that receives the cookie
 * @param filterChain the remaining chain, always invoked
 * @throws ServletException propagated from the chain
 * @throws IOException      propagated from the chain
 */
@Override
protected void doFilterInternal(
        HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws ServletException, IOException {
    CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
    if (csrfToken != null) {
        String expected = csrfToken.getToken();
        Cookie existing = WebUtils.getCookie(request, "XSRF-TOKEN");
        boolean needsRefresh = existing == null
                || (expected != null && !expected.equals(existing.getValue()));
        if (needsRefresh) {
            // Readable by script on purpose: the client copies it into the CSRF header.
            Cookie refreshed = new Cookie("XSRF-TOKEN", expected);
            refreshed.setPath("/");
            response.addCookie(refreshed);
        }
    }
    filterChain.doFilter(request, response);
}
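/**
 * Exposes the CSRF token to the client as the {@code XSRF-TOKEN} response header
 * and as an {@code XSRF_TOKEN} cookie.
 *
 * <p>The token is read from the {@code "_csrf"} request attribute. The cookie now
 * carries the real token value: the previous hard-coded literal was identical
 * for every session and therefore offered no CSRF protection at all. The chain
 * is always continued.
 *
 * @param request     the current request
 * @param response    the response that receives the header and cookie
 * @param filterChain the remaining chain, always invoked
 * @throws ServletException propagated from the chain
 * @throws IOException      propagated from the chain
 */
@Override
protected void doFilterInternal(
        HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws ServletException, IOException {
    CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
    // The attribute may be absent (CSRF disabled, or filter ordering); the
    // original dereferenced it unconditionally and would throw an NPE.
    if (token != null) {
        String tokenValue = token.getToken();
        // the token value the client echoes back as either a header or a parameter
        response.setHeader("XSRF-TOKEN", tokenValue);
        // NOTE(review): the cookie name uses an underscore while the header uses
        // a hyphen, and no path is set (defaults to the request's path) — confirm
        // both against what the client actually reads.
        Cookie cookie = new Cookie("XSRF_TOKEN", tokenValue);
        response.addCookie(cookie);
    }
    filterChain.doFilter(request, response);
}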
/**
 * Keeps the {@link CookieBlog#CSRF_NAME} cookie in sync with the CSRF token
 * stored on the request.
 *
 * <p>The cookie is (re)issued when it is missing or its value differs from the
 * current token; the chain is continued in every case.
 *
 * @param request     the current request
 * @param response    the response that receives the cookie
 * @param filterChain the remaining chain, always invoked
 * @throws ServletException propagated from the chain
 * @throws IOException      propagated from the chain
 */
@Override
protected void doFilterInternal(
        HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws ServletException, IOException {
    final CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
    if (csrfToken == null) {
        filterChain.doFilter(request, response);
        return;
    }

    final Cookie existing = WebUtils.getCookie(request, CookieBlog.CSRF_NAME);
    final String tokenValue = csrfToken.getToken();
    final boolean stale = existing == null
            || (tokenValue != null && !tokenValue.equals(existing.getValue()));
    if (stale) {
        final Cookie refreshed = new Cookie(CookieBlog.CSRF_NAME, tokenValue);
        refreshed.setPath(COOKIE_PATH);
        response.addCookie(refreshed);
    }
    filterChain.doFilter(request, response);
}