@Test @WithMockUser public void postWhenCsrfMismatchesThenForbidden() throws Exception { this.spring.configLocations( this.xml("shared-controllers"), this.xml("AutoConfig") ).autowire(); MvcResult result = this.mvc.perform(get("/ok")).andReturn(); MockHttpSession session = (MockHttpSession) result.getRequest().getSession(); this.mvc.perform(post("/ok") .session(session) .with(csrf().useInvalidToken())) .andExpect(status().isForbidden()); }