/**
 * Renders /change_email for an authenticated user and checks that the page
 * embeds the X-Uaa-Csrf token, i.e. the change-email form is CSRF-protected
 * at the HTML level.
 *
 * Only the presence of the token name in the body is asserted; the token value
 * itself is not inspected here.
 */
@Test
void testChangeEmailPageHasCsrf() throws Exception {
    SecurityContext authenticatedAsMarissa = getMarissaSecurityContext(webApplicationContext);
    MockHttpServletRequestBuilder changeEmailPage = get("/change_email")
            .accept(TEXT_HTML)
            .with(securityContext(authenticatedAsMarissa));
    mockMvc.perform(changeEmailPage)
            .andExpect(status().isOk())
            .andExpect(content().string(containsString("X-Uaa-Csrf")));
}
/**
 * Renders /change_password for an authenticated user and checks the view name,
 * that the form posts to /change_password.do, and that it carries the
 * X-Uaa-Csrf hidden field (so a forged cross-site POST will not have it).
 */
@Test
void testChangePasswordPageDoesHaveCsrf() throws Exception {
    mockMvc.perform(
            get("/change_password")
                    .with(securityContext(MockMvcUtils.getMarissaSecurityContext(webApplicationContext))))
            .andExpect(status().isOk())
            .andExpect(view().name("change_password"))
            // the form must target the .do endpoint and include the CSRF field by name
            .andExpect(content().string(containsString("action=\"/change_password.do\"")))
            .andExpect(content().string(containsString("name=\"X-Uaa-Csrf\"")));
}
/**
 * An already-authenticated user requesting the login page (as HTML) is
 * redirected to /home rather than being shown the login form again.
 */
@Test
void access_login_page_while_logged_in() throws Exception {
    SecurityContext loggedIn = MockMvcUtils.getMarissaSecurityContext(webApplicationContext);
    mockMvc.perform(
            get("/login")
                    .header("Accept", MediaType.TEXT_HTML_VALUE)
                    .with(securityContext(loggedIn)))
            .andExpect(status().isFound())
            .andExpect(redirectedUrl("/home"));
}
/**
 * Submitting /change_email.do with a CSRF token that does not match the cookie
 * is rejected with 403 and forwarded to /invalid_request.
 *
 * Despite the method name, the POST is not sent without a token: it is sent
 * with an invalid one ({@code cookieCsrf().useInvalidToken()}). The preceding
 * GET only confirms the page renders the token; its result is discarded and
 * its session is not carried into the POST.
 */
@Test
void testChangeEmailNoCsrfReturns403AndInvalidRequest() throws Exception {
    assumeFalse(isLimitedMode(limitedModeUaaFilter), "Test only runs in non limited mode.");
    SecurityContext authenticated = getMarissaSecurityContext(webApplicationContext);

    MockHttpServletRequestBuilder pageRequest = get("/change_email")
            .accept(TEXT_HTML)
            .with(securityContext(authenticated));
    mockMvc.perform(pageRequest)
            .andExpect(status().isOk())
            .andExpect(content().string(containsString("X-Uaa-Csrf")))
            .andReturn();

    MockHttpServletRequestBuilder submit = post("/change_email.do")
            .accept(TEXT_HTML)
            .with(securityContext(authenticated))
            .with(cookieCsrf().useInvalidToken())
            .param("newEmail", "test@test.org")
            .param("client_id", "");
    mockMvc.perform(submit)
            .andExpect(status().isForbidden())
            .andExpect(forwardedUrl("/invalid_request"));
}
/**
 * Starts an IdP-initiated SAML flow as the user "marissa" in the IdP zone and
 * returns the response body as a string for the caller to inspect or post on
 * to the SP.
 *
 * The request is routed to the zone via the Host header
 * ({@code <subdomain>.localhost}); the {@code sp} parameter selects the target
 * service provider by entity id.
 */
public String performIdpAuthentication() throws Exception {
    String idpHost = idpZone.getIdentityZone().getSubdomain() + ".localhost";
    RequestPostProcessor authenticatedAsMarissa = securityContext(
            getUaaSecurityContext("marissa", getWebApplicationContext(), idpZone.getIdentityZone()));
    // NOTE: print() dumps the full request/response (including whatever SAML
    // payload the endpoint returns) to stdout, so it ends up in the test log.
    return getMockMvc().perform(
            get("/saml/idp/initiate")
                    .header("Host", idpHost)
                    .param("sp", entityId)
                    .with(authenticatedAsMarissa))
            .andDo(print())
            .andReturn()
            .getResponse()
            .getContentAsString();
}
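/**
 * Submitting /change_email.do with a CSRF cookie/token pair the filter accepts
 * (supplied by {@code cookieCsrf()}) is allowed through and redirects to the
 * email-sent page.
 *
 * This is the template for exercising a CSRF-protected endpoint in tests: the
 * post-processor supplies a valid token rather than disabling the check, so the
 * protection itself stays under test. No session is established beforehand;
 * the post-processor alone is enough here.
 */
@Test
void testChangeEmailSubmitWithSpringSecurityForcedCsrf() throws Exception {
    assumeFalse(isLimitedMode(limitedModeUaaFilter), "Test only runs in non limited mode.");
    SecurityContext authenticated = getMarissaSecurityContext(webApplicationContext);
    MockHttpServletRequestBuilder submit = post("/change_email.do")
            .accept(TEXT_HTML)
            .with(securityContext(authenticated))
            .with(cookieCsrf())
            .param("newEmail", "test@test.org")
            .param("client_id", "");
    // Leftover debug output (printing the session to stdout) removed; it
    // asserted nothing and only added noise to the test log.
    mockMvc.perform(submit)
            .andExpect(status().isFound())
            .andExpect(redirectedUrl("email_sent?code=email_change"));
}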
/**
 * Loads /change_email to obtain a session that has seen the CSRF token, then
 * posts /change_email.do in that session with a mismatching token and expects
 * 403 forwarded to /invalid_request.
 *
 * Note: the name says "missing" but the request actually carries an invalid
 * token ({@code useInvalidToken()}); a request with the token absent entirely
 * is not exercised here.
 */
@Test
void testChangeEmailSubmitWithMissingCsrf() throws Exception {
    assumeFalse(isLimitedMode(limitedModeUaaFilter), "Test only runs in non limited mode.");
    SecurityContext authenticated = getMarissaSecurityContext(webApplicationContext);

    MvcResult pageResult = mockMvc.perform(
            get("/change_email")
                    .accept(TEXT_HTML)
                    .with(securityContext(authenticated)))
            .andExpect(status().isOk())
            .andExpect(content().string(containsString("X-Uaa-Csrf")))
            .andReturn();
    MockHttpSession pageSession = (MockHttpSession) pageResult.getRequest().getSession();

    // Same session as the GET, but the submitted token does not match the cookie.
    mockMvc.perform(
            post("/change_email.do")
                    .accept(TEXT_HTML)
                    .session(pageSession)
                    .with(cookieCsrf().useInvalidToken())
                    .with(securityContext(authenticated))
                    .param("newEmail", "test@test.org")
                    .param("client_id", ""))
            .andExpect(status().isForbidden())
            .andExpect(forwardedUrl("/invalid_request"));
}
/**
 * Happy path: load /change_email, reuse its session, and post
 * /change_email.do with a CSRF cookie/token pair the filter accepts. The
 * submission is accepted and redirects to the email-sent page.
 */
@Test
void testChangeEmailSubmitWithCorrectCsrf() throws Exception {
    assumeFalse(isLimitedMode(limitedModeUaaFilter), "Test only runs in non limited mode.");
    SecurityContext authenticated = getMarissaSecurityContext(webApplicationContext);

    MockHttpSession pageSession = (MockHttpSession) mockMvc.perform(
            get("/change_email")
                    .accept(TEXT_HTML)
                    .with(securityContext(authenticated)))
            .andExpect(status().isOk())
            .andExpect(content().string(containsString("X-Uaa-Csrf")))
            .andReturn()
            .getRequest()
            .getSession();

    mockMvc.perform(
            post("/change_email.do")
                    .accept(TEXT_HTML)
                    .with(securityContext(authenticated))
                    .with(cookieCsrf())
                    .session(pageSession)
                    .param("newEmail", "test@test.org")
                    .param("client_id", ""))
            .andExpect(status().isFound())
            .andExpect(redirectedUrl("email_sent?code=email_change"));
}
/**
 * Loads /change_email, reuses its session, and posts /change_email.do with a
 * CSRF token that does not match the cookie; expects 403 forwarded to
 * /invalid_request.
 *
 * This covers the same path as testChangeEmailSubmitWithMissingCsrf (both send
 * an invalid, not an absent, token); they differ only in the order the request
 * builder is configured.
 */
@Test
void testChangeEmailSubmitWithInvalidCsrf() throws Exception {
    assumeFalse(isLimitedMode(limitedModeUaaFilter), "Test only runs in non limited mode.");
    SecurityContext authenticated = getMarissaSecurityContext(webApplicationContext);

    MockHttpServletRequestBuilder pageRequest = get("/change_email")
            .accept(TEXT_HTML)
            .with(securityContext(authenticated));
    MvcResult pageResult = mockMvc.perform(pageRequest)
            .andExpect(status().isOk())
            .andExpect(content().string(containsString("X-Uaa-Csrf")))
            .andReturn();
    MockHttpSession pageSession = (MockHttpSession) pageResult.getRequest().getSession();

    MockHttpServletRequestBuilder submit = post("/change_email.do")
            .accept(TEXT_HTML)
            .session(pageSession)
            .with(securityContext(authenticated))
            .param("newEmail", "test@test.org")
            .param("client_id", "")
            .with(cookieCsrf().useInvalidToken());
    mockMvc.perform(submit)
            .andExpect(status().isForbidden())
            .andExpect(forwardedUrl("/invalid_request"));
}
.with(securityContext(getUaaSecurityContext(marissa.getUserName(), webApplicationContext, zone))) .header("Host", zone.getSubdomain() + ".localhost") .with(securityContext(getUaaSecurityContext(marissa.getUserName(), webApplicationContext, zone))) .header("Host", zone.getSubdomain() + ".localhost") mockMvc.perform( get("/") .with(securityContext(getUaaSecurityContext(marissa.getUserName(), webApplicationContext, zone))) .header("Host", zone.getSubdomain() + ".localhost")
/**
 * /change_password.do enforces CSRF: the same credential change is first
 * submitted with a mismatching token (expected 403 -> /invalid_request) and
 * then with an accepted token (expected 302 -> profile).
 *
 * Both requests use the same freshly created user; because the first is
 * rejected, the current password is still valid for the second. The value
 * passed as current_password comes from {@code user.getPassword()} on the
 * object returned by createUser - presumably the plaintext used at creation,
 * verify against the helper.
 */
@Test
void testChangePasswordSubmitDoesValidateCsrf(
        @Autowired ScimUserProvisioning scimUserProvisioning
) throws Exception {
    assumeFalse(isLimitedMode(limitedModeUaaFilter), "Test only runs in non limited mode.");
    ScimUser user = createUser(scimUserProvisioning, generator, getUaa().getId());
    String newPassword = "newSecr3t";

    // Invalid token: rejected before the password change is applied.
    mockMvc.perform(
            post("/change_password.do")
                    .with(securityContext(MockMvcUtils.getUaaSecurityContext(user.getUserName(), webApplicationContext)))
                    .param("current_password", user.getPassword())
                    .param("new_password", newPassword)
                    .param("confirm_password", newPassword)
                    .with(cookieCsrf().useInvalidToken()))
            .andExpect(status().isForbidden())
            .andExpect(forwardedUrl("/invalid_request"));

    // Accepted token: the change goes through and the user lands on the profile page.
    mockMvc.perform(
            post("/change_password.do")
                    .with(securityContext(MockMvcUtils.getUaaSecurityContext(user.getUserName(), webApplicationContext)))
                    .param("current_password", user.getPassword())
                    .param("new_password", newPassword)
                    .param("confirm_password", newPassword)
                    .with(cookieCsrf()))
            .andExpect(status().isFound())
            .andExpect(redirectedUrl("profile"));
}
.param("sp", spEntityID) .with(new SetServerNameRequestPostProcessor(zone.getSubdomain()+".localhost")) .with(securityContext(getUaaSecurityContext(marissa.getUserName(), webApplicationContext, zone)))
/**
 * /change_email.do without an authenticated user is redirected to the login
 * page even when the request carries an accepted CSRF token; an authenticated
 * request with a mismatching token is rejected with 403 -> /invalid_request.
 *
 * The first two unauthenticated POSTs are identical (same builder
 * configuration); the repetition asserts nothing new and looks accidental.
 * Note the redirect is asserted as the absolute URL http://localhost/login.
 */
@Test
void testChangeEmailDoNotLoggedIn() throws Exception {
    assumeFalse(isLimitedMode(limitedModeUaaFilter), "Test only runs in non limited mode.");
    SecurityContext authenticated = getMarissaSecurityContext(webApplicationContext);

    // Unauthenticated, accepted CSRF token -> sent to login.
    mockMvc.perform(
            post("/change_email.do")
                    .accept(TEXT_HTML)
                    .with(cookieCsrf()))
            .andExpect(status().isFound())
            .andExpect(redirectedUrl("http://localhost/login"));

    // Repeated unauthenticated submission; same expectation as above.
    mockMvc.perform(
            post("/change_email.do")
                    .accept(TEXT_HTML)
                    .with(cookieCsrf()))
            .andExpect(status().isFound())
            .andExpect(redirectedUrl("http://localhost/login"));

    // Authenticated but the CSRF token does not match the cookie -> 403.
    mockMvc.perform(
            post("/change_email.do")
                    .accept(TEXT_HTML)
                    .with(cookieCsrf().useInvalidToken())
                    .with(securityContext(authenticated)))
            .andExpect(status().isForbidden())
            .andExpect(forwardedUrl("/invalid_request"));
}