/**
 * Applies the defaults every request in this test class shares: the test's
 * {@code session} field, UTF-8 character encoding and a JSON content type.
 *
 * @param builder the request builder to configure
 * @return the same builder instance, for further chaining
 */
protected MockHttpServletRequestBuilder initDefaultSetting(MockHttpServletRequestBuilder builder) {
    MockHttpServletRequestBuilder configured = builder.session(session);
    configured = configured.characterEncoding("UTF-8");
    configured = configured.contentType(MediaType.APPLICATION_JSON);
    return configured;
}
/**
 * Checks that a session handed to {@code session(...)} is the exact session
 * object attached to the built request, and that attributes set through
 * {@code sessionAttr(...)} afterwards are visible on that same session.
 */
@Test
public void session() {
    MockHttpSession providedSession = new MockHttpSession(this.servletContext);
    providedSession.setAttribute("foo", "bar");

    // Order matters here: session() is applied before sessionAttr(), which is
    // the scenario this test pins down.
    this.builder.session(providedSession);
    this.builder.sessionAttr("baz", "qux");

    MockHttpServletRequest built = this.builder.buildRequest(this.servletContext);

    assertEquals(providedSession, built.getSession());
    assertEquals("bar", built.getSession().getAttribute("foo"));
    assertEquals("qux", built.getSession().getAttribute("baz"));
}
/**
 * Issues a GET for the manual MFA registration page on the test's
 * {@code session} field. No expectations are applied; callers assert on the
 * returned {@link ResultActions}.
 *
 * @return the performed request's result actions
 * @throws Exception if MockMvc fails to perform the request
 */
private ResultActions performGetMfaManualRegister() throws Exception {
    return getMockMvc()
            .perform(get("/login/mfa/manual")
                    .session(session));
}
/**
 * Builds a form-login POST for the fixed test credentials
 * ({@code user} / {@code password}), bound to the given session and carrying
 * a valid CSRF token so the request is not rejected by CSRF protection.
 *
 * @param session the session the login request should be associated with
 * @return the ready-to-perform login request
 */
private static RequestBuilder formLogin(MockHttpSession session) {
    // session/param/postProcessor ordering on the builder is independent.
    return post("/login")
            .session(session)
            .with(csrf())
            .param("username", "user")
            .param("password", "password");
}
}
/**
 * After the MFA-registration redirect has been triggered, a request for
 * {@code /profile} on that session must still be redirected to a URL
 * containing {@code /login}.
 *
 * NOTE(review): the assertion only checks that the redirect target contains
 * "/login"; it does not pin the exact MFA registration URL. Tighten it if the
 * expected target is known, so a redirect to a plain login page cannot pass.
 */
@Test
public void testRedirectToMfaAfterLogin() throws Exception {
    redirectToMFARegistration();

    MockHttpServletResponse profileResponse = getMockMvc()
            .perform(get("/profile").session(session))
            .andReturn()
            .getResponse();
    String redirectTarget = profileResponse.getRedirectedUrl();

    assertTrue(redirectTarget.contains("/login"));
}
/**
 * After the MFA-registration redirect, hitting {@code /logout.do} on the same
 * session must redirect to a URL ending in {@code /login}.
 *
 * NOTE(review): the logout here is a plain GET without a CSRF token; whether
 * that is acceptable depends on the application's logout configuration, which
 * this test does not assert on.
 */
@Test
public void testRedirectToLoginPageAfterClickingBackFromMfaRegistrationPage() throws Exception {
    redirectToMFARegistration();

    MockHttpServletResponse logoutResponse = getMockMvc()
            .perform(get("/logout.do").session(session))
            .andReturn()
            .getResponse();
    String redirectTarget = logoutResponse.getRedirectedUrl();

    assertTrue(redirectTarget.endsWith("/login"));
}
/**
 * With the {@code SessionFixationProtectionMigrateSession} configuration,
 * authenticating on a pre-existing session must leave the request with a
 * session whose id differs from the pre-authentication id. That is the point
 * of session-fixation protection: an id known before login is not kept.
 */
@Test
public void requestWhenSessionFixationProtectionIsMigrateSessionThenSessionIsReplaced() throws Exception {
    this.spring.configLocations(this.xml("SessionFixationProtectionMigrateSession")).autowire();

    MockHttpSession preAuthSession = new MockHttpSession();
    String preAuthId = preAuthSession.getId();

    MvcResult result = this.mvc
            .perform(get("/auth")
                    .session(preAuthSession)
                    .with(httpBasic("user", "password")))
            .andExpect(session())
            .andReturn();

    String postAuthId = result.getRequest().getSession(false).getId();
    assertThat(postAuthId).isNotEqualTo(preAuthId);
}
/**
 * Logs the fixed test user {@code marissa} in on the given session via
 * {@code /login.do}, with a cookie-based CSRF token, and requires the
 * post-login redirect to {@code /}.
 *
 * @param session the session that should hold the authenticated state
 * @throws Exception if the request fails or is not redirected to {@code /}
 */
private void login(MockHttpSession session) throws Exception {
    mockMvc.perform(post("/login.do")
                    .session(session)
                    .with(cookieCsrf())
                    .param("username", "marissa")
                    .param("password", "koala"))
            .andExpect(redirectedUrl("/"));
}
}
/**
 * A silent ({@code prompt=none}) authorization request carrying a malformed
 * {@code redirect_uri} must be rejected with a 4xx status rather than
 * redirected, since an unvalidated redirect target could leak the token.
 *
 * NOTE(review): the method name says 400 but the expectation accepts any 4xx;
 * narrow it to {@code status().isBadRequest()} if 400 is the contract.
 */
@Test
void testSilentAuthentication_Returns400_whenInvalidRedirectUrlIsProvided() throws Exception {
    MockHttpSession authenticatedSession = new MockHttpSession();
    login(authenticatedSession);

    // The redirect_uri deliberately contains spaces so it is not a valid URI.
    String authorizeUrl = "/oauth/authorize?response_type=token&scope=openid&client_id=ant&prompt=none&redirect_uri=no good uri";

    mockMvc.perform(get(authorizeUrl).session(authenticatedSession))
            .andExpect(status().is4xxClientError());
}
/**
 * With the {@code Simple} configuration, a servlet-level logout
 * ({@code /do-logout}) on a session created by {@code /good-login} must
 * return 200 with an empty body and leave the request without a session,
 * i.e. the session was invalidated rather than merely cleared.
 */
@Test
public void servletLogoutWhenUsingDefaultConfigurationThenUsesSpringSecurity() throws Exception {
    this.spring.configLocations(this.xml("Simple")).autowire();

    MvcResult loginResult = this.mvc.perform(get("/good-login")).andReturn();
    MockHttpSession loginSession = (MockHttpSession) loginResult.getRequest().getSession(false);
    assertThat(loginSession).isNotNull();

    MvcResult logoutResult = this.mvc
            .perform(get("/do-logout").session(loginSession))
            .andExpect(status().isOk())
            .andExpect(content().string(""))
            .andReturn();

    // getSession(false) never creates one, so null means it was invalidated.
    MockHttpSession postLogoutSession = (MockHttpSession) logoutResult.getRequest().getSession(false);
    assertThat(postLogoutSession).isNull();
}
/**
 * Submits an MFA verification code to {@code /login/mfa/verify.do} on the
 * given session and host, requires a 3xx redirect to
 * {@code /login/mfa/completed}, and returns that redirect target.
 *
 * @param code    the numeric MFA code to submit
 * @param mvc     the MockMvc instance to perform the request with
 * @param session the session holding the in-progress login
 * @param host    value for the {@code Host} header
 * @return the redirect URL from the response
 * @throws Exception if the request fails or the expectations do not hold
 */
public static String performMfaPostVerifyWithCode(int code, MockMvc mvc, MockHttpSession session, String host) throws Exception {
    String codeParam = String.valueOf(code);

    return mvc
            .perform(post("/login/mfa/verify.do")
                    .session(session)
                    .header("Host", host)
                    .param("code", codeParam)
                    .with(cookieCsrf()))
            .andExpect(status().is3xxRedirection())
            .andExpect(redirectedUrl("/login/mfa/completed"))
            .andReturn()
            .getResponse()
            .getRedirectedUrl();
}
/**
 * With the default ({@code AutoConfig}) configuration, a CSRF-protected POST
 * to {@code /logout} must respond 302 and, on the same session, the token
 * subsequently served by {@code /csrf} must differ from the one served before
 * logout (checked via {@code csrfChanged}).
 */
@Test
public void logoutWhenDefaultConfigurationThenCsrfCleared() throws Exception {
    this.spring.configLocations(
            this.xml("shared-controllers"),
            this.xml("AutoConfig")
    ).autowire();

    MvcResult beforeLogout = this.mvc.perform(get("/csrf")).andReturn();
    MockHttpSession csrfSession = (MockHttpSession) beforeLogout.getRequest().getSession();

    this.mvc.perform(post("/logout")
                    .session(csrfSession)
                    .with(csrf()))
            .andExpect(status().isFound());

    this.mvc.perform(get("/csrf").session(csrfSession))
            .andExpect(csrfChanged(beforeLogout));
}
/**
 * With concurrency control configured and no expired-url, a request on an
 * already-expired session must receive the default expiry message in the
 * response body instead of a redirect.
 */
@Test
public void requestWhenConcurrencyControlIsSetThenDefaultsToResponseBodyExpirationResponse() throws Exception {
    this.spring.configLocations(this.xml("ConcurrencyControlSessionRegistryAlias")).autowire();

    String expectedBody = "This session has been expired (possibly due to multiple concurrent "
            + "logins being attempted as the same user).";

    this.mvc.perform(get("/auth")
                    .with(httpBasic("user", "password"))
                    .session(this.expiredSession()))
            .andExpect(content().string(expectedBody));
}
/**
 * With {@code create-session="stateless"}, a successful form login posted on a
 * pre-existing session must not store the security context in that session:
 * the request still has a session, but its
 * {@code SPRING_SECURITY_CONTEXT_KEY} attribute is absent.
 */
@Test
public void requestWhenCreateSessionIsSetToStatelessThenIgnoresExistingSession() throws Exception {
    this.spring.configLocations(this.xml("CreateSessionStateless")).autowire();

    MockHttpSession existingSession = new MockHttpSession();

    MvcResult loginResult = this.mvc
            .perform(post("/login")
                    .session(existingSession)
                    .with(csrf())
                    .param("username", "user")
                    .param("password", "password"))
            .andExpect(status().isFound())
            .andExpect(session())
            .andReturn();

    Object storedContext = loginResult.getRequest().getSession(false).getAttribute(SPRING_SECURITY_CONTEXT_KEY);
    assertThat(storedContext).isNull();
}
/**
 * With session-fixation protection set to {@code none}, authenticating on a
 * pre-existing session must keep that session's id unchanged (no migration
 * or invalidation happens).
 */
@Test
public void requestWhenSessionFixationProtectionIsNoneThenSessionNotInvalidated() throws Exception {
    this.spring.configLocations(this.xml("SessionFixationProtectionNone")).autowire();

    MockHttpSession existingSession = new MockHttpSession();
    String originalId = existingSession.getId();

    this.mvc.perform(get("/auth")
                    .with(httpBasic("user", "password"))
                    .session(existingSession))
            .andExpect(session().id(originalId));
}
/**
 * With concurrency control and an expired-url configured, a request on an
 * already-expired session must be redirected to {@code /expired} and must
 * leave the request with no session at all.
 */
@Test
public void requestWhenExpiredUrlIsSetThenInvalidatesSessionAndRedirects() throws Exception {
    this.spring.configLocations(this.xml("ConcurrencyControlExpiredUrl")).autowire();

    MockHttpSession alreadyExpired = this.expiredSession();

    this.mvc.perform(get("/auth")
                    .with(httpBasic("user", "password"))
                    .session(alreadyExpired))
            .andExpect(redirectedUrl("/expired"))
            .andExpect(session().exists(false));
}
/**
 * SEC-2137: when session-fixation protection is disabled but concurrency
 * control is enabled, authenticating on an existing session must succeed
 * (200) and must keep the original session id; concurrency control alone
 * must not cause the session to be invalidated or replaced.
 */
@Test
public void requestWhenSessionFixationProtectionDisabledAndConcurrencyControlEnabledThenSessionNotInvalidated() throws Exception {
    this.spring.configLocations(this.xml("Sec2137")).autowire();

    MockHttpSession existingSession = new MockHttpSession();
    String originalId = existingSession.getId();

    this.mvc.perform(get("/auth")
                    .with(httpBasic("user", "password"))
                    .session(existingSession))
            .andExpect(status().isOk())
            .andExpect(session().id(originalId));
}
/**
 * With concurrency control and a remember-me handler configured, a request on
 * an expired session must still return 200, set the {@code rememberMeCookie},
 * and leave the request without a session (the expired one is not kept).
 */
@Test
public void requestWhenConcurrencyControlAndRememberMeAreSetThenInvokedWhenSessionExpires() throws Exception {
    this.spring.configLocations(this.xml("ConcurrencyControlRememberMeHandler")).autowire();

    MockHttpSession alreadyExpired = this.expiredSession();

    this.mvc.perform(get("/auth")
                    .with(httpBasic("user", "password"))
                    .session(alreadyExpired))
            .andExpect(status().isOk())
            .andExpect(cookie().exists("rememberMeCookie"))
            .andExpect(session().exists(false));
}
/**
 * With concurrency control plus custom logout and remember-me handlers, a
 * request on an expired session must return 200 and show that every handler
 * ran: {@code testCookie} is cleared (max-age 0), {@code rememberMeCookie} is
 * set, and the request ends with a valid session.
 */
@Test
public void requestWhenConcurrencyControlAndCustomLogoutHandlersAreSetThenAllAreInvokedWhenSessionExpires() throws Exception {
    this.spring.configLocations(this.xml("ConcurrencyControlLogoutAndRememberMeHandlers")).autowire();

    MockHttpSession alreadyExpired = this.expiredSession();

    this.mvc.perform(get("/auth")
                    .with(httpBasic("user", "password"))
                    .session(alreadyExpired))
            .andExpect(status().isOk())
            .andExpect(cookie().maxAge("testCookie", 0))
            .andExpect(cookie().exists("rememberMeCookie"))
            .andExpect(session().valid(true));
}
/**
 * With the default ({@code AutoConfig}) configuration and an authenticated
 * user, a POST carrying a CSRF token that does not match the session's token
 * must be rejected with 403. The session is first primed via a GET so a
 * server-side token exists to mismatch against.
 */
@Test
@WithMockUser
public void postWhenCsrfMismatchesThenForbidden() throws Exception {
    this.spring.configLocations(
            this.xml("shared-controllers"),
            this.xml("AutoConfig")
    ).autowire();

    MvcResult primingResult = this.mvc.perform(get("/ok")).andReturn();
    MockHttpSession primedSession = (MockHttpSession) primingResult.getRequest().getSession();

    this.mvc.perform(post("/ok")
                    .with(csrf().useInvalidToken())
                    .session(primedSession))
            .andExpect(status().isForbidden());
}