/**
 * Sends an OPTIONS request to {@code /myUrl} and checks that the controller's counter
 * advanced by exactly one while the request was processed.
 *
 * @throws Exception if performing the mock request fails
 */
@Test
public void test() throws Exception {
    MyController bean = this.wac.getBean(MyController.class);
    int before = bean.counter.get();

    // The status check alone would also pass if something answered OPTIONS before the
    // controller; the counter delta below presumably proves the handler itself ran.
    this.mockMvc.perform(options("/myUrl")).andExpect(status().isOk());

    int after = bean.counter.get();
    assertEquals(before + 1, after);
}
/**
 * Positive case for the "X-Requested-With" preflight path: an allowed origin asks to
 * GET an allowed URI and the preflight is answered with 200.
 *
 * @throws Exception on test failure
 */
@Test
void testLogOutCorsPreflight(@Autowired CorsFilter corsFilter) throws Exception {
    // NOTE(review): real browsers send Origin as scheme://host[:port]; this test sends a
    // bare host name. Confirm the filter is also exercised with a full origin value.
    HttpHeaders preflightHeaders = new HttpHeaders();
    preflightHeaders.add("Access-Control-Request-Headers", "X-Requested-With");
    preflightHeaders.add("Access-Control-Request-Method", "GET");
    preflightHeaders.add("Origin", "localhost");

    // NOTE(review): in "^*\\.localhost$" the quantifier is attached to the start anchor,
    // not to a wildcard; "^.*\\.localhost$" was probably intended. How the pattern behaves
    // depends on how CorsFilter applies it (full match vs. search) - confirm before changing.
    corsFilter.setCorsXhrAllowedOrigins(asList("^localhost$", "^*\\.localhost$"));
    corsFilter.setCorsXhrAllowedUris(singletonList("^/logout\\.do$"));
    // The new allow-lists are followed by initialize() in every test of this group.
    corsFilter.initialize();

    mockMvc.perform(options("/logout.do").headers(preflightHeaders))
            .andExpect(status().isOk());
}
/**
 * Preflight that asks only for the "Accept" request header. This should avoid the
 * "X-Requested-With" logic entirely, and the preflight is expected to return 200.
 *
 * @throws Exception on test failure
 */
@Test
void testLogOutCorsPreflightWithStandardHeader(@Autowired CorsFilter corsFilter) throws Exception {
    HttpHeaders preflightHeaders = new HttpHeaders();
    preflightHeaders.add("Access-Control-Request-Headers", "Accept");
    preflightHeaders.add("Access-Control-Request-Method", "GET");
    preflightHeaders.add("Origin", "localhost");

    // NOTE(review): the injected filter is reconfigured in place. Whether that instance is
    // shared with other tests is not visible here; this test resets both allow-lists itself,
    // so it does not depend on what an earlier test configured.
    corsFilter.setCorsXhrAllowedOrigins(singletonList("^localhost$"));
    corsFilter.setCorsXhrAllowedUris(singletonList("^/logout\\.do$"));
    corsFilter.initialize();

    mockMvc.perform(options("/logout.do").headers(preflightHeaders))
            .andExpect(status().isOk());
}
/**
 * Negative case: the requested method is POST rather than GET, so a CORS request carrying
 * the "X-Requested-With" header is not allowed and the CorsFilter answers with 405.
 *
 * @throws Exception on test failure
 */
@Test
void testLogOutCorsPreflightWithUnallowedMethod(@Autowired CorsFilter corsFilter) throws Exception {
    HttpHeaders preflightHeaders = new HttpHeaders();
    preflightHeaders.add("Access-Control-Request-Headers", "X-Requested-With");
    // Origin and URI are both on the allow-lists; the method is the only thing that differs
    // from the positive case, so the 405 can be attributed to it.
    preflightHeaders.add("Access-Control-Request-Method", "POST");
    preflightHeaders.add("Origin", "localhost");

    corsFilter.setCorsXhrAllowedOrigins(singletonList("^localhost$"));
    corsFilter.setCorsXhrAllowedUris(singletonList("^/logout\\.do$"));
    corsFilter.initialize();

    mockMvc.perform(options("/logout.do").headers(preflightHeaders))
            .andExpect(status().isMethodNotAllowed());
}
/**
 * Negative case: the requested endpoint is not on the allow-list for CORS requests with
 * the "X-Requested-With" header, so the CorsFilter answers with 403.
 *
 * @throws Exception on test failure
 */
@Test
void testLogOutCorsPreflightWithUnallowedEndpoint(@Autowired CorsFilter corsFilter) throws Exception {
    HttpHeaders preflightHeaders = new HttpHeaders();
    preflightHeaders.add("Access-Control-Request-Headers", "X-Requested-With");
    preflightHeaders.add("Access-Control-Request-Method", "GET");
    preflightHeaders.add("Origin", "localhost");

    corsFilter.setCorsXhrAllowedOrigins(singletonList("^localhost$"));
    // The trailing "$" in this pattern is what keeps "/logout.dont" off the allow-list:
    // the requested path shares the allowed path as a prefix and differs only in its tail.
    corsFilter.setCorsXhrAllowedUris(singletonList("^/logout\\.do$"));
    corsFilter.initialize();

    mockMvc.perform(options("/logout.dont").headers(preflightHeaders))
            .andExpect(status().isForbidden());
}
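/**
 * Positive case for the "X-Requested-With" preflight path when the origin is a subdomain
 * of localhost ("testzone1.localhost"): the preflight for the logout URI returns 200.
 *
 * @throws Exception on test failure
 */
@Test
void testLogOutCorsPreflightForIdentityZone(@Autowired CorsFilter corsFilter) throws Exception {
    // NOTE(review): in "^*\\.localhost$" the quantifier is attached to the start anchor,
    // not to a wildcard; "^.*\\.localhost$" was probably intended. This is the pattern that
    // has to accept the subdomain origin below, and how it behaves depends on how CorsFilter
    // applies it (full match vs. search) - confirm before changing.
    corsFilter.setCorsXhrAllowedOrigins(asList("^localhost$", "^*\\.localhost$"));
    // The dot is escaped here, as in the sibling tests. Unescaped, "." matches any
    // character, so the allow-list would also cover paths such as "/logoutXdo".
    corsFilter.setCorsXhrAllowedUris(singletonList("^/logout\\.do$"));
    corsFilter.initialize();

    HttpHeaders httpHeaders = new HttpHeaders();
    httpHeaders.add("Access-Control-Request-Headers", "X-Requested-With");
    httpHeaders.add("Access-Control-Request-Method", "GET");
    httpHeaders.add("Origin", "testzone1.localhost");

    mockMvc.perform(options("/logout.do").headers(httpHeaders))
            .andExpect(status().isOk());
}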
/**
 * Negative case: the request origin is not on the allow-list for CORS requests with the
 * "X-Requested-With" header, so the CorsFilter answers with 403.
 *
 * @throws Exception on test failure
 */
@Test
void testLogOutCorsPreflightWithUnallowedOrigin(@Autowired CorsFilter corsFilter) throws Exception {
    HttpHeaders preflightHeaders = new HttpHeaders();
    preflightHeaders.add("Access-Control-Request-Headers", "X-Requested-With");
    preflightHeaders.add("Access-Control-Request-Method", "GET");
    // NOTE(review): this origin shares nothing with the allowed name, so the test does not
    // show that the "^...$" anchors are enforced. A case with an origin that merely contains
    // the allowed name would cover that - confirm whether one exists elsewhere in the suite.
    preflightHeaders.add("Origin", "fuzzybunnies.com");

    corsFilter.setCorsXhrAllowedOrigins(singletonList("^localhost$"));
    corsFilter.setCorsXhrAllowedUris(singletonList("^/logout\\.do$"));
    corsFilter.initialize();

    mockMvc.perform(options("/logout.do").headers(preflightHeaders))
            .andExpect(status().isForbidden());
}
/**
 * Create a {@link MockHttpServletRequestBuilder} for an OPTIONS request. This overload
 * delegates directly to {@link MockMvcRequestBuilders#options(URI)} and sets no request
 * attributes of its own.
 * @param uri the URL
 * @return the builder for the OPTIONS request
 */
public static MockHttpServletRequestBuilder options(URI uri) {
    MockHttpServletRequestBuilder optionsBuilder = MockMvcRequestBuilders.options(uri);
    return optionsBuilder;
}
/**
 * Loads the "shared-controllers" and "AutoConfig" XML configurations and checks that an
 * OPTIONS request to {@code /csrf-in-header} satisfies the {@code csrfInHeader()} matcher.
 *
 * @throws Exception if performing the mock request fails
 */
@Test
public void optionsWhenDefaultConfigurationThenCsrfIsEnabled() throws Exception {
    this.spring
            .configLocations(this.xml("shared-controllers"), this.xml("AutoConfig"))
            .autowire();

    // csrfInHeader() is defined elsewhere in the test class. Going by the test name it is
    // what shows CSRF protection is active; no status code is asserted here.
    this.mvc.perform(options("/csrf-in-header")).andExpect(csrfInHeader());
}
/**
 * Loads the "shared-controllers" and "CsrfEnabled" XML configurations and checks that an
 * OPTIONS request to {@code /csrf-in-header} satisfies the {@code csrfInHeader()} matcher.
 *
 * @throws Exception if performing the mock request fails
 */
@Test
public void optionsWhenCsrfElementEnabledThenOk() throws Exception {
    this.spring
            .configLocations(this.xml("shared-controllers"), this.xml("CsrfEnabled"))
            .autowire();

    // Same expectation as the default-configuration test: only the csrfInHeader() matcher
    // (defined elsewhere in the test class) is asserted, not a status code.
    this.mvc.perform(options("/csrf-in-header")).andExpect(csrfInHeader());
}
/**
 * Create a {@link MockHttpServletRequestBuilder} for an OPTIONS request. The url
 * template is stored, unexpanded, as a request attribute so that it is available for
 * documentation.
 * @param urlTemplate a URL template; the resulting URL will be encoded
 * @param urlVariables zero or more URL variables
 * @return the builder for the OPTIONS request
 */
public static MockHttpServletRequestBuilder options(String urlTemplate, Object... urlVariables) {
    MockHttpServletRequestBuilder optionsBuilder =
            MockMvcRequestBuilders.options(urlTemplate, urlVariables);
    // The attribute carries the template itself, not the URL built from it.
    return optionsBuilder.requestAttr(
            RestDocumentationGenerator.ATTRIBUTE_NAME_URL_TEMPLATE, urlTemplate);
}
/**
 * Loads the "WithCors" XML configuration and checks both halves of the CORS exchange:
 * the actual GET request and the OPTIONS preflight must each carry the CORS response
 * headers.
 *
 * @throws Exception if performing a mock request fails
 */
@Test
public void getWhenUsingCorsThenDoesSpringSecurityCorsHandshake() throws Exception {
    this.spring.configLocations(this.xml("WithCors")).autowire();

    // Actual request. approved() and corsResponseHeaders() are defined elsewhere in the
    // test class; the 418 is presumably the test controller's own answer - confirm.
    this.mvc.perform(get("/").with(this.approved()))
            .andExpect(corsResponseHeaders())
            .andExpect(status().isIAmATeapot());

    // Preflight: expected to be answered with 200 and the same CORS response headers.
    this.mvc.perform(options("/").with(this.preflight()))
            .andExpect(corsResponseHeaders())
            .andExpect(status().isOk());
}
/**
 * Loads the "WithCorsConfigurationSource" XML configuration and checks both halves of
 * the CORS exchange: the actual GET request and the OPTIONS preflight must each carry the
 * CORS response headers.
 *
 * @throws Exception if performing a mock request fails
 */
@Test
public void getWhenUsingCustomCorsConfigurationSourceThenDoesSpringSecurityCorsHandshake() throws Exception {
    this.spring.configLocations(this.xml("WithCorsConfigurationSource")).autowire();

    // Actual request; the 418 is presumably the test controller's own answer - confirm.
    this.mvc.perform(get("/").with(this.approved()))
            .andExpect(corsResponseHeaders())
            .andExpect(status().isIAmATeapot());

    // Preflight: expected to be answered with 200 and the same CORS response headers.
    this.mvc.perform(options("/").with(this.preflight()))
            .andExpect(corsResponseHeaders())
            .andExpect(status().isOk());
}
/**
 * Loads the "WithCorsFilter" XML configuration and checks both halves of the CORS
 * exchange: the actual GET request and the OPTIONS preflight must each carry the CORS
 * response headers.
 *
 * @throws Exception if performing a mock request fails
 */
@Test
public void getWhenUsingCustomCorsFilterThenDoesSPringSecurityCorsHandshake() throws Exception {
    this.spring.configLocations(this.xml("WithCorsFilter")).autowire();

    // Actual request; the 418 is presumably the test controller's own answer - confirm.
    this.mvc.perform(get("/").with(this.approved()))
            .andExpect(corsResponseHeaders())
            .andExpect(status().isIAmATeapot());

    // Preflight: expected to be answered with 200 and the same CORS response headers.
    this.mvc.perform(options("/").with(this.preflight()))
            .andExpect(corsResponseHeaders())
            .andExpect(status().isOk());
}
/**
 * Create a {@link MockHttpServletRequestBuilder} for an OPTIONS request. The call is
 * passed straight to {@link MockMvcRequestBuilders#options(URI)}; no request attribute
 * is added by this overload.
 * @param uri the URL
 * @return the builder for the OPTIONS request
 */
public static MockHttpServletRequestBuilder options(URI uri) {
    MockHttpServletRequestBuilder delegateBuilder = MockMvcRequestBuilders.options(uri);
    return delegateBuilder;
}
/**
 * Create a {@link MockHttpServletRequestBuilder} for an OPTIONS request. The url
 * template is recorded as a request attribute, exactly as passed in, and made available
 * for documentation.
 * @param urlTemplate a URL template; the resulting URL will be encoded
 * @param urlVariables zero or more URL variables
 * @return the builder for the OPTIONS request
 */
public static MockHttpServletRequestBuilder options(String urlTemplate, Object... urlVariables) {
    MockHttpServletRequestBuilder delegateBuilder =
            MockMvcRequestBuilders.options(urlTemplate, urlVariables);
    // Stored under the generator's attribute name: the raw template, not the expanded URL.
    return delegateBuilder.requestAttr(
            RestDocumentationGenerator.ATTRIBUTE_NAME_URL_TEMPLATE, urlTemplate);
}