Examples of org.springframework.security.web.csrf.CsrfToken

• org.springframework.security.web.csrf.CsrfToken
  Provides the information about an expected CSRF token. @see DefaultCsrfToken @author Rob Winch @since 3.2

abstract class AbstractCsrfTag extends TagSupport {

    @Override
    public int doEndTag() throws JspException {

        CsrfToken token = (CsrfToken)this.pageContext.getRequest().getAttribute(CsrfToken.class.getName());
        if (token != null) {
            try {
                this.pageContext.getOut().write(this.handleToken(token));
            } catch (IOException e) {
                throw new JspException(e);

        return sb.toString();
    }

    private void renderHiddenInputs(StringBuilder sb, HttpServletRequest request) {
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());

        if(token != null) {
            sb.append("    <input name=\""+ token.getParameterName() +"\" type=\"hidden\" value=\""+ token.getToken() +"\" />\n");
        }
    }

        assertThat(processor.processUrl(request, url)).isEqualTo(url);
    }

    @Test
    public void createGetExtraHiddenFieldsHasCsrfToken() {
        CsrfToken token = new DefaultCsrfToken("1", "a", "b");
        request.setAttribute(CsrfToken.class.getName(), token);
        Map<String,String> expected = new HashMap<String,String>();
        expected.put(token.getParameterName(),token.getToken());

        RequestDataValueProcessor processor = new CsrfRequestDataValueProcessor();
        assertThat(processor.getExtraHiddenFields(request)).isEqualTo(expected);
    }

        if(Boolean.TRUE.equals(request.getAttribute(DISABLE_CSRF_TOKEN_ATTR))) {
            request.removeAttribute(DISABLE_CSRF_TOKEN_ATTR);
            return Collections.emptyMap();
        }

        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class
                .getName());
        if (token == null) {
            return Collections.emptyMap();
        }
        Map<String, String> hiddenFields = new HashMap<String, String>(1);
        hiddenFields.put(token.getParameterName(), token.getToken());
        return hiddenFields;
    }

        request.setServletPath("/login");
        request.setMethod("POST");
        request.setParameter("username", "user");
        request.setParameter("password", "password");
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        CsrfToken token = repository.generateToken(request);
        repository.saveToken(token, request, response);
        request.setParameter(token.getParameterName(),token.getToken());
        when(ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId")).thenReturn(method);

        loadConfig(SessionManagementDefaultSessionFixationServlet31Config.class);

        springSecurityFilterChain.doFilter(request,response,chain);

        public MockHttpServletRequest postProcessRequest(
                MockHttpServletRequest request) {

            CsrfTokenRepository repository = WebTestUtils
                    .getCsrfTokenRepository(request);
            CsrfToken token = repository.generateToken(request);
            repository.saveToken(token, request, new MockHttpServletResponse());
            String tokenValue = useInvalidToken ? "invalid" + token.getToken() : token.getToken();
            if(asHeader) {
                request.addHeader(token.getHeaderName(), tokenValue);
            } else {
                request.setParameter(token.getParameterName(), tokenValue);
            }
            return request;
        }

        this.tag = new CsrfMetaTagsTag();
    }

    @Test
    public void handleTokenRendersTags() {
        CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");

        String value = this.tag.handleToken(token);

        assertNotNull("The returned value should not be null.", value);
        assertEquals("The output is not correct.",

                value);
    }

    @Test
    public void handleTokenRendersTagsDifferentToken() {
        CsrfToken token = new DefaultCsrfToken("csrfHeader", "csrfParameter", "fooBarBazQux");

        String value = this.tag.handleToken(token);

        assertNotNull("The returned value should not be null.", value);
        assertEquals("The output is not correct.",

    }

    @Test
    public void hasCsrfRendersReturnedValue() throws JspException, UnsupportedEncodingException {

        CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
        this.request.setAttribute(CsrfToken.class.getName(), token);

        this.tag.handleReturn = "fooBarBazQux";

        int returned = this.tag.doEndTag();

    }

    @Test
    public void hasCsrfRendersDifferentValue() throws JspException, UnsupportedEncodingException {

        CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
        this.request.setAttribute(CsrfToken.class.getName(), token);

        this.tag.handleReturn = "<input type=\"hidden\" />";

        int returned = this.tag.doEndTag();