个人中心
gpt4 book ai didi

spring-security - 使用 CSRF 进行放心和基本身份验证的集成测试

转载 作者:行者123 更新时间:2023-12-01 02:02:57 25 4
gpt4 key购买 nike

我有一个基于 https://spring.io/guides/tutorials/spring-security-and-angular-js/ 的带有 AngularJs 应用程序的 Spring Boot

我正在使用基本身份验证,我想为它编写一个集成测试。目前,我总是收到带有消息的 403 状态代码:

Expected CSRF token not found. Has your session expired?

这是我的测试: 
@Test
public void givenAdmin_deleteOfBookIsAllowed() {

    Response response = given().auth().preemptive().basic("admin", "admin").get("/api/user/");
    response.then().log().all();
    String sessionId = response.sessionId();
    String token = response.cookie("XSRF-TOKEN");

    Book book = Books.randomBook();
    bookRepository.save(book);

    given()
            .sessionId(sessionId)
            .cookie("XSRF-TOKEN", token)
            .header("X-XSRF-TOKEN", token)
            .pathParam("id", book.getId().getId())
            .when().delete("/api/books/{id}")
            .then().statusCode(HttpStatus.SC_NO_CONTENT);
}

我根据教程使用自定义 token 存储库: 
 private CsrfTokenRepository csrfTokenRepository() {
    HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
    repository.setHeaderName("X-XSRF-TOKEN");
    return repository;
}

这是第一次调用的请求/响应: 
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=7020E58A8D6DC2C883FD5D6BD086512A; Path=/; HttpOnly
Set-Cookie: XSRF-TOKEN=6c44ae09-73f9-4115-bbbf-b01773ec1b91; Path=/
X-Application-Context: application:staging:0
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Fri, 08 Jan 2016 07:43:21 GMT

{
    "details": {
        "remoteAddress": "127.0.0.1",
        "sessionId": "7020E58A8D6DC2C883FD5D6BD086512A"
    },
    "authorities": [
        {
            "authority": "ROLE_ADMIN"
        },
        {
            "authority": "ROLE_USER"
        }
    ],
    "authenticated": true,
    "principal": {
        "password": null,
        "username": "admin",
        "authorities": [
            {
                "authority": "ROLE_ADMIN"
            },
            {
                "authority": "ROLE_USER"
            }
        ],
        "accountNonExpired": true,
        "accountNonLocked": true,
        "credentialsNonExpired": true,
        "enabled": true
    },
    "credentials": null,
    "name": "admin"
}

从第二个电话开始: 
Request method: DELETE
Request path:   http://localhost:64588/api/books/04ad6d12-9b59-4ade-9a8a-e45daccb1f61
Proxy:          <none>
Request params: <none>
Query params:   <none>
Form params:    <none>
Path params:    id=04ad6d12-9b59-4ade-9a8a-e45daccb1f61
Multiparts:     <none>
Headers:        X-XSRF-TOKEN=6c44ae09-73f9-4115-bbbf-b01773ec1b91
                Accept=*/*
Cookies:        JSESSIONID=7020E58A8D6DC2C883FD5D6BD086512A
                XSRF-TOKEN=6c44ae09-73f9-4115-bbbf-b01773ec1b91
Body:           <none>

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Fri, 08 Jan 2016 07:44:21 GMT

{
    "timestamp": "2016-01-08T07:44:21.963+0000",
    "status": 403,
    "error": "Forbidden",
    "message": "Expected CSRF token not found. Has your session expired?",
    "path": "/api/books/04ad6d12-9b59-4ade-9a8a-e45daccb1f61"
}

最佳答案

你需要做 2 GET发帖前使用spring security CSRF在您的休息客户端或集成测试中提供保护。

  • 做个 GET请求登录。这将返回 JSESSIONID token 和 XSRF-TOKEN token 。如果您使用返回的 XSRF-TOKENPOST它会失败,因为我们使用 empty/false JSESSIONID 得到它.
  • 获取有用的 XSRF-TOKEN来自第二个 GET , 使用 JSESSIONID来自之前的请求。
  • 现在您可以使用 XSRF-TOKEN为您 POST .

    • 使用基本身份验证和 CSRF 放心的示例集成测试保护: 
    //1) get sessionId
    Response response =
            given().auth().preemptive().basic(userName, userPassword).contentType(JSON).
            when().get(PREFIX_URL + "/user").
            then().log().all().extract().response();
    String jsessionidId =  response.getSessionId();//or response.cookie("JSESSIONID");

    //2) get XSRF-TOKEN using new/real sessionId
    response =
            given().
            sessionId(jsessionidId).//or cookie("JSESSIONID", jsessionidId).
            contentType(JSON).
            when().get(PREFIX_URL + "/user").
            then().log().all().extract().response();

    //3) post data using XSRF-TOKEN
    given().log().all().
            sessionId(jsessionidId).//or cookie("JSESSIONID", jsessionidId).
            header("X-XSRF-TOKEN", response.cookie("XSRF-TOKEN")).
            queryParam("param",paramValue)).
            body(someData).
            contentType(JSON).
    when().
            post(PREFIX_URL + "/post_some_data").
    then().
        log().all().assertThat().statusCode(200);

    关于spring-security - 使用 CSRF 进行放心和基本身份验证的集成测试,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/34671999/

    25 4 0
    文章推荐: angularjs - Angular : how to check variable in scope without ng-bind and ng-model? 中的 Protractor 测试
    文章推荐: pyqt5 - PyQt5 是否支持 Qt3D?
    文章推荐: scala - 使用 Scala 将 org.apache.spark.mllib.linalg.Vector RDD 转换为 Spark 中的 DataFrame
    文章推荐: python - Django/manage.py 运行服务器不起作用 (Windows)
    行者123
    个人简介

    我是一名优秀的程序员,十分优秀!

    滴滴打车优惠券免费领取
    滴滴打车优惠券
    全站热门文章
    Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
    广告合作:1813099741@qq.com 6ren.com