osc*_*car 7 junit spring spring-security mockito mockmvc
I have two metas in my view (I am using Thymeleaf):

```html
<meta name="_csrf" th:content="${_csrf.token}" />
<meta name="_csrf_header" th:content="${_csrf.headerName}" />
```
In my test controller I do this:

```java
// Generate a CSRF token the same way the session-based repository would
HttpSessionCsrfTokenRepository httpSessionCsrfTokenRepository = new HttpSessionCsrfTokenRepository();
CsrfToken csrfToken2 = httpSessionCsrfTokenRepository.generateToken(new MockHttpServletRequest());

// Build an authenticated principal and put its security context into a mock session
CustomUser user = new CustomUser();
user.setName("foo");
user.setSurname("fooo");
List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
grantedAuthorities.add(new SimpleGrantedAuthority("role"));
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("foo", "fooo", grantedAuthorities);
token.setDetails(user);

MockHttpSession session = new MockHttpSession();
session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, new MockSecurityContext(token));
// The CSRF token is stored only as a session attribute here
session.setAttribute("_csrf", csrfToken2);

this.mockMvc.perform(post("/foo/update")
        .param("param", "asdfasd")
        ....
        .session(session)
    )
    .andExpect(view().name("foo/detail")).andExpect(model().hasErrors());
```
When I run the test I get this error (the token is not found, or is null):

```
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.thymeleaf.exceptions.TemplateProcessingException: Exception evaluating SpringEL expression: "_csrf.token" (layout/default:4)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:979)
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.springframework.test.web.servlet.TestDispatcherServlet.service(TestDispatcherServlet.java:65)
    at org.springframework.mock.web.MockFilterChain$ServletFilterProxy.doFilter(MockFilterChain.java:167)
    at org.springframework.mock.web.MockFilterChain.doFilter(MockFilterChain.java:134)
    at org.springframework.test.web.servlet.MockMvc.perform(MockMvc.java:144)
    at es.xunta.amtega.axipro.web.controller.SolicitudeControllerSaveTest.testSaveValidator(SolicitudeControllerSaveTest.java:144)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
    at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:75)
    at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:86)
    at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:70)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:224)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:83)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
    at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
    at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:163)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:675)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192)
Caused by: org.thymeleaf.exceptions.TemplateProcessingException: Exception evaluating SpringEL expression: "_csrf.token" (layout/default:4)
    at org.thymeleaf.spring4.expression.SpelVariableExpressionEvaluator.evaluate(SpelVariableExpressionEvaluator.java:161)
    at org.thymeleaf.standard.expression.VariableExpression.executeVariable(VariableExpression.java:154)
    at org.thymeleaf.standard.expression.SimpleExpression.executeSimple(SimpleExpression.java:59)
    at org.thymeleaf.standard.expression.Expression.execute(Expression.java:103)
    at org.thymeleaf.standard.expression.Expression.execute(Expression.java:133)
    at org.thymeleaf.standard.expression.Expression.execute(Expression.java:120)
    at org.thymeleaf.standard.processor.attr.AbstractStandardSingleAttributeModifierAttrProcessor.getTargetAttributeValue(AbstractStandardSingleAttributeModifierAttrProcessor.java:67)
    at org.thymeleaf.processor.attr.AbstractSingleAttributeModifierAttrProcessor.getModifiedAttributeValues(AbstractSingleAttributeModifierAttrProcessor.java:59)
    at org.thymeleaf.processor.attr.AbstractAttributeModifierAttrProcessor.processAttribute(AbstractAttributeModifierAttrProcessor.java:62)
    at org.thymeleaf.processor.attr.AbstractAttrProcessor.doProcess(AbstractAttrProcessor.java:87)
    at org.thymeleaf.processor.AbstractProcessor.process(AbstractProcessor.java:212)
    at org.thymeleaf.dom.Node.applyNextProcessor(Node.java:1017)
    at org.thymeleaf.dom.Node.processNode(Node.java:972)
    at org.thymeleaf.dom.NestableNode.computeNextChild(NestableNode.java:695)
    at org.thymeleaf.dom.NestableNode.doAdditionalProcess(NestableNode.java:668)
    at org.thymeleaf.dom.Node.processNode(Node.java:990)
    at org.thymeleaf.dom.NestableNode.computeNextChild(NestableNode.java:695)
    at org.thymeleaf.dom.NestableNode.doAdditionalProcess(NestableNode.java:668)
    at org.thymeleaf.dom.Node.processNode(Node.java:990)
    at org.thymeleaf.dom.NestableNode.computeNextChild(NestableNode.java:695)
    at org.thymeleaf.dom.NestableNode.doAdditionalProcess(NestableNode.java:668)
    at org.thymeleaf.dom.Node.processNode(Node.java:990)
    at org.thymeleaf.dom.Document.process(Document.java:93)
    at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1155)
    at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1060)
    at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1011)
    at org.thymeleaf.spring4.view.ThymeleafView.renderFragment(ThymeleafView.java:335)
    at org.thymeleaf.spring4.view.ThymeleafView.render(ThymeleafView.java:190)
    at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1244)
    at org.springframework.test.web.servlet.TestDispatcherServlet.render(TestDispatcherServlet.java:105)
    at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1027)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:971)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
    ... 40 more
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1007E:(pos 0): Property or field 'token' cannot be found on null
    at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:220)
    at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:94)
    at org.springframework.expression.spel.ast.PropertyOrFieldReference.access$000(PropertyOrFieldReference.java:46)
    at org.springframework.expression.spel.ast.PropertyOrFieldReference$AccessorLValue.getValue(PropertyOrFieldReference.java:374)
    at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
    at org.springframework.expression.spel.ast.SpelNodeImpl.getValue(SpelNodeImpl.java:120)
    at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:267)
    at org.thymeleaf.spring4.expression.SpelVariableExpressionEvaluator.evaluate(SpelVariableExpressionEvaluator.java:139)
    ... 73 more
```
I found a temporary solution, but it is not a good one:

```html
<th:block th:if="${_csrf}">
    <meta name="_csrf" th:content="${_csrf.token}" />
    <meta name="_csrf_header" th:content="${_csrf.headerName}" />
</th:block>
```
Ste*_*com 13
To access session attributes you need

```html
th:text="${session._csrf.headerName}">
th:text="${session._csrf.token}">
```

See Thymeleaf + Spring.

If you use MockMvc in the test, you can set the csrf token with

```java
mvc
    .perform(post("/").with(csrf()))
```

See Web Security.
When the CSRF option is active, Spring Security creates a `_csrf` object with the properties token, headerName and parameter. There are two places in Thymeleaf where the CSRF protection is used:

As meta tags in the head section:

```html
<meta name="_csrf" th:content="${_csrf.token}" />
<meta name="_csrf_header" th:content="${_csrf.headerName}" />
```

As a hidden field in a form:

```html
<input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
```

The problem with the SecurityMockMvcRequestPostProcessors.csrf request post processor is that it only creates a string parameter, not an attribute, which is incompatible with the Thymeleaf code above:

```java
...
request.addHeader(token.getHeaderName(), tokenValue);
...
request.setParameter(token.getParameterName(), tokenValue);
```
My workaround is to create a custom RequestPostProcessor that adds the token as a request attribute instead of a request parameter:

```java
package ...;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.test.web.support.WebTestUtils;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import org.springframework.test.web.servlet.request.RequestPostProcessor;

/**
 * A request post processor to add <em>csrf</em> information as a request
 * attribute holding a CsrfToken, so that ${_csrf.token} and
 * ${_csrf.headerName} resolve in a Thymeleaf template.
 */
public class CsrfRequestPostProcessor implements RequestPostProcessor {

    private boolean useInvalidToken = false;
    private boolean asHeader = false;

    @Override
    public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
        // Use the repository wired into the application's CsrfFilter, so the
        // stored token is the one the filter would later compare against.
        CsrfTokenRepository repository = WebTestUtils.getCsrfTokenRepository(request);
        CsrfToken token = repository.generateToken(request);
        repository.saveToken(token, request, new MockHttpServletResponse());

        String tokenValue = useInvalidToken ? "invalid" + token.getToken() : token.getToken();
        // Keep the CsrfToken shape (token, headerName, parameterName) but carry the
        // chosen value, so that invalidToken() really yields a mismatching token.
        CsrfToken exposed = new DefaultCsrfToken(token.getHeaderName(), token.getParameterName(), tokenValue);

        if (asHeader) {
            request.setAttribute(token.getHeaderName(), exposed);
        }
        else {
            request.setAttribute(token.getParameterName(), exposed);
        }
        return request;
    }

    public RequestPostProcessor invalidToken() {
        this.useInvalidToken = true;
        return this;
    }

    public RequestPostProcessor asHeader() {
        this.asHeader = true;
        return this;
    }

    public static CsrfRequestPostProcessor csrf() {
        return new CsrfRequestPostProcessor();
    }
}
```
You can use this class directly in MockMvc:

```java
mockMvc.perform(
        get("/security/winsso")
            .with(CsrfRequestPostProcessor.csrf())
            .param("xxx", XXX)
            .param("yyy", YYY))
    .andExpect(status().isOk());
```

Be careful with asHeader if you use the header option in Thymeleaf.
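The point both answers turn on is the difference between a token that exists only in the session or as a request parameter, and a CsrfToken object stored as a request attribute, which is what `${_csrf.token}` in the template actually resolves. The following JUnit 4 test is an added example, not code from the question or from either answer: it reproduces the question's setup (token only in the session) next to an attribute-based post processor, using a small hypothetical controller (`HeadController`, path `/head`) as a stand-in for the Thymeleaf layout and `HttpSessionCsrfTokenRepository` directly instead of `WebTestUtils`, so it runs under `standaloneSetup` without a Spring Security filter chain. The package and class names are placeholders.

```java
package example; // hypothetical package name

import static org.hamcrest.CoreMatchers.containsString;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import javax.servlet.http.HttpServletRequest;

import org.junit.Before;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.stereotype.Controller;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.RequestPostProcessor;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

public class CsrfRequestAttributeTest {

    /**
     * Hypothetical controller standing in for the Thymeleaf layout: it reads the
     * "_csrf" REQUEST attribute, which is what ${_csrf.token} resolves to, and
     * writes out the same two meta tags the template would.
     */
    @Controller
    static class HeadController {
        @RequestMapping(value = "/head", method = RequestMethod.GET)
        @ResponseBody
        public String head(HttpServletRequest request) {
            Object csrf = request.getAttribute("_csrf");
            if (!(csrf instanceof CsrfToken)) {
                // the template sees null here and fails on "_csrf.token"
                return "no-csrf-attribute";
            }
            CsrfToken token = (CsrfToken) csrf;
            return "<meta name=\"_csrf\" content=\"" + token.getToken() + "\"/>"
                 + "<meta name=\"_csrf_header\" content=\"" + token.getHeaderName() + "\"/>";
        }
    }

    /**
     * Exposes a CsrfToken under the two request attributes that CsrfFilter itself
     * sets on every request (CsrfToken.class.getName() and the parameter name,
     * "_csrf" by default). The session repository is used directly so that no
     * security filter chain is needed.
     */
    static RequestPostProcessor csrfAttribute() {
        final HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        return new RequestPostProcessor() {
            @Override
            public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
                CsrfToken token = repository.generateToken(request);
                repository.saveToken(token, request, new MockHttpServletResponse());
                request.setAttribute(CsrfToken.class.getName(), token);
                request.setAttribute(token.getParameterName(), token);
                return request;
            }
        };
    }

    private MockMvc mockMvc;

    @Before
    public void setUp() {
        mockMvc = MockMvcBuilders.standaloneSetup(new HeadController()).build();
    }

    @Test
    public void requestAttributeIsWhatTheViewNeeds() throws Exception {
        mockMvc.perform(get("/head").with(csrfAttribute()))
               .andExpect(status().isOk())
               .andExpect(content().string(containsString("name=\"_csrf\" content=\"")))
               .andExpect(content().string(containsString("name=\"_csrf_header\" content=\"X-CSRF-TOKEN\"")));
    }

    @Test
    public void sessionAttributeAloneIsNotEnough() throws Exception {
        // Same setup as the question: the token is generated and stored only in the session
        CsrfToken token = new HttpSessionCsrfTokenRepository().generateToken(new MockHttpServletRequest());
        MockHttpSession session = new MockHttpSession();
        session.setAttribute("_csrf", token);

        mockMvc.perform(get("/head").session(session))
               .andExpect(status().isOk())
               .andExpect(content().string("no-csrf-attribute"));
    }
}
```

The attribute-only processor satisfies the view layer and nothing else: under the real filter chain, CsrfFilter still validates a state-changing request against the token it finds in the `_csrf` parameter or the header, which is what `csrf()` from SecurityMockMvcRequestPostProcessors supplies. A test that both renders the page and submits a form through the security filters therefore needs the token in both places, and a test that only checks rendering needs only the attribute.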