Removes the need for a CSRF token with mock JWT

Changes the JwtRequestPostProcessor to remove
the check for a CSRF token in the request.

Fixes gh-7170

Author: henriquels25

samples/boot/oauth2resourceserver/src/test/java/sample/OAuth2ResourceServerControllerTests.java

@@ -25,16 +25,13 @@
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
-import org.springframework.security.oauth2.jwt.Jwt;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.Mockito.when;
 
 /**
  *
@@ -77,41 +74,32 @@ public void messageCanNotBeReadWithoutScopeMessageReadAuthority() throws Excepti
 
 	@Test
 	public void messageCanNotBeCreatedWithoutAnyScope() throws Exception {
-		Jwt jwt = Jwt.withTokenValue("token")
-				.header("alg", "none")
-				.claim("scope", "")
-				.build();
-		when(jwtDecoder.decode(anyString())).thenReturn(jwt);
 		mockMvc.perform(post("/message")
 				.content("Hello message")
-				.header("Authorization", "Bearer " + jwt.getTokenValue()))
+				.with(jwt(jwt -> jwt.claim("scope", "message:read"))))
 				.andExpect(status().isForbidden());
 	}
 
 	@Test
 	public void messageCanNotBeCreatedWithScopeMessageReadAuthority() throws Exception {
-		Jwt jwt = Jwt.withTokenValue("token")
-				.header("alg", "none")
-				.claim("scope", "message:read")
-				.build();
-		when(jwtDecoder.decode(anyString())).thenReturn(jwt);
 		mockMvc.perform(post("/message")
-				.content("Hello message")
-				.header("Authorization", "Bearer " + jwt.getTokenValue()))
+				.with(jwt(jwt -> jwt.claim("scope", "message:read")))
+				.content("Hello message"))
 				.andExpect(status().isForbidden());
 	}
 
 	@Test
 	public void messageCanBeCreatedWithScopeMessageWriteAuthority()
 			throws Exception {
-		Jwt jwt = Jwt.withTokenValue("token")
-				.header("alg", "none")
-				.claim("scope", "message:write")
-				.build();
-		when(jwtDecoder.decode(anyString())).thenReturn(jwt);
 		mockMvc.perform(post("/message")
-				.content("Hello message")
-				.header("Authorization", "Bearer " + jwt.getTokenValue()))
+				.with(jwt(jwt -> jwt.claim("scope", "message:write")))
+				.content("Hello message"))
+				.andExpect(status().isOk())
+				.andExpect(content().string(is("Message was created. Content: Hello message")));
+
+		mockMvc.perform(post("/message")
+				.with(jwt().authorities(new SimpleGrantedAuthority(("SCOPE_message:write"))))
+				.content("Hello message"))
 				.andExpect(status().isOk())
 				.andExpect(content().string(is("Message was created. Content: Hello message")));
 	}

test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java

@@ -1043,6 +1043,7 @@ public JwtRequestPostProcessor authorities(Converter<Jwt, Collection<GrantedAuth
 
 		@Override
 		public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
+			WebTestUtils.setCsrfRequestMatcher(request, r -> false);
 			JwtAuthenticationToken token = new JwtAuthenticationToken(this.jwt, this.authorities);
 			return new AuthenticationRequestPostProcessor(token).postProcessRequest(request);
 		}

test/src/main/java/org/springframework/security/test/web/support/WebTestUtils.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,6 +30,7 @@
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
@@ -114,6 +115,21 @@ public static void setCsrfTokenRepository(HttpServletRequest request,
 		}
 	}
 
+	/**
+	 * Sets the {@link RequestMatcher} for the specified {@link HttpServletRequest}.
+	 *
+	 * @param request the {@link RequestMatcher} to obtain the
+	 * {@link RequestMatcher}
+	 * @param requestMatcher the {@link RequestMatcher} to set
+	 */
+	public static void setCsrfRequestMatcher(HttpServletRequest request,
+			RequestMatcher requestMatcher) {
+		CsrfFilter filter = findFilter(request, CsrfFilter.class);
+		if (filter != null) {
+			filter.setRequireCsrfProtectionMatcher(requestMatcher);
+		}
+	}
+
 	@SuppressWarnings("unchecked")
 	static <T extends Filter> T findFilter(HttpServletRequest request,
 			Class<T> filterClass) {