
Mock Jwt should ensure that CSRF is not required #7170

Closed
jzheaux opened this issue Jul 31, 2019 · 0 comments

jzheaux commented Jul 31, 2019

According to #7118, when using jwt() (Servlet) or mockJwt() (WebFlux) test support, a tester must also provide a CSRF token.

This is because the CSRF token is lifted when a bearer token header is present in the request.

But, when using jwt() or mockJwt(), no bearer token header is provided as it's unnecessary.

In order to align with the expected behavior of resource server endpoints, when jwt() or mockJwt() is used, the tester should not also have to supply a CSRF token.

jzheaux added the labels "type: enhancement" (A general enhancement) and "in: oauth2" (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) Jul 31, 2019
jzheaux added this to the 5.2.0.M4 milestone Jul 31, 2019
jzheaux self-assigned this Jul 31, 2019
jzheaux modified the milestones: 5.2.0.M4, 5.2.0.RC1 Aug 5, 2019
henriquels25 added a commit to henriquels25/spring-security that referenced this issue Aug 18, 2019
Changes the JwtRequestPostProcessor to remove
the check for a CSRF token in the request.

Fixes spring-projectsgh-7170
jzheaux added a commit to jzheaux/spring-security that referenced this issue Sep 5, 2019
@jzheaux jzheaux modified the milestones: 5.2.0.RC1, 5.2.0 Sep 5, 2019
jzheaux added a commit that referenced this issue Sep 16, 2019
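
The behaviour this issue asks for, written as a MockMvc test. This is an added example, not code from the issue or from the Spring Security repository; it assumes Spring Security 5.2.x with spring-security-test, Spring MVC and JUnit 5, and `JwtCsrfTest`, `Config`, `MessageController` and the `/messages` path are hypothetical names.

```java
// Added example (assumed names; assumes Spring Security 5.2.x, spring-security-test, JUnit 5).
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.*;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.test.context.junit.jupiter.web.SpringJUnitWebConfig;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;

@SpringJUnitWebConfig(JwtCsrfTest.Config.class)
class JwtCsrfTest {
    @Autowired WebApplicationContext context;
    MockMvc mvc;

    @BeforeEach void setUp() {
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }
    @Test // behaviour requested here: jwt() alone suffices, no .with(csrf()) needed
    void postWithMockJwtNeedsNoCsrfToken() throws Exception {
        mvc.perform(post("/messages").with(jwt())).andExpect(status().isOk());
    }
    @Test // neither a bearer token header nor a mock JWT: CSRF protection still applies
    void postWithoutAnyTokenIsForbidden() throws Exception {
        mvc.perform(post("/messages")).andExpect(status().isForbidden());
    }

    @EnableWebSecurity @EnableWebMvc
    static class Config extends WebSecurityConfigurerAdapter {
        @Override protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated()
                .and().oauth2ResourceServer().jwt();
        }
        @Bean JwtDecoder jwtDecoder() { // required by the config, never called in these tests
            return token -> { throw new JwtException("not used in this test"); };
        }
        @Bean MessageController messageController() { return new MessageController(); }
    }
    @RestController
    static class MessageController {
        @PostMapping("/messages") public String create() { return "ok"; }
    }
}
```

The second test is the guard worth keeping next to the first: it checks that relaxing CSRF for `jwt()` in tests did not also relax it for state-changing requests that carry no token at all.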