response.addCookie(createCookie(csrfState, timeoutInSeconds));
}
- public void removeState(HttpServletResponse response){
- response.addCookie(createCookie(null, 0));
- }
-
private static boolean shouldRequestBeChecked(HttpServletRequest request) {
if (UPDATE_METHODS.contains(request.getMethod())) {
String path = request.getRequestURI().replaceFirst(request.getContextPath(), "");
if (userDto.isPresent()) {
return userDto;
}
- removeToken(response);
return Optional.empty();
}
jwtCsrfVerifier.refreshState(response, (String) token.get(CSRF_JWT_PARAM), sessionTimeoutInSeconds);
}
- void removeToken(HttpServletResponse response) {
- response.addCookie(createCookie(JWT_COOKIE, null, 0));
- jwtCsrfVerifier.removeState(response);
- }
-
private Cookie createCookie(String name, @Nullable String value, int expirationInSeconds) {
Cookie cookie = new Cookie(name, value);
cookie.setPath("/");
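Review bot: Once `removeToken(response)` is dropped before `return Optional.empty()` and the method itself is deleted, a JWT-SESSION cookie that failed decoding (and the XSRF-TOKEN that `jwtCsrfVerifier.removeState` used to clear alongside it) is left in the browser and will keep being presented and rejected until its own expiry; nothing left in this class can evict it. That is defensible only if the stale cookie is harmless server-side and some other path — presumably logout, which is not in this diff — still clears both cookies, so that path is worth confirming before merging. The intent should be stated where the call used to be, e.g. `// Invalid or stale token: intentionally NOT cleared here; only the logout path removes the cookie` (adjust if the real reason is a refresh race between concurrent requests, which is my guess rather than something the diff shows). `validateToken` starts above the hunk.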
setUserSession(request, response);
return true;
} catch (UnauthorizedException e) {
- jwtHttpHandler.removeToken(response);
response.setStatus(HTTP_UNAUTHORIZED);
if (isWsUrl(path)) {
return false;
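Review bot: After `catch (UnauthorizedException e)` the method now only sets 401 and, for non-WS URLs, falls through past the hunk (the sibling tests expect `true` there), so a rejected JWT-SESSION cookie rides along on a request that is allowed to continue with no cleanup at all; say so explicitly, or a reader will assume the removed `jwtHttpHandler.removeToken` call was lost by accident. A one-line comment in the catch block would do: `// Rejected token: 401 is set but the cookie is deliberately kept; WS calls stop here, other requests continue without a user session.` The "without a user session" half is inferred from `verifyZeroInteractions(userSession)` in the test diff rather than visible here, so word it to match what the non-WS branch actually does. `initUserSession` begins and ends outside this hunk.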
verifyCookie(cookieArgumentCaptor.getValue(), true);
}
- @Test
- public void remove_state() throws Exception {
- when(server.isSecured()).thenReturn(true);
-
- underTest.removeState(response);
-
- verify(response).addCookie(cookieArgumentCaptor.capture());
- Cookie cookie = cookieArgumentCaptor.getValue();
- assertThat(cookie.getValue()).isNull();
- assertThat(cookie.getMaxAge()).isEqualTo(0);
- }
-
private void verifyCookie(Cookie cookie, boolean isSecured) {
assertThat(cookie.getName()).isEqualTo("XSRF-TOKEN");
assertThat(cookie.getValue()).isNotEmpty();
assertThat(cookie.getSecure()).isEqualTo(isSecured);
}
- private void mockPostJavaWsRequest(){
+ private void mockPostJavaWsRequest() {
when(request.getRequestURI()).thenReturn(JAVA_WS_URL);
when(request.getMethod()).thenReturn("POST");
}
- private void mockRequestCsrf(String csrfState){
+ private void mockRequestCsrf(String csrfState) {
when(request.getHeader("X-XSRF-TOKEN")).thenReturn(csrfState);
}
- private void executeVerifyStateDoesNotFailOnRequest(String uri, String method){
+ private void executeVerifyStateDoesNotFailOnRequest(String uri, String method) {
when(request.getRequestURI()).thenReturn(uri);
when(request.getMethod()).thenReturn(method);
}
@Test
- public void validate_token_removes_session_when_disconnected_timeout_is_reached() throws Exception {
+ public void validate_token_does_not_refresh_session_when_disconnected_timeout_is_reached() throws Exception {
addJwtCookie();
// Token was created 4 months ago, refreshed 4 minutes ago, and it expired in 5 minutes
when(jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(claims));
assertThat(underTest.validateToken(request, response).isPresent()).isFalse();
-
- verifyCookie(findCookie("JWT-SESSION").get(), null, 0);
}
@Test
- public void validate_token_removes_session_when_user_is_disabled() throws Exception {
+ public void validate_token_does_not_refresh_session_when_user_is_disabled() throws Exception {
addJwtCookie();
UserDto user = addUser(false);
when(jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(claims));
assertThat(underTest.validateToken(request, response).isPresent()).isFalse();
-
- verifyCookie(findCookie("JWT-SESSION").get(), null, 0);
}
@Test
- public void validate_token_removes_session_when_token_is_no_more_valid() throws Exception {
+ public void validate_token_does_not_refresh_session_when_token_is_no_more_valid() throws Exception {
addJwtCookie();
when(jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.empty());
assertThat(underTest.validateToken(request, response).isPresent()).isFalse();
-
- verifyCookie(findCookie("JWT-SESSION").get(), null, 0);
}
@Test
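Review bot: The three renamed tests assert only `isPresent()).isFalse()`; none verifies what their new names promise — that the session is not refreshed — so a regression that calls `jwtCsrfVerifier.refreshState` or re-adds a cookie on the invalid-token path would still pass, and the deleted `verifyCookie(..., null, 0)` lines were the only checks on `response`. End each of them with a negative verification, `verifyZeroInteractions(jwtCsrfVerifier);` and `verify(response, never()).addCookie(any(Cookie.class));` (static imports for `never`/`any` may need adding if the file lacks them). The disabled-user test also declares `UserDto user = addUser(false);` and never reads it; either assert on it or drop the local.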
verify(jwtCsrfVerifier).refreshState(response, "CSRF_STATE", 3 * 24 * 60 * 60);
}
- @Test
- public void validate_token_remove_state_when_removing_token() throws Exception {
- addJwtCookie();
- // Token is invalid => it will be removed
- when(jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.empty());
-
- underTest.validateToken(request, response);
-
- verifyCookie(findCookie("JWT-SESSION").get(), null, 0);
- verify(jwtCsrfVerifier).removeState(response);
- }
-
- @Test
- public void remove_token() throws Exception {
- underTest.removeToken(response);
-
- verifyCookie(findCookie("JWT-SESSION").get(), null, 0);
- verify(jwtCsrfVerifier).removeState(response);
- }
-
private void verifyToken(JwtSerializer.JwtSession token, int expectedExpirationTime, long expectedRefreshTime) {
assertThat(token.getExpirationTimeInSeconds()).isEqualTo(expectedExpirationTime);
assertThat(token.getUserLogin()).isEqualTo(USER_LOGIN);
assertThat(underTest.initUserSession(request, response)).isTrue();
verify(response).setStatus(401);
+ verifyZeroInteractions(userSession);
}
@Test
assertThat(underTest.initUserSession(request, response)).isTrue();
verify(response).setStatus(401);
+ verifyZeroInteractions(userSession);
}
@Test
assertThat(underTest.initUserSession(request, response)).isFalse();
verify(response).setStatus(401);
+ verifyZeroInteractions(userSession);
}
@Test
assertThat(underTest.initUserSession(request, response)).isFalse();
verify(response).setStatus(401);
+ verifyZeroInteractions(userSession);
}
@Test