spring-boot/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/web/secure/SampleSecureApplicationTest...

/*
 * Copyright 2012-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package sample.web.secure;

import java.util.Arrays;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.test.IntegrationTest;
import org.springframework.boot.test.SpringApplicationConfiguration;
import org.springframework.boot.test.TestRestTemplate;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.test.annotation.DirtiesContext;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;

import sample.web.secure.SampleWebSecureApplication;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

/**
 * Basic integration tests for demo application.
 *
 * @author Dave Syer
 */
@RunWith(SpringJUnit4ClassRunner.class)
@SpringApplicationConfiguration(classes = SampleWebSecureApplication.class)
@WebAppConfiguration
@IntegrationTest("server.port:0")
@DirtiesContext
public class SampleSecureApplicationTests {

	@Value("${local.server.port}")
	private int port;

	@Test
	public void testHome() throws Exception {
		HttpHeaders headers = new HttpHeaders();
		headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));
		ResponseEntity<String> entity = new TestRestTemplate().exchange(
				"http://localhost:" + this.port, HttpMethod.GET, new HttpEntity<Void>(
						headers), String.class);
		assertEquals(HttpStatus.FOUND, entity.getStatusCode());
		assertTrue("Wrong location:\n" + entity.getHeaders(), entity.getHeaders()
				.getLocation().toString().endsWith(port + "/login"));
	}

	@Test
	public void testLoginPage() throws Exception {
		HttpHeaders headers = new HttpHeaders();
		headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));
		ResponseEntity<String> entity = new TestRestTemplate().exchange(
				"http://localhost:" + this.port + "/login", HttpMethod.GET,
				new HttpEntity<Void>(headers), String.class);
		assertEquals(HttpStatus.OK, entity.getStatusCode());
		assertTrue("Wrong content:\n" + entity.getBody(),
				entity.getBody().contains("_csrf"));
	}

	@Test
	public void testLogin() throws Exception {
		HttpHeaders headers = getHeaders();
		headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));
		headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
		MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
		form.set("username", "user");
		form.set("password", "user");
		ResponseEntity<String> entity = new TestRestTemplate().exchange(
				"http://localhost:" + this.port + "/login", HttpMethod.POST,
				new HttpEntity<MultiValueMap<String, String>>(form, headers),
				String.class);
		assertEquals(HttpStatus.FOUND, entity.getStatusCode());
		assertTrue("Wrong location:\n" + entity.getHeaders(), entity.getHeaders()
				.getLocation().toString().endsWith(port + "/"));
		assertNotNull("Missing cookie:\n" + entity.getHeaders(),
				entity.getHeaders().get("Set-Cookie"));
	}

	private HttpHeaders getHeaders() {
		HttpHeaders headers = new HttpHeaders();
		ResponseEntity<String> page = new TestRestTemplate().getForEntity(
				"http://localhost:" + this.port + "/login", String.class);
		assertEquals(HttpStatus.OK, page.getStatusCode());
		String cookie = page.getHeaders().getFirst("Set-Cookie");
		headers.set("Cookie", cookie);
		Matcher matcher = Pattern.compile("(?s).*name=\"_csrf\".*?value=\"([^\"]+).*")
				.matcher(page.getBody());
		assertTrue("No csrf token: " + page.getBody(), matcher.matches());
		headers.set("X-CSRF-TOKEN", matcher.group(1));
		return headers;
	}

	@Test
	public void testCss() throws Exception {
		ResponseEntity<String> entity = new TestRestTemplate().getForEntity(
				"http://localhost:" + this.port + "/css/bootstrap.min.css", String.class);
		assertEquals(HttpStatus.OK, entity.getStatusCode());
		assertTrue("Wrong body:\n" + entity.getBody(), entity.getBody().contains("body"));
	}

}
Add sample with form login 2013-11-01 18:45:54 +08:00			`/*`
Polish copyright headers 2015-06-24 01:22:14 +08:00			`* Copyright 2012-2015 the original author or authors.`
Add sample with form login 2013-11-01 18:45:54 +08:00			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

Polish sample package names 2015-06-23 15:47:12 +08:00			`package sample.web.secure;`
Add sample with form login 2013-11-01 18:45:54 +08:00
			`import java.util.Arrays;`
Man up and deal with CSRF in integration test Fixes gh-979 2014-05-30 15:21:57 +08:00			`import java.util.regex.Matcher;`
			`import java.util.regex.Pattern;`
Add sample with form login 2013-11-01 18:45:54 +08:00
			`import org.junit.Test;`
Convert all sample tests to @IntegrationTest where appropriate Makes them a lot more readable IMO, and also enables @Autowiring from the context into the test case (sweeet). I added @DirtiesContext to all of them as well to be on the safe side, but possbly that can be optimized in some way as well. 2014-03-11 21:54:30 +08:00			`import org.junit.runner.RunWith;`
Convert remaining samples to use random port Partial fix for gh-337. See also gh-607 which complements this, but might conflict on a merge. 2014-04-18 11:25:50 +08:00			`import org.springframework.beans.factory.annotation.Value;`
Convert all sample tests to @IntegrationTest where appropriate Makes them a lot more readable IMO, and also enables @Autowiring from the context into the test case (sweeet). I added @DirtiesContext to all of them as well to be on the safe side, but possbly that can be optimized in some way as well. 2014-03-11 21:54:30 +08:00			`import org.springframework.boot.test.IntegrationTest;`
			`import org.springframework.boot.test.SpringApplicationConfiguration;`
Polish 2014-04-23 16:42:10 +08:00			`import org.springframework.boot.test.TestRestTemplate;`
Add sample with form login 2013-11-01 18:45:54 +08:00			`import org.springframework.http.HttpEntity;`
			`import org.springframework.http.HttpHeaders;`
			`import org.springframework.http.HttpMethod;`
			`import org.springframework.http.HttpStatus;`
			`import org.springframework.http.MediaType;`
			`import org.springframework.http.ResponseEntity;`
Convert all sample tests to @IntegrationTest where appropriate Makes them a lot more readable IMO, and also enables @Autowiring from the context into the test case (sweeet). I added @DirtiesContext to all of them as well to be on the safe side, but possbly that can be optimized in some way as well. 2014-03-11 21:54:30 +08:00			`import org.springframework.test.annotation.DirtiesContext;`
			`import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;`
			`import org.springframework.test.context.web.WebAppConfiguration;`
Adjust security.basic.enabled=false behaviour Actually the web-secure sample is misusing security.basic.enabled=false (IMO) - it should be a flag to say that you want to temporarily disable the basic security fallback on application endpoins, not way to disable all security autoconfiguration. Added test case to web-secure sample to ensure a user can log in. Fixes gh-979 2014-05-29 20:20:20 +08:00			`import org.springframework.util.LinkedMultiValueMap;`
			`import org.springframework.util.MultiValueMap;`
Polish 2014-03-15 07:17:08 +08:00
Polish sample package names 2015-06-23 15:47:12 +08:00			`import sample.web.secure.SampleWebSecureApplication;`
Formatting and cleanup 2014-06-27 00:41:15 +08:00			`import static org.junit.Assert.assertEquals;`
			`import static org.junit.Assert.assertNotNull;`
			`import static org.junit.Assert.assertTrue;`

Add sample with form login 2013-11-01 18:45:54 +08:00			`/**`
			`* Basic integration tests for demo application.`
Remote trailing whitespace 2014-07-03 05:43:43 +08:00			`*`
Add sample with form login 2013-11-01 18:45:54 +08:00			`* @author Dave Syer`
			`*/`
Convert all sample tests to @IntegrationTest where appropriate Makes them a lot more readable IMO, and also enables @Autowiring from the context into the test case (sweeet). I added @DirtiesContext to all of them as well to be on the safe side, but possbly that can be optimized in some way as well. 2014-03-11 21:54:30 +08:00			`@RunWith(SpringJUnit4ClassRunner.class)`
Add a @EnableWebSecurity if it looks like the user needs one If the user explicitly disables the basic security features and forgets to @EnableWebSecurity, and yet still wants a bean of type WebSecurityConfigurerAdapter, he is trying to use a custom security setup and the app would fail in a confusing way without this change. Fixes gh-568 2014-03-25 20:16:31 +08:00			`@SpringApplicationConfiguration(classes = SampleWebSecureApplication.class)`
Convert all sample tests to @IntegrationTest where appropriate Makes them a lot more readable IMO, and also enables @Autowiring from the context into the test case (sweeet). I added @DirtiesContext to all of them as well to be on the safe side, but possbly that can be optimized in some way as well. 2014-03-11 21:54:30 +08:00			`@WebAppConfiguration`
Man up and deal with CSRF in integration test Fixes gh-979 2014-05-30 15:21:57 +08:00			`@IntegrationTest("server.port:0")`
Convert all sample tests to @IntegrationTest where appropriate Makes them a lot more readable IMO, and also enables @Autowiring from the context into the test case (sweeet). I added @DirtiesContext to all of them as well to be on the safe side, but possbly that can be optimized in some way as well. 2014-03-11 21:54:30 +08:00			`@DirtiesContext`
Add sample with form login 2013-11-01 18:45:54 +08:00			`public class SampleSecureApplicationTests {`

Convert remaining samples to use random port Partial fix for gh-337. See also gh-607 which complements this, but might conflict on a merge. 2014-04-18 11:25:50 +08:00			`@Value("${local.server.port}")`
			`private int port;`

Add sample with form login 2013-11-01 18:45:54 +08:00			`@Test`
			`public void testHome() throws Exception {`
			`HttpHeaders headers = new HttpHeaders();`
			`headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));`
Rename RestTemplates to TestRestTemplate Rename the RestTemplates to TestRestTemplate to help indicate that it's primarily intended for testing. Also now extend RestTemplate to allow direct use, rather than via factory methods. Fixes gh-599 2014-03-28 02:04:20 +08:00			`ResponseEntity<String> entity = new TestRestTemplate().exchange(`
Polish 2014-04-23 16:42:10 +08:00			`"http://localhost:" + this.port, HttpMethod.GET, new HttpEntity<Void>(`
			`headers), String.class);`
Man up and deal with CSRF in integration test Fixes gh-979 2014-05-30 15:21:57 +08:00			`assertEquals(HttpStatus.FOUND, entity.getStatusCode());`
Formatting and cleanup 2014-06-27 00:41:15 +08:00			`assertTrue("Wrong location:\n" + entity.getHeaders(), entity.getHeaders()`
			`.getLocation().toString().endsWith(port + "/login"));`
Adjust security.basic.enabled=false behaviour Actually the web-secure sample is misusing security.basic.enabled=false (IMO) - it should be a flag to say that you want to temporarily disable the basic security fallback on application endpoins, not way to disable all security autoconfiguration. Added test case to web-secure sample to ensure a user can log in. Fixes gh-979 2014-05-29 20:20:20 +08:00			`}`

Optimized login form - delegated CSRF token creation to thymeleaf Also added additional test to verify behaviour. Fixes gh-1039 2014-06-05 22:11:03 +08:00			`@Test`
			`public void testLoginPage() throws Exception {`
			`HttpHeaders headers = new HttpHeaders();`
			`headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));`
			`ResponseEntity<String> entity = new TestRestTemplate().exchange(`
Formatting and cleanup 2014-06-27 00:41:15 +08:00			`"http://localhost:" + this.port + "/login", HttpMethod.GET,`
			`new HttpEntity<Void>(headers), String.class);`
Optimized login form - delegated CSRF token creation to thymeleaf Also added additional test to verify behaviour. Fixes gh-1039 2014-06-05 22:11:03 +08:00			`assertEquals(HttpStatus.OK, entity.getStatusCode());`
			`assertTrue("Wrong content:\n" + entity.getBody(),`
			`entity.getBody().contains("_csrf"));`
			`}`

Adjust security.basic.enabled=false behaviour Actually the web-secure sample is misusing security.basic.enabled=false (IMO) - it should be a flag to say that you want to temporarily disable the basic security fallback on application endpoins, not way to disable all security autoconfiguration. Added test case to web-secure sample to ensure a user can log in. Fixes gh-979 2014-05-29 20:20:20 +08:00			`@Test`
			`public void testLogin() throws Exception {`
Man up and deal with CSRF in integration test Fixes gh-979 2014-05-30 15:21:57 +08:00			`HttpHeaders headers = getHeaders();`
Adjust security.basic.enabled=false behaviour Actually the web-secure sample is misusing security.basic.enabled=false (IMO) - it should be a flag to say that you want to temporarily disable the basic security fallback on application endpoins, not way to disable all security autoconfiguration. Added test case to web-secure sample to ensure a user can log in. Fixes gh-979 2014-05-29 20:20:20 +08:00			`headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));`
			`headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);`
			`MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();`
			`form.set("username", "user");`
Add JDBC user details to web-secure sample See gh-1115 2014-06-18 18:57:11 +08:00			`form.set("password", "user");`
Adjust security.basic.enabled=false behaviour Actually the web-secure sample is misusing security.basic.enabled=false (IMO) - it should be a flag to say that you want to temporarily disable the basic security fallback on application endpoins, not way to disable all security autoconfiguration. Added test case to web-secure sample to ensure a user can log in. Fixes gh-979 2014-05-29 20:20:20 +08:00			`ResponseEntity<String> entity = new TestRestTemplate().exchange(`
			`"http://localhost:" + this.port + "/login", HttpMethod.POST,`
			`new HttpEntity<MultiValueMap<String, String>>(form, headers),`
			`String.class);`
			`assertEquals(HttpStatus.FOUND, entity.getStatusCode());`
Formatting and cleanup 2014-06-27 00:41:15 +08:00			`assertTrue("Wrong location:\n" + entity.getHeaders(), entity.getHeaders()`
			`.getLocation().toString().endsWith(port + "/"));`
Adjust security.basic.enabled=false behaviour Actually the web-secure sample is misusing security.basic.enabled=false (IMO) - it should be a flag to say that you want to temporarily disable the basic security fallback on application endpoins, not way to disable all security autoconfiguration. Added test case to web-secure sample to ensure a user can log in. Fixes gh-979 2014-05-29 20:20:20 +08:00			`assertNotNull("Missing cookie:\n" + entity.getHeaders(),`
			`entity.getHeaders().get("Set-Cookie"));`
Add sample with form login 2013-11-01 18:45:54 +08:00			`}`

Man up and deal with CSRF in integration test Fixes gh-979 2014-05-30 15:21:57 +08:00			`private HttpHeaders getHeaders() {`
			`HttpHeaders headers = new HttpHeaders();`
			`ResponseEntity<String> page = new TestRestTemplate().getForEntity(`
			`"http://localhost:" + this.port + "/login", String.class);`
			`assertEquals(HttpStatus.OK, page.getStatusCode());`
			`String cookie = page.getHeaders().getFirst("Set-Cookie");`
			`headers.set("Cookie", cookie);`
Formatting and cleanup 2014-06-27 00:41:15 +08:00			`Matcher matcher = Pattern.compile("(?s).name=\"_csrf\".?value=\"([^\"]+).*")`
			`.matcher(page.getBody());`
Man up and deal with CSRF in integration test Fixes gh-979 2014-05-30 15:21:57 +08:00			`assertTrue("No csrf token: " + page.getBody(), matcher.matches());`
			`headers.set("X-CSRF-TOKEN", matcher.group(1));`
			`return headers;`
			`}`

Add sample with form login 2013-11-01 18:45:54 +08:00			`@Test`
			`public void testCss() throws Exception {`
Rename RestTemplates to TestRestTemplate Rename the RestTemplates to TestRestTemplate to help indicate that it's primarily intended for testing. Also now extend RestTemplate to allow direct use, rather than via factory methods. Fixes gh-599 2014-03-28 02:04:20 +08:00			`ResponseEntity<String> entity = new TestRestTemplate().getForEntity(`
Polish 2014-04-23 16:42:10 +08:00			`"http://localhost:" + this.port + "/css/bootstrap.min.css", String.class);`
Add sample with form login 2013-11-01 18:45:54 +08:00			`assertEquals(HttpStatus.OK, entity.getStatusCode());`
			`assertTrue("Wrong body:\n" + entity.getBody(), entity.getBody().contains("body"));`
			`}`

			`}`