How to disable crsf protection in @WebFluxTest?

Question

Why am I receiving a 403 FORBIDDEN for the following test?

@RestController
public class MyServlet {
    @PostMapping("/")
    public Mono<String> accept(Authentication authentication) {}
}


@WebFluxTest(MyServlet.class)
@WithMockUser
public class MyServletTest {
    @Autowired
    private WebTestClient webClient;

    @Test
    public void test() {
        webClient.post().url("/")
            .exchange()
            .expectStatus().isOk();
    }
}

Result:

java.lang.AssertionError: Status expected:<200 OK> but was:<403 FORBIDDEN>

> POST /
> WebTestClient-Request-Id: [1]
> Content-Type: [application/json]

No content

< 403 FORBIDDEN Forbidden
< Content-Type: [text/plain]
< Cache-Control: [no-cache, no-store, max-age=0, must-revalidate]
< Pragma: [no-cache]
< Expires: [0]
< X-Content-Type-Options: [nosniff]
< X-Frame-Options: [DENY]
< X-XSS-Protection: [1 ; mode=block]
< Referrer-Policy: [no-referrer]

CSRF Token has been associated to this client

As far as I know, @WebFluxTest disables csrf. So why is it complaining?

membersound · Accepted Answer · 2022-09-19T20:24:36.393

12

webClient.mutateWith(SecurityMockServerConfigurers.csrf()).post()...;

edited Sep 19 '22 at 20:24

answered Mar 12 '20 at 11:24

membersound

81,582
193
585
1,120

5

SecurityMockServerConfigurers.csrf() – nagy.zsolt.hun Jul 20 '20 at 22:12

score 11 · Answer 2 · answered Apr 20 '20 at 14:54

This is happening because you probably have spring-boot-starter-security in your classpath. You need to create a config:

@Configuration
@EnableWebFluxSecurity
public class WebFluxSecurityConfig {
  @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    return http.csrf().disable().build();
  }
}

and import it into your test with

@Import(WebFluxSecurityConfig.class)

Apparently the SecurityConfig is not loaded by default in @WebFluxTest.

I found the solution here: https://github.com/spring-projects/spring-boot/issues/16088

ah thank-you, it wasn't imported the config when i had the @Profile({"local", "test" ... }) — ASH, Jul 22 '21 at 15:11

score 0 · Answer 3 · answered Jun 26 '21 at 19:16

0

You can load the default configuration using @SpringBootTest together with @AutoConfigureWebTestClient to have the test client configured and injected. Put both annotations on your test class.

answered Jun 26 '21 at 19:16

aix

1,063
2
13
24

score 0 · Answer 4 · answered Feb 16 '22 at 09:55

The root cause of this is because you have got spring-security dependency in your classpath.

In my case, it was Spring Reactive application, and the Security Configs is applied by creating a bean and annotate it with @EnableWebFluxSecurity

  @Configuration
   @EnableWebFluxSecurity
   public class SecurityConfig {
   
@Bean
  public SecurityWebFilterChain securityWebFilterChain(final ServerHttpSecurity http) {
    http.oauth2Client();
    return http.authorizeExchange().anyExchange().permitAll().and().build();
  }
}

So, by default the nature of SpringSecurity config, CSRF will be enabled. Now we have to decide the solution based on the question "Do you need CSRF enabled for your application?" If the answer is yes then your test should also use csrf which can be done by webClient.mutateWith(csrf()).post() If csrf is not required to be enabled, then disable it by http.authorizeExchange().anyExchange().permitAll().and().csrf().disable().build();

That should help you with the issue.

How to disable crsf protection in @WebFluxTest?

4 Answers4