Optimized login form - delegated CSRF token creation to thymeleaf

Also added additional test to verify behaviour. Fixes gh-1039
2024-09-03 04:26:12 +08:00 · 2014-06-05 16:11:03 +02:00 · 2014-06-05 16:11:03 +02:00 · b7d94d1364
commit b7d94d1364
parent aa30fdba18
3 changed files with 16 additions and 6 deletions
--- a/spring-boot-samples/spring-boot-sample-web-method-security/src/main/resources/templates/login.html
+++ b/spring-boot-samples/spring-boot-sample-web-method-security/src/main/resources/templates/login.html
@ -20,14 +20,13 @@
 			<p th:if="${param.logout}" class="alert">You have been logged out</p>
 			<p th:if="${param.error}" class="alert alert-error">There was an error, please try again</p>
 			<h2>Login with Username and Password</h2>
-			<form name="form" action="/login" method="POST">
+			<form name="form" th:action="@{/login}" action="/login" method="POST">
 				<fieldset>
 					<input type="text" name="username" value="" placeholder="Username" />
 					<input type="password" name="password" placeholder="Password" />
 				</fieldset>
 				<input type="submit" id="login" value="Login"
-					class="btn btn-primary" /> <input type="hidden"
-					th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
+					class="btn btn-primary" />
 			</form>
 		</div>
 	</div>
--- a/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html
+++ b/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html
@ -20,14 +20,13 @@
 			<p th:if="${param.logout}" class="alert">You have been logged out</p>
 			<p th:if="${param.error}" class="alert alert-error">There was an error, please try again</p>
 			<h2>Login with Username and Password</h2>
-			<form name="form" action="/login" method="POST">
+			<form name="form" th:action="@{/login}" action="/login" method="POST">
 				<fieldset>
 					<input type="text" name="username" value="" placeholder="Username" />
 					<input type="password" name="password" placeholder="Password" />
 				</fieldset>
 				<input type="submit" id="login" value="Login"
-					class="btn btn-primary" /> <input type="hidden"
-					th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
+					class="btn btn-primary" />
 			</form>
 		</div>
 	</div>
--- a/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java
@ -69,6 +69,18 @@ public class SampleSecureApplicationTests {
 				entity.getHeaders().getLocation().toString().endsWith(port + "/login"));
 	}

+	@Test
+	public void testLoginPage() throws Exception {
+		HttpHeaders headers = new HttpHeaders();
+		headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));
+		ResponseEntity<String> entity = new TestRestTemplate().exchange(
+				"http://localhost:" + this.port + "/login", HttpMethod.GET, new HttpEntity<Void>(
+						headers), String.class);
+		assertEquals(HttpStatus.OK, entity.getStatusCode());
+		assertTrue("Wrong content:\n" + entity.getBody(),
+				entity.getBody().contains("_csrf"));
+	}
+
 	@Test
 	public void testLogin() throws Exception {
 		HttpHeaders headers = getHeaders();