This is an automated email from the ASF dual-hosted git repository.

adelbene pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git


The following commit(s) were added to refs/heads/master by this push:
     new 53ef2ff  Added documentation on setting request headers for unit tests.
53ef2ff is described below

commit 53ef2ff71ec2cd67f258ebadab9719affabeebaf
Author: Andrea Del Bene <adelb...@apache.org>
AuthorDate: Fri Nov 6 22:45:41 2020 +0100

    Added documentation on setting request headers for unit tests.
---
 .../src/main/asciidoc/security/security_5.adoc     |  2 ++
 .../src/main/asciidoc/testing/testing_1.adoc       | 32 ++++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/wicket-user-guide/src/main/asciidoc/security/security_5.adoc 
b/wicket-user-guide/src/main/asciidoc/security/security_5.adoc
index 9518d5e..5f96e30 100644
--- a/wicket-user-guide/src/main/asciidoc/security/security_5.adoc
+++ b/wicket-user-guide/src/main/asciidoc/security/security_5.adoc
@@ -59,6 +59,8 @@ For example:
 
 _ResourceIsolationRequestCycleListener_ is not an alternative to 
_CryptoMapper_! Both of them could be used separately or in tandem to prevent 
CSRF attacks depending on the application requirements.
 
+NOTE: In the next chapter we will cover unit testing with Wicket. If your 
application is protected with _ResourceIsolationRequestCycleListener_ you have 
to properly set request header _"sec-fetch-site"_ to make you unit tests pass. 
In <<testing.adoc#_setting_request_headers,paragraph 23.1.10>> you will learn 
how to do it.
+
 Wicket also provides the deprecated (since version 9.1.0) 
_CsrfPreventionRequestCycleListener_ - a _IRequestCycleListener_ that forbids 
requests made from a different origin. Similar to the 
__ResourceIsolationRequestCycleListener__ by default only actions are 
forbidden, i.e. a request coming from different origin cannot execute 
_Link.onClick()_ or submit forms (_Form.onSubmit()_). Any request to render 
pages are still allowed so Wicket pages could be easily embedded in other 
applications.
 
 MyApplication.java
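Review bot: the added NOTE has a typo, "to make you unit tests pass" should read "to make your unit tests pass", and "set request header _"sec-fetch-site"_" reads better as "set the request header _"sec-fetch-site"_ to _same-site_", so the reader sees the required value here and not only in the testing chapter. The hard-coded label "paragraph 23.1.10" in `<<testing.adoc#_setting_request_headers,paragraph 23.1.10>>` will go stale as soon as the testing chapter is renumbered; consider dropping the explicit label and letting the anchor render its section title.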
diff --git a/wicket-user-guide/src/main/asciidoc/testing/testing_1.adoc 
b/wicket-user-guide/src/main/asciidoc/testing/testing_1.adoc
index 27dadfa..6f8339e 100644
--- a/wicket-user-guide/src/main/asciidoc/testing/testing_1.adoc
+++ b/wicket-user-guide/src/main/asciidoc/testing/testing_1.adoc
@@ -285,3 +285,35 @@ public void tearDown(){
 }
 ----
 
+=== Setting request headers
+
+In some cases you might need to set one or more specific request headers to 
make your test pass. This holds true when your application is protected against 
CSRF attacks as explained in <<security.adoc#_csrf_protection,paragraph 22.5>>. 
In this particular case in order to make your tests green you must set header 
request _"sec-fetch-site"_ to _same-site_ before clicking on a page link or 
before invoking a callback URL:
+
+[source,java]
+----
+import static 
org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.SAME_SITE;
+import static 
org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.SEC_FETCH_SITE_HEADER;
+
+public class TestHomePage
+{
+       private WicketTester tester;
+
+       @BeforeEach
+       public void setUp()
+       {
+               tester = new WicketTester(new WicketApplication());
+       }
+
+       @Test
+       public void homepageRendersSuccessfully()
+       {
+               //start and render the test page
+               tester.startPage(HomePage.class);
+
+               tester.addRequestHeader(SEC_FETCH_SITE_HEADER, SAME_SITE);
+               tester.clickLink("click");
+       }
+}      
+----
+
+NOTE: keep in mind that request headers are immediately discarded after the 
use and thus are not re-used for following requests. 
\ No newline at end of file
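Review bot: "you must set header request _"sec-fetch-site"_ to _same-site_" should be "you must set the request header _"sec-fetch-site"_ to _same-site_", and the closing NOTE reads better as "request headers are discarded immediately after use and thus are not re-used for following requests." The prose promises the header is needed "before clicking on a page link or before invoking a callback URL", but the example only shows the `clickLink` case; given the NOTE that headers are discarded after one request, a sentence (or second snippet) making clear that `addRequestHeader` must be called again right before the callback URL is executed would close that gap. A short comment above `tester.addRequestHeader(SEC_FETCH_SITE_HEADER, SAME_SITE);` explaining why the header goes after `startPage` and before `clickLink` would also help readers who copy the snippet. Minor: `+}      ` carries trailing whitespace, and the file now ends without a newline (`\ No newline at end of file`).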