This is an automated email from the ASF dual-hosted git repository. adelbene pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/wicket.git
The following commit(s) were added to refs/heads/master by this push: new 53ef2ff Added documentation on setting request headers for unit tests. 53ef2ff is described below commit 53ef2ff71ec2cd67f258ebadab9719affabeebaf Author: Andrea Del Bene <adelb...@apache.org> AuthorDate: Fri Nov 6 22:45:41 2020 +0100 Added documentation on setting request headers for unit tests. --- .../src/main/asciidoc/security/security_5.adoc | 2 ++ .../src/main/asciidoc/testing/testing_1.adoc | 32 ++++++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/wicket-user-guide/src/main/asciidoc/security/security_5.adoc b/wicket-user-guide/src/main/asciidoc/security/security_5.adoc index 9518d5e..5f96e30 100644 --- a/wicket-user-guide/src/main/asciidoc/security/security_5.adoc +++ b/wicket-user-guide/src/main/asciidoc/security/security_5.adoc @@ -59,6 +59,8 @@ For example: _ResourceIsolationRequestCycleListener_ is not an alternative to _CryptoMapper_! Both of them could be used separately or in tandem to prevent CSRF attacks depending on the application requirements. +NOTE: In the next chapter we will cover unit testing with Wicket. If your application is protected with _ResourceIsolationRequestCycleListener_ you have to properly set request header _"sec-fetch-site"_ to make you unit tests pass. In <<testing.adoc#_setting_request_headers,paragraph 23.1.10>> you will learn how to do it. + Wicket also provides the deprecated (since version 9.1.0) _CsrfPreventionRequestCycleListener_ - a _IRequestCycleListener_ that forbids requests made from a different origin. Similar to the __ResourceIsolationRequestCycleListener__ by default only actions are forbidden, i.e. a request coming from different origin cannot execute _Link.onClick()_ or submit forms (_Form.onSubmit()_). Any request to render pages are still allowed so Wicket pages could be easily embedded in other applications. MyApplication.java 
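Review bot: typo in the added NOTE in security_5.adoc: "to make you unit tests pass" should read "to make your unit tests pass". The same sentence tells the reader to "properly set" the _sec-fetch-site_ header without saying which value satisfies _ResourceIsolationRequestCycleListener_; since the cross-referenced paragraph uses _same-site_, naming the accepted value here would save the detour, and it is worth noting that a browser following a link inside the same application actually sends _same-origin_, so either value is a faithful simulation. Minor: in prose the header is conventionally written Sec-Fetch-Site (HTTP header names are case-insensitive); the all-lower-case form matches the SEC_FETCH_SITE_HEADER constant but reads like a typo in running text.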
diff --git a/wicket-user-guide/src/main/asciidoc/testing/testing_1.adoc b/wicket-user-guide/src/main/asciidoc/testing/testing_1.adoc index 27dadfa..6f8339e 100644 --- a/wicket-user-guide/src/main/asciidoc/testing/testing_1.adoc +++ b/wicket-user-guide/src/main/asciidoc/testing/testing_1.adoc @@ -285,3 +285,35 @@ public void tearDown(){ } ---- +=== Setting request headers + +In some cases you might need to set one or more specific request headers to make your test pass. This holds true when your application is protected against CSRF attacks as explained in <<security.adoc#_csrf_protection,paragraph 22.5>>. In this particular case in order to make your tests green you must set header request _"sec-fetch-site"_ to _same-site_ before clicking on a page link or before invoking a callback URL: + +[source,java] +---- +import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.SAME_SITE; +import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.SEC_FETCH_SITE_HEADER; + +public class TestHomePage +{ + private WicketTester tester; + + @BeforeEach + public void setUp() + { + tester = new WicketTester(new WicketApplication()); + } + + @Test + public void homepageRendersSuccessfully() + { + //start and render the test page + tester.startPage(HomePage.class); + + tester.addRequestHeader(SEC_FETCH_SITE_HEADER, SAME_SITE); + tester.clickLink("click"); + } +} +---- + +NOTE: keep in mind that request headers are immediately discarded after the use and thus are not re-used for following requests. \ No newline at end of file
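Review bot: the new example in testing_1.adoc ends with `tester.clickLink("click");` and asserts nothing afterwards, so the reader cannot tell what "green" looks like and what would have failed without the header; add a check on the outcome after the click, e.g. `tester.assertRenderedPage(HomePage.class);` (or whichever page the link targets), and rename `homepageRendersSuccessfully`, which now exercises a link click rather than a render. Wording: "you must set header request _"sec-fetch-site"_" should be "you must set the request header _"sec-fetch-site"_", and in the closing NOTE "immediately discarded after the use" should be "discarded immediately after use"; that NOTE would also be clearer if it spelled out the consequence, namely that `addRequestHeader` has to be called again before every `clickLink`/`executeUrl` that the listener must accept. Minor: the preceding section's context shows a `tearDown()` while this example has no `@AfterEach` calling `tester.destroy()`, and the file is committed without a trailing newline ("\ No newline at end of file"); add one.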