This is an automated email from the ASF dual-hosted git repository.
adelbene pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git
The following commit(s) were added to refs/heads/master by this push:
new 53ef2ff Added documentation on setting request headers for unit tests.
53ef2ff is described below
commit 53ef2ff71ec2cd67f258ebadab9719affabeebaf
Author: Andrea Del Bene <adelb...@apache.org>
AuthorDate: Fri Nov 6 22:45:41 2020 +0100
Added documentation on setting request headers for unit tests.
---
.../src/main/asciidoc/security/security_5.adoc | 2 ++
.../src/main/asciidoc/testing/testing_1.adoc | 32 ++++++++++++++++++++++
2 files changed, 34 insertions(+)
diff --git a/wicket-user-guide/src/main/asciidoc/security/security_5.adoc
b/wicket-user-guide/src/main/asciidoc/security/security_5.adoc
index 9518d5e..5f96e30 100644
--- a/wicket-user-guide/src/main/asciidoc/security/security_5.adoc
+++ b/wicket-user-guide/src/main/asciidoc/security/security_5.adoc
@@ -59,6 +59,8 @@ For example:
_ResourceIsolationRequestCycleListener_ is not an alternative to
_CryptoMapper_! Both of them could be used separately or in tandem to prevent
CSRF attacks depending on the application requirements.
+NOTE: In the next chapter we will cover unit testing with Wicket. If your
application is protected with _ResourceIsolationRequestCycleListener_ you have
to properly set request header _"sec-fetch-site"_ to make you unit tests pass.
In <<testing.adoc#_setting_request_headers,paragraph 23.1.10>> you will learn
how to do it.
+
Wicket also provides the deprecated (since version 9.1.0)
_CsrfPreventionRequestCycleListener_ - a _IRequestCycleListener_ that forbids
requests made from a different origin. Similar to the
__ResourceIsolationRequestCycleListener__ by default only actions are
forbidden, i.e. a request coming from different origin cannot execute
_Link.onClick()_ or submit forms (_Form.onSubmit()_). Any request to render
pages are still allowed so Wicket pages could be easily embedded in other
applications.
MyApplication.java
diff --git a/wicket-user-guide/src/main/asciidoc/testing/testing_1.adoc
b/wicket-user-guide/src/main/asciidoc/testing/testing_1.adoc
index 27dadfa..6f8339e 100644
--- a/wicket-user-guide/src/main/asciidoc/testing/testing_1.adoc
+++ b/wicket-user-guide/src/main/asciidoc/testing/testing_1.adoc
@@ -285,3 +285,35 @@ public void tearDown(){
}
----
+=== Setting request headers
+
+In some cases you might need to set one or more specific request headers to
make your test pass. This holds true when your application is protected against
CSRF attacks as explained in <<security.adoc#_csrf_protection,paragraph 22.5>>.
In this particular case in order to make your tests green you must set header
request _"sec-fetch-site"_ to _same-site_ before clicking on a page link or
before invoking a callback URL:
+
+[source,java]
+----
+import static
org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.SAME_SITE;
+import static
org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.SEC_FETCH_SITE_HEADER;
+
+public class TestHomePage
+{
+ private WicketTester tester;
+
+ @BeforeEach
+ public void setUp()
+ {
+ tester = new WicketTester(new WicketApplication());
+ }
+
+ @Test
+ public void homepageRendersSuccessfully()
+ {
+ //start and render the test page
+ tester.startPage(HomePage.class);
+
+ tester.addRequestHeader(SEC_FETCH_SITE_HEADER, SAME_SITE);
+ tester.clickLink("click");
+ }
+}
+----
+
+NOTE: keep in mind that request headers are immediately discarded after the
use and thus are not re-used for following requests.
\ No newline at end of file
