Optimized login form - delegated CSRF token creation to thymeleaf

jgayoso · Dave Syer · commit b7d94d1364eb · 2014-06-09T10:56:01.000+01:00
Also added additional test to verify behaviour. Fixes spring-projectsgh-1039
diff --git a/spring-boot-samples/spring-boot-sample-web-method-security/src/main/resources/templates/login.html b/spring-boot-samples/spring-boot-sample-web-method-security/src/main/resources/templates/login.html
@@ -20,14 +20,13 @@
 			<p th:if="${param.logout}" class="alert">You have been logged out</p>
 			<p th:if="${param.error}" class="alert alert-error">There was an error, please try again</p>
 			<h2>Login with Username and Password</h2>
-			<form name="form" action="/login" method="POST">
+			<form name="form" th:action="@{/login}" action="/login" method="POST">
 				<fieldset>
 					<input type="text" name="username" value="" placeholder="Username" />
 					<input type="password" name="password" placeholder="Password" />
 				</fieldset>
 				<input type="submit" id="login" value="Login"
-					class="btn btn-primary" /> <input type="hidden"
-					th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
+					class="btn btn-primary" />
 			</form>
 		</div>
 	</div>
diff --git a/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html b/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/templates/login.html
@@ -20,14 +20,13 @@
 			<p th:if="${param.logout}" class="alert">You have been logged out</p>
 			<p th:if="${param.error}" class="alert alert-error">There was an error, please try again</p>
 			<h2>Login with Username and Password</h2>
-			<form name="form" action="/login" method="POST">
+			<form name="form" th:action="@{/login}" action="/login" method="POST">
 				<fieldset>
 					<input type="text" name="username" value="" placeholder="Username" />
 					<input type="password" name="password" placeholder="Password" />
 				</fieldset>
 				<input type="submit" id="login" value="Login"
-					class="btn btn-primary" /> <input type="hidden"
-					th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
+					class="btn btn-primary" />
 			</form>
 		</div>
 	</div>
diff --git a/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java b/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java
@@ -69,6 +69,18 @@ public void testHome() throws Exception {
 				entity.getHeaders().getLocation().toString().endsWith(port + "/login"));
 	}
 
+	@Test
+	public void testLoginPage() throws Exception {
+		HttpHeaders headers = new HttpHeaders();
+		headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));
+		ResponseEntity<String> entity = new TestRestTemplate().exchange(
+				"http://localhost:" + this.port + "/login", HttpMethod.GET, new HttpEntity<Void>(
+						headers), String.class);
+		assertEquals(HttpStatus.OK, entity.getStatusCode());
+		assertTrue("Wrong content:\n" + entity.getBody(),
+				entity.getBody().contains("_csrf"));
+	}
+
 	@Test
 	public void testLogin() throws Exception {
 		HttpHeaders headers = getHeaders();
