CSRF and test annotations

[ch4mpy]

I tried using @WithJwt with enabled CSRF, and it surprisingly doesn't work (403 forbidden). Am I doing something wrong or is it expected behaviour?

[ch4mpy]

It is expected behavior: test annotations are intended to populate the test security context with an Authentication instance at your hand. It do nothing about CSRF.

For CSRF, in addition to authentication annotation, use one of:

• mockMvc.perform(post("/").with(SecurityMockMvcRequestPostProcessors.csrf()))
• webTestClient.mutateWith(SecurityMockServerConfigurers.csrf())

As a reminder:

• resource servers are generally stateless (without sessions), which make it insensible to CSRF (CSRF protection can be disabled when sessions are disabled) => you should have to care about CSRF only when using @WithOAuth2Login or @WithOidcLogin on an OAuth2 client with oauth2Login, not when using @WithJwt or @WithOpaqueToken which are intended to mock resource server authentications
• CSRF security is checked only on requests changing the resources state (POST, PUT, PATCH and DELETE requests), not GET requests