hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/http/TestRestCsrfPreventionFilter.java - hadoop - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package org.apache.hadoop.security.http;

 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.verify;

 import java.io.IOException;

 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 import org.junit.Test;
 import org.mockito.Mockito;

 /**
  * This class tests the behavior of the RestCsrfPreventionFilter.
  *
  */
 public class TestRestCsrfPreventionFilter {

   private static final String NON_BROWSER = "java";
   private static final String BROWSER_AGENT =
       "Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable)" +
       " AppleWebKit/420+ (KHTML, like Gecko)";
   private static final String EXPECTED_MESSAGE =
       "Missing Required Header for CSRF Vulnerability Protection";
   private static final String X_CUSTOM_HEADER = "X-CUSTOM_HEADER";

   @Test
   public void testNoHeaderDefaultConfigBadRequest()
       throws ServletException, IOException {
     // Setup the configuration settings of the server
     FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
       thenReturn(null);

     // CSRF has not been sent
     HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
       thenReturn(null);
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
       thenReturn(BROWSER_AGENT);

     // Objects to verify interactions based on request
     HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
     FilterChain mockChain = Mockito.mock(FilterChain.class);

     // Object under test
     RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
     filter.init(filterConfig);
     filter.doFilter(mockReq, mockRes, mockChain);

     verify(mockRes, atLeastOnce()).sendError(
         HttpServletResponse.SC_BAD_REQUEST, EXPECTED_MESSAGE);
     Mockito.verifyZeroInteractions(mockChain);
   }

   @Test
   public void testNoHeaderCustomAgentConfigBadRequest()
       throws ServletException, IOException {
     // Setup the configuration settings of the server
     FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
       thenReturn(null);
     Mockito.when(filterConfig.getInitParameter(
         RestCsrfPreventionFilter.BROWSER_USER_AGENT_PARAM)).
         thenReturn("^Mozilla.*,^Opera.*,curl");

     // CSRF has not been sent
     HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
       thenReturn(null);
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
       thenReturn("curl");

     // Objects to verify interactions based on request
     HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
     FilterChain mockChain = Mockito.mock(FilterChain.class);

     // Object under test
     RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
     filter.init(filterConfig);
     filter.doFilter(mockReq, mockRes, mockChain);

     verify(mockRes, atLeastOnce()).sendError(
         HttpServletResponse.SC_BAD_REQUEST, EXPECTED_MESSAGE);
     Mockito.verifyZeroInteractions(mockChain);
   }

   @Test
   public void testNoHeaderDefaultConfigNonBrowserGoodRequest()
       throws ServletException, IOException {
     // Setup the configuration settings of the server
     FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
       thenReturn(null);

     // CSRF has not been sent
     HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
       thenReturn(null);
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
       thenReturn(NON_BROWSER);

     // Objects to verify interactions based on request
     HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
     FilterChain mockChain = Mockito.mock(FilterChain.class);

     // Object under test
     RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
     filter.init(filterConfig);
     filter.doFilter(mockReq, mockRes, mockChain);

     Mockito.verify(mockChain).doFilter(mockReq, mockRes);
   }

   @Test
   public void testHeaderPresentDefaultConfigGoodRequest()
       throws ServletException, IOException {
     // Setup the configuration settings of the server
     FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
       thenReturn(null);

     // CSRF HAS been sent
     HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
       thenReturn("valueUnimportant");

     // Objects to verify interactions based on request
     HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
     FilterChain mockChain = Mockito.mock(FilterChain.class);

     // Object under test
     RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
     filter.init(filterConfig);
     filter.doFilter(mockReq, mockRes, mockChain);

     Mockito.verify(mockChain).doFilter(mockReq, mockRes);
   }

   @Test
   public void testHeaderPresentCustomHeaderConfigGoodRequest()
       throws ServletException, IOException {
     // Setup the configuration settings of the server
     FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).
       thenReturn(X_CUSTOM_HEADER);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
       thenReturn(null);

     // CSRF HAS been sent
     HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
     Mockito.when(mockReq.getHeader(X_CUSTOM_HEADER)).
       thenReturn("valueUnimportant");

     // Objects to verify interactions based on request
     HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
     FilterChain mockChain = Mockito.mock(FilterChain.class);

     // Object under test
     RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
     filter.init(filterConfig);
     filter.doFilter(mockReq, mockRes, mockChain);

     Mockito.verify(mockChain).doFilter(mockReq, mockRes);
   }

   @Test
   public void testMissingHeaderWithCustomHeaderConfigBadRequest()
       throws ServletException, IOException {
     // Setup the configuration settings of the server
     FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).
       thenReturn(X_CUSTOM_HEADER);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
       thenReturn(null);
     HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
       thenReturn(BROWSER_AGENT);

     // CSRF has not been sent
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
       thenReturn(null);

     // Objects to verify interactions based on request
     HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
     FilterChain mockChain = Mockito.mock(FilterChain.class);

     // Object under test
     RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
     filter.init(filterConfig);
     filter.doFilter(mockReq, mockRes, mockChain);

     Mockito.verifyZeroInteractions(mockChain);
   }

   @Test
   public void testMissingHeaderNoMethodsToIgnoreConfigBadRequest()
       throws ServletException, IOException {
     // Setup the configuration settings of the server
     FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
       thenReturn("");
     HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
       thenReturn(BROWSER_AGENT);

     // CSRF has not been sent
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
       thenReturn(null);
     Mockito.when(mockReq.getMethod()).
       thenReturn("GET");

     // Objects to verify interactions based on request
     HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
     FilterChain mockChain = Mockito.mock(FilterChain.class);

     // Object under test
     RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
     filter.init(filterConfig);
     filter.doFilter(mockReq, mockRes, mockChain);

     Mockito.verifyZeroInteractions(mockChain);
   }

   @Test
   public void testMissingHeaderIgnoreGETMethodConfigGoodRequest()
       throws ServletException, IOException {
     // Setup the configuration settings of the server
     FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
       thenReturn("GET");
     HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
       thenReturn(BROWSER_AGENT);

     // CSRF has not been sent
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
       thenReturn(null);
     Mockito.when(mockReq.getMethod()).
       thenReturn("GET");

     // Objects to verify interactions based on request
     HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
     FilterChain mockChain = Mockito.mock(FilterChain.class);

     // Object under test
     RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
     filter.init(filterConfig);
     filter.doFilter(mockReq, mockRes, mockChain);

     Mockito.verify(mockChain).doFilter(mockReq, mockRes);
   }

   @Test
   public void testMissingHeaderMultipleIgnoreMethodsConfigGoodRequest()
       throws ServletException, IOException {
     // Setup the configuration settings of the server
     FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
       thenReturn("GET,OPTIONS");
     HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
       thenReturn(BROWSER_AGENT);

     // CSRF has not been sent
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
       thenReturn(null);
     Mockito.when(mockReq.getMethod()).
       thenReturn("OPTIONS");

     // Objects to verify interactions based on request
     HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
     FilterChain mockChain = Mockito.mock(FilterChain.class);

     // Object under test
     RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
     filter.init(filterConfig);
     filter.doFilter(mockReq, mockRes, mockChain);

     Mockito.verify(mockChain).doFilter(mockReq, mockRes);
   }

   @Test
   public void testMissingHeaderMultipleIgnoreMethodsConfigBadRequest()
       throws ServletException, IOException {
     // Setup the configuration settings of the server
     FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
     Mockito.when(filterConfig.getInitParameter(
       RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
       thenReturn("GET,OPTIONS");
     HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
       thenReturn(BROWSER_AGENT);

     // CSRF has not been sent
     Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
       thenReturn(null);
     Mockito.when(mockReq.getMethod()).
       thenReturn("PUT");

     // Objects to verify interactions based on request
     HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
     FilterChain mockChain = Mockito.mock(FilterChain.class);

     // Object under test
     RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
     filter.init(filterConfig);
     filter.doFilter(mockReq, mockRes, mockChain);

     Mockito.verifyZeroInteractions(mockChain);
   }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.hadoop.security.http;

	import static org.mockito.Mockito.atLeastOnce;
	import static org.mockito.Mockito.verify;

	import java.io.IOException;

	import javax.servlet.FilterChain;
	import javax.servlet.FilterConfig;
	import javax.servlet.ServletException;
	import javax.servlet.http.HttpServletRequest;
	import javax.servlet.http.HttpServletResponse;

	import org.junit.Test;
	import org.mockito.Mockito;

	/**
	* This class tests the behavior of the RestCsrfPreventionFilter.
	*
	*/
	public class TestRestCsrfPreventionFilter {

	private static final String NON_BROWSER = "java";
	private static final String BROWSER_AGENT =
	"Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable)" +
	" AppleWebKit/420+ (KHTML, like Gecko)";
	private static final String EXPECTED_MESSAGE =
	"Missing Required Header for CSRF Vulnerability Protection";
	private static final String X_CUSTOM_HEADER = "X-CUSTOM_HEADER";

	@Test
	public void testNoHeaderDefaultConfigBadRequest()
	throws ServletException, IOException {
	// Setup the configuration settings of the server
	FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
	thenReturn(null);

	// CSRF has not been sent
	HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
	thenReturn(null);
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
	thenReturn(BROWSER_AGENT);

	// Objects to verify interactions based on request
	HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
	FilterChain mockChain = Mockito.mock(FilterChain.class);

	// Object under test
	RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
	filter.init(filterConfig);
	filter.doFilter(mockReq, mockRes, mockChain);

	verify(mockRes, atLeastOnce()).sendError(
	HttpServletResponse.SC_BAD_REQUEST, EXPECTED_MESSAGE);
	Mockito.verifyZeroInteractions(mockChain);
	}

	@Test
	public void testNoHeaderCustomAgentConfigBadRequest()
	throws ServletException, IOException {
	// Setup the configuration settings of the server
	FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
	thenReturn(null);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.BROWSER_USER_AGENT_PARAM)).
	thenReturn("^Mozilla.,^Opera.,curl");

	// CSRF has not been sent
	HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
	thenReturn(null);
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
	thenReturn("curl");

	// Objects to verify interactions based on request
	HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
	FilterChain mockChain = Mockito.mock(FilterChain.class);

	// Object under test
	RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
	filter.init(filterConfig);
	filter.doFilter(mockReq, mockRes, mockChain);

	verify(mockRes, atLeastOnce()).sendError(
	HttpServletResponse.SC_BAD_REQUEST, EXPECTED_MESSAGE);
	Mockito.verifyZeroInteractions(mockChain);
	}

	@Test
	public void testNoHeaderDefaultConfigNonBrowserGoodRequest()
	throws ServletException, IOException {
	// Setup the configuration settings of the server
	FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
	thenReturn(null);

	// CSRF has not been sent
	HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
	thenReturn(null);
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
	thenReturn(NON_BROWSER);

	// Objects to verify interactions based on request
	HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
	FilterChain mockChain = Mockito.mock(FilterChain.class);

	// Object under test
	RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
	filter.init(filterConfig);
	filter.doFilter(mockReq, mockRes, mockChain);

	Mockito.verify(mockChain).doFilter(mockReq, mockRes);
	}

	@Test
	public void testHeaderPresentDefaultConfigGoodRequest()
	throws ServletException, IOException {
	// Setup the configuration settings of the server
	FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
	thenReturn(null);

	// CSRF HAS been sent
	HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
	thenReturn("valueUnimportant");

	// Objects to verify interactions based on request
	HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
	FilterChain mockChain = Mockito.mock(FilterChain.class);

	// Object under test
	RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
	filter.init(filterConfig);
	filter.doFilter(mockReq, mockRes, mockChain);

	Mockito.verify(mockChain).doFilter(mockReq, mockRes);
	}

	@Test
	public void testHeaderPresentCustomHeaderConfigGoodRequest()
	throws ServletException, IOException {
	// Setup the configuration settings of the server
	FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).
	thenReturn(X_CUSTOM_HEADER);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
	thenReturn(null);

	// CSRF HAS been sent
	HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
	Mockito.when(mockReq.getHeader(X_CUSTOM_HEADER)).
	thenReturn("valueUnimportant");

	// Objects to verify interactions based on request
	HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
	FilterChain mockChain = Mockito.mock(FilterChain.class);

	// Object under test
	RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
	filter.init(filterConfig);
	filter.doFilter(mockReq, mockRes, mockChain);

	Mockito.verify(mockChain).doFilter(mockReq, mockRes);
	}

	@Test
	public void testMissingHeaderWithCustomHeaderConfigBadRequest()
	throws ServletException, IOException {
	// Setup the configuration settings of the server
	FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).
	thenReturn(X_CUSTOM_HEADER);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
	thenReturn(null);
	HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
	thenReturn(BROWSER_AGENT);

	// CSRF has not been sent
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
	thenReturn(null);

	// Objects to verify interactions based on request
	HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
	FilterChain mockChain = Mockito.mock(FilterChain.class);

	// Object under test
	RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
	filter.init(filterConfig);
	filter.doFilter(mockReq, mockRes, mockChain);

	Mockito.verifyZeroInteractions(mockChain);
	}

	@Test
	public void testMissingHeaderNoMethodsToIgnoreConfigBadRequest()
	throws ServletException, IOException {
	// Setup the configuration settings of the server
	FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
	thenReturn("");
	HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
	thenReturn(BROWSER_AGENT);

	// CSRF has not been sent
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
	thenReturn(null);
	Mockito.when(mockReq.getMethod()).
	thenReturn("GET");

	// Objects to verify interactions based on request
	HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
	FilterChain mockChain = Mockito.mock(FilterChain.class);

	// Object under test
	RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
	filter.init(filterConfig);
	filter.doFilter(mockReq, mockRes, mockChain);

	Mockito.verifyZeroInteractions(mockChain);
	}

	@Test
	public void testMissingHeaderIgnoreGETMethodConfigGoodRequest()
	throws ServletException, IOException {
	// Setup the configuration settings of the server
	FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
	thenReturn("GET");
	HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
	thenReturn(BROWSER_AGENT);

	// CSRF has not been sent
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
	thenReturn(null);
	Mockito.when(mockReq.getMethod()).
	thenReturn("GET");

	// Objects to verify interactions based on request
	HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
	FilterChain mockChain = Mockito.mock(FilterChain.class);

	// Object under test
	RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
	filter.init(filterConfig);
	filter.doFilter(mockReq, mockRes, mockChain);

	Mockito.verify(mockChain).doFilter(mockReq, mockRes);
	}

	@Test
	public void testMissingHeaderMultipleIgnoreMethodsConfigGoodRequest()
	throws ServletException, IOException {
	// Setup the configuration settings of the server
	FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
	thenReturn("GET,OPTIONS");
	HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
	thenReturn(BROWSER_AGENT);

	// CSRF has not been sent
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
	thenReturn(null);
	Mockito.when(mockReq.getMethod()).
	thenReturn("OPTIONS");

	// Objects to verify interactions based on request
	HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
	FilterChain mockChain = Mockito.mock(FilterChain.class);

	// Object under test
	RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
	filter.init(filterConfig);
	filter.doFilter(mockReq, mockRes, mockChain);

	Mockito.verify(mockChain).doFilter(mockReq, mockRes);
	}

	@Test
	public void testMissingHeaderMultipleIgnoreMethodsConfigBadRequest()
	throws ServletException, IOException {
	// Setup the configuration settings of the server
	FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_HEADER_PARAM)).thenReturn(null);
	Mockito.when(filterConfig.getInitParameter(
	RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM)).
	thenReturn("GET,OPTIONS");
	HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_USER_AGENT)).
	thenReturn(BROWSER_AGENT);

	// CSRF has not been sent
	Mockito.when(mockReq.getHeader(RestCsrfPreventionFilter.HEADER_DEFAULT)).
	thenReturn(null);
	Mockito.when(mockReq.getMethod()).
	thenReturn("PUT");

	// Objects to verify interactions based on request
	HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
	FilterChain mockChain = Mockito.mock(FilterChain.class);

	// Object under test
	RestCsrfPreventionFilter filter = new RestCsrfPreventionFilter();
	filter.init(filterConfig);
	filter.doFilter(mockReq, mockRes, mockChain);

	Mockito.verifyZeroInteractions(mockChain);
	}
	}