Working

src/test/java/org/primeframework/mvc/CSRFTest.java

@@ -81,33 +81,6 @@ public void post_CSRFRefererFailure() {
              .assertStatusCode(403); // Unauthorized
   }
 
-  @Test
-  public void post_CSRFTokenCompatibility() throws Exception {
-    // Use case: a CSRF token encrypted with CBC can be decrypted using the updated method
-    MockUserLoginSecurityContext.roles.add("admin");
-    securityContext.login(new User());
-    configuration.csrfEnabled = true;
-
-    // Craft a CSRF token, serialize to JSON, encrypt with CBC, base64url-encode
-    CSRFToken token = new CSRFToken(securityContext.getSessionId(), System.currentTimeMillis());
-    byte[] serialized = objectMapper.writeValueAsBytes(token);
-    // Instantiate DefaultEncryptor with two copies of CBCCipherProvider to encrypt with CBC
-    Encryptor cbcEncryptor = new DefaultEncryptor(new CBCCipherProvider(configuration), new CBCCipherProvider(configuration));
-    byte[] encrypted = cbcEncryptor.encrypt(serialized);
-    String encoded = Base64.getUrlEncoder().encodeToString(encrypted);
-
-    simulator.test("/secure")
-             .withSingleHeader("Referer", "http://localhost:" + simulator.getPort() + "/secure")
-             .withCSRFToken(encoded)
-             .post()
-             .assertStatusCode(200)
-             .assertBody("Secure!");
-
-    // A POST request will contain the CSRF token
-    // - This is just testing the RequestBuilder that will try and automatically add the CSRF token
-    assertTrue(SecureAction.UnknownParameters.containsKey(csrfProvider.getParameterName()));
-  }
-
   @Test
   public void post_CSRFTokenFailure() {
     MockUserLoginSecurityContext.roles.add("admin");
@@ -147,6 +120,33 @@ public void post_CSRFTokenSuccess() {
              .assertBody("Secure!");
   }
 
+  @Test
+  public void post_CSRFTokenCompatibility() throws Exception {
+    // Use case: a CSRF token encrypted with CBC can be decrypted using the updated method
+    MockUserLoginSecurityContext.roles.add("admin");
+    securityContext.login(new User());
+    configuration.csrfEnabled = true;
+
+    // Craft a CSRF token, serialize to JSON, encrypt with CBC, base64url-encode
+    CSRFToken token = new CSRFToken(securityContext.getSessionId(), System.currentTimeMillis());
+    byte[] serialized = objectMapper.writeValueAsBytes(token);
+    // Instantiate DefaultEncryptor with two copies of CBCCipherProvider to encrypt with CBC
+    Encryptor cbcEncryptor = new DefaultEncryptor(new CBCCipherProvider(configuration), new CBCCipherProvider(configuration));
+    byte[] encrypted = cbcEncryptor.encrypt(serialized);
+    String encoded = Base64.getUrlEncoder().encodeToString(encrypted);
+
+    simulator.test("/secure")
+             .withSingleHeader("Referer", "http://localhost:" + simulator.getPort() + "/secure")
+             .withCSRFToken(encoded)
+             .post()
+             .assertStatusCode(200)
+             .assertBody("Secure!");
+
+    // A POST request will contain the CSRF token
+    // - This is just testing the RequestBuilder that will try and automatically add the CSRF token
+    assertTrue(SecureAction.UnknownParameters.containsKey(csrfProvider.getParameterName()));
+  }
+
   // Add for testing legacy-encrypted CSRF token which is defined as a private class in DefaultEncryptionBasedTokenCSRFProvider
   private record CSRFToken(String sid, long instant) {
   }