DataTransferPublicAccessTest.ktDataTransferPublicSession (#101) — session management, brute-force protectionDataTransferPublicPageRest — returns page layout JSON for the anonymous React UIDataTransferPublicServicesRest (#100) — upload, download, delete, multiDownload endpointsLoginProtection — brute-force time offset enforcementexternal_download_enabled=true, externalAccessToken, externalPassword, calls DataTransferPublicSession.login() — verifies session contains area dataLoginProtection increments failed attempts, and after repeated failures the time offset kicks inlogin() returns LOGIN_TIME_OFFSET status — verified by calling login 3+ times faster than the offset windowisPersonalBox() areas always return LoginResultStatus.FAILED — the paranoia check in checkDataBaseEntry()MultipartFile (Spring's uploaded file wrapper), calls upload REST endpoint, verifies file ID appears in ownedFiles listInputStreamResource content matchesisOwnerOfFile() returns true, and delete succeedsisOwnerOfFile() returns falseZipInputStream contains all 3 entriesJSESSIONID changes (old session invalidated, new session created with transferred area data)Uses Mockito to mock HttpServletRequest and HttpSession — critical because DataTransferPublicSession stores data directly in HTTP session attributes. The mock session simulates getSession(false), getSession(true), getAttribute("transferAreas"), setAttribute(), and invalidate() — all exercised in the session fixation test.
Also mocks MultipartFile for upload tests and HttpServletResponse + ServletOutputStream → ByteArrayOutputStream for download content capture.
Integration test for the public (external) DataTransfer REST layer — the most comprehensive DataTransfer test at 227 lines. Tests the anonymous access flow: external link → login → upload/download/delete → logout, using mocked HTTP requests and JCR files.