Reputation: 3819
@WithMockUser doesn't pick Spring Security auth credentials
I have setup basic authentication in my controller with Spring Security in the classic way as follows:
@EnableWebSecurity
@EnableGlobalMethodSecurity
public class MySecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user").password("user").roles("USER")
.and()
.withUser("admin").password("admin").roles("USER", "ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(....);
}
}
When it comes to the point of testing, I am using @WithMockUser to annotate my tests. A test might look like this for GET:
@RunWith(SpringRunner.class)
@WebMvcTest(controllers = SomeController.class)
public class SomeControllerTest {
@Autowired
private MockMvc mockMvc;
@Test
public void test1() {
mockMvc.perform(get(...)).andExpect(...);
}
or like this for POST:
@RunWith(SpringRunner.class)
@WebMvcTest(controllers = SomeController.class)
public class SomeControllerTest {
@Autowired
private MockMvc mockMvc;
@Test
public void test1() {
mockMvc.perform(post(...)).andExpect(...);
}
then something unexpected happens:
- when a test method is not annotated with @WithMockUser, it fails because of 401 status (Unauthorized) which is reasonable, because no basic authentication has been fullfilled
- when a test method is simply annotated with an empty @WithMockUser without specifying ANY credentials, it starts passing, which is not reasonable, because I did not provide the correct data for authentication (rather I left them empty)
- at this point a test method is passing also when filling in some correct credentials like in @WithMockUser(username = "user", password = "user", roles = "USER")
QUESTION: what's going on? How to fix this misbehaviour?
Looks like Spring Security is activated, however my testing is not using the authentication that I would expect to be used. Do I have to mock the authentication data myself?
EDIT The full configure method is the following
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(URL1).hasAnyRole(ROLE_ADMIN)
.antMatchers(URL2).hasAnyRole(ROLE_USER)
.antMatchers(URL3).permitAll()
.and()
.httpBasic()
.and()
.csrf().disable();
}
Upvotes: 10
Views: 32119
Answers (4)
Reputation: 5297
I faced the same issue. I could resolve it by with the @WithMockUser annotation with authorities specified.
@Test
@DisplayName("Should create and return the student")
@WithMockUser(username = "admin", authorities = { "ADMIN", "USER" })
public void should_create_student() throws Exception {
mockMvc.perform(post(...)).andExpect(...);
}
Upvotes: 1
Reputation: 37
For information, this code has allowed me to successfully run a credentialed test, with credentials extracted from the application.properties file, without using an @WithMockUser annotation.
@Autowired
MockMvc mvc;
@Autowired
private WebApplicationContext context;
@MockBean
BookRepository bookRepository;
@Test
public void testFindAll() throws Exception {
mvc = MockMvcBuilders.webAppContextSetup(context).build();
this.mvc.perform(get("/books").accept(MediaType.APPLICATION_JSON))
.andExpect(status().isOk());
}
Upvotes: 0
Reputation: 195
There are two reasons behind this behavior:
@WithMockUserannotation is not intended to execute authentication. It creates a user which is authenticated already. By default his credentials areuser:password@WebMvcTestdoes not execute MySecurityConfig.java. This annotation creates Spring mockMvc object with Security defaults for testing. Those security defaults are applied byorg.springframework.boot.test.autoconfigure.web.servlet.MockMvcSecurityAutoConfigurationYou can double check this by putting break points onMySecurityConfigmethods and rerunning your test in debug mode. Break points are not hit.
Solving issue 1
Simply change your approach to what @WithMockUser annotation does. It gives already logged-in user. It is still possible to test urls security and roles configuration with specifying concrete username, password and roles.
Solving issue 2
Create a base class for all Integration tests. It will configure mockMvc with Spring Security applied. Also note @SpringBootTest annotation. Now test will use MySecurityConfig.java
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.webAppContextSetup;
import org.junit.Before;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.context.WebApplicationContext;
@RunWith(SpringRunner.class)
@SpringBootTest
public abstract class IT {
@Autowired
protected WebApplicationContext wac;
@Autowired
private FilterChainProxy springSecurityFilterChain;
protected MockMvc mockMvc;
@Before
public void applySecurity() {
this.mockMvc = webAppContextSetup(wac)
.apply(springSecurity(springSecurityFilterChain))
.build();
}
}
Rewrite the test like this. Assuming you use http basic authentication. Credentials are provided inside the test. Note: no mock user annotation.
package com.example.demo;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import org.junit.Test;
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
public class SomeControllerIT extends IT {
@Test
public void test1() throws Exception {
mockMvc.perform(get("/some")
.with(httpBasic("user", "user")))
.andExpect(MockMvcResultMatchers.content().string("hello"));
}
}
Upvotes: 12
Reputation: 169
Here is how you can run your mockMVC tests with your configuration of spring security: for the USER role...
@RunWith(SpringRunner.class)
@WebMvcTest(controllers = SomeController.class)
public class SomeControllerTest {
@Autowired
private WebApplicationContext context;
@Autowired
private MockMvc mockMvc;
@Before
public void setup() {
mockMvc = MockMvcBuilders
.webAppContextSetup(context)
.defaultRequest(get("/")
.with(user("user").password("password").roles("USER")))
.apply(springSecurity())
.build();
}
@Test
public void test1() {
mockMvc.perform(get(...)).andExpect(...);
}
}
after making this change your GET tests should now work.
since spring security provides cross site request forgery protection for http requests such as POST and DELETE, you need to run these particular tests with crsf()
@Test
public void shouldPost() {
mockMvc.perform(post(...)).with(csrf().asHeader())
.andExpect(...);
}
Upvotes: 6
Related Questions
- Parametrize @WithMockUser Spring boot
- @WithMockUser ignores username, password fields?
- How can I use @WithMockUser and pass my username and password from my properties file?
- Spring Security Test @WithMockUser not working
- Cannot get rid of "An Authentication object was not found in the SecurityContext" in a Spring Boot application without @WithMockUser
- Spring Security @WithMockUser doesn't seem to work with state changing verbs (post, put..)
- @WithUserDetails and @WithMockUser when using springSecurity() in MockMVC with production authentication logic
- Spring Boot 2, Spring Security 5 and @WithMockUser
- WIthMockUser doesn't work
- @WithMockUser doesn't work in Integration Test - Spring boot