How to disable securty on controller Unit Test?

Question

I try to disable the security on controller Unit test but I allways have error 403.

My Unit Test :

@RunWith(SpringRunner.class)
@WebMvcTest(value = MeasureController.class, secure = false)
@AutoConfigureMockMvc(secure = false)
public class MeasureControllerTest {

    @Autowired
    private MockMvc mvc;
    @Autowired
    private ObjectMapper objectMapper;
    @MockBean
    private ObjectService objectService;
    @Autowired
    private MeasureController measureController;

    /**
     * Test of sayHello method, of class MeasureController.
     *
     * @throws java.lang.Exception
     */
    @Test
    public void OnPostShouldReturnCreatedStatusIfEmptyMeasure() throws Exception {
        final String url = "/object/" + uuidKey + "/measures/";
        this.mvc.perform(post(url)
                .content("[]")
                .contentType(MediaType.APPLICATION_JSON)
                .accept(MediaType.APPLICATION_JSON))
                .andExpect(status().isCreated());

        verifyZeroInteractions(objectService);
    }
}

The security configuration :

@Configuration
@EnableResourceServer
public class SecurityResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().authorizeRequests()
                .antMatchers("/v2/api-docs", "/swagger-resources/**", "/swagger-ui.html", "/webjars/**").permitAll()
                .anyRequest().authenticated()
                ;
    }

    @Primary
    @Bean
    public RemoteTokenServices tokenServices() {
        final RemoteTokenServices tokenService = new RemoteTokenServices();
        tokenService.setCheckTokenEndpointUrl("https://..../oauth/check_token");
        tokenService.setClientId(".....");
        tokenService.setClientSecret(".....");
        return tokenService;
    }
}

The spring documentation say to put AutoConfigureMockMvc.secure to false or the WebMvcTest.secure to false. But the both not disable the security. I mis something?

I use Spring boot 2.0.4. and spring-security-oauth2 2.3.3.RELEASE

Answer 1

For others who come here looking for answers (and my future self), tested in Spring Boot 2.2:

@WebMvcTest(controllers = YourController.class,
        excludeFilters = { @ComponentScan.Filter(type = FilterType.ASSIGNABLE_TYPE, value = WebSecurityConfigurer.class) },
        excludeAutoConfiguration = { SecurityAutoConfiguration.class})

• excludeFilters will stop @WebMvcTest picking up any classes implementing security which it does by default: https://docs.spring.io/spring-boot/docs/2.2.1.RELEASE/reference/htmlsingle/#boot-features-testing-spring-boot-applications-testing-autoconfigured-mvc-tests This is needed if you're adding your own class for security (most likely by extending WebSecurityConfigurerAdapter), to stop Spring from picking up and creating these beans.
• the excludeAutoConfiguration will make sure that default spring boot's logic will ALSO not kick in

Answer 2

The "WebMvcTest.secure" was deprecated. You have to put to your controller test :

@RunWith(SpringRunner.class)
@WebMvcTest(value = PatientDeviceController.class, excludeAutoConfiguration = SecurityAutoConfiguration.class)
@AutoConfigureMockMvc(secure = false)