Reputation: 1
Why is the session already in the request while testing Spring Security's login process?
I'm writing code to test the login process that works with the filter. It was written using kotest.
describe("When you log in") {
context("When the e-mail and password are properly given") {
val requestBody = LoginRequest(fakeUser.email, fakeUser.password)
val mvcResult = login(requestBody)
it("need to return session and status 200.") {
mvcResult.response.status shouldBe HttpStatus.OK.value()
mvcResult.request.session!!
.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY)
.shouldNotBeNull()
}
}
At first, I tried to check the Set-Cookie in the header to see the session id. However, I found out from another article that this cannot be confirmed through mockMvc.
link: Spring MVC testing (security Integration test), JSESSIONID is not present
You also don't see Set-Cookie header. For me it's a big limitation of MockMVC.
However, I found that there are session attributes within the correct login request.
MockHttpServletRequest:
HTTP Method = POST
Request URI = /auth/login
Parameters = {remember-me=[false]}
Headers = [Content-Type:"application/json;charset=UTF-8", Content-Length:"42"]
Body = {"email":"[email protected]","password":"test"}
Session Attrs = {SPRING_SECURITY_CONTEXT=SecurityContextImpl [Authentication=CustomAuthenticationToken [Principal=org...domain.user.User@72008a41, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[ROLE_USER]]]}
I saw this and made sure that the request contained that session, and it actually existed and the test passed. And we also tested that it doesn't exist when the login request fails.
If it's normal, the request doesn't contain a session, and you have to set up a session in the response, right? The behavior of mockMvc doesn't make me understand.
If I simply guess, it is only expected that the MockHttpServletRequest will be output after the session is registered through the security filter.
It works fine, but it remains a question for me.
Upvotes: 0
Views: 26
Answers (0)
Related Questions
- Could not verify the provided CSRF token because your session was not found in spring security
- spring security 6.21version 403 fobiden error
- How Spring Security Filter Chain works
- How Spring Security's custom login works
- When the Auth Server redirects to the SSO Proxy server it doesn't know the login was successful
- Spring session creation policy per-request?
- Spring MockMvc doesn't contain cookies
- Why does Spring MockMvc result not contain a cookie?
- Missing CSFR_TOKEN session attribute after login process in Spring Security with Angular JS