Spring Test Security How to mock authentication

Question

I was trying to figure out how to unit test if my the URLs of my controllers are properly secured  Just in case someone changes things around and accidentally removes security settings    My controller method looks like this    RequestMapping   api v1 resource test     Secured  ROLE USER   public  ResonseBody String test         return  test       I set up a WebTestEnvironment like so   import javax annotation Resource  import javax naming NamingException  import javax sql DataSource   import org junit Before  import org junit runner RunWith  import org slf4j Logger  import org slf4j LoggerFactory  import org springframework beans factory annotation Autowired  import org springframework beans factory annotation Qualifier  import org springframework context support ClassPathXmlApplicationContext  import org springframework security authentication UsernamePasswordAuthenticationToken  import org springframework security core userdetails UserDetails  import org springframework security core userdetails UserDetailsService  import org springframework security web FilterChainProxy  import org springframework test context ActiveProfiles  import org springframework test context ContextConfiguration  import org springframework test context junit4 SpringJUnit4ClassRunner  import org springframework test context web WebAppConfiguration  import org springframework test web servlet MockMvc  import org springframework test web servlet setup MockMvcBuilders  import org springframework web context WebApplicationContext    RunWith SpringJUnit4ClassRunner class   WebAppConfiguration  ContextConfiguration             file src main webapp WEB-INF spring security xml            file src main webapp WEB-INF spring applicationContext xml            file src main webapp WEB-INF spring servlet-context xml     public class WebappTestEnvironment2         Resource     private FilterChainProxy springSecurityFilterChain        Autowired      Qualifier  databaseUserService       protected UserDetailsService userDetailsService        Autowired     private WebApplicationContext wac        Autowired     protected DataSource dataSource       protected MockMvc mockMvc       protected final Logger logger   LoggerFactory getLogger this getClass          protected UsernamePasswordAuthenticationToken getPrincipal String username             UserDetails user   this userDetailsService loadUserByUsername username            UsernamePasswordAuthenticationToken authentication                    new UsernamePasswordAuthenticationToken                          user                           user getPassword                             user getAuthorities              return authentication              Before     public void setupMockMvc   throws NamingException               setup mock MVC         this mockMvc   MockMvcBuilders                  webAppContextSetup this wac                   addFilters this springSecurityFilterChain                   build              In my actual test I tried to do something like this   import static org springframework test web servlet request MockMvcRequestBuilders get  import static org springframework test web servlet result MockMvcResultMatchers status   import org junit Test  import org springframework mock web MockHttpSession  import org springframework security authentication UsernamePasswordAuthenticationToken  import org springframework security core context SecurityContextHolder  import org springframework security web context HttpSessionSecurityContextRepository   import eu ubicon webapp test WebappTestEnvironment   public class CopyOfClaimTest extends WebappTestEnvironment         Test     public void signedIn   throws Exception            UsernamePasswordAuthenticationToken principal                    this getPrincipal  test1             SecurityContextHolder getContext   setAuthentication principal                    super mockMvc              perform                      get   api v1 resource test                          principal principal                       session session                andExpect status   isOk                I picked this up here    http   java dzone com articles spring-test-mvc-junit-testing here   http   techdive in solutions how-mock-securitycontextholder-perfrom-junit-tests-spring-controller or here   How to JUnit tests a  PreAuthorize annotation and its spring EL specified by a spring MVC Controller    Yet if one looks closely this only helps when not sending actual requests to URLs  but only when testing services on a function level  In my case an  access denied  exception was thrown   org springframework security access AccessDeniedException  Access is denied     at org springframework security access vote AffirmativeBased decide AffirmativeBased java 83    spring-security-core-3 1 3 RELEASE jar 3 1 3 RELEASE      at org springframework security access intercept AbstractSecurityInterceptor beforeInvocation AbstractSecurityInterceptor java 206    spring-security-core-3 1 3 RELEASE jar 3 1 3 RELEASE      at org springframework security access intercept aopalliance MethodSecurityInterceptor invoke MethodSecurityInterceptor java 60    spring-security-core-3 1 3 RELEASE jar 3 1 3 RELEASE      at org springframework aop framework ReflectiveMethodInvocation proceed ReflectiveMethodInvocation java 172    spring-aop-3 2 1 RELEASE jar 3 2 1 RELEASE                The following two log messages are noteworthy basically saying that no user was authenticated indicating that setting the Principal did not work  or that it was overwritten   14 20 34 454  main  DEBUG o s s a i a MethodSecurityInterceptor - Secure object  ReflectiveMethodInvocation  public java util List test TestController test    target is of class  test TestController   Attributes   ROLE USER  14 20 34 454  main  DEBUG o s s a i a MethodSecurityInterceptor - Previously Authenticated  org springframework security authentication AnonymousAuthenticationToken 9055e4a6  Principal  anonymousUser  Credentials   PROTECTED   Authenticated  true  Details  org springframework security web authentication WebAuthenticationDetails 957e  RemoteIpAddress  127 0 0 1  SessionId  null  Granted Authorities  ROLE ANONYMOUS

User · Answer

Options to avoid using SecurityContextHolder in tests    Option 1  use mocks - I mean mock SecurityContextHolder using some mock library - EasyMock for example Option 2  wrap call SecurityContextHolder get    in your code in some service - for example in SecurityServiceImpl with method getCurrentPrincipal that implements SecurityService interface and then in your tests you can simply create mock implementation of this interface that returns the desired principal without access to SecurityContextHolder

User · Answer

Here is an example for those who want to Test Spring MockMvc Security Config using Base64 basic authentication   String basicDigestHeaderValue    Basic     new String Base64 encodeBase64    lt username gt   lt password gt    getBytes      this mockMvc perform get   lt  get url gt    header  Authorization   basicDigestHeaderValue  accept MediaType APPLICATION JSON   andExpect status   isOk       Maven Dependency       lt dependency gt           lt groupId gt commons-codec lt  groupId gt           lt artifactId gt commons-codec lt  artifactId gt           lt version gt 1 3 lt  version gt       lt  dependency gt

User · Answer

It turned out that the SecurityContextPersistenceFilter  which is part of the Spring Security filter chain  always resets my SecurityContext  which I set calling SecurityContextHolder getContext   setAuthentication principal   or by using the  principal principal  method   This filter sets the SecurityContext in the SecurityContextHolder with a SecurityContext from a SecurityContextRepository OVERWRITING the one I set earlier  The repository is a HttpSessionSecurityContextRepository by default  The HttpSessionSecurityContextRepository inspects the given HttpRequest and tries to access the corresponding HttpSession  If it exists  it will try to read the SecurityContext from the HttpSession  If this fails  the repository generates an empty SecurityContext   Thus  my solution is to pass a HttpSession along with the request  which holds the SecurityContext   import static org springframework test web servlet request MockMvcRequestBuilders get  import static org springframework test web servlet result MockMvcResultMatchers status   import org junit Test  import org springframework mock web MockHttpSession  import org springframework security authentication UsernamePasswordAuthenticationToken  import org springframework security core context SecurityContextHolder  import org springframework security web context HttpSessionSecurityContextRepository   import eu ubicon webapp test WebappTestEnvironment   public class Test extends WebappTestEnvironment        public static class MockSecurityContext implements SecurityContext            private static final long serialVersionUID   -1386535243513362694L           private Authentication authentication           public MockSecurityContext Authentication authentication                this authentication   authentication                      Override         public Authentication getAuthentication                 return this authentication                      Override         public void setAuthentication Authentication authentication                this authentication   authentication                        Test     public void signedIn   throws Exception            UsernamePasswordAuthenticationToken principal                    this getPrincipal  test1             MockHttpSession session   new MockHttpSession            session setAttribute                  HttpSessionSecurityContextRepository SPRING SECURITY CONTEXT KEY                   new MockSecurityContext principal              super mockMvc              perform                      get   api v1 resource test                        session session                andExpect status   isOk

User · Answer

Seaching for answer I couldn t find any to be easy and flexible at the same time  then I found the Spring Security Reference and I realized there are near to perfect solutions  AOP solutions often are the greatest ones for testing  and Spring provides it with  WithMockUser   WithUserDetails and  WithSecurityContext  in this artifact   lt dependency gt       lt groupId gt org springframework security lt  groupId gt       lt artifactId gt spring-security-test lt  artifactId gt       lt version gt 4 2 2 RELEASE lt  version gt       lt scope gt test lt  scope gt   lt  dependency gt   In most cases   WithUserDetails gathers the flexibility and power I need  How  WithUserDetails works  Basically you just need to create a custom UserDetailsService with all the possible users profiles you want to test  E g  TestConfiguration public class SpringSecurityWebAuxTestConfig         Bean      Primary     public UserDetailsService userDetailsService             User basicUser   new UserImpl  quot Basic User quot    quot user company com quot    quot password quot            UserActive basicActiveUser   new UserActive basicUser  Arrays asList                  new SimpleGrantedAuthority  quot ROLE USER quot                    new SimpleGrantedAuthority  quot PERM FOO READ quot                        User managerUser   new UserImpl  quot Manager User quot    quot manager company com quot    quot password quot            UserActive managerActiveUser   new UserActive managerUser  Arrays asList                  new SimpleGrantedAuthority  quot ROLE MANAGER quot                    new SimpleGrantedAuthority  quot PERM FOO READ quot                    new SimpleGrantedAuthority  quot PERM FOO WRITE quot                    new SimpleGrantedAuthority  quot PERM FOO MANAGE quot                        return new InMemoryUserDetailsManager Arrays asList                  basicActiveUser  managerActiveUser                      Now we have our users ready  so imagine we want to test the access control to this controller function   RestController  RequestMapping  quot  foo quot   public class FooController         Secured  quot ROLE MANAGER quot        GetMapping  quot  salute quot       public String saluteYourManager  AuthenticationPrincipal User activeUser                return String format  quot Hi  s  Foo salutes you  quot   activeUser getUsername              Here we have a get mapped function to the route  foo salute and we are testing a role based security with the  Secured annotation  although you can test  PreAuthorize and  PostAuthorize as well  Let s create two tests  one to check if a valid user can see this salute response and the other to check if it s actually forbidden   RunWith SpringRunner class   SpringBootTest          webEnvironment   SpringBootTest WebEnvironment RANDOM PORT          classes   SpringSecurityWebAuxTestConfig class    AutoConfigureMockMvc public class WebApplicationSecurityTest         Autowired     private MockMvc mockMvc        Test      WithUserDetails  quot manager company com quot       public void givenManagerUser whenGetFooSalute thenOk   throws Exception               mockMvc perform MockMvcRequestBuilders get  quot  foo salute quot                    accept MediaType ALL                    andExpect status   isOk                     andExpect content   string containsString  quot manager company com quot                  Test      WithUserDetails  quot user company com quot       public void givenBasicUser whenGetFooSalute thenForbidden   throws Exception               mockMvc perform MockMvcRequestBuilders get  quot  foo salute quot                    accept MediaType ALL                    andExpect status   isForbidden              As you see we imported SpringSecurityWebAuxTestConfig to provide our users for testing  Each one used on its corresponding test case just by using a straightforward annotation  reducing code and complexity  Better use  WithMockUser for simpler Role Based Security As you see  WithUserDetails has all the flexibility you need for most of your applications  It allows you to use custom users with any GrantedAuthority  like roles or permissions  But if you are just working with roles  testing can be even easier and you could avoid constructing a custom UserDetailsService  In such cases  specify a simple combination of user  password and roles with  WithMockUser   Target  ElementType METHOD  ElementType TYPE    Retention RetentionPolicy RUNTIME   Inherited  Documented  WithSecurityContext      factory   WithMockUserSecurityContextFactory class   public  interface WithMockUser       String value   default  quot user quot        String username   default  quot  quot        String   roles   default   quot USER quot         String password   default  quot password quot      The annotation defines default values for a very basic user  As in our case the route we are testing just requires that the authenticated user be a manager  we can quit using SpringSecurityWebAuxTestConfig and do this   Test  WithMockUser roles    quot MANAGER quot   public void givenManagerUser whenGetFooSalute thenOk   throws Exception       mockMvc perform MockMvcRequestBuilders get  quot  foo salute quot                accept MediaType ALL                andExpect status   isOk                 andExpect content   string containsString  quot user quot         Notice that now instead of the user manager company com we are getting the default provided by  WithMockUser  user  yet it won t matter because what we really care about is his role  ROLE MANAGER  Conclusions As you see with annotations like  WithUserDetails and  WithMockUser we can switch between different authenticated users scenarios without building classes alienated from our architecture just for making simple tests  Its also recommended you to see how  WithSecurityContext works for even more flexibility

User · Answer

Pretty Late answer though  But This has worked for me   and could be useful  While Using Spring Security ans mockMvc  all you need to is use  WithMockUser annotation like others are mentioned  Spring security also provides another annotation called  WithAnonymousUser for testing unauthenticated requests  However you should be careful here  You would be expecting 401  but I got 403 Forbidden Error by default  In actual scenarios  when you are running actual service  It is redirected and you end up getting the correct 401 response code Use this annotation for anonymous requests  You may also think of ommitting the annotaions and simply keep it unauthorized  But this usually raises the correct exceptions like AuthenticationException   but you will get correct status code if it is handled correctly If you are using custom handler   I used to get 500 for this  So look for the exceptions raised in the debugger  and check if it is handled rightly and returns the correct status code

User · Answer

Create a class TestUserDetailsImpl on your test package   Service  Primary  Profile  quot test quot   public class TestUserDetailsImpl implements UserDetailsService       public static final String API USER    quot apiuser example com quot        private User getAdminUser             User user   new User            user setUsername API USER            SimpleGrantedAuthority role   new SimpleGrantedAuthority  quot ROLE API USER quot            user setAuthorities Collections singletonList role             return user              Override     public UserDetails loadUserByUsername String username                                            throws UsernameNotFoundException           if  Objects equals username  ADMIN USERNAME               return getAdminUser            throw new UsernameNotFoundException username             Rest endpoint   GetMapping  quot  invoice quot    Secured  quot ROLE API USER quot   public Page lt InvoiceDTO gt  getInvoices              Test endpoint   Test  WithUserDetails  quot apiuser example com quot   public void testApi   throws Exception

User · Answer

Short answer    Autowired private WebApplicationContext webApplicationContext    Autowired private Filter springSecurityFilterChain    Before public void setUp   throws Exception       final MockHttpServletRequestBuilder defaultRequestBuilder   get   dummy-path        this mockMvc   MockMvcBuilders webAppContextSetup this webApplicationContext               defaultRequest defaultRequestBuilder               alwaysDo result - gt  setSessionBackOnRequestBuilder defaultRequestBuilder  result getRequest                  apply springSecurity springSecurityFilterChain                build       private MockHttpServletRequest setSessionBackOnRequestBuilder final MockHttpServletRequestBuilder requestBuilder                                                               final MockHttpServletRequest request        requestBuilder session  MockHttpSession  request getSession         return request      After perform formLogin from spring security test each of your requests will be automatically called as logged in user   Long answer   Check this solution  the answer is for spring 4   How to login a user with spring 3 2 new mvc testing

User · Answer

Since Spring 4 0   the best solution is to annotate the test method with  WithMockUser   Test  WithMockUser username    user1   password    pwd   roles    USER   public void mytest1   throws Exception       mockMvc perform get   someApi             andExpect status   isOk         Remember to add the following dependency to your project   org springframework security spring-security-test 4 2 3 RELEASE

User · Answer

Add in pom xml        lt dependency gt           lt groupId gt org springframework security lt  groupId gt           lt artifactId gt spring-security-test lt  artifactId gt           lt version gt 4 0 0 RC2 lt  version gt       lt  dependency gt    and use org springframework security test web servlet request SecurityMockMvcRequestPostProcessors for authorization request   See the sample usage at https   github com rwinch spring-security-test-blog  https   jira spring io browse SEC-2592    Update   4 0 0 RC2 works for spring-security 3 x   For spring-security 4 spring-security-test become part of spring-security  http   docs spring io spring-security site docs 4 0 x reference htmlsingle  test  version is the same     Setting Up is changed  http   docs spring io spring-security site docs 4 0 x reference htmlsingle  test-mockmvc  public void setup         mvc   MockMvcBuilders              webAppContextSetup context               apply springSecurity                   build        Sample for basic-authentication  http   docs spring io spring-security site docs 4 0 x reference htmlsingle  testing-http-basic-authentication

[spring] Spring Test & Security: How to mock authentication?

Examples related to spring

Examples related to security

Examples related to model-view-controller

Examples related to testing

Examples related to junit