Spring Security(三十六):12. Spring MVC Test Integration
Spring Security provides comprehensive integration with Spring MVC Test
12.1 Setting Up MockMvc and Spring Security
In order to use Spring Security with Spring MVC Test it is necessary to add the Spring Security FilterChainProxy
as a Filter
. It is also necessary to add Spring Security’s TestSecurityContextHolderPostProcessor
to support Running as a User in Spring MVC Test with Annotations. This can be done using Spring Security’s SecurityMockMvcConfigurers.springSecurity()
. For example:
Spring Security’s testing support requires spring-test-4.1.3.RELEASE or greater.
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.*; @RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration
@WebAppConfiguration
public class CsrfShowcaseTests { @Autowired
private WebApplicationContext context; private MockMvc mvc; @Before
public void setup() {
mvc = MockMvcBuilders
.webAppContextSetup(context)
.apply(springSecurity()) 1
.build();
} ...
1.SecurityMockMvcConfigurers.springSecurity()
will perform all of the initial setup we need to integrate Spring Security with Spring MVC Test
12.2 SecurityMockMvcRequestPostProcessors
Spring MVC Test provides a convenient interface called a RequestPostProcessor
that can be used to modify a request. Spring Security provides a number of RequestPostProcessor
implementations that make testing easier. In order to use Spring Security’s RequestPostProcessor
implementations ensure the following static import is used:
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.*;
12.2.1 Testing with CSRF Protection
When testing any non-safe HTTP methods and using Spring Security’s CSRF protection, you must be sure to include a valid CSRF Token in the request. To specify a valid CSRF token as a request parameter using the following:
mvc.perform(post("/").with(csrf()))
If you like you can include CSRF token in the header instead:
mvc.perform(post("/").with(csrf().asHeader()))
You can also test providing an invalid CSRF token using the following:
mvc.perform(post("/").with(csrf().useInvalidToken()))
12.2.2 Running a Test as a User in Spring MVC Test
It is often desirable to run tests as a specific user. There are two simple ways of populating the user:
- Running as a User in Spring MVC Test with RequestPostProcessor
- 使用RequestPostProcessor在Spring MVC Test中作为用户运行
- Running as a User in Spring MVC Test with Annotations
- 在带有注释的Spring MVC测试中作为用户运行
12.2.3 Running as a User in Spring MVC Test with RequestPostProcessor
There are a number of options available to associate a user to the current HttpServletRequest
. For example, the following will run as a user (which does not need to exist) with the username "user", the password "password", and the role "ROLE_USER":
The support works by associating the user to the HttpServletRequest
. To associate the request to the SecurityContextHolder
you need to ensure that the SecurityContextPersistenceFilter
is associated with the MockMvc
instance. A few ways to do this are:
- Invoking apply(springSecurity())
- Adding Spring Security’s
FilterChainProxy
toMockMvc
- Manually adding
SecurityContextPersistenceFilter
to theMockMvc
instance may make sense when usingMockMvcBuilders.standaloneSetup
- 使用MockMvcBuilders.standaloneSetup时,手动将SecurityContextPersistenceFilter添加到MockMvc实例可能有意义
mvc.perform(get("/").with(user("user")))
You can easily make customizations. For example, the following will run as a user (which does not need to exist) with the username "admin", the password "pass", and the roles "ROLE_USER" and "ROLE_ADMIN".
mvc.perform(get("/admin").with(user("admin").password("pass").roles("USER","ADMIN")))
If you have a custom UserDetails
that you would like to use, you can easily specify that as well. For example, the following will use the specified UserDetails
(which does not need to exist) to run with a UsernamePasswordAuthenticationToken
that has a principal of the specified UserDetails
:
mvc.perform(get("/").with(anonymous()))
This is especially useful if you are running with a default user and wish to execute a few requests as an anonymous user.
Authentication
(which does not need to exist) you can do so using the following:mvc.perform(get("/").with(authentication(authentication)))
You can even customize the SecurityContext
using the following:
mvc.perform(get("/").with(securityContext(securityContext)))
We can also ensure to run as a specific user for every request by using MockMvcBuilders
's default request. For example, the following will run as a user (which does not need to exist) with the username "admin", the password "password", and the role "ROLE_ADMIN":
mvc = MockMvcBuilders
.webAppContextSetup(context)
.defaultRequest(get("/").with(user("user").roles("ADMIN")))
.apply(springSecurity())
.build();
If you find you are using the same user in many of your tests, it is recommended to move the user to a method. For example, you can specify the following in your own class named CustomSecurityMockMvcRequestPostProcessors
:
public static RequestPostProcessor rob() {
return user("rob").roles("ADMIN");
}
Now you can perform a static import on SecurityMockMvcRequestPostProcessors
and use that within your tests:
import static sample.CustomSecurityMockMvcRequestPostProcessors.*; ... mvc
.perform(get("/").with(rob()))
Running as a User in Spring MVC Test with Annotations
RequestPostProcessor
to create your user, you can use annotations described in Chapter 11, Testing Method Security. For example, the following will run the test with the user with username "user", password "password", and role "ROLE_USER":@Test
@WithMockUser
public void requestProtectedUrlWithUser() throws Exception {
mvc
.perform(get("/"))
...
}
Alternatively, the following will run the test with the user with username "user", password "password", and role "ROLE_ADMIN":
@Test
@WithMockUser(roles="ADMIN")
public void requestProtectedUrlWithUser() throws Exception {
mvc
.perform(get("/"))
...
}
12.2.4 Testing HTTP Basic Authentication
While it has always been possible to authenticate with HTTP Basic, it was a bit tedious to remember the header name, format, and encode the values. Now this can be done using Spring Security’s httpBasic
RequestPostProcessor
. For example, the snippet below:
mvc.perform(get("/").with(httpBasic("user","password")))
will attempt to use HTTP Basic to authenticate a user with the username "user" and the password "password" by ensuring the following header is populated on the HTTP Request:
Authorization: Basic dXNlcjpwYXNzd29yZA==
12.3 SecurityMockMvcRequestBuilders
Spring MVC Test also provides a RequestBuilder
interface that can be used to create the MockHttpServletRequest
used in your test. Spring Security provides a few RequestBuilder
implementations that can be used to make testing easier. In order to use Spring Security’s RequestBuilder
implementations ensure the following static import is used:
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.*;
12.3.1 Testing Form Based Authentication
You can easily create a request to test a form based authentication using Spring Security’s testing support. For example, the following will submit a POST to "/login" with the username "user", the password "password", and a valid CSRF token:
mvc.perform(formLogin())
It is easy to customize the request. For example, the following will submit a POST to "/auth" with the username "admin", the password "pass", and a valid CSRF token:
mvc.perform(formLogin("/auth").user("admin").password("pass"))
We can also customize the parameters names that the username and password are included on. For example, this is the above request modified to include the username on the HTTP parameter "u" and the password on the HTTP parameter "p".
mvc.perform(formLogin("/auth").user("u","admin").password("p","pass"))
12.3.2 Testing Logout
While fairly trivial using standard Spring MVC Test, you can use Spring Security’s testing support to make testing log out easier. For example, the following will submit a POST to "/logout" with a valid CSRF token:
mvc.perform(logout())
You can also customize the URL to post to. For example, the snippet below will submit a POST to "/signout" with a valid CSRF token:
mvc.perform(logout("/signout"))
12.4 SecurityMockMvcResultMatchers
At times it is desirable to make various security related assertions about a request. To accommodate this need, Spring Security Test support implements Spring MVC Test’s ResultMatcher
interface. In order to use Spring Security’s ResultMatcher
implementations ensure the following static import is used:
mvc
.perform(formLogin().password("invalid"))
.andExpect(unauthenticated());
12.4.2 Authenticated Assertion
It is often times that we must assert that an authenticated user exists. For example, we may want to verify that we authenticated successfully. We could verify that a form based login was successful with the following snippet of code:
mvc
.perform(formLogin())
.andExpect(authenticated());
If we wanted to assert the roles of the user, we could refine our previous code as shown below:
mvc
.perform(formLogin().user("admin"))
.andExpect(authenticated().withRoles("USER","ADMIN"));
Alternatively, we could verify the username:
mvc
.perform(formLogin().user("admin"))
.andExpect(authenticated().withUsername("admin"));
We can also combine the assertions:
mvc
.perform(formLogin().user("admin").roles("USER","ADMIN"))
.andExpect(authenticated().withUsername("admin"));
最新文章
- 计算机网络-IP类型判断
- iOS学习09C语言函数指针
- (10)odoo控制器操作
- 李洪强漫谈iOS开发[C语言-006]-程序的描述方式
- testNG小试牛刀
- Javascript/Jquery——简单定时器的多种实现方法
- HDU 2122
- GO:格式化代码
- Linxu安装Lamp环境
- Java引用详解
- dubbo与zookeeper的关系
- CSS3学习手记
- TP5.0实现无限极回复功能
- java反射获取字段的属性值,以及为字段赋值等方法
- ecshop自动确认收货(无其他商家)
- Wireless Penetration Testing(命令总结)
- ubuntu下使用matplotlib绘图无法显示中文label
- 【BZOJ2749】【HAOI2012】外星人[欧拉函数]
- ECMAScript 6 入门之let和const的用法
- Python :数据结构
热门文章
- Kafka控制器选举流程剖析
- Jenkins时间修改为北京时间
- kubernetes进阶之二:概述
- ASP.NET Core 2.1 : 十三.httpClient.GetAsync 报SSL错误的问题
- Springboot 系列(二)Spring Boot 配置文件
- 【Config】类库读取自己的配置文件,配置文件的扩展
- [PHP]MySQL的wait_timeout与pdo对象
- Activiti(二) springBoot2集成activiti,集成activiti在线设计器
- 小tips:path的join和resolve的使用区别
- ArcGIS Server较早版本切片迁移注意事项