Spring boot, disable security for tests
I use spring boot version \"1.3.0.M5\" (I also tried version \"1.2.5.RELEASE\"). I added spring security:
org.springframework
-
You have to do some changes to your config and test to solve your problem(s).
First I'll explain why your solution isn't working:
- The Spring
RestTemplateclass is a possible way to access your REST service but lacks some header informations the way it is constructed (Which doesn't mean it's impossible with theRestTemplate). Thats why the authentication didn't work. - My first solution attempt isn't working because of the usage of the
RestTemplateclass, as theRestTemplaterequest is likely to create a new session. It sets an entirely different environment. My code works if you want to test Methods secured with the@PreAuthorizeannotation but only if you want to execute such a method directly in your test and you need a valid authentication. - You can't automatically authorize any user as of your current spring security configuration.
Second, here are the necessary changes to your code:
First the configuration class
@Configuration @EnableWebSecurity public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER" ); } @Override protected void configure(HttpSecurity http) throws Exception { http.httpBasic().and().csrf().disable() .authorizeRequests().antMatchers("/api/sampleentity").authenticated() .and().authorizeRequests().antMatchers("/users").hasRole("ADMIN") .and().formLogin().permitAll() .and().logout().permitAll().logoutUrl("/logout") .logoutSuccessUrl("/"); } @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } }I had to add httpBasic Authentication support (to enable authentication via http header attribute) and I disabled csrf tokens (the latter just for convenience, you should reenable them according to criticality of your application).
And second the Testclass:
import java.io.IOException; import java.nio.charset.Charset; import java.util.Arrays; import javax.servlet.Filter; import org.junit.Assert; import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.IntegrationTest; import org.springframework.boot.test.SpringApplicationConfiguration; import org.springframework.http.MediaType; import org.springframework.http.converter.HttpMessageConverter; import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter; import org.springframework.mock.http.MockHttpOutputMessage; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import org.springframework.test.context.web.WebAppConfiguration; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.setup.MockMvcBuilders; import org.springframework.web.context.WebApplicationContext; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.*; @RunWith(SpringJUnit4ClassRunner.class) @SpringApplicationConfiguration(classes = SpringBootMainApplication.class) @WebAppConfiguration @IntegrationTest({ "server.port=0" }) public class SampleEntityTest { private String url; private MockMvc mockMvc; private HttpMessageConverter mappingJackson2HttpMessageConverter; private MediaType contentType = new MediaType( MediaType.APPLICATION_JSON.getType(), MediaType.APPLICATION_JSON.getSubtype(), Charset.forName("utf8")); @Autowired private WebApplicationContext webApplicationContext; @Autowired private Filter springSecurityFilterChain; @Autowired void setConverters(HttpMessageConverter<?>[] converters) { for (HttpMessageConverter hmc : Arrays.asList(converters)) { if (hmc instanceof MappingJackson2HttpMessageConverter) { this.mappingJackson2HttpMessageConverter = hmc; } } Assert.assertNotNull("the JSON message converter must not be null", this.mappingJackson2HttpMessageConverter); } @Before public void setUp() { url = "/api/sampleentity"; mockMvc = MockMvcBuilders.webAppContextSetup(webApplicationContext) .addFilters(springSecurityFilterChain).build(); } @Test public void testEntityGet() throws Exception { mockMvc.perform( get(url) .with(httpBasic("user", "password"))) .andExpect(status().isOk()); } @Test public void testEntityPost() throws Exception { SampleEntity sampleEntity = new SampleEntity(); sampleEntity.setName("name"); sampleEntity.setId(1); String json = json(sampleEntity); mockMvc.perform( post(url) .contentType(contentType) .content(json) .with(httpBasic("user", "password"))) .andExpect(status().isCreated()); } protected String json(Object o) throws IOException { MockHttpOutputMessage mockHttpOutputMessage = new MockHttpOutputMessage(); this.mappingJackson2HttpMessageConverter.write(o, MediaType.APPLICATION_JSON, mockHttpOutputMessage); return mockHttpOutputMessage.getBodyAsString(); }}
I have used the spring/ spring security test approach here.
Versions used:
<parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>1.2.5.RELEASE</version> </parent> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>4.0.2.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>4.0.2.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>4.0.2.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-test</artifactId> <version>4.0.2.RELEASE</version> <scope>test</scope> </dependency>If you want to test your rest api i can recommend you the Postman plugin for Chrome. As that can help you identify the problem much faster.
I hope this helps you to finally solve your problem.
讨论(0) - The Spring
-
If you want to see what's being auto-configured, launch your web app and access the autoconfig endpoint (e.g., http://localhost:8080/autoconfig). Then search for '
Security' to see which 'AutoConfiguration' classes are being detected.You can then disable auto-configuration of security by excluding those classes like this:
@EnableAutoConfiguration(exclude = { SecurityAutoConfiguration.class, ManagementSecurityAutoConfiguration.class })Of course, you won't want to exclude them for production deployments. Thus you'll need to have a separate
@Configurationclass for production and tests.Or if you want a detailed answer go for below-mentioned steps
Add annotation
@Profile(value = {"development", "production"})to my implementation ofWebSecurityConfigurerAdapter@Configuration @EnableWebSecurity @Profile(value = {"development", "production"}) public class WebSecurityConfig extends WebSecurityConfigurerAdapter {Now, in test/resources, create application-test.yml to define properties for test profile and add this -
# Security enable/disable security: basic: enabled: falseNow, to your test cases, add this annotation to apply the active profile @ActiveProfiles(value = "test"). This is how my class looked -
@RunWith(SpringJUnit4ClassRunner.class) @SpringApplicationConfiguration(classes = Application.class) @WebAppConfiguration @ActiveProfiles(value = "test") @IntegrationTest({"server.port=0"}) public class SampleControllerIntegrationTest {Doing this will disabled security for tests. Best of luck!!!
讨论(0)
加载中...
- 热议问题