Spring Test & Security: How to mock authentication?

by

Seaching for answer I couldn’t find any to be easy and flexible at the same time, then I found the Spring Security Reference and I realized there are near to perfect solutions. AOP solutions often are the greatest ones for testing, and Spring provides it with @WithMockUser, @WithUserDetails and @WithSecurityContext, in this artifact:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-test</artifactId>
    <version>4.2.2.RELEASE</version>
    <scope>test</scope>
</dependency>

In most cases, @WithUserDetails gathers the flexibility and power I need.

How @WithUserDetails works?

Basically you just need to create a custom UserDetailsService with all the possible users profiles you want to test. E.g

@TestConfiguration
public class SpringSecurityWebAuxTestConfig {

    @Bean
    @Primary
    public UserDetailsService userDetailsService() {
        User basicUser = new UserImpl("Basic User", "[email protected]", "password");
        UserActive basicActiveUser = new UserActive(basicUser, Arrays.asList(
                new SimpleGrantedAuthority("ROLE_USER"),
                new SimpleGrantedAuthority("PERM_FOO_READ")
        ));

        User managerUser = new UserImpl("Manager User", "[email protected]", "password");
        UserActive managerActiveUser = new UserActive(managerUser, Arrays.asList(
                new SimpleGrantedAuthority("ROLE_MANAGER"),
                new SimpleGrantedAuthority("PERM_FOO_READ"),
                new SimpleGrantedAuthority("PERM_FOO_WRITE"),
                new SimpleGrantedAuthority("PERM_FOO_MANAGE")
        ));

        return new InMemoryUserDetailsManager(Arrays.asList(
                basicActiveUser, managerActiveUser
        ));
    }
}

Now we have our users ready, so imagine we want to test the access control to this controller function:

@RestController
@RequestMapping("/foo")
public class FooController {

    @Secured("ROLE_MANAGER")
    @GetMapping("/salute")
    public String saluteYourManager(@AuthenticationPrincipal User activeUser)
    {
        return String.format("Hi %s. Foo salutes you!", activeUser.getUsername());
    }
}

Here we have a get mapped function to the route /foo/salute and we are testing a role based security with the @Secured annotation, although you can test @PreAuthorize and @PostAuthorize as well.
Let’s create two tests, one to check if a valid user can see this salute response and the other to check if it’s actually forbidden.

@RunWith(SpringRunner.class)
@SpringBootTest(
        webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
        classes = SpringSecurityWebAuxTestConfig.class
)
@AutoConfigureMockMvc
public class WebApplicationSecurityTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    @WithUserDetails("[email protected]")
    public void givenManagerUser_whenGetFooSalute_thenOk() throws Exception
    {
        mockMvc.perform(MockMvcRequestBuilders.get("/foo/salute")
                .accept(MediaType.ALL))
                .andExpect(status().isOk())
                .andExpect(content().string(containsString("[email protected]")));
    }

    @Test
    @WithUserDetails("[email protected]")
    public void givenBasicUser_whenGetFooSalute_thenForbidden() throws Exception
    {
        mockMvc.perform(MockMvcRequestBuilders.get("/foo/salute")
                .accept(MediaType.ALL))
                .andExpect(status().isForbidden());
    }
}

As you see we imported SpringSecurityWebAuxTestConfig to provide our users for testing. Each one used on its corresponding test case just by using a straightforward annotation, reducing code and complexity.

Better use @WithMockUser for simpler Role Based Security

As you see @WithUserDetails has all the flexibility you need for most of your applications. It allows you to use custom users with any GrantedAuthority, like roles or permissions. But if you are just working with roles, testing can be even easier and you could avoid constructing a custom UserDetailsService. In such cases, specify a simple combination of user, password and roles with @WithMockUser.

@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Inherited
@Documented
@WithSecurityContext(
    factory = WithMockUserSecurityContextFactory.class
)
public @interface WithMockUser {
    String value() default "user";

    String username() default "";

    String[] roles() default {"USER"};

    String password() default "password";
}

The annotation defines default values for a very basic user. As in our case the route we are testing just requires that the authenticated user be a manager, we can quit using SpringSecurityWebAuxTestConfig and do this.

@Test
@WithMockUser(roles = "MANAGER")
public void givenManagerUser_whenGetFooSalute_thenOk() throws Exception
{
    mockMvc.perform(MockMvcRequestBuilders.get("/foo/salute")
            .accept(MediaType.ALL))
            .andExpect(status().isOk())
            .andExpect(content().string(containsString("user")));
}

Notice that now instead of the user [email protected] we are getting the default provided by @WithMockUser: user; yet it won’t matter because what we really care about is his role: ROLE_MANAGER.

Conclusions

As you see with annotations like @WithUserDetails and @WithMockUser we can switch between different authenticated users scenarios without building classes alienated from our architecture just for making simple tests. Its also recommended you to see how @WithSecurityContext works for even more flexibility.

More Related Contents:

  1. How to test a mocked JNDI datasource with Spring?
  2. Injecting Mockito mocks into a Spring bean
  3. Content type ‘application/x-www-form-urlencoded;charset=UTF-8’ not supported for @RequestBody MultiValueMap
  4. How to add a hook to the application context initialization event?
  5. How to test Spring’s declarative caching support on Spring Data repositories?
  6. How to in-memory unit test Spring-Jersey
  7. How to test a spring controller method by using MockMvc?
  8. Disable @EnableScheduling on Spring Tests
  9. No Spring WebApplicationInitializer types detected on classpath
  10. Reuse spring application context across junit test classes
  11. Another unnamed CacheManager already exists in the same VM (ehCache 2.5)
  12. spring junit load application context for tests
  13. Getting Spring Error “Bean named ‘x’ must be of type [y], but was actually of type [$Proxy]” in Jenkins
  14. Spring Framework TEST RESTful Web Service (Controller) Offline i.e. No Server, No Database
  15. Why does self-invocation not work for Spring proxies (e.g. with AOP)?
  16. Spring Resttemplate exception handling
  17. Spring Boot CORS filter – CORS preflight channel did not succeed
  18. Spring CSRF token does not work, when the request to be sent is a multipart request
  19. Spring catch all route for index.html
  20. Transactional annotation avoids services being mocked
  21. Handling ambiguous handler methods mapped in REST application with Spring
  22. How to use LocalDateTime RequestParam in Spring? I get “Failed to convert String to LocalDateTime”
  23. Spring REST using Jackson – 400 bad request logging
  24. Reloading/Refreshing Spring configuration file without restarting the servlet container
  25. Create Account, Forgot Password and Change Password
  26. Spring Boot Data JPA – Modifying update query – Refresh persistence context
  27. Spring boot: configure it to find the webapp folder
  28. Self-invocation behaviour in @Configuration vs. @Component classes
  29. Programmatic access to properties created by property-placeholder
  30. @SpringBootTest vs @ContextConfiguration vs @Import in Spring Boot Unit Test

Leave a Comment