Having trouble testing secured web resources with spring test mvc

  • Having trouble testing secured web resources with spring test mvc

    Hello,

    I am trying to test web resources secured with Spring Security, but my tests are always able to access the secured resources: I always get a status of 200 even though the credentials are dummy.

    I am not sure what I am getting wrong.

    Here is the test class:
    Code:
    /**
     * Sends a request for {@code /admin/clients} through the application's Spring Security
     * filter chain and expects HTTP 403 for a caller that holds only {@code ROLE_DUMMY}.
     *
     * <p>NOTE(review): a 403 here is only meaningful next to controls. The same request made
     * with {@code ROLE_ADMIN} should be allowed and an unauthenticated one should be turned
     * away; without those, a harness that never applies the security rules cannot be told
     * apart from one that does.
     */
    @RunWith(SpringJUnit4ClassRunner.class)
    @ContextConfiguration(locations = { "classpath:/META-INF/spring/applicationContext*.xml" })
    public class AuthorizationTest {
    
    	// Locations handed to MockMvcBuilders.xmlConfigSetup(...) in the test below.
    	// NOTE(review): contextLoc repeats the @ContextConfiguration location, so the contexts
    	// are presumably loaded twice (once by the runner, once by the builder) - confirm that
    	// the injected filter chain and the controllers under test share the same beans.
    	private String contextLocWeb = "file:src/main/webapp/WEB-INF/spring/webmvc-config.xml";
    	private String contextLoc = "classpath:/META-INF/spring/applicationContext*.xml";
    	private String warDir = "src/main/webapp";
    
    	// Security filter chain injected from the context loaded by @ContextConfiguration.
    	@Autowired
    	private FilterChainProxy springSecurityFilterChain;
    	
    	// Token created in setup() and attached to the request as its principal.
    	private Authentication authentication;
    
    	/**
    	 * Creates a token for user "jumartin" whose only authority is ROLE_DUMMY and stores it
    	 * in the SecurityContextHolder.
    	 */
    	@Before
    	public void setup() {
    		authentication = new UsernamePasswordAuthenticationToken(
    				"jumartin", "dummy", AuthorityUtils.createAuthorityList("ROLE_DUMMY"));
    		// NOTE(review): a chain built from <http> normally begins with
    		// SecurityContextPersistenceFilter, which replaces the holder's context with the one
    		// loaded from its repository (the HTTP session by default). If that filter is part
    		// of this chain, the value stored here never reaches the authorization check -
    		// confirm, and if so place the SecurityContext in the mock session under
    		// HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY instead.
    		// NOTE(review): nothing in this class clears the holder afterwards; with the default
    		// thread-local strategy the token can leak into later tests on the same thread.
    		// Consider an @After method calling SecurityContextHolder.clearContext().
    		SecurityContextHolder.getContext().setAuthentication(authentication);
    	}
    
    	/**
    	 * Builds a MockMvc instance with the security filter chain registered and asserts that
    	 * GET /admin/clients?form= answers 403 Forbidden.
    	 *
    	 * @throws Exception if building MockMvc or performing the request fails
    	 */
    	@Test
    	public void testFailedAuthorization() throws Exception {
    		MockMvc mvc = MockMvcBuilders
    				.xmlConfigSetup(contextLocWeb, contextLoc)
    				.configureWebAppRootDir(warDir, false)
    				.addFilters(springSecurityFilterChain)
    				.build();
    		// NOTE(review): principal(...) sets the request's user principal; the URL access
    		// decision is presumably taken from the SecurityContext rather than from this value,
    		// so it may not influence the outcome - confirm.
    		mvc.perform(
    				MockMvcRequestBuilders.get("/admin/clients")
    						.principal(authentication)
    						.param("form", ""))
    			.andExpect(MockMvcResultMatchers.status().isForbidden());
    	}
    
    }
    and the relevant snippet from applicationContext-security.xml file:

    Code:
    <!-- Turns on method-level security driven by pre/post annotations. -->
    <global-method-security pre-post-annotations="enabled"/>
    	<!-- HTTP security configuration (remove the comment markers to enable Spring Security) -->
    	<!-- Access rules below are written as expressions (use-expressions="true"), e.g. permitAll, hasRole(...). -->
    	<http auto-config="true" use-expressions="true">
    		<!-- Session control -->
    		<!-- One session per user; error-if-maximum-exceeded="true" refuses a second login instead of expiring the first. -->
    		<!-- NOTE(review): concurrency control depends on session-destroyed events. Confirm that HttpSessionEventPublisher
    		     is registered in web.xml; otherwise a user whose session timed out may keep being refused. -->
    		<session-management>
    			<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login" />
    		</session-management>
    		<form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
    		<logout logout-url="/resources/j_spring_security_logout" />
    		<!-- intercept-url rules are checked in declaration order and the first matching pattern wins,
    		     so the /admin/** rule has to stay above the /** catch-all at the end. -->
    		<intercept-url pattern='/css/**' access="permitAll" />
    		<!-- The login and logout processing URLs above live under /resources/, hence permitAll here. -->
    		<!-- NOTE(review): everything else served under /resources/ is public as well; confirm nothing sensitive is mapped there. -->
    		<intercept-url pattern='/resources/**' access="permitAll" />
    		<!-- Access-denied page -->
    		<intercept-url pattern='/authzError/**' access="permitAll" />
    		<!-- login -->
    		<intercept-url pattern='/login' access="permitAll" />
    		<!-- User entity: only ROLE_ADMIN may reach /admin/** -->
    		<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    		<!-- Define the application's roles: every remaining URL requires one of the roles listed -->
    		<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_OPE_NUM','ROLE_OPE_NUM_RENFORT','ROLE_ACCN','ROLE_CHEF_EQUIPE','ROLE_RESP_PROD','ROLE_CODIR')" />
    	</http>
    Can anyone please help?

    Regards,

    J.