Announcement Announcement Module
No announcement yet.
Junit testing on Spring security stuff Page Title Module
Move Remove Collapse
This topic is closed
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Junit testing on Spring security stuff

    Hi all,
    I am having hard time in findind a solution to test the spring security.
    Always my test case returns null authentication. Please see the attachement for my full junit code and testsecurity.xml.

    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpServletResponse response = new MockHttpServletResponse();
    XmlWebApplicationContext ctx = new XmlWebApplicationContext();
    ctx.setConfigLocations(new String[] { "file:war/WEB-INF/testadjudication-security.xml","file:war/WEB-INF/adjudication-dao.xml" ,"file:war/WEB-INF/adjudication-base.xml","file:war/WEB-INF/adjudication-datasource.xml"});
    Filter f = (Filter) ctx.getBean("springSecurityFilterChain", Filter.class);
    try {
    f.doFilter(request, response,new MockFilterChain());
    } catch (IOException e) {
    // TODO Auto-generated catch block
    } catch (ServletException e) {
    // TODO Auto-generated catch block


    And i am always getting reponse.getRedirectedUrl() as null. Please help me in resolving this issue.

  • #2
    A few pointers:

    When posting code please use the code tags as it makes the code a lot more readable.

    You may want to look into the Spring Testing chapter rather than creating the application context yourself (it makes it a bit easier and will give you added performance by caching the configurations)

    A few questions:

    You mentioned "Always my test case returns null authentication."...How are you trying to assert a non null authentication (I must be missing that piece)?

    I didn't see an attachment...can you post your configuration files?

    Rob Winch


    • #3
      I have attached my test case and testsecuirty.xml file

      Please go through it and let me know what i am doing wrong????


      • #4
        1) I assume you have truncated your configuration because you only include one spring config in the attachments, but the tests lists out numerous config files. I assume that means you have tried to simplify a little bit which is ok but may impact my comments.

        2) The Spring configuration that you provide states that the redirect url should look like https://localhost/spring_security_login, not "/adjudication.html". This is because the user is expected to go to the login page (the default is spring_security_login) not the projected resource. This occurs because the user is not logged in and accessing a protected resource.

        3) If you are authenticated, the SecurityContextHolder.getContext().getAuthenticati on() will only be authenticated inside the FilterChain. Spring Security starts by setting up the SecurityContext in the SecurityContextHolder, but removes it after the FilterChain is invoked.

        However, in this scenario the user is not authenticated so the MockFilterChain doesn't even get executed. In order to simulate being authenticated you will need to populate the session with the UserDetails. You want to not only validate the authentication, but also validate that the mockfilterchain was executed. An example is below:

        MockHttpSession session = new MockHttpSession();
        SecurityContext context = new SecurityContextImpl();
        context.setAuthentication(new UsernamePasswordAuthenticationToken("oasysadmin", "password",new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_CDAC_ADJUDICATION") }));
        MockFilterChain chain = new MockFilterChain() {
        	public void doFilter(ServletRequest request,
        			ServletResponse response) {
        		super.doFilter(request, response);
        f.doFilter(request, response, chain);
        // ensure the filterchain was callled (i.e. make sure it didn't do a
        // redirect and not continue calling the fitlerchain
        4) With the configuration you provided I'm not sure where you are going to get an OASYSUserDetails object so that cast may be invalid

        Rob Winch


        • #5
          Thank you for replying me very soon. I will try the ideas what you have said and let you know tomorrow.