在Spring Boot 1.4中测试安全性 [英] Testing security in Spring Boot 1.4

问题描述

我正在尝试使用 SecurityConfig 类中定义的自定义安全设置测试 @WebMvcTest ：

I'm trying to test @WebMvcTest with custom security settings defined in SecurityConfig class:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/admin*").access("hasRole('ADMIN')").antMatchers("/**").permitAll().and().formLogin();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("ADMIN");
    }
}

测试类是：

@RunWith(SpringRunner.class)
@WebMvcTest(value = ExampleController.class)
public class ExampleControllerMockMVCTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    public void indexTest() throws Exception {
        mockMvc.perform(get("/"))
        .andExpect(status().isOk())
        .andExpect(view().name("index"));
    }

    @Test
    public void adminTestWithoutAuthentication() throws Exception {
        mockMvc.perform(get("/admin"))
        .andExpect(status().is3xxRedirection()); //login form redirect
    }

    @Test
    @WithMockUser(username="example", password="password", roles={"ANONYMOUS"})
    public void adminTestWithBadAuthentication() throws Exception {
        mockMvc.perform(get("/admin"))
        .andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(username="user", password="password", roles={"ADMIN"})
    public void adminTestWithAuthentication() throws Exception {
        mockMvc.perform(get("/admin"))
        .andExpect(status().isOk())
        .andExpect(view().name("admin"))
        .andExpect(model().attributeExists("name"))
        .andExpect(model().attribute("name", is("user")));
    }
}

测试失败，因为他们使用的是默认安全设置Spring Boot。

Tests fail because they are using the default security settings of Spring Boot.

我可以使用 @SpringBootTest + @AutoConfigureMockMvc ，但在没有运行所有自动配置的情况下进行测试会很有趣。

I can fix this using @SpringBootTest + @AutoConfigureMockMvc, but it would be interesting to test without running all auto-configuration.

@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = WebEnvironment.MOCK)
@AutoConfigureMockMvc
public class ExampleControllerSpringBootTest {

    @Autowired
    private MockMvc mockMvc;

    // tests
}

有没有办法 @WebMvcTest 可以使用 SecurityConfig 类中定义的设置吗？

Is there any way that @WebMvcTest can use settings defined in SecurityConfig class?

推荐答案

WebMvcTest 只会加载您的控制器，而不是其他任何东西（这就是我们称之为切片的原因）。我们无法确定您想要的配置部分以及您不需要的部分。如果安全配置不在主 @SpringBootApplication 上，则必须明确导入它。否则，Spring Boot将启用默认安全设置。

WebMvcTest is only going to load your controller and nothing else (that's why we call that slicing). We can't figure out which part of your configuration you want and which one you don't. If the security config isn't on your main @SpringBootApplication you'll have to import it explicitly. Otherwise, Spring Boot is going to enable default security settings.

如果您使用的是OAuth之类的东西，这是一件好事，因为您真的不想开始用它进行模拟测试。如果在测试中添加 @Import（SecurityConfig.class）会发生什么？

If you're using something like OAuth, that's a good thing though because you really don't want to start using that for a mock test. What happens if you add @Import(SecurityConfig.class) to your test?

这篇关于在Spring Boot 1.4中测试安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！