Grails 2.4.4在使用Spring安全代码的情况下测试许可 [英] Grails 2.4.4 Testing for permission where spring security code is being used

问题描述

我正在使用spock进行应用程序测试并使用Grails 2.4.4.我已经完成了域，控制器和服务单元测试.但是在控制器部分，我坚持使用角色明智的访问方式.为了进行身份验证，我使用的是Spring Security Core插件.下面是我的示例代码.

I am using spock for may application testing and using Grails 2.4.4. I have done domain, controller, and service unit testing. But in controller sections I am stuck with the role wise access. For authentication I am using Spring Security Core Plugin. Below is my sample code.

@Secured(["IS_AUTHENTICATED_FULLY"])
def index(Integer max) {

}

@Secured(["ROLE_A","ROLE_B"])
def create() {
    respond new DomainName(params)
}

@Transactional
@Secured(["ROLE_A","ROLE_B"])
def save(DomainName DomainNameInstance) {
}

如何测试只有具有ROLE_A和ROLE_B的用户才能创建和保存，而其他用户则不能创建?我还要检查用户IS_AUTHENTICATED_FULLY是否可以访问索引操作?

推荐答案

从您的问题看来，您似乎正在尝试测试Spring Security代码是否正常工作.我对单元测试控制器的看法是，如果我不写，就不会对其进行测试."我的控制器使用的服务被模拟，我的控制器使用的配置值被模拟.同样，Spring Security行为是模拟的(实际上).这意味着要承担与您在应用程序中使用的插件有关的一定风险.您是否相信Spring Security能够正确处理角色和权限?我通常会这么做.

From your question, it sounds like you are trying to test whether the Spring Security code is working. My take on unit testing controllers is that 'if I didn't write I'm not testing it.' Services used by my controllers are mocked, configuration values used by my controller are mocked. Likewise, Spring Security behaviors are mocked (in effect). This means accepting some amount of risk related to the plugins that you use in your application. Do you trust Spring Security to handle roles and authorities correctly? I generally do.

我对代码的行为更感兴趣，因此我通常只是在单元测试中绕过弹簧检查.如果您要验证应用程序的行为(如果用户已登录或未登录，或者具有或没有特定角色)，则可以执行此操作.

I'm more interested in the behaviors of my code, so I generally just bypass the spring check in my Unit tests. If you want to verify the behaviors of your application if the user is or is not logged in, or does or does not have a certain role, you can do that.

def "test create method without required role"() {
    setup:
    // tell Spring to behave as if the user does not have the desired role(s)
    SpringSecurityUtils.metaClass.static.ifAllGranted = { String role ->
        return false
    }

    when:
    controller.index()

    then:
    // without the required role, what does the controller return?
    controller.response.status == ??

    cleanup:
    SpringSecurityUtils.metaClass = null
}

def "test create method with required role"() {
    setup:
    // tell Spring to behave as if the user has the required role(s)
    SpringSecurityUtils.metaClass.static.ifAllGranted = { String role ->
        return true
    }

    when:
    controller.index()

    then:
    // with the required role(s), what does the controller return?
    controller.response.status == 200
    controller.response.mimeType.name == "application/json"
    controller.response.getText() == "whatever"

    cleanup:
    SpringSecurityUtils.metaClass = null
}

这篇关于Grails 2.4.4在使用Spring安全代码的情况下测试许可的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！