在 Spring Boot 1.4 中测试安全性 [英] Testing security in Spring Boot 1.4

问题描述

我正在尝试使用 SecurityConfig 类中定义的自定义安全设置来测试 @WebMvcTest:

I'm trying to test @WebMvcTest with custom security settings defined in SecurityConfig class:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/admin*").access("hasRole('ADMIN')").antMatchers("/**").permitAll().and().formLogin();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("ADMIN");
    }
}

测试类是:

@RunWith(SpringRunner.class)
@WebMvcTest(value = ExampleController.class)
public class ExampleControllerMockMVCTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    public void indexTest() throws Exception {
        mockMvc.perform(get("/"))
        .andExpect(status().isOk())
        .andExpect(view().name("index"));
    }

    @Test
    public void adminTestWithoutAuthentication() throws Exception {
        mockMvc.perform(get("/admin"))
        .andExpect(status().is3xxRedirection()); //login form redirect
    }

    @Test
    @WithMockUser(username="example", password="password", roles={"ANONYMOUS"})
    public void adminTestWithBadAuthentication() throws Exception {
        mockMvc.perform(get("/admin"))
        .andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(username="user", password="password", roles={"ADMIN"})
    public void adminTestWithAuthentication() throws Exception {
        mockMvc.perform(get("/admin"))
        .andExpect(status().isOk())
        .andExpect(view().name("admin"))
        .andExpect(model().attributeExists("name"))
        .andExpect(model().attribute("name", is("user")));
    }
}

测试失败，因为它们使用的是 Spring Boot 的默认安全设置.

Tests fail because they are using the default security settings of Spring Boot.

我可以使用 @SpringBootTest + @AutoConfigureMockMvc 解决这个问题，但是在不运行所有自动配置的情况下进行测试会很有趣.

I can fix this using @SpringBootTest + @AutoConfigureMockMvc, but it would be interesting to test without running all auto-configuration.

@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = WebEnvironment.MOCK)
@AutoConfigureMockMvc
public class ExampleControllerSpringBootTest {

    @Autowired
    private MockMvc mockMvc;

    // tests
}

@WebMvcTest 是否可以使用 SecurityConfig 类中定义的设置?

Is there any way that @WebMvcTest can use settings defined in SecurityConfig class?

推荐答案

WebMvcTest 只会加载您的控制器，而不会加载其他任何内容(这就是我们称之为切片的原因).我们无法确定您想要配置的哪一部分，您不想要哪一部分.如果安全配置不在您的主 @SpringBootApplication 上，您必须明确导入它.否则，Spring Boot 将启用默认安全设置.

WebMvcTest is only going to load your controller and nothing else (that's why we call that slicing). We can't figure out which part of your configuration you want and which one you don't. If the security config isn't on your main @SpringBootApplication you'll have to import it explicitly. Otherwise, Spring Boot is going to enable default security settings.

如果您使用的是 OAuth 之类的东西，这是一件好事，因为您真的不想开始将其用于模拟测试.如果将 @Import(SecurityConfig.class) 添加到测试中会发生什么?

If you're using something like OAuth, that's a good thing though because you really don't want to start using that for a mock test. What happens if you add @Import(SecurityConfig.class) to your test?

这篇关于在 Spring Boot 1.4 中测试安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！