测试期间的 Spring MockMVC、Spring 安全性和全局方法安全性

Question

I have following user resource, method createUser is secured to ADMIN role.

@RestController
@RequestMapping("/api")
public class UserResource {

    @PostMapping("/users")
    @Secured(AuthoritiesConstants.ADMIN)
    public ResponseEntity<User> createUser(@Valid @RequestBody UserDTO userDTO) throws URISyntaxException {
        log.debug("REST request to save User : {}", userDTO);
        // rest of code
    }
}

And following spring boot test

@RunWith(SpringRunner.class)
@SpringBootTest(classes = MyappApp.class)
public class UserResourceIntTest {

    // other dependencies

    @Autowired
    FilterChainProxy springSecurityFilterChain;

    private MockMvc restUserMockMvc;

    private User user;

    @Before
    public void setup() {
        MockitoAnnotations.initMocks(this);
        UserResource userResource = new UserResource(userRepository, userService, mailService);
        this.restUserMockMvc = MockMvcBuilders.standaloneSetup(userResource)
            .setCustomArgumentResolvers(pageableArgumentResolver)
            .setControllerAdvice(exceptionTranslator)
            .setMessageConverters(jacksonMessageConverter)
            .apply(SecurityMockMvcConfigurers.springSecurity(springSecurityFilterChain))
            .build();
    }



@Test
@Transactional
@WithMockUser(username="user", password = "user", authorities = {"ROLE_USER"})
public void createUser() throws Exception {
    // Create the User
    ManagedUserVM managedUserVM = new ManagedUserVM();
    // set user properties

    restUserMockMvc.perform(post("/api/users")
        .contentType(TestUtil.APPLICATION_JSON_UTF8)
        .content(TestUtil.convertObjectToJsonBytes(managedUserVM)))
        .andExpect(status().isCreated());
    }
}

I expect the test to fail because api is only allowed for ADMIN role while mock is using USER role, but test is passing. Any help will be really appreciated.

Answer 1

Note: The JHipster version I'm using is 5.2.0. No guarantees that this will work for all versions.

If you are using a service (which you should), you can annotate the service method. Using @WithMockUser in the integration test should then just work without having to make any other changes. Here's an example. Note that I'm also using a service interface (pass the "serviceImpl" flag in JDL), but it will work in the service implementation as well.

/**
* Service Interface for managing Profile.
*/
public interface ProfileService {

/**
 * Delete the "id" profile.
 *
 * @param id the id of the entity
 */
@Secured(AuthoritiesConstants.ADMIN)
void delete(Long id);

The corresponding rest controller method (auto-generated by JHipster):

/**
 * DELETE  /profiles/:id : delete the "id" profile.
 *
 * @param id the id of the profileDTO to delete
 * @return the ResponseEntity with status 200 (OK)
 */
@DeleteMapping("/profiles/{id}")
@Timed
public ResponseEntity<Void> deleteProfile(@PathVariable Long id) {
    log.debug("REST request to delete Profile : {}", id);
    profileService.delete(id);
    return ResponseEntity.ok().headers(HeaderUtil.createEntityDeletionAlert(ENTITY_NAME, id.toString())).build();
}

Answer 2

JHipster uses MockMvcBuilders.standaloneSetup that get passed a controller instantiated manually (not with Spring and therefore not with AOP). Therefore the PreAuthorize is not intercepted and security check is skipped. You can therefore either @Autowire your controller and pass it to MockMvcBuilders.standaloneSetup which kind of defies the purpose of usesing standalone setup or simply use a WebApplicationContext: MockMvcBuilders.webAppContextSetup with and autowired WepAppContext.

Answer 3

Try removing @WithMockUser annotation and change the test method as below

ManagedUserVM managedUserVM = new ManagedUserVM();
    managedUserVM.setLogin(DEFAULT_LOGIN);
    managedUserVM.setPassword(DEFAULT_PASSWORD);
   managedUserVM.setAuthorities(Collections.singleton(AuthoritiesConstants.USER));

For complete test. You can refer to this.

Test Class