堆栈内存溢出
  简体   繁体   English

由 spring 安全保护的测试方法

[英]Test method secured by spring security

 原文  2021-04-25 09:47:40       java/ spring-boot/ unit-testing/ spring-security

问题描述

I have just added spring security for my project with configuration:我刚刚为我的项目添加了 spring 安全配置:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    private final DataSource dataSource;

    @Autowired
    public SecurityConfiguration(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
                .withDefaultSchema()
                .dataSource(dataSource)
                .withUser("user")
                .password("{bcrypt}" + new BCryptPasswordEncoder().encode("password"))
                .roles("USER")
                .and()
                .withUser("admin")
                .password("{bcrypt}" + new BCryptPasswordEncoder().encode("admin"))
                .roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()
                .antMatchers("/h2-console/**").permitAll()
                .antMatchers("/user").hasAnyRole("USER", "ADMIN")
                .antMatchers("/admin").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
                .formLogin().permitAll();
        http.headers().frameOptions().disable();
    }
}

And added some dummy methods just to test it:并添加了一些虚拟方法来测试它:

@RestController
public class LoginController {

    @PostMapping("/user")
    public String userPanel() {
        return "userPanel";
    }

    @PostMapping("/admin")
    public String adminPanel() {
        return "adminPanel";
    }
}

From browser it works okay, so when I login as admin then I can access both endpoints (405 http error code) and when I am login with user and try to access /admin endpoint then I get 403 Forbidden which is perfectly fine.从浏览器它工作正常,所以当我以管理员身份登录时,我可以访问两个端点(405 http 错误代码),当我以用户身份登录并尝试访问/admin端点时,我得到 403 Forbidden 这非常好。 However when I wrote test for it:但是,当我为它编写测试时:

@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration
public class SecurityTest {
    private LoginController loginController;

    @Before
    public void setUp(){
        loginController = new LoginController();
    }

    @Test
    @WithMockUser(username = "admin", roles = {"USER", "ADMIN"})
    public void testUserPanel() {
        assertThat(loginController.userPanel()).isEqualTo("userPanel");
    }

    @Test
    @WithMockUser(username = "user", roles = {"USER"})
    public void testAdminPanel() {
        assertThat(loginController.adminPanel()).isEqualTo("adminPanel");
    }
}

both tests are working even when I am trying to access /admin endpoint with USER role.即使我尝试使用USER角色访问/admin端点,这两个测试都可以正常工作。 I would expect this test to fail and throw 403 as in browser.我希望这个测试失败并像在浏览器中一样抛出 403。 What's wrong here?这里有什么问题?

Final response after @crizzis answer: @crizzis 回答后的最终回复:

import com.storageroom.StorageRoomApplication;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@RunWith(SpringJUnit4ClassRunner.class)
@SpringBootTest(classes = StorageRoomApplication.class)
public class SecurityTest {
    @Autowired
    private WebApplicationContext context;

    private MockMvc mockMvc;

    @Before
    public void setup() {
        mockMvc = MockMvcBuilders
                .webAppContextSetup(context)
                .apply(springSecurity())
                .build();
    }

    @Test
    @WithMockUser(value = "user", roles = {"USER"})
    public void testUserPanelWithUserRole() throws Exception {
        mockMvc
                .perform(
                        post("/user")
                                .contentType(
                                        MediaType.APPLICATION_JSON).
                                content("")).
                andExpect(status().isOk())
                .andReturn().getResponse().getContentAsString();
    }

    @Test
    @WithMockUser(value = "user", roles = {"USER"})
    public void testAdminPanelWithUserRole() throws Exception {
        mockMvc
                .perform(
                        post("/admin")
                                .contentType(
                                        MediaType.APPLICATION_JSON).
                                content("")).
                andExpect(status().isForbidden())
                .andReturn().getResponse().getContentAsString();
    }

    @Test
    @WithMockUser(value = "admin", roles = {"ADMIN"})
    public void testAdminPanelWithAdminRole() throws Exception {
        mockMvc
                .perform(
                        post("/admin")
                                .contentType(
                                        MediaType.APPLICATION_JSON).
                                content("")).
                andExpect(status().isOk())
                .andReturn().getResponse().getContentAsString();
    }
}

1 个解决方案

解决方案1
 1 已采纳  2021-04-25 16:54:58

You created a plain new LoginController() , how did you expect it to have security rules applied?您创建了一个普通的new LoginController() ,您如何期望它应用安全规则?

It's called HttpSecurity for a reason, you need to make the request via HTTP for the rules to actually have any effect.它被称为HttpSecurity是有原因的,您需要通过HTTP发出请求才能使规则真正生效。

Instead of interacting with LoginController directly, add @AutoConfigureMockMvc and inject MockMvc into your test.不要直接与LoginController交互,而是添加@AutoConfigureMockMvc并将MockMvc注入到您的测试中。 Then use it to execute a request against your endpoints.然后使用它对您的端点执行请求。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Security:方法不受@PreAuthorize 注释保护 - Spring Security: method is not secured with @PreAuthorize annotation 设置一个方法是不安全的Spring Security - Set one method to be not secured Spring Security Spring Security,Method Security annotation(@Secured)无效(java config) - Spring Security, Method Security annotation (@Secured ) is not working (java config) 如何使用 Spring 安全 @Secured 注释测试 Spring 引导 @WebFluxTest - How to test Spring Boot @WebFluxTest with Spring Security @Secured annotation 无法在Spring Security中使用@Secured Method Security批注 - Can not get the @Secured Method Security annotations working in Spring Security Spring Security和@Secured禁止使用 - Forbidden with Spring Security and @Secured Spring 安全6:认证后无法访问安全方法 - Spring Security 6 : can't access to secured method after authentication Spring Security,安全访问和非安全访问 - Spring Security, secured and none secured access Spring Security,注释@Secured 不起作用 - Spring Security, annotation @Secured is not working Spring Data Rest + Spring Security:@Secured无法正常工作 - Spring Data Rest + Spring Security: @Secured not working
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM