单元测试返回 401 Unauthorized on a permitted route in Spring WebFlux Security

Question

I am trying to test a route that returns array of objects but the test fails because it returns Unauthorized instead of 200 OK

My test class

@RunWith(SpringRunner.class)
@WebFluxTest(value = CatController.class)
class ContentManagementTestApplicationTests {

    @Autowired
    ApplicationContext context;
    @Autowired
    private WebTestClient webTestClient;
    
    @MockBean
    CatRepository catRepository;

    @BeforeEach
    public void setup(){
        webTestClient=WebTestClient.bindToApplicationContext(context)
                .apply(SecurityMockServerConfigurers.springSecurity())
                .configureClient()
                .build();
    }
    @Test
    void contextLoads() {

    }
    

  @Test
  public void getApprovedCats(){
        webTestClient.get()
                .uri("/cat")
                .accept(MediaType.APPLICATION_JSON)
                .exchange()
                .expectStatus().isOk();
  }

}

And ApplicationSecurityConfig class, has a SecurityWebFilterChain Bean

   @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http, AuthConverter jwtAuthConverter, AuthManager jwtAuthManager){

        AuthenticationWebFilter jwtFilter = new AuthenticationWebFilter(jwtAuthManager);
        jwtFilter.setServerAuthenticationConverter(jwtAuthConverter);

        return http .csrf().disable()
              .authorizeExchange()

              .pathMatchers(HttpMethod.GET,"/cat").permitAll()
              
                .anyExchange()
               .authenticated()
               .and()
              .addFilterAt(jwtFilter, SecurityWebFiltersOrder.AUTHORIZATION)
              .formLogin().disable()
               .httpBasic().disable()

               .build();
    }

The Error on JUint test shows following

java.lang.AssertionError: Status expected:<200 OK> but was:<401 UNAUTHORIZED> Expected:200 OK Actual:401 UNAUTHORIZED

Before test fails and shows Unauthorized, in console it prints "Using generated security password: 8e5dd468-3fd1-42b6-864a-c4c2ed2227b7" And I believe that should not be printed since I disabled it in securityFilterChain

Answer 1

From the Javadoc of @WebFluxTest :

Annotation that can be used for a Spring WebFlux test that focuses only on Spring WebFlux components. Using this annotation will disable full auto-configuration and instead apply only configuration relevant to WebFlux tests

If you are looking to load your full application configuration and use WebTestClient, you should consider @SpringBootTest combined with @AutoConfigureWebTestClient rather than this annotation.

In other words, when using @WebFluxTest in your test, your SecurityWebFilterChain is not picked up.

Try annotating your class with @SpringBootTest instead.