spring-security/docs/manual/src/docs/asciidoc/_includes/reactive/webtestclient.adoc

[[test-webflux]]
= WebFlux Support

[[test-erms]]
== Reactive Method Security

For example, we can test our example from <<jc-erms>> using the same setup and annotations we did in <<test-method>>.
Here is a minimal sample of what we can do:

[source,java]
----
@RunWith(SpringRunner.class)
@ContextConfiguration(classes = HelloWebfluxMethodApplication.class)
public class HelloWorldMessageServiceTests {
	@Autowired
	HelloWorldMessageService messages;

	@Test
	public void messagesWhenNotAuthenticatedThenDenied() {
		StepVerifier.create(this.messages.findMessage())
			.expectError(AccessDeniedException.class)
			.verify();
	}

	@Test
	@WithMockUser
	public void messagesWhenUserThenDenied() {
		StepVerifier.create(this.messages.findMessage())
			.expectError(AccessDeniedException.class)
			.verify();
	}

	@Test
	@WithMockUser(roles = "ADMIN")
	public void messagesWhenAdminThenOk() {
		StepVerifier.create(this.messages.findMessage())
			.expectNext("Hello World!")
			.verifyComplete();
	}
}
----

[[test-webtestclient]]
== WebTestClientSupport

Spring Security provides integration with `WebTestClient`.
The basic setup looks like this:

[source,java]
----
@RunWith(SpringRunner.class)
@ContextConfiguration(classes = HelloWebfluxMethodApplication.class)
public class HelloWebfluxMethodApplicationTests {
	@Autowired
	ApplicationContext context;

	WebTestClient rest;

	@Before
	public void setup() {
		this.rest = WebTestClient
			.bindToApplicationContext(this.context)
			// add Spring Security test Support
			.apply(springSecurity())
			.configureClient()
			.filter(basicAuthentication())
			.build();
	}
	// ...
}
----

=== Authentication

After applying the Spring Security support to `WebTestClient` we can use either annotations or `mutateWith` support.
For example:

[source,java]
----
@Test
public void messageWhenNotAuthenticated() throws Exception {
	this.rest
		.get()
		.uri("/message")
		.exchange()
		.expectStatus().isUnauthorized();
}

// --- WithMockUser ---

@Test
@WithMockUser
public void messageWhenWithMockUserThenForbidden() throws Exception {
	this.rest
		.get()
		.uri("/message")
		.exchange()
		.expectStatus().isEqualTo(HttpStatus.FORBIDDEN);
}

@Test
@WithMockUser(roles = "ADMIN")
public void messageWhenWithMockAdminThenOk() throws Exception {
	this.rest
		.get()
		.uri("/message")
		.exchange()
		.expectStatus().isOk()
		.expectBody(String.class).isEqualTo("Hello World!");
}

// --- mutateWith mockUser ---

@Test
public void messageWhenMutateWithMockUserThenForbidden() throws Exception {
	this.rest
		.mutateWith(mockUser())
		.get()
		.uri("/message")
		.exchange()
		.expectStatus().isEqualTo(HttpStatus.FORBIDDEN);
}

@Test
public void messageWhenMutateWithMockAdminThenOk() throws Exception {
	this.rest
		.mutateWith(mockUser().roles("ADMIN"))
		.get()
		.uri("/message")
		.exchange()
		.expectStatus().isOk()
		.expectBody(String.class).isEqualTo("Hello World!");
}
----


=== CSRF Support

Spring Security also provides support for CSRF testing with `WebTestClient`.
For example:

[source,java]
----
this.rest
	// provide a valid CSRF token
	.mutateWith(csrf())
	.post()
	.uri("/login")
	...
----
Extract test subsections Issue: gh-2567 2018-03-06 09:24:13 -06:00			`[[test-webflux]]`
Separate Servlet and WebFlux Fixes: gh-5836 2018-09-11 21:01:07 -05:00			`= WebFlux Support`
Extract test subsections Issue: gh-2567 2018-03-06 09:24:13 -06:00
			`[[test-erms]]`
Separate Servlet and WebFlux Fixes: gh-5836 2018-09-11 21:01:07 -05:00			`== Reactive Method Security`
Extract test subsections Issue: gh-2567 2018-03-06 09:24:13 -06:00
			`For example, we can test our example from <<jc-erms>> using the same setup and annotations we did in <<test-method>>.`
			`Here is a minimal sample of what we can do:`

			`[source,java]`
			`----`
			`@RunWith(SpringRunner.class)`
			`@ContextConfiguration(classes = HelloWebfluxMethodApplication.class)`
			`public class HelloWorldMessageServiceTests {`
			`@Autowired`
			`HelloWorldMessageService messages;`

			`@Test`
			`public void messagesWhenNotAuthenticatedThenDenied() {`
			`StepVerifier.create(this.messages.findMessage())`
			`.expectError(AccessDeniedException.class)`
			`.verify();`
			`}`

			`@Test`
			`@WithMockUser`
			`public void messagesWhenUserThenDenied() {`
			`StepVerifier.create(this.messages.findMessage())`
			`.expectError(AccessDeniedException.class)`
			`.verify();`
			`}`

			`@Test`
			`@WithMockUser(roles = "ADMIN")`
			`public void messagesWhenAdminThenOk() {`
			`StepVerifier.create(this.messages.findMessage())`
			`.expectNext("Hello World!")`
			`.verifyComplete();`
			`}`
			`}`
			`----`

			`[[test-webtestclient]]`
Separate Servlet and WebFlux Fixes: gh-5836 2018-09-11 21:01:07 -05:00			`== WebTestClientSupport`
Extract test subsections Issue: gh-2567 2018-03-06 09:24:13 -06:00
			Spring Security provides integration with `WebTestClient`.
			`The basic setup looks like this:`

			`[source,java]`
			`----`
			`@RunWith(SpringRunner.class)`
			`@ContextConfiguration(classes = HelloWebfluxMethodApplication.class)`
			`public class HelloWebfluxMethodApplicationTests {`
			`@Autowired`
			`ApplicationContext context;`

			`WebTestClient rest;`

			`@Before`
			`public void setup() {`
			`this.rest = WebTestClient`
			`.bindToApplicationContext(this.context)`
			`// add Spring Security test Support`
			`.apply(springSecurity())`
			`.configureClient()`
			`.filter(basicAuthentication())`
			`.build();`
			`}`
			`// ...`
			`}`
			`----`

Separate Servlet and WebFlux Fixes: gh-5836 2018-09-11 21:01:07 -05:00			`=== Authentication`
Extract test subsections Issue: gh-2567 2018-03-06 09:24:13 -06:00
			After applying the Spring Security support to `WebTestClient` we can use either annotations or `mutateWith` support.
			`For example:`

			`[source,java]`
			`----`
			`@Test`
			`public void messageWhenNotAuthenticated() throws Exception {`
			`this.rest`
			`.get()`
			`.uri("/message")`
			`.exchange()`
			`.expectStatus().isUnauthorized();`
			`}`

			`// --- WithMockUser ---`

			`@Test`
			`@WithMockUser`
			`public void messageWhenWithMockUserThenForbidden() throws Exception {`
			`this.rest`
			`.get()`
			`.uri("/message")`
			`.exchange()`
			`.expectStatus().isEqualTo(HttpStatus.FORBIDDEN);`
			`}`

			`@Test`
			`@WithMockUser(roles = "ADMIN")`
			`public void messageWhenWithMockAdminThenOk() throws Exception {`
			`this.rest`
			`.get()`
			`.uri("/message")`
			`.exchange()`
			`.expectStatus().isOk()`
			`.expectBody(String.class).isEqualTo("Hello World!");`
			`}`

			`// --- mutateWith mockUser ---`

			`@Test`
			`public void messageWhenMutateWithMockUserThenForbidden() throws Exception {`
			`this.rest`
			`.mutateWith(mockUser())`
			`.get()`
			`.uri("/message")`
			`.exchange()`
			`.expectStatus().isEqualTo(HttpStatus.FORBIDDEN);`
			`}`

			`@Test`
			`public void messageWhenMutateWithMockAdminThenOk() throws Exception {`
			`this.rest`
			`.mutateWith(mockUser().roles("ADMIN"))`
			`.get()`
			`.uri("/message")`
			`.exchange()`
			`.expectStatus().isOk()`
			`.expectBody(String.class).isEqualTo("Hello World!");`
			`}`
			`----`


Separate Servlet and WebFlux Fixes: gh-5836 2018-09-11 21:01:07 -05:00			`=== CSRF Support`
Extract test subsections Issue: gh-2567 2018-03-06 09:24:13 -06:00
			Spring Security also provides support for CSRF testing with `WebTestClient`.
			`For example:`

			`[source,java]`
			`----`
			`this.rest`
			`// provide a valid CSRF token`
			`.mutateWith(csrf())`
			`.post()`
			`.uri("/login")`
			`...`
			`----`