mirror of
				https://github.com/spring-projects/spring-security.git
				synced 2025-10-25 11:48:42 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			706 lines
		
	
	
		
			20 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			706 lines
		
	
	
		
			20 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| [[test-method]]
 | |
| = Testing Method Security
 | |
| 
 | |
| This section demonstrates how to use Spring Security's Test support to test method-based security.
 | |
| We first introduce a `MessageService` that requires the user to be authenticated to be able to access it:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| public class HelloMessageService implements MessageService {
 | |
| 
 | |
| 	@PreAuthorize("authenticated")
 | |
| 	public String getMessage() {
 | |
| 		Authentication authentication = SecurityContextHolder.getContext()
 | |
| 			.getAuthentication();
 | |
| 		return "Hello " + authentication;
 | |
| 	}
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| class HelloMessageService : MessageService {
 | |
|     @PreAuthorize("authenticated")
 | |
|     fun getMessage(): String {
 | |
|         val authentication: Authentication = SecurityContextHolder.getContext().authentication
 | |
|         return "Hello $authentication"
 | |
|     }
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| The result of `getMessage` is a `String` that says "`Hello`" to the current Spring Security `Authentication`.
 | |
| The following listing shows example output:
 | |
| 
 | |
| [source,text]
 | |
| ----
 | |
| Hello org.springframework.security.authentication.UsernamePasswordAuthenticationToken@ca25360: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER
 | |
| ----
 | |
| 
 | |
| [[test-method-setup]]
 | |
| == Security Test Setup
 | |
| 
 | |
| Before we can use the Spring Security test support, we must perform some setup:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @ExtendWith(SpringExtension.class) // <1>
 | |
| @ContextConfiguration // <2>
 | |
| public class WithMockUserTests {
 | |
| 	// ...
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @ExtendWith(SpringExtension.class)
 | |
| @ContextConfiguration
 | |
| class WithMockUserTests {
 | |
|     // ...
 | |
| }
 | |
| ----
 | |
| ======
 | |
| <1> `@ExtendWith` instructs the spring-test module that it should create an `ApplicationContext`. For additional information, refer to the {spring-framework-reference-url}testing.html#testcontext-junit-jupiter-extension[Spring reference].
 | |
| <2> `@ContextConfiguration` instructs the spring-test the configuration to use to create the `ApplicationContext`. Since no configuration is specified, the default configuration locations will be tried. This is no different than using the existing Spring Test support. For additional information, refer to the {spring-framework-reference-url}testing.html#spring-testing-annotation-contextconfiguration[Spring Reference].
 | |
| 
 | |
| [NOTE]
 | |
| ====
 | |
| Spring Security hooks into Spring Test support through the `WithSecurityContextTestExecutionListener`, which ensures that our tests are run with the correct user.
 | |
| It does this by populating the `SecurityContextHolder` prior to running our tests.
 | |
| If you use reactive method security, you also need `ReactorContextTestExecutionListener`, which populates `ReactiveSecurityContextHolder`.
 | |
| After the test is done, it clears out the `SecurityContextHolder`.
 | |
| If you need only Spring Security related support, you can replace `@ContextConfiguration` with `@SecurityTestExecutionListeners`.
 | |
| ====
 | |
| 
 | |
| Remember, we added the `@PreAuthorize` annotation to our `HelloMessageService`, so it requires an authenticated user to invoke it.
 | |
| If we run the tests, we expect the following test will pass:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @Test(expected = AuthenticationCredentialsNotFoundException.class)
 | |
| public void getMessageUnauthenticated() {
 | |
| 	messageService.getMessage();
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @Test(expected = AuthenticationCredentialsNotFoundException::class)
 | |
| fun getMessageUnauthenticated() {
 | |
|     messageService.getMessage()
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| [[test-method-withmockuser]]
 | |
| == @WithMockUser
 | |
| 
 | |
| The question is "How could we most easily run the test as a specific user?"
 | |
| The answer is to use `@WithMockUser`.
 | |
| The following test will be run as a user with the username "user", the password "password", and the roles "ROLE_USER".
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @Test
 | |
| @WithMockUser
 | |
| public void getMessageWithMockUser() {
 | |
| String message = messageService.getMessage();
 | |
| ...
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @Test
 | |
| @WithMockUser
 | |
| fun getMessageWithMockUser() {
 | |
|     val message: String = messageService.getMessage()
 | |
|     // ...
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| Specifically the following is true:
 | |
| 
 | |
| * The user with a username of `user` does not have to exist, since we mock the user object.
 | |
| * The `Authentication` that is populated in the `SecurityContext` is of type `UsernamePasswordAuthenticationToken`.
 | |
| * The principal on the `Authentication` is Spring Security's `User` object.
 | |
| * The `User` has a username of `user`.
 | |
| * The `User` has a password of `password`.
 | |
| * A single `GrantedAuthority` named `ROLE_USER` is used.
 | |
| 
 | |
| The preceding example is handy, because it lets us use a lot of defaults.
 | |
| What if we wanted to run the test with a different username?
 | |
| The following test would run with a username of `customUser` (again, the user does not need to actually exist):
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @Test
 | |
| @WithMockUser("customUsername")
 | |
| public void getMessageWithMockUserCustomUsername() {
 | |
| 	String message = messageService.getMessage();
 | |
| ...
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @Test
 | |
| @WithMockUser("customUsername")
 | |
| fun getMessageWithMockUserCustomUsername() {
 | |
|     val message: String = messageService.getMessage()
 | |
|     // ...
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| We can also easily customize the roles.
 | |
| For example, the following test is invoked with a username of `admin` and roles of `ROLE_USER` and `ROLE_ADMIN`.
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @Test
 | |
| @WithMockUser(username="admin",roles={"USER","ADMIN"})
 | |
| public void getMessageWithMockUserCustomUser() {
 | |
| 	String message = messageService.getMessage();
 | |
| 	...
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @Test
 | |
| @WithMockUser(username="admin",roles=["USER","ADMIN"])
 | |
| fun getMessageWithMockUserCustomUser() {
 | |
|     val message: String = messageService.getMessage()
 | |
|     // ...
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| If we do not want the value to automatically be prefixed with `ROLE_` we can use the `authorities` attribute.
 | |
| For example, the following test is invoked with a username of `admin` and the `USER` and `ADMIN` authorities.
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @Test
 | |
| @WithMockUser(username = "admin", authorities = { "ADMIN", "USER" })
 | |
| public void getMessageWithMockUserCustomAuthorities() {
 | |
| 	String message = messageService.getMessage();
 | |
| 	...
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @Test
 | |
| @WithMockUser(username = "admin", authorities = ["ADMIN", "USER"])
 | |
| fun getMessageWithMockUserCustomUsername() {
 | |
|     val message: String = messageService.getMessage()
 | |
|     // ...
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| It can be a bit tedious to place the annotation on every test method.
 | |
| Instead, we can place the annotation at the class level. Then every test uses the specified user.
 | |
| The following example runs every test with a user whose username is `admin`, whose password is `password`, and who has the `ROLE_USER` and `ROLE_ADMIN` roles:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @ExtendWith(SpringExtension.class)
 | |
| @ContextConfiguration
 | |
| @WithMockUser(username="admin",roles={"USER","ADMIN"})
 | |
| public class WithMockUserTests {
 | |
| 	// ...
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @ExtendWith(SpringExtension.class)
 | |
| @ContextConfiguration
 | |
| @WithMockUser(username="admin",roles=["USER","ADMIN"])
 | |
| class WithMockUserTests {
 | |
|     // ...
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| If you use JUnit 5's `@Nested` test support, you can also place the annotation on the enclosing class to apply to all nested classes.
 | |
| The following example runs every test with a user whose username is `admin`, whose password is `password`, and who has the `ROLE_USER` and `ROLE_ADMIN` roles for both test methods.
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @ExtendWith(SpringExtension.class)
 | |
| @ContextConfiguration
 | |
| @WithMockUser(username="admin",roles={"USER","ADMIN"})
 | |
| public class WithMockUserTests {
 | |
| 
 | |
| 	@Nested
 | |
| 	public class TestSuite1 {
 | |
| 		// ... all test methods use admin user
 | |
| 	}
 | |
| 
 | |
| 	@Nested
 | |
| 	public class TestSuite2 {
 | |
| 		// ... all test methods use admin user
 | |
| 	}
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @ExtendWith(SpringExtension::class)
 | |
| @ContextConfiguration
 | |
| @WithMockUser(username = "admin", roles = ["USER", "ADMIN"])
 | |
| class WithMockUserTests {
 | |
|     @Nested
 | |
|     inner class TestSuite1 { // ... all test methods use admin user
 | |
|     }
 | |
| 
 | |
|     @Nested
 | |
|     inner class TestSuite2 { // ... all test methods use admin user
 | |
|     }
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| By default, the `SecurityContext` is set during the `TestExecutionListener.beforeTestMethod` event.
 | |
| This is the equivalent of happening before JUnit's `@Before`.
 | |
| You can change this to happen during the `TestExecutionListener.beforeTestExecution` event, which is after JUnit's `@Before` but before the test method is invoked:
 | |
| 
 | |
| [source,java]
 | |
| ----
 | |
| @WithMockUser(setupBefore = TestExecutionEvent.TEST_EXECUTION)
 | |
| ----
 | |
| 
 | |
| 
 | |
| [[test-method-withanonymoususer]]
 | |
| == @WithAnonymousUser
 | |
| 
 | |
| Using `@WithAnonymousUser` allows running as an anonymous user.
 | |
| This is especially convenient when you wish to run most of your tests with a specific user but want to run a few tests as an anonymous user.
 | |
| The following example runs `withMockUser1` and `withMockUser2` by using <<test-method-withmockuser,@WithMockUser>> and `anonymous` as an anonymous user:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @ExtendWith(SpringExtension.class)
 | |
| @WithMockUser
 | |
| public class WithUserClassLevelAuthenticationTests {
 | |
| 
 | |
| 	@Test
 | |
| 	public void withMockUser1() {
 | |
| 	}
 | |
| 
 | |
| 	@Test
 | |
| 	public void withMockUser2() {
 | |
| 	}
 | |
| 
 | |
| 	@Test
 | |
| 	@WithAnonymousUser
 | |
| 	public void anonymous() throws Exception {
 | |
| 		// override default to run as anonymous user
 | |
| 	}
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @ExtendWith(SpringExtension.class)
 | |
| @WithMockUser
 | |
| class WithUserClassLevelAuthenticationTests {
 | |
|     @Test
 | |
|     fun withMockUser1() {
 | |
|     }
 | |
| 
 | |
|     @Test
 | |
|     fun withMockUser2() {
 | |
|     }
 | |
| 
 | |
|     @Test
 | |
|     @WithAnonymousUser
 | |
|     fun anonymous() {
 | |
|         // override default to run as anonymous user
 | |
|     }
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| By default, the `SecurityContext` is set during the `TestExecutionListener.beforeTestMethod` event.
 | |
| This is the equivalent of happening before JUnit's `@Before`.
 | |
| You can change this to happen during the `TestExecutionListener.beforeTestExecution` event, which is after JUnit's `@Before` but before the test method is invoked:
 | |
| 
 | |
| [source,java]
 | |
| ----
 | |
| @WithAnonymousUser(setupBefore = TestExecutionEvent.TEST_EXECUTION)
 | |
| ----
 | |
| 
 | |
| 
 | |
| [[test-method-withuserdetails]]
 | |
| == @WithUserDetails
 | |
| 
 | |
| While `@WithMockUser` is a convenient way to get started, it may not work in all instances.
 | |
| For example, some applications expect the `Authentication` principal to be of a specific type.
 | |
| This is done so that the application can refer to the principal as the custom type and reduce coupling on Spring Security.
 | |
| 
 | |
| The custom principal is often returned by a custom `UserDetailsService` that returns an object that implements both `UserDetails` and the custom type.
 | |
| For situations like this, it is useful to create the test user by using a custom `UserDetailsService`.
 | |
| That is exactly what `@WithUserDetails` does.
 | |
| 
 | |
| Assuming we have a `UserDetailsService` exposed as a bean, the following test is invoked with an `Authentication` of type `UsernamePasswordAuthenticationToken` and a principal that is returned from the `UserDetailsService` with the username of `user`:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @Test
 | |
| @WithUserDetails
 | |
| public void getMessageWithUserDetails() {
 | |
| 	String message = messageService.getMessage();
 | |
| 	...
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @Test
 | |
| @WithUserDetails
 | |
| fun getMessageWithUserDetails() {
 | |
|     val message: String = messageService.getMessage()
 | |
|     // ...
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| We can also customize the username used to lookup the user from our `UserDetailsService`.
 | |
| For example, this test can be run with a principal that is returned from the `UserDetailsService` with the username of `customUsername`:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @Test
 | |
| @WithUserDetails("customUsername")
 | |
| public void getMessageWithUserDetailsCustomUsername() {
 | |
| 	String message = messageService.getMessage();
 | |
| 	...
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @Test
 | |
| @WithUserDetails("customUsername")
 | |
| fun getMessageWithUserDetailsCustomUsername() {
 | |
|     val message: String = messageService.getMessage()
 | |
|     // ...
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| We can also provide an explicit bean name to look up the `UserDetailsService`.
 | |
| The following test looks up the username of `customUsername` by using the `UserDetailsService` with a bean name of `myUserDetailsService`:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @Test
 | |
| @WithUserDetails(value="customUsername", userDetailsServiceBeanName="myUserDetailsService")
 | |
| public void getMessageWithUserDetailsServiceBeanName() {
 | |
| 	String message = messageService.getMessage();
 | |
| 	...
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @Test
 | |
| @WithUserDetails(value="customUsername", userDetailsServiceBeanName="myUserDetailsService")
 | |
| fun getMessageWithUserDetailsServiceBeanName() {
 | |
|     val message: String = messageService.getMessage()
 | |
|     // ...
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| As we did with `@WithMockUser`, we can also place our annotation at the class level so that every test uses the same user.
 | |
| However, unlike `@WithMockUser`, `@WithUserDetails` requires the user to exist.
 | |
| 
 | |
| By default, the `SecurityContext` is set during the `TestExecutionListener.beforeTestMethod` event.
 | |
| This is the equivalent of happening before JUnit's `@Before`.
 | |
| You can change this to happen during the `TestExecutionListener.beforeTestExecution` event, which is after JUnit's `@Before` but before the test method is invoked:
 | |
| 
 | |
| [source,java]
 | |
| ----
 | |
| @WithUserDetails(setupBefore = TestExecutionEvent.TEST_EXECUTION)
 | |
| ----
 | |
| 
 | |
| [[test-method-withsecuritycontext]]
 | |
| == @WithSecurityContext
 | |
| 
 | |
| We have seen that `@WithMockUser` is an excellent choice if we do not use a custom `Authentication` principal.
 | |
| Next, we discovered that `@WithUserDetails` lets us use a custom `UserDetailsService` to create our `Authentication` principal but requires the user to exist.
 | |
| We now see an option that allows the most flexibility.
 | |
| 
 | |
| We can create our own annotation that uses the `@WithSecurityContext` to create any `SecurityContext` we want.
 | |
| For example, we might create an annotation named `@WithMockCustomUser`:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @Retention(RetentionPolicy.RUNTIME)
 | |
| @WithSecurityContext(factory = WithMockCustomUserSecurityContextFactory.class)
 | |
| public @interface WithMockCustomUser {
 | |
| 
 | |
| 	String username() default "rob";
 | |
| 
 | |
| 	String name() default "Rob Winch";
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @Retention(AnnotationRetention.RUNTIME)
 | |
| @WithSecurityContext(factory = WithMockCustomUserSecurityContextFactory::class)
 | |
| annotation class WithMockCustomUser(val username: String = "rob", val name: String = "Rob Winch")
 | |
| ----
 | |
| ======
 | |
| 
 | |
| You can see that `@WithMockCustomUser` is annotated with the `@WithSecurityContext` annotation.
 | |
| This is what signals to Spring Security test support that we intend to create a `SecurityContext` for the test.
 | |
| The `@WithSecurityContext` annotation requires that we specify a `SecurityContextFactory` to create a new `SecurityContext`, given our `@WithMockCustomUser` annotation.
 | |
| The following listing shows our `WithMockCustomUserSecurityContextFactory` implementation:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| public class WithMockCustomUserSecurityContextFactory
 | |
| 	implements WithSecurityContextFactory<WithMockCustomUser> {
 | |
| 	@Override
 | |
| 	public SecurityContext createSecurityContext(WithMockCustomUser customUser) {
 | |
| 		SecurityContext context = SecurityContextHolder.createEmptyContext();
 | |
| 
 | |
| 		CustomUserDetails principal =
 | |
| 			new CustomUserDetails(customUser.name(), customUser.username());
 | |
| 		Authentication auth =
 | |
| 			UsernamePasswordAuthenticationToken.authenticated(principal, "password", principal.getAuthorities());
 | |
| 		context.setAuthentication(auth);
 | |
| 		return context;
 | |
| 	}
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| class WithMockCustomUserSecurityContextFactory : WithSecurityContextFactory<WithMockCustomUser> {
 | |
|     override fun createSecurityContext(customUser: WithMockCustomUser): SecurityContext {
 | |
|         val context = SecurityContextHolder.createEmptyContext()
 | |
|         val principal = CustomUserDetails(customUser.name, customUser.username)
 | |
|         val auth: Authentication =
 | |
|             UsernamePasswordAuthenticationToken(principal, "password", principal.authorities)
 | |
|         context.authentication = auth
 | |
|         return context
 | |
|     }
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| We can now annotate a test class or a test method with our new annotation and Spring Security's `WithSecurityContextTestExecutionListener` to ensure that our `SecurityContext` is populated appropriately.
 | |
| 
 | |
| When creating your own `WithSecurityContextFactory` implementations, it is nice to know that they can be annotated with standard Spring annotations.
 | |
| For example, the `WithUserDetailsSecurityContextFactory` uses the `@Autowired` annotation to acquire the `UserDetailsService`:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| final class WithUserDetailsSecurityContextFactory
 | |
| 	implements WithSecurityContextFactory<WithUserDetails> {
 | |
| 
 | |
| 	private UserDetailsService userDetailsService;
 | |
| 
 | |
| 	@Autowired
 | |
| 	public WithUserDetailsSecurityContextFactory(UserDetailsService userDetailsService) {
 | |
| 		this.userDetailsService = userDetailsService;
 | |
| 	}
 | |
| 
 | |
| 	public SecurityContext createSecurityContext(WithUserDetails withUser) {
 | |
| 		String username = withUser.value();
 | |
| 		Assert.hasLength(username, "value() must be non-empty String");
 | |
| 		UserDetails principal = userDetailsService.loadUserByUsername(username);
 | |
| 		Authentication authentication = UsernamePasswordAuthenticationToken.authenticated(principal, principal.getPassword(), principal.getAuthorities());
 | |
| 		SecurityContext context = SecurityContextHolder.createEmptyContext();
 | |
| 		context.setAuthentication(authentication);
 | |
| 		return context;
 | |
| 	}
 | |
| }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| class WithUserDetailsSecurityContextFactory @Autowired constructor(private val userDetailsService: UserDetailsService) :
 | |
|     WithSecurityContextFactory<WithUserDetails> {
 | |
|     override fun createSecurityContext(withUser: WithUserDetails): SecurityContext {
 | |
|         val username: String = withUser.value
 | |
|         Assert.hasLength(username, "value() must be non-empty String")
 | |
|         val principal = userDetailsService.loadUserByUsername(username)
 | |
|         val authentication: Authentication =
 | |
|             UsernamePasswordAuthenticationToken(principal, principal.password, principal.authorities)
 | |
|         val context = SecurityContextHolder.createEmptyContext()
 | |
|         context.authentication = authentication
 | |
|         return context
 | |
|     }
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| By default, the `SecurityContext` is set during the `TestExecutionListener.beforeTestMethod` event.
 | |
| This is the equivalent of happening before JUnit's `@Before`.
 | |
| You can change this to happen during the `TestExecutionListener.beforeTestExecution` event, which is after JUnit's `@Before` but before the test method is invoked:
 | |
| 
 | |
| [source,java]
 | |
| ----
 | |
| @WithSecurityContext(setupBefore = TestExecutionEvent.TEST_EXECUTION)
 | |
| ----
 | |
| 
 | |
| 
 | |
| [[test-method-meta-annotations]]
 | |
| == Test Meta Annotations
 | |
| 
 | |
| If you reuse the same user within your tests often, it is not ideal to have to repeatedly specify the attributes.
 | |
| For example, if you have many tests related to an administrative user with a username of `admin` and roles of `ROLE_USER` and `ROLE_ADMIN`, you have to write:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @WithMockUser(username="admin",roles={"USER","ADMIN"})
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @WithMockUser(username="admin",roles=["USER","ADMIN"])
 | |
| ----
 | |
| ======
 | |
| 
 | |
| Rather than repeating this everywhere, we can use a meta annotation.
 | |
| For example, we could create a meta annotation named `WithMockAdmin`:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| @Retention(RetentionPolicy.RUNTIME)
 | |
| @WithMockUser(value="rob",roles="ADMIN")
 | |
| public @interface WithMockAdmin { }
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| @Retention(AnnotationRetention.RUNTIME)
 | |
| @WithMockUser(value = "rob", roles = ["ADMIN"])
 | |
| annotation class WithMockAdmin
 | |
| ----
 | |
| ======
 | |
| 
 | |
| Now we can use `@WithMockAdmin` in the same way as the more verbose `@WithMockUser`.
 | |
| 
 | |
| Meta annotations work with any of the testing annotations described above.
 | |
| For example, this means we could create a meta annotation for `@WithUserDetails("admin")` as well.
 |