我已经配置了一个带有相应 xml 安全配置的独立模拟Mvc,用于测试用 @PreAuthorize(hasAnyRole('DM,CD')) 注释的 Controller 。但我的测试结果始终是 tatus 200,即使我与角色不正确的用户进行调用也是如此。我相信我的 xml 配置遗漏了一些东西,但这只是一个假设。
这是我要测试的 Controller :
@RestController
@RequestMapping(value = "/v1/view")
@PreAuthorize("hasAnyRole('Data Manager,Content Designer')")
public class ViewController {
ObjectMapper objectMapper = new JSONMapper();
@Autowired
ViewApiService viewApiService;
//Constructor is needed for tests
ViewController(ViewApiService viewApiService) {
this.viewApiService = viewApiService;
}
public ViewController() {
}
@TruncateLogData
@RequestMapping(method = RequestMethod.GET)
public List<View> getViewItems() throws GenericEngineException {
return viewApiService.getViews();
}
}
这是从主配置借用的测试 spring-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- ****** START Spring Security Configuration *******-->
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
<list>
<security:filter-chain pattern="/**" filters="
httpSessionContextIntegrationFilter,
logoutFilter,
basicAuthenticationProcessingFilter,
basicExceptionTranslationFilter,
servletApiBridge,
filterSecurityInterceptor"/>
</list>
</constructor-arg>
</bean>
<!-- ****** START Spring Filters *******-->
<!-- Session integration filter -->
<bean id="httpSessionContextIntegrationFilter"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<constructor-arg>
<bean class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'>
<property name='allowSessionCreation' value='false'/>
</bean>
</constructor-arg>
</bean>
<!-- Basic Authentication processing filter -->
<bean id="basicAuthenticationProcessingFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<constructor-arg ref="authenticationManager"/>
<constructor-arg ref="basicAuthenticationEntryPoint"/>
</bean>
<bean id="basicAuthenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<property name="realmName" value="restapi"/>
</bean>
<!-- Basic Exception translation filter -->
<bean id="basicExceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<constructor-arg ref="basicAuthenticationEntryPoint"/>
</bean>
<!-- Security Context Holder Aware Request filter
Filter that passes wrapped HttpServletRequest which overrides getUserPrincipal() to return current Authentication
-->
<bean id="servletApiBridge" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter"/>
<!-- Logout filter
Filter that logs the user out in SpringSecurity
-->
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/" index="0"/>
<constructor-arg index="1">
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</constructor-arg>
</bean>
<!-- ****** END Spring Filters *******-->
<!-- ****** START Spring Security interceptor config *******-->
<!--Define authentication manager, decision manager and secure URL patterns -->
<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/>
<property name="securityMetadataSource">
<security:filter-security-metadata-source>
<security:intercept-url pattern="/api/**" access="ROLE_ADMIN"/>
</security:filter-security-metadata-source>
</property>
</bean>
<!-- ****** END Spring Security interceptor config *******-->
<!-- ****** START Spring authentication config *******-->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<constructor-arg>
<list>
<ref bean="usernamePasswordAuthenticationProvider"/>
</list>
</constructor-arg>
</bean>
<!-- Custom UsernamePassword Authentication Provider -->
<bean id="usernamePasswordAuthenticationProvider" class="com.custom.UsernamePasswordAuthenticationProvider">
<property name="adminLogin" value="true"/>
<property name="customLoginFacade" ref="userSessionFactoryFacade"/>
<property name="additionalRole" value="ROLE_ADMIN"/>
<property name="userInterfaceType" value="API"/>
</bean>
<!-- ****** END Spring authentication config *******-->
<!-- ****** START Spring authorization config *******-->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>
</list>
</constructor-arg>
</bean>
<!-- ****** END Spring authorization config *******-->
<!-- ****** END Spring Security Configuration *******-->
<bean id="userSessionFactoryFacade" class="com.custom.CustomLoginFacadeImpl"/>
</beans>
这是我对 Controller 的测试:
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(locations = {"/testContextConfig.xml", "/spring-security.xml"})
@WebAppConfiguration
public class ViewControllerTest {
private MockMvc mockMvc;
private List<View> viewList;
@Mock
private ViewApiService viewApiService;
@Autowired
private Filter springSecurityFilterChain;
@Before
public void setup() throws JSONException {
MockitoAnnotations.initMocks(this);
mockMvc = MockMvcBuilders
.standaloneSetup(new ViewController(viewApiService))
.addFilter(springSecurityFilterChain)
.setHandlerExceptionResolvers(TestServletExceptionHandler.exceptionResolver())
.build();
viewList = new ArrayList<>();
//initialization of resource to get
viewList.add(new View("1", "view1", content1));
}
@Test
@WithMockUser(username = "testUser3", roles = {"DM"})
public void testIncorrectAccessToControllersMethods() throws Exception {
when(viewApiService.getViews()).thenReturn(viewList);
mockMvc.perform(get("/v1/view"))
.andExpect(status().isOk())
.andReturn().getResponse().getContentAsString();
verify(viewApiService, times(1)).getViews();
}
@Test
@WithMockUser(username = "testUser4", roles = {"OTHER_ROLE"})
public void testDMAccessToControllersMethods() throws Exception {
when(viewApiService.getViews()).thenReturn(viewList);
mockMvc.perform(get("/v1/view"))
.andExpect(status().isUnauthorized());
verify(viewApiService, times(0)).getViews();
}
但结果我得到
ViewControllerTest.testIncorrectAccessToControllersMethods Status expected:<401> but was:<200>
testContextConfig.xml 文件只是一个空上下文。
如有任何建议,我们将不胜感激
更新 创建 ViewControllerInterface 及其相应的注释并没有帮助,以及添加
<global-method-security pre-post-annotations="enabled" />
到配置文件
更新2
有趣的是,当我尝试使用 mockMvc.perform(get("/v1/view").with(user("name"))).andReturn().getResponse()
我收到
NoSuchMethodError: javax.servlet.http.HttpServletRequest.getServletContext()Ljavax/servlet/ServletContext;
at org.springframework.security.test.web.support.WebTestUtils.findFilter(WebTestUtils.java:120)
所以看起来我的 securityFilterChain 没有应用于请求(但是,在调试中我可以看到mockMvc实例中的所有过滤器)
最佳答案
经过几个小时的挖掘,原因如下:
MockMvcBuilders.standaloneSetup 手动获取 ViewController 实例化(不使用 Spring,因此不使用 AOP)。因此,预授权不会被拦截,安全检查也会被跳过。因此,您可以@Autowire您的 Controller 并将其传递给MockMvcBuilders.standaloneSetup来模拟您的服务使用@MockBean,以便ViewApiService的每个实例都获得替换为 Mock 。
关于java - 测试时似乎没有应用 spring-security 的配置,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46276970/