How to use use `with(user(` when using Spring Session/Security in REST environment

Question

Is it possible to pouplate a Test User with SecurityMockMvcRequestPostProcessors.user when using Spring Session with HeaderHttpSessionStrategy.

I tried something like:

mockMvc.perform(
    get(URL)
        .with(user("user").password("pwd").roles("USER", "ADMIN")))
    .andExpect(status().isOk())

But it returns a 403. Without the with(user( I get the a 401 so there is a difference.

I've a faily simple SecurityConfig containing:

    http
        .anonymous()
            .and()
        .authorizeRequests()
            .antMatchers("/api/**").hasAuthority("USER")
            .and()
        .csrf()
            .disable()
        .httpBasic()
            .and()
        .requestCache()
            .requestCache(new NullRequestCache());

I's very similar like https://github.com/spring-projects/spring-session/tree/1.0.1.RELEASE/samples/rest as I have an endpoint with I authenticate to with http basic. It returns the authentication token via the header which is then used in other REST calls.

So I was hoping that I just could use the with(user( in this scenario to make my tests easier.

Rob Winch · Accepted Answer · 2015-07-09T20:21:00.107

0

Yes you should be able to do this. The problem is that

.with(user("user").password("pwd").roles("USER", "ADMIN")))

is applying roles which means the ROLE_ prefix is automatically added.

In contrast, your configuration is using:

.antMatchers("/api/**").hasAuthority("USER")

which does not automatically add the ROLE_ prefix. Instead, try using:

.antMatchers("/api/**").hasRole("USER")

NOTE: I have also updated the tests to include an example of with(user("user")).

edited Jul 09 '15 at 20:21

answered Jul 09 '15 at 20:13

Rob Winch

21,440
2
59
76

Thanks Rob, this indeed was the issue. – Marcel Overdijk Jul 13 '15 at 14:24

How to use use `with(user(` when using Spring Session/Security in REST environment

1 Answers1