SpringBoot @WebMvcTest security issue

Question

I have a spring rest mvc controller which has the url "/public/rest/vehicle/get". In my security configuration, I have defined that any requests for /public/rest should not require authentication.

    http.
             csrf().disable()
            .authorizeRequests()
            .antMatchers("/home/**", "/**", "/css/**", "/js/**", "/fonts/**", "/images/**", "/public/rest/**","/login*","/signin/**","/signup/**").permitAll()
            .antMatchers("/property/**").authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll()
            .and().httpBasic().disable();

This configuration works fine when I start my application and submit request using browser or any other mean. Now, I have a test class which looks like this,

@RunWith(SpringRunner.class)
@WebMvcTest(VehicleController.class)
public class VehicleControllerTest {

    @Autowired
    private MockMvc mockMvc;

    @MockBean
    private VehicleService vehicleService;


    @Test
    public void getVehicle() throws Exception {
       given(this.vehicleService.get(0)).
               willReturn(new VehicleEquipmentDTO());
        this.mockMvc.perform(get("/public/rest/vehicle/get").param("id","0"))
                .andDo(print())
                .andExpect(status().isOk());//.andExpect(content().string("Honda Civic"));
    }}

Now, when I run this test, it says

java.lang.AssertionError: Status 
Expected :200
Actual   :401

When I print the request response, I see it is complaining because of security. "Error message = Full authentication is required to access this resource" Any ideas why it is not working with the security config that I have, and what is the work around to force it to use the correct configurations? Thanks in advance

score 16 · Accepted Answer · answered Jul 15 '17 at 11:05

16

Finally found the reason. Since WebMvcTest is only sliced testing, it would not take the security configurations. The work around is to explicitly import it like,

@Import(WebSecurityConfig.class)

answered Jul 15 '17 at 11:05

Imran

1,732
3
21
46

score 6 · Answer 2 · edited Nov 14 '18 at 14:37

6

I had the same issue and after searching for a while, I found the following solution.

Because, you have Spring Security enabled in your application, along with other annotations, you can specify the secure=false parameter in @AutoConfigureMockMvc annotation like this:

@AutoConfigureMockMvc(secure=false)
public class YourControllerTest {
//All your test methods here
}

Explanation: To disable the Spring Security auto-configuration, we can use the MockMvc instance to disable security with @AutoConfigureMockMvc(secure=false)

edited Nov 14 '18 at 14:37

Matt

3,422
1
23
28

answered May 09 '18 at 05:32

Abhishek Ransingh

197
2
3

1

Thanks. This also works with the handy `@WebMvcTest` annotation which also have a `secure` parameter – Matt Nov 14 '18 at 13:58
5

sadly the secure flag is deprecated now – dermoritz Aug 14 '19 at 15:30

score 5 · Answer 3 · answered Apr 16 '18 at 03:36

5

This solved me the same issue

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class ClientResourceControllerTest {

answered Apr 16 '18 at 03:36

Udara S.S Liyanage

6,189
9
33
34

This will work but this is different kind of test. "The main difference between SpringBootTest and WebMvcTest annotations is that SpringBootTest annotation will start the full application context. Whereas WebMvcTest annotation will make Spring Framework create application context with a limited number of beans." – fascynacja Mar 29 '23 at 10:11

SpringBoot @WebMvcTest security issue

3 Answers3

Linked