How to disable securty on controller Unit Test?

Question

I try to disable the security on controller Unit test but I allways have error 403.

My Unit Test :

@RunWith(SpringRunner.class)
@WebMvcTest(value = MeasureController.class, secure = false)
@AutoConfigureMockMvc(secure = false)
public class MeasureControllerTest {

    @Autowired
    private MockMvc mvc;
    @Autowired
    private ObjectMapper objectMapper;
    @MockBean
    private ObjectService objectService;
    @Autowired
    private MeasureController measureController;

    /**
     * Test of sayHello method, of class MeasureController.
     *
     * @throws java.lang.Exception
     */
    @Test
    public void OnPostShouldReturnCreatedStatusIfEmptyMeasure() throws Exception {
        final String url = "/object/" + uuidKey + "/measures/";
        this.mvc.perform(post(url)
                .content("[]")
                .contentType(MediaType.APPLICATION_JSON)
                .accept(MediaType.APPLICATION_JSON))
                .andExpect(status().isCreated());

        verifyZeroInteractions(objectService);
    }
}

The security configuration :

@Configuration
@EnableResourceServer
public class SecurityResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().authorizeRequests()
                .antMatchers("/v2/api-docs", "/swagger-resources/**", "/swagger-ui.html", "/webjars/**").permitAll()
                .anyRequest().authenticated()
                ;
    }

    @Primary
    @Bean
    public RemoteTokenServices tokenServices() {
        final RemoteTokenServices tokenService = new RemoteTokenServices();
        tokenService.setCheckTokenEndpointUrl("https://..../oauth/check_token");
        tokenService.setClientId(".....");
        tokenService.setClientSecret(".....");
        return tokenService;
    }
}

The spring documentation say to put AutoConfigureMockMvc.secure to false or the WebMvcTest.secure to false. But the both not disable the security. I mis something?

I use Spring boot 2.0.4. and spring-security-oauth2 2.3.3.RELEASE

score 2 · Answer 1 · answered Sep 18 '20 at 10:51

For others who come here looking for answers (and my future self), tested in Spring Boot 2.2:

@WebMvcTest(controllers = YourController.class,
        excludeFilters = { @ComponentScan.Filter(type = FilterType.ASSIGNABLE_TYPE, value = WebSecurityConfigurer.class) },
        excludeAutoConfiguration = { SecurityAutoConfiguration.class})

excludeFilters will stop @WebMvcTest picking up any classes implementing security which it does by default: https://docs.spring.io/spring-boot/docs/2.2.1.RELEASE/reference/htmlsingle/#boot-features-testing-spring-boot-applications-testing-autoconfigured-mvc-tests This is needed if you're adding your own class for security (most likely by extending WebSecurityConfigurerAdapter), to stop Spring from picking up and creating these beans.
the excludeAutoConfiguration will make sure that default spring boot's logic will ALSO not kick in

score 1 · Answer 2 · answered Aug 13 '18 at 15:58

1

The "WebMvcTest.secure" was deprecated. You have to put to your controller test :

@RunWith(SpringRunner.class)
@WebMvcTest(value = PatientDeviceController.class, excludeAutoConfiguration = SecurityAutoConfiguration.class)
@AutoConfigureMockMvc(secure = false)

answered Aug 13 '18 at 15:58

BokC

333
5
19

What makes you think the `secure` attribute is deprecated? The Spring Boot 2.0.4 documentation does not indicate that: https://docs.spring.io/spring-boot/docs/current/api/org/springframework/boot/test/autoconfigure/web/servlet/WebMvcTest.html#secure-- – Sam Brannen Aug 15 '18 at 10:03
6

Both are now deprecated as of today. – blackr1234 Mar 25 '19 at 08:14
From source `@deprecated since 2.1.0 in favor of Spring Security's testing support` – muttonUp Oct 08 '19 at 10:25

How to disable securty on controller Unit Test?

2 Answers2