2

I'm working on a integration test where authentication is needed. Session state (ie. cookie) seems not to be maintain beetween requests. Is there a CookieManager or something like that ?

@Test
public void whenAuthenticatedUserRequestAForbiddenUrlShouldObtain403() {
    def client = new RESTClient('http://127.0.0.1:8080/app/')

    def login = client .post(
            path: 'api/login.json',
            body: [j_username: 'user', j_password: 'test'],
            requestContentType: ContentType.URLENC)



    def resp = client .get(path: 'forbidden-url')
    assert (resp.status == 403) 
    ==> FAILS status = 200
}
skaffman
  • 398,947
  • 96
  • 818
  • 769
Benoît Guérout
  • 1,977
  • 3
  • 21
  • 30

1 Answers1

0

It looks to me like the problem is not losing session state but rather the 'forbidden-url' might not be specified as secure in the first place. If it were, it does not seem that client request request should succeed EVEN IF you login. Try removing the login at the top and if you still get 200, you probably don't have the URL secured anyway.

Todd W Crone
  • 1,185
  • 8
  • 23