Issue
I want to unit test my controllers security using the method based security when I've checked the docs I've found this but it uses @RunWith
and it doesn't seem to be loading only the security config.
What I tried to do: Loading my secuirty config
@ContextConfiguration(classes = {SecurityConfigImpl.class})
public class PeopleGQLApiSecutiryTest {
private final PersonService personService = mock(PersonService.class);
private final PeopleGQLApi peopleGQLApi = new PeopleGQLApi(personService);
@Test
@WithAnonymousUser
void itShouldCreateNewPerson() {
when(personService.createNewPerson(any(Person.class))).thenReturn(new Person());
// this should fail!
peopleGQLApi.createPerson(
Person.LevelEnum.WEAK,
// rest of the arguments
);
}
}
This one should fail (by throwing an expection or anything like that) because create person is a secured function with ROLE_ADMIN
.
Note: this is a GraphQL mutation
@MutationMapping("createPerson")
@Secured({"ROLE_ADMIN"})
public Person createPerson(
@Argument("level") Level level,
// rest of the arguments
) {
// method implementation
}
I can't use a fully fledged @SpringBootTest
because I will have to provide mongodb config too which out of the scope of this test.
Solution
I think the word you are looking for is @WithMockUser
You can use something like @WithMockUser(authorities = "ROLE_ADMIN")
to mock a user with this role
Also for more tweaks, you can use the Spring Security Context
SecurityContext securityContext = SecurityContextHolder.createEmptyContext();
securityContext.setAuthentication(new UsernamePasswordAuthenticationToken("username", "password"));
SecurityContextHolder.setContext(securityContext);
And you can add any authorities to your security context or read them.
better to add them to securityUtil class to be used in multiple situations as well.
Please make sure that you have an assertion to validate the unauthorized requests inside your test case
Answered By - Ayman