How to do it...

Let us apply a security model to some service methods and test them using the Spring TestContext framework:

  1. Add the Spring Test module, JUnit 4, and Mockito Maven dependencies to the project's pom.xml file.
  2. Add a specialized Spring Security Test dependency to the pom.xml file:
        <dependency> 
            <groupId>org.springframework.security</groupId> 
            <artifactId>spring-security-test</artifactId> 
            <version>4.2.2.BUILD-SNAPSHOT</version> 
            <scope>test</scope> 
        </dependency> 
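  3. Inside src/test/java, create an org.packt.mvc.secured.test package and drop inside it a test class that builds MockMvc from the WebApplicationContext with Spring Security applied. It also tests controllers by providing some Spring Security details such as the username, password, and role:
        import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
        import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
        import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
        import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
        import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

        import javax.servlet.ServletContext;
        import org.junit.Assert;
        import org.junit.Before;
        import org.junit.Test;
        import org.junit.runner.RunWith;
        import org.springframework.beans.factory.annotation.Autowired;
        import org.springframework.http.MediaType;
        import org.springframework.test.context.ContextConfiguration;
        import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
        import org.springframework.test.context.web.WebAppConfiguration;
        import org.springframework.test.web.servlet.MockMvc;
        import org.springframework.test.web.servlet.setup.MockMvcBuilders;
        import org.springframework.web.context.WebApplicationContext;
        // The three configuration classes below come from the application's own packages.

        @RunWith(SpringJUnit4ClassRunner.class)
        @WebAppConfiguration
        @ContextConfiguration(classes = { SpringWebinitializer.class,
                SpringDispatcherConfig.class, SpringContextConfig.class })
        public class TestSecuredControllers {

            @Autowired
            private WebApplicationContext ctx;

            private MockMvc mockMvc;

            @Before
            public void setUp() {
                // springSecurity() registers the Spring Security filter chain with MockMvc
                this.mockMvc = MockMvcBuilders.webAppContextSetup(ctx)
                        .apply(springSecurity()).build();
            }

            @Test
            public void testApplicaticatonContextBeans() {
                ServletContext servletContext = ctx.getServletContext();
                Assert.assertNotNull(servletContext);
            }

            @Test
            public void adminCanCreateOrganization() throws Exception {
                // user(...) supplies the principal and roles the request runs with
                this.mockMvc.perform(get("/deptform.html")
                        .with(user("sjctrags").password("sjctrags").roles("USER"))
                        .contentType(MediaType.APPLICATION_FORM_URLENCODED)
                        .accept(MediaType.APPLICATION_FORM_URLENCODED))
                    .andDo(print())
                    .andExpect(status().isOk());
            }
        }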
  4. Using invalid credentials, the execution of adminCanCreateOrganization() will lead to HTTP 302:
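  5. Create another test class that tests a secured method using the correct login credentials and role. Recall from Chapter 4, Applying Aspect-Oriented Programming, that three roles were created for the entire application, namely ROLE_USER, ROLE_ADMIN, and ROLE_HR, and each is assigned to different DepartmentService methods. Accessing the readDepartments() method requires the ROLE_USER role:
        import static org.junit.Assert.*;
        import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;

        import java.util.List;
        import org.junit.Before;
        import org.junit.Test;
        import org.junit.runner.RunWith;
        import org.springframework.beans.factory.annotation.Autowired;
        import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
        import org.springframework.security.core.context.SecurityContextHolder;
        import org.springframework.security.test.context.support.WithMockUser;
        import org.springframework.test.context.ContextConfiguration;
        import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
        import org.springframework.test.context.web.WebAppConfiguration;
        import org.springframework.test.web.servlet.MockMvc;
        import org.springframework.test.web.servlet.setup.MockMvcBuilders;
        import org.springframework.web.context.WebApplicationContext;
        // Department, DepartmentService and the configuration classes come from
        // the application's own packages.

        @RunWith(SpringJUnit4ClassRunner.class)
        @WebAppConfiguration
        @ContextConfiguration(classes = { SpringWebinitializer.class,
                SpringDispatcherConfig.class, SpringContextConfig.class })
        public class TestSecuredServices {

            @Autowired
            private DepartmentService departmentServiceImpl;

            @Autowired
            private WebApplicationContext ctx;

            private MockMvc mockMvc;

            @Before
            public void setUp() {
                this.mockMvc = MockMvcBuilders.webAppContextSetup(ctx)
                        .apply(springSecurity()).build();
            }

            @Test
            @WithMockUser(roles = "USER")
            public void testListDepts() {
                // Replaces the Authentication that @WithMockUser placed in the context.
                // The two-argument constructor builds an unauthenticated token, so these
                // credentials still have to be accepted by the configured AuthenticationManager.
                SecurityContextHolder.getContext()
                        .setAuthentication(new UsernamePasswordAuthenticationToken(
                                "sjctrags", "sjctrags"));
                List<Department> depts = departmentServiceImpl.readDepartments();
                assertNotNull(depts);
                for (Department dept : depts) {
                    System.out.println(dept.getDeptId());
                }
            }
        }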
  6. Running the test method testListDepts() with the wrong credentials and role will lead to the following exception:
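
The failure cases in steps 4 and 6 can be pinned down as tests of their own, so a change to the security configuration that opens access makes the build fail. This is an added example, not code from the original recipe; the class name `TestAccessDenied` and the user name `hruser` are hypothetical. It assumes unauthenticated requests to /deptform.html are redirected with HTTP 302 as step 4 describes, and that no role hierarchy lets ROLE_HR satisfy the ROLE_USER requirement on readDepartments().

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.anonymous;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
// DepartmentService and the three configuration classes come from the
// application's own packages, which the recipe does not show.

@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration
@ContextConfiguration(classes = { SpringWebinitializer.class,
        SpringDispatcherConfig.class, SpringContextConfig.class })
public class TestAccessDenied { // hypothetical class name
    @Autowired private DepartmentService departmentServiceImpl;
    @Autowired private WebApplicationContext ctx;
    private MockMvc mockMvc;

    @Before
    public void setUp() {
        mockMvc = MockMvcBuilders.webAppContextSetup(ctx).apply(springSecurity()).build();
    }

    // Assumption: an unauthenticated request is redirected (HTTP 302), as in step 4.
    @Test
    public void anonymousIsRedirectedFromDeptForm() throws Exception {
        mockMvc.perform(get("/deptform.html").with(anonymous()))
               .andExpect(status().isFound());
    }

    // ROLE_HR exists in the application but is not the ROLE_USER that
    // readDepartments() requires, so method security must refuse the call.
    @Test(expected = AccessDeniedException.class)
    @WithMockUser(username = "hruser", roles = "HR") // constructed user name
    public void wrongRoleCannotReadDepartments() {
        departmentServiceImpl.readDepartments();
    }
}
```

AccessDeniedException is what Spring Security's method interceptor throws when an already-authenticated principal lacks the required authority, which is why the second test uses @WithMockUser alone and does not overwrite the SecurityContext.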