I am using Spring Test MVC HtmlUnit with Geb to drive functional tests for my Spring MVC application. I would like to check that some session variables are saved properly during an interaction. I tried creating a test controller to return those variables, but HtmlUnit and mvc.perform() are using different sessions. Is there a way to use a single shared session between them?
driver setup:
MockMvc mvc = MockMvcBuilders.webAppContextSetup(ctx)
.apply(SecurityMockMvcConfigurers.springSecurity())
.build()
HtmlUnitDriver driver = MockMvcHtmlUnitDriverBuilder.mockMvcSetup(mvc).javascriptEnabled(true).build()
test:
when:
via ProtectedPage
then:
// this uses session A
at LoginPage
and:
// this uses session B
println mvc.perform(get('/test/sessionAttributes')).andReturn().response.contentAsString
Summary
Can I ask why you are trying to do some of your work in MockMvc and some of it in HtmlUnit? It really isn't designed to be used this way. Instead, I would recommend interacting with HtmlUnit to consume the session (as your browser would) and verifying those results.
The reason this doesn't work is that MockMvc.perform works in isolation. The HtmlUnit integration bridges the MockMvc.perform invocations to ensure they work as you would expect in a browser (i.e. tracking sessions). However, the logic to bridge the the MockMvc.perform invocations is encapsulated.
MockMvc Behavior
MockMvc requests work in isolation and will by default use a new session on every request. For example, the following two requests operate on distinct sessions:
// this uses session A
mvc.perform(get("/test"))
// this uses session B
mvc.perform(get("/test"))
In order to reuse the session, you must obtain the session from the first MockMvc.perform invocation and set it on the second the MockMvc.perform invocation. For example:
MvcResult mvcResult = mvc
.perform(get("/a"))
.andReturn();
// reuse the previous session
MockHttpSession session = (MockHttpSession) mvcResult
.getRequest().getSession();
mvc.perform(get("/b").session(session));
The HtmlUnit support keeps track of the sessions in MockMvcWebConnection and sets the appropriate session (similar to what you saw above) based upon the JSESSIONID cookie.
In order for you to reuse the HttpSession from the HtmlUnit support in a MockMvc request, you would need access to the original session. However, this logic is encapsulated within the HtmlUnit support and thus you cannot access it.
Workaround
I don't expect that we will expose the internals of the HtmlUnit integration. I also would not recommend mixing and matching MockMvc HtmlUnit integration with straight MockMvc usage. However, you can workaround the issue.
The first step is to create a ResultHandler that tracks the last session.
public class SessionTracking implements ResultHandler {
private MockHttpSession lastSession;
#Override
public void handle(MvcResult result) throws Exception {
lastSession = (MockHttpSession) result.getRequest().getSession(false);
}
public MockHttpSession getLastSession() {
return lastSession;
}
}
The next step is to ensure you register SessionTracking with your MockMvc instance.
SessionTracking sessions = new SessionTracking();
MockMvc mvc = MockMvcBuilders
.webAppContextSetup(context)
.apply(SecurityMockMvcConfigurers.springSecurity())
// ADD THIS
.alwaysDo(sessions)
.build();
HtmlUnitDriver driver = MockMvcHtmlUnitDriverBuilder
.mockMvcSetup(mvc)
.build();
Now if you need to make a MockMvc request, you can access the previous session using the SessionTracking object.
when:
via ProtectedPage
then:
// this uses session A
at LoginPage
and:
// this uses session A
println mvc.perform(get('/test/sessionAttributes').session(sessions.lastSession).andReturn().response.contentAsString
Related
We have a couple of Spring tests that call a secured controller endpoints. Our goal is to assure that absence of particular user roles will result into HTTP 403 status.
Our issue is that execution of those tests also bootstraps DB connection which we don't actually need.
I've already tried countless number of all kind of annotations and manual configurations to avoid initialization of DB connection but so far without luck. Can you please share example how to do that?
We use Spring Boot 2.7.
Yes, you can use #WebMvcTest, take a look at the docs. In summary, using #WebMvcTest will only bootstrap the Spring MVC components and avoid loading other application's layers. This annotation also automatically configures Spring Security for you, therefore you can test authentication/authorization rules.
Example:
#WebMvcTest(UserVehicleController.class)
class MyControllerTests {
#Autowired
private MockMvc mvc;
#MockBean
private UserVehicleService userVehicleService;
#Test
#WithMockUser(roles = "ADMIN")
void testAdminSuccess() throws Exception {
given(this.userVehicleService.getVehicleDetails("sboot"))
.willReturn(new VehicleDetails("Honda", "Civic"));
this.mvc.perform(get("/sboot/vehicle").accept(MediaType.TEXT_PLAIN))
.andExpect(status().isOk())
.andExpect(content().string("Honda Civic"));
}
#Test
#WithMockUser(roles = "USER")
void testUserForbidden() throws Exception {
this.mvc.perform(get("/sboot/vehicle").accept(MediaType.TEXT_PLAIN))
.andExpect(status().isForbidden());
}
}
My SpringBoot application is a packaged software application, to customize it I want to manipulate the authentication object when users first login, and I expect this object would be pushed back to the user's session for subsequent connection.
I managed to use an Around advice to intercept a REST endpoint that will be triggered when first login:
#Around("execution( * com.myproject.CurrentUser.get(..)))"
public ResponseEntity getCurrentUser(ProceedingJoinPoint pjp) throws Exception {
SecurityContextHolder.getContext().setAuthentication(getNewAuthentication());
((ServletRequestAttributes) RequestContextController.currentRequestAttributes())
.getRequest().getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING.SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
ResponseEntity response = (ResponseEntity) pjp.proceed();
return response;
}
The getNewAuthentication() method is confirmed OK, it returns a PreAuthenticatedAuthenticationToken that includes additional authorities.
However in the subsequent REST calls when I check the Security Context object the authentication is still the original one.
May I know what would be the proper way to do this? I need to manipulate the authentication object at the very beginning and make sure the subsequent calls will make use of it.
Any idea?
I'm using spring boot and I want to assert an asynchronous side effect by calling a secured endpoint with MockMvc.
I have been using Awaitility, but apparently the mocked security context is lost when executing in a different thread.
I couldn't find a way of passing the context, I tried with SecurityContextHolder.setContext() but it didn't work, I guess spring's MockMvc stores the context in a different way.
#Test
#WithMockUser(authorities = "admin", username = "user")
void shouldRunSideEffectAsync() throws Exception {
mockMvc.perform(post("/foo")).andExpect(status().isAccepted());
await()
.atMost(TIMEOUT)
.untilAsserted(() -> mockMvc.perform(get("/foo")).andExpect(status().isOk()));
}
The GET would return 404 for a while and then 200 when the async task is completed. However this will always return 403 as the MockUser info is lost.
How can I solve this?
You almost got it. Security for MockMvc is implemented by TestSecurityContextHolderPostProcessor, which uses the TestSecurityContextHolder to set/get the security context. That is just a wrapper around the SecurityContextHolder.
So you can use TestSecurityContextHolder.setContext() in the awaitility thread and it should work.
I have a SOAP web service written in Spring Web Services that I would like to integration test.
I would like to use spring-ws-test as the reference documentation points to. So, the test code is similar to the example in the reference, something like that:
#Autowired
private ApplicationContext applicationContext;
private MockWebServiceClient mockClient;
#Before
public void createClient() {
mockClient = MockWebServiceClient.createClient(applicationContext);
}
#Test
public void customerEndpoint() throws Exception {
Source requestEnvelope = new ResourceSource(new ClassPathResource("request.xml"));
Source responsePayload = new ResourceSource(new ClassPathResource("response.xml"));
mockClient.sendRequest(withSoapEnvelope(requestPayload)).
andExpect(payload(responsePayload));
}
However, the endpoint I am testing is using basic authentication and it expects to read values in the Authorization header. It is not using spring-security for that task but it has custom logic that gets the HTTP headers by getting the HttpServletResponse from the TransportContextHolder. So, the request triggers the endpoint but it fails to retrieve the basic authentication base64 token.
The question is, how may I pass HTTP headers in that situation? Is it possible at all? If not what is the preferred alternative?
I have read the javadoc and I cannot find a way to pass the headers. Also, I have found this question which is similar but it doesn't help me much.
I've got spring web application with jersey rest services. However rest is secured via spring security and login process is very hard to perform from unit test code. I'd like to test rest services with whole spring security disabled. Is it even possible?
One of the advantages of annotation based web services is that you can unit-test them easily.
class WebServiceEndpoint {
#Path("/foo/{fooId}")
#POST
#Produces({ MediaType.APPLICATION_XML })
public Response doFoo(#PathParam("fooId") Integer fooId) {
/// ... web service endpoint implementation
}
}
If you're using Spring's servlet filter for security, then there shouldn't be any security-related code in the doFoo method, so you can just create a new WebServiceEndpoint class and call the method. So that's one way of 'disabling' security.
When you say the login process is 'hard', what do you mean? If you've succeeded in logging in once, then you can just reuse the same code in your other unit tests (e.g. in a #Before method).
Just test it as a pojo. Pass in whatever, return whatever, don't load an app context at all - that would be an integration test.
The ability to easily test functionality without the framework loaded is one of the key advantages of spring.
You don't say what's "hard," so I'm assuming that you've got something in your REST service, i.e. in the java method that you want to test, which requires authentication results. Spring has utilities for mocking the authentication results. For example, you can do the following in a #Before setup method:
Object principal = null; // fix this
Object credentials = null; // fix this
Authentication auth = new org.springframework.security.authentication.TestingAuthenticationToken(principal, credentials);
SecurityContextHolder.getContext().setAuthentication(auth);
But again, you haven't said what problem you're actually trying to solve...