unit-testingspring-bootspring-securityspring-socialspring-boot-test

@WithUserDetails does not seem to work


I have an application in which I use Spring Social Security for authentication and authorization. Unfortunately I am having some problems with mocking Spring Security. It seems that it does not work at all.

I have a REST controller that returns 404 Not Found if the identifier of the entity it should return is not available. If the user is not logged in then any page redirects to the social login page of my app.

I have read here that the @WithUserDetails annotation would suit me the best.

So my test method looks like this

@Test
@SqlGroup({
    @Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, statements = "INSERT INTO UserAccount(id, creationtime, modificationtime, version, email, firstname, lastname, role, signinprovider) VALUES (1, '2008-08-08 20:08:08', '2008-08-08 20:08:08', 1, 'user', 'John', 'Doe', 'ROLE_USER', 'FACEBOOK')"), })
@Rollback
@WithUserDetails
public void ifNoTeamsInTheDatabaseThenTheRestControllerShouldReturnNotFoundHttpStatus() {
    ResponseEntity<String> response = restTemplate.getForEntity("/getTeamHistory/{team}", String.class, "Team");
    Assert.assertEquals(HttpStatus.NOT_FOUND, response.getStatusCode());
}

But this does not seem to work at all. It looks like the test method is executed with anonymous user, because the status I get is 200 OK.

My test class is annotated like this

@RunWith(SpringRunner.class)
@ActiveProfiles("dev")
@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
@Transactional
public class TeamRestControllerTest {
    //...
}

Has anyone ever experienced such an issue with mocking Spring Security that is delivered by Spring Social?


Solution

  • I'm unable to test it at the moment, but here's a possible solution.

    Looking at @WithUserDetails implementation:

    @WithSecurityContext(factory = WithUserDetailsSecurityContextFactory.class)
    public @interface WithUserDetails {
        ...
    }
    
    final class WithUserDetailsSecurityContextFactory implements
            WithSecurityContextFactory<WithUserDetails> {
    
        private BeanFactory beans;
    
        @Autowired
        public WithUserDetailsSecurityContextFactory(BeanFactory beans) {
            this.beans = beans;
        }
    
        public SecurityContext createSecurityContext(WithUserDetails withUser) {
            String beanName = withUser.userDetailsServiceBeanName();
            UserDetailsService userDetailsService = StringUtils.hasLength(beanName)
                    ? this.beans.getBean(beanName, UserDetailsService.class)
                    : this.beans.getBean(UserDetailsService.class);
            String username = withUser.value();
            Assert.hasLength(username, "value() must be non empty String");
            UserDetails principal = userDetailsService.loadUserByUsername(username);
            Authentication authentication = new UsernamePasswordAuthenticationToken(
                    principal, principal.getPassword(), principal.getAuthorities());
            SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(authentication);
            return context;
        }
    }
    

    You could create the Security Context of your choice following the same pattern:

    @Target({ElementType.METHOD, ElementType.TYPE})
    @Retention(RetentionPolicy.RUNTIME)
    @Inherited
    @Documented
    @WithSecurityContext(factory = WithoutUserFactory.class)
    public @interface WithoutUser {
    }
    
    public class WithoutUserFactory implements WithSecurityContextFactory<WithoutUser> {
        public SecurityContext createSecurityContext(WithoutUser withoutUser) {
            return SecurityContextHolder.createEmptyContext();
        }
    }
    

    The other available annotations: WithAnonymousUser, WithMockUser, WithSecurityContext (and WithUserDetails)