Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Include web security configuration classes when is true #6514

sbrannen opened this issue Jul 30, 2016 · 9 comments


Copy link

@sbrannen sbrannen commented Jul 30, 2016

Status Quo

WebMvcTypeExcludeFilter picks up web-specific components for the web testing slice, but it currently does not include @EnableWebSecurity configuration classes, which are for the web (albeit for security in the web tier).

The Javadoc for @WebMvcTest states that it "can be used when a test focuses only on Spring MVC components." This is, however, in slight contradiction to the subsequent claim that "by default, tests annotated with @WebMvcTest will also auto-configure Spring Security and MockMvc."

The aforementioned claims in the Javadoc lead the user to believe that their own Spring Security configuration will be used, thereby requiring roles and authentication mechanisms known to the user. Furthermore, the user naturally assumes that authentication will not be required to access paths for which he or she has not required authentication.

On the contrary, since the user's custom @EnableWebSecurity is not included in the @WebMvcTest slice, Spring Boot configures HTTP BASIC authentication for all request paths.

Consequently, when a user uses @WebMvcTest and then executes a MockMvc test -- without supplying the BASIC authentication headers -- the test fails with a 401 response status (Full authentication is required to access this resource). This can be extremely baffling to the user, especially for non-secured paths such as a home page, login page, etc.

Setting the flag to false turns off Spring Security entirely, but that is often undesirable.

Known Workarounds

In my Spring Events sample application, I came up with the following two workarounds.

Generic solution:

@WebMvcTest(includeFilters = @Filter(classes = EnableWebSecurity.class))

Custom solution specific to my project:


Note that WebSecurityConfig is annotated with @EnableWebSecurity.

Related Discussions

  1. Whenever is set to true, include @Configuration classes annotated with @EnableWebSecurity in WebMvcTypeExcludeFilter.
    • Alternatively, introduce a new boolean flag or enum to enable automatic inclusion of user-defined @EnableWebSecurity classes.
  2. The Javadoc for should be augmented to point out that setting it to false actually disables auto-configuration for Spring Security completely, instead of implying that it only disables Spring Security Test support in MockMvc.
Copy link

@wilkinsona wilkinsona commented Aug 8, 2016

Using @EnableWebSecurity in a Spring Boot app is somewhat atypical as it switches off all of Boot's security auto-configuration. I think the broader point still stands though. We could do more by looking for @EnableWebSecurity-annotated beans as well as those that extend WebSecurityConfigurerAdapter etc.

@wilkinsona wilkinsona changed the title Include @EnableWebSecurity classes when is true Include security configuration classes when is true Aug 8, 2016
@wilkinsona wilkinsona changed the title Include security configuration classes when is true Include web security configuration classes when is true Aug 8, 2016
@philwebb philwebb added this to the 1.5.0 milestone Aug 9, 2016
Copy link

@btiernay btiernay commented Aug 24, 2016

This would be quite useful. Hit the same issue today

Copy link

@adenix adenix commented Apr 30, 2017

Hit same issue with Oauth2

Copy link

@juzerali juzerali commented Jun 21, 2017

Spent two days before figuring this out.

Copy link

@snicoll snicoll commented Jun 21, 2017

@juzerali perhaps you could improve your comment and make it productive by sharing what would have helped you to figure this out sooner?

juzerali pushed a commit to juzerali/spring-boot that referenced this issue Jun 21, 2017
juzerali pushed a commit to juzerali/spring-boot that referenced this issue Jun 21, 2017
juzerali pushed a commit to juzerali/spring-boot that referenced this issue Jun 21, 2017
@philwebb philwebb added this to the Backlog milestone Mar 21, 2018
Copy link

@philwebb philwebb commented Mar 21, 2018

See eef6fdb (#12275) which we reverted late in 2.0

Copy link

@mbhave mbhave commented Apr 25, 2018

We might have to do this a bit differently from eef6fdb since that commit would pull in the custom WebSecurityConfigurerAdapters even if secure=false is configured on @WebMvcTest.

Copy link

@martijnhiemstra martijnhiemstra commented Aug 9, 2018

2 years later and still no fix!!! This is really bad support from Spring. All urls are returning a 401 which means security is on however the rules defined in ResourceServerConfigurerAdapter in the configure methode aren't being loaded. They are loaded when running the application however when testing they aren't laoded and the above solutions don't work!!!

Copy link

@wilkinsona wilkinsona commented Aug 9, 2018

Please try to be constructive. Describing something as "really bad support from Spring" doesn't help anyone. The most likely outcome is that anyone who had the time and motivation to look at this will now choose to spend their time on something more rewarding.

If you are unhappy about the situation, perhaps you could make some suggestions about what form you'd like the proposed enhancements to take? Or, even better than that, perhaps you'd like to contribute something that improves Spring Boot for everyone?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
10 participants