Include web security configuration classes when @WebMvcTest.secure is true #6514

Closed
sbrannen opened this Issue Jul 30, 2016 · 9 comments

sbrannen commented Jul 30, 2016

Status Quo

WebMvcTypeExcludeFilter picks up web-specific components for the web testing slice, but it currently does not include @EnableWebSecurity configuration classes, which are for the web (albeit for security in the web tier).

The Javadoc for @WebMvcTest states that it "can be used when a test focuses only on Spring MVC components." This is, however, in slight contradiction to the subsequent claim that "by default, tests annotated with @WebMvcTest will also auto-configure Spring Security and MockMvc."

The aforementioned claims in the Javadoc lead the user to believe that their own Spring Security configuration will be used, thereby requiring roles and authentication mechanisms known to the user. Furthermore, the user naturally assumes that authentication will not be required to access paths for which he or she has not required authentication.

On the contrary, since the user's custom @EnableWebSecurity is not included in the @WebMvcTest slice, Spring Boot configures HTTP BASIC authentication for all request paths.

Consequently, when a user uses @WebMvcTest and then executes a MockMvc test -- without supplying the BASIC authentication headers -- the test fails with a 401 response status (Full authentication is required to access this resource). This can be extremely baffling to the user, especially for non-secured paths such as a home page, login page, etc.

Setting the @WebMvcTest.secure flag to false turns off Spring Security entirely, but that is often undesirable.

Known Workarounds

In my Spring Events sample application, I came up with the following two workarounds.

Generic solution:

@WebMvcTest(includeFilters = @Filter(classes = EnableWebSecurity.class))

Custom solution specific to my project:

@WebMvcTest
@Import(WebSecurityConfig.class)

Note that WebSecurityConfig is annotated with @EnableWebSecurity.

Related Discussions

  1. Whenever @WebMvcTest.secure is set to true, include @Configuration classes annotated with @EnableWebSecurity in WebMvcTypeExcludeFilter.
    • Alternatively, introduce a new boolean flag or enum to enable automatic inclusion of user-defined @EnableWebSecurity classes.
  2. The Javadoc for @WebMvcTest.secure should be augmented to point out that setting it to false actually disables auto-configuration for Spring Security completely, instead of implying that it only disables Spring Security Test support in MockMvc.

wilkinsona commented Aug 8, 2016

Using @EnableWebSecurity in a Spring Boot app is somewhat atypical as it switches off all of Boot's security auto-configuration. I think the broader point still stands though. We could do more by looking for @EnableWebSecurity-annotated beans as well as those that extend WebSecurityConfigurerAdapter etc.

@wilkinsona wilkinsona changed the title Include @EnableWebSecurity classes when @WebMvcTest.secure is true Include security configuration classes when @WebMvcTest.secure is true Aug 8, 2016

@wilkinsona wilkinsona changed the title Include security configuration classes when @WebMvcTest.secure is true Include web security configuration classes when @WebMvcTest.secure is true Aug 8, 2016

@philwebb philwebb added this to the 1.5.0 milestone Aug 9, 2016

btiernay commented Aug 24, 2016

This would be quite useful. Hit the same issue today.

adenix commented Apr 30, 2017

Hit same issue with OAuth2

juzerali commented Jun 21, 2017

Spent two days before figuring this out.

snicoll commented Jun 21, 2017

@juzerali perhaps you could improve your comment and make it productive by sharing what would have helped you to figure this out sooner?

juzerali pushed a commit to juzerali/spring-boot that referenced this issue Jun 21, 2017

@philwebb philwebb added this to the Backlog milestone Mar 21, 2018

philwebb commented Mar 21, 2018

See eef6fdb (#12275) which we reverted late in 2.0

mbhave commented Apr 25, 2018

We might have to do this a bit differently from eef6fdb since that commit would pull in the custom WebSecurityConfigurerAdapters even if secure=false is configured on @WebMvcTest.

martijnhiemstra commented Aug 9, 2018

2 years later and still no fix!!! This is really bad support from Spring. All urls are returning a 401 which means security is on however the rules defined in ResourceServerConfigurerAdapter in the configure method aren't being loaded. They are loaded when running the application however when testing they aren't loaded and the above solutions don't work!!!

wilkinsona commented Aug 9, 2018

Please try to be constructive. Describing something as "really bad support from Spring" doesn't help anyone. The most likely outcome is that anyone who had the time and motivation to look at this will now choose to spend their time on something more rewarding.

If you are unhappy about the situation, perhaps you could make some suggestions about what form you'd like the proposed enhancements to take? Or, even better than that, perhaps you'd like to contribute something that improves Spring Boot for everyone?

@mbhave mbhave self-assigned this Aug 21, 2018

@mbhave mbhave modified the milestones: Backlog, 2.1.0.M3 Aug 30, 2018

@mbhave mbhave closed this in 0384a88 Aug 30, 2018
