
SecurityMockMvcResultMatchers

At times it is desirable to make security-related assertions about a request. To accommodate this need, Spring Security Test support implements Spring MVC Test’s ResultMatcher interface. To use Spring Security’s ResultMatcher implementations, add the following static import:

Java
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.*;
Kotlin
import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.*

Unauthenticated Assertion

At times it may be valuable to assert that there is no authenticated user associated with the result of a MockMvc invocation. For example, you might want to test submitting an invalid username and password and verify that no user is authenticated. You can easily do this with Spring Security’s testing support using something like the following:

Java
mvc
	.perform(formLogin().password("invalid"))
	.andExpect(unauthenticated());
Kotlin
mvc
    .perform(formLogin().password("invalid"))
    .andExpect(unauthenticated())

Authenticated Assertion

Often we must assert that an authenticated user exists. For example, we may want to verify that we authenticated successfully. We could verify that a form-based login was successful with the following snippet of code:

Java
mvc
	.perform(formLogin())
	.andExpect(authenticated());
Kotlin
mvc
    .perform(formLogin())
    .andExpect(authenticated())

If we wanted to assert the roles of the user, we could refine our previous code as shown below:

Java
mvc
	.perform(formLogin().user("admin"))
	.andExpect(authenticated().withRoles("USER","ADMIN"));
Kotlin
mvc
    .perform(formLogin().user("admin"))
    .andExpect(authenticated().withRoles("USER","ADMIN"))

Alternatively, we could verify the username:

Java
mvc
	.perform(formLogin().user("admin"))
	.andExpect(authenticated().withUsername("admin"));
Kotlin
mvc
    .perform(formLogin().user("admin"))
    .andExpect(authenticated().withUsername("admin"))

We can also combine the assertions:

Java
mvc
	.perform(formLogin().user("admin"))
	.andExpect(authenticated().withUsername("admin").withRoles("USER", "ADMIN"));
Kotlin
mvc
    .perform(formLogin().user("admin"))
    .andExpect(authenticated().withUsername("admin").withRoles("USER", "ADMIN"))

We can also make arbitrary assertions on the authentication:

Java
mvc
	.perform(formLogin())
	.andExpect(authenticated().withAuthentication(auth ->
		assertThat(auth).isInstanceOf(UsernamePasswordAuthenticationToken.class)));
Kotlin
mvc
    .perform(formLogin())
    .andExpect(authenticated().withAuthentication { auth ->
        assertThat(auth).isInstanceOf(UsernamePasswordAuthenticationToken::class.java)
    })