
SEC-2935: Security context held between multiple MVC requests in one test #3061

Closed
spring-projects-issues opened this issue Apr 8, 2015 · 2 comments
Labels: in: test, type: bug, type: jira


spring-projects-issues commented Apr 8, 2015

Dan Parrella (Migrated from SEC-2935) said:

I'm using the new Spring Security test integration features in my Mock MVC tests and noticed that in tests where there are two MVC calls but with different Authentication, the Authentication set in the first MVC call is still present on the second MVC call.

For example, the first call has only the required update permission and the second call has only the required read permission. The second still has the update permission and can't do the read.

In order to work around this I created a ResultHandler that will call TestSecurityContext.clearContext().
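The workaround described in this comment, written out as an added example (it is not code from the issue or from Spring Security itself). It assumes a hypothetical SecurityConfig with a GET /update endpoint that requires ROLE_UPDATER and a GET /read endpoint that requires ROLE_READER; the class that actually holds the test context in spring-security-test is TestSecurityContextHolder, whose static clearContext() the ResultHandler calls. Assumed names are marked in the comments.

```java
// Added example, not part of the original issue or of Spring Security.
// A ResultHandler that clears the test security context after a MockMvc
// call, so the Authentication from the first request cannot leak into the
// second request of the same test.
// Assumed (hypothetical): SecurityConfig, GET /update needing ROLE_UPDATER,
// GET /read needing ROLE_READER.
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.test.context.TestSecurityContextHolder;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.ResultHandler;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration
@ContextConfiguration(classes = SecurityConfig.class) // SecurityConfig is hypothetical
public class StaleSecurityContextTest {

    /** Drops whatever Authentication the previous call left in the test context. */
    static ResultHandler clearSecurityContext() {
        return result -> TestSecurityContextHolder.clearContext();
    }

    @Autowired
    private WebApplicationContext context;

    private MockMvc mvc;

    @Before
    public void setup() {
        mvc = MockMvcBuilders.webAppContextSetup(context)
                .apply(springSecurity())
                .build();
    }

    @Test
    public void secondRequestUsesItsOwnAuthentication() throws Exception {
        // First call: only ROLE_UPDATER, so /update is allowed.
        mvc.perform(get("/update").with(user("alice").roles("UPDATER")))
                .andExpect(status().isOk())
                .andDo(clearSecurityContext()); // forget alice before the next call

        // Second call: only ROLE_READER. Without the clear above the context
        // still holds alice (ROLE_UPDATER) and /read is refused, which is the
        // behaviour this issue reports.
        mvc.perform(get("/read").with(user("bob").roles("READER")))
                .andExpect(status().isOk())
                .andDo(clearSecurityContext());
    }
}
```

Because the clear is attached per call with andDo, it only affects tests that opt in; a test relying on @WithMockUser or a defaultRequest user must not use it, since clearing the context there removes the user the second perform() is expected to run as.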


spring-projects-issues commented Apr 8, 2015

Rob Winch said:

Thanks for the report! This does indeed seem to be a problem.

At first glance a proper solution is not that apparent to me (I'll need to spend a bit of time on it). For example, if we use the following:

@Test
@WithMockUser
public void requestProtectedUrlWithUser() throws Exception {
  mvc.perform(get("/"));

  mvc.perform(get("/other"));
}

the test user should be used in both invocations. Similarly:

mvc = MockMvcBuilders
        .webAppContextSetup(context)
        .defaultRequest(get("/").with(user("user").roles("ADMIN")))
        .apply(springSecurity())
        .build();

creates something that by default always uses the same user. So

@Test
public void requestProtectedUrlWithUser() throws Exception {
  mvc.perform(get("/"));

  mvc.perform(get("/other"));
}

will both use the user "user".

All of the underlying mechanisms are using TestSecurityContext so if we clear it out it will break these cases.


spring-projects-issues commented Apr 8, 2015

Dan Parrella said:

Hi Rob,
Thanks for the quick update! I think in the latter case it would be fine to clear the TestSecurityContext if we always set the authentication on every request.

Seems like what we should do is just make sure we can always overwrite the existing context. If a test is using the annotations, it seems like the expectation is fine that authentication is configured once for a test, and if you change it within the test you're doing it wrong. That would honestly fit my needs but I have a lot of old tests I can't update right now.
