I'm using the new Spring Security test integration features in my Mock MVC tests and noticed that in tests where there are two MVC calls but with different Authentication, the Authentication set in the first MVC call is still present on the second MVC call.
For example, the first call has only the required update permission and the second call has only the required read permission. The second still has the update permission and can't do the read.
In order to work around this I created a ResultHandler that will call TestSecurityContext.clearContext().
Thanks for the quick update! I think in the latter case it would be fine to clear the TestSecurityContext if we always set the authentication on every request.
Seems like what we should do is just make sure we can always overwrite the existing context. If a test is using the annotations, it seems like the expectation is fine that authentication is configured once for a test, and if you change it within the test you're doing it wrong. That would honestly fit my needs but I have a lot of old tests I can't update right now.