SEC-3083: SecurityMockMvcRequestPostProcessors.user stops working when upgrading from 4.0.0 to 4.0.2 #3288

Closed
spring-projects-issues opened this issue Aug 20, 2015 · 4 comments
Labels: in: test, status: declined, type: bug, type: jira

spring-projects-issues commented Aug 20, 2015

Jean Noel Delavalade (Migrated from SEC-3083) said:

Unit tests of controllers stopped passing when I upgraded Spring Security from 4.0.0 to 4.0.2.

Controller method:

    @RequestMapping(value = MY_URI, method = RequestMethod.POST)
    @ResponseStatus(value = HttpStatus.CREATED)
    public void postMethod(@AuthenticationPrincipal SecurityUser user) {
        LOG.debug(user.toString());
    }

Unit test:

    MockMvc mockMvc = MockMvcBuilders.standaloneSetup(controller)
            .setCustomArgumentResolvers(new AuthenticationPrincipalArgumentResolver())
            .build();
    SecurityUser user = mock(SecurityUser.class);
    MockHttpServletRequestBuilder request = post(MY_URI)
            .accept(MediaType.APPLICATION_JSON)
            .with(user(user));
    mockMvc.perform(request);

With 4.0.0, there is no issue.
But with 4.0.2, user is not resolved in the controller and user.toString() throws a NullPointerException.

Thanks a lot for your help.

spring-projects-issues commented Aug 20, 2015

Rob Winch said:

Thank you for the report.

The with(user(...)) mechanism is intended to associate the current user with the HttpServletRequest and not the SecurityContextHolder. Since the user is not associated to the SecurityContextHolder the @AuthenticationPrincipal will not be resolved.

The reason it worked before was a side effect of SEC-2935 being broken. Unfortunately, this means that the behavior before was unexpected and not supported.

That said, you can still support your use case with only slightly more effort. If you want to use the with(user(...)) mechanism you need to ensure that the SecurityContextPersistenceFilter is registered with MockMvc. For example:

    MockMvc mockMvc = MockMvcBuilders
            .standaloneSetup(controller)
            .addFilters(new SecurityContextPersistenceFilter())
            .setCustomArgumentResolvers(new AuthenticationPrincipalArgumentResolver())
            .build();

I created SEC-3084 which will document this so it is more clear.
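
The two setups discussed above, side by side as a JUnit 4 test. This is an added example, not code from the thread or from Spring Security itself; it assumes Spring Security 4.0.2 with spring-security-test and spring-test on the classpath, and `WhoAmIController`, the `/whoami` mapping and the `alice` user are hypothetical.

```java
// Added example. Assumes Spring Security 4.0.2, spring-security-test, spring-test, JUnit 4.
// WhoAmIController, "/whoami" and the "alice" user are hypothetical names.
import static org.junit.Assert.assertEquals;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import org.junit.Test;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.test.web.servlet.setup.StandaloneMockMvcBuilder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

public class AuthenticationPrincipalStandaloneTest {
    @RestController
    public static class WhoAmIController {
        @RequestMapping("/whoami")
        public String whoAmI(@AuthenticationPrincipal UserDetails principal) {
            // Report the unresolved case instead of failing with a NullPointerException.
            return principal == null ? "unresolved" : principal.getUsername();
        }
    }

    private final UserDetails alice = new User("alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));

    // Builds MockMvc from the given builder and returns the response body for with(user(alice)).
    private String whoAmI(StandaloneMockMvcBuilder builder) throws Exception {
        return builder
                .setCustomArgumentResolvers(new AuthenticationPrincipalArgumentResolver())
                .build()
                .perform(get("/whoami").with(user(alice)))
                .andReturn().getResponse().getContentAsString();
    }

    @Test
    public void principalIsNotResolvedWithoutTheFilter() throws Exception {
        // Behaviour reported in this thread for 4.0.2: nothing populates SecurityContextHolder.
        assertEquals("unresolved", whoAmI(MockMvcBuilders.standaloneSetup(new WhoAmIController())));
    }

    @Test
    public void principalIsResolvedOnceTheFilterIsRegistered() throws Exception {
        assertEquals("alice", whoAmI(MockMvcBuilders.standaloneSetup(new WhoAmIController())
                .addFilters(new SecurityContextPersistenceFilter())));
    }
}
```

The first test pins down the failure mode so that a controller test cannot pass while the authenticated principal was never resolved.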

spring-projects-issues commented Aug 20, 2015

Rob Winch said:

In light of my previous comments I'm closing this as "works as designed"

spring-projects-issues commented Aug 20, 2015

Jean Noel Delavalade said:

Thanks a lot Rob for the very prompt reply. :)

spring-projects-issues commented Feb 6, 2016

This issue relates to #3061
