这是我的Java配置:
routes.MapRoute(name: "Default",
url: "{lang}/{controller}/{action}/{id}",
defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional }
如您所见,我喜欢人妖
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("Jon")
.password("123456")
.roles("USER")
.and()
.withUser("Bob")
.password("qwer")
.roles("USER", "ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http
.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers(HttpMethod.GET,"/admin/**").access("hasRole('ADMIN')")
.anyRequest().authenticated()
.and()
.httpBasic()
;
}
}
USER
USER
但是,因此,乔恩(Jon)不应享有ADMIN
的肉眼见识,然后我编写跟踪测试
/admin/**
我希望此测试返回未经授权的401,但实际上返回200。
出什么问题了?
SpringSecurityVersion为 ResultMatcher isUnauthorized = MockMvcResultMatchers.status()
.is(401);
String credential = Base64.getEncoder().encodeToString("Jon:123456".getBytes());
MockHttpServletRequestBuilder builder =
MockMvcRequestBuilders.get("/admin/")
.header("Authorization", "Basic " + credential);
mockMvc.perform(builder)
.andDo(MockMvcResultHandlers.print())
.andExpect(isUnauthorized);