测试方法安全性,如何测试@PreAuthorize(“#user.id!= authentication.principal.id”)?

时间:2019-05-23 11:05:43

标签: angular spring-boot junit spring-security spring-framework-beans

我正在尝试在名为update的UserController中测试一个如下所示的方法:

@RequestMapping(path = "/update", method = RequestMethod.PUT)
@PreAuthorize("#user.id != authentication.principal.id")
public ResponseEntity<User> update(@RequestBody final User user) {
    return new ResponseEntity<>(userService.saveElement(user), HttpStatus.OK);
}

但是我似乎无法在测试中访问id(“#user.id!= authentication.principal.id”)

当我删除@PreAuthorize(“#user.id!= authentication.principal.id”)时 测试是绿色的。 我尝试添加

    @Test
    @WithMockUser(roles = {"ADMIN"}, id={"1"})
    ...
    }

或其他修饰符,但无效

UserController.java

@Controller
@RequestMapping(API_PATH)
public class UserController {

    public static final String API_PATH = "/api/user";
    private final UserService userService;

    @Autowired
    public UserController(final UserService userService) {
        this.userService = userService;
    }

    @RequestMapping(path = "/update", method = RequestMethod.PUT)
    @PreAuthorize("#user.id != authentication.principal.id")
    public ResponseEntity<User> update(@RequestBody final User user) {
        return new ResponseEntity<>(userService.saveElement(user), HttpStatus.OK);
    }
}

UserControllerTest.java

@ExtendWith(SpringExtension.class)
@SpringBootTest
@ContextConfiguration(classes = {TestContextConfiguration.class})
@WebAppConfiguration
class UserControllerTest {

    private MockMvc mvc;

    @Autowired
    private WebApplicationContext context;

    @MockBean
    private UserService userServiceMock;

    @BeforeEach
    void initTest() {
        MockitoAnnotations.initMocks(this);
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test
    @WithMockUser(roles = {"ADMIN"})
    void update() throws Exception {
        final String apiPath = UserController.API_PATH + "/update";
        final User user = new User();
        final String userAsJsonString = TestUtils.getObjectAsJsonString(user);

        mvc.perform(put(apiPath).contentType(MediaType.APPLICATION_JSON).content(userAsJsonString)).andExpect(status().isOk());

        Mockito.verify(userServiceMock).saveElement(ArgumentMatchers.any(User.class));
    }
}

1 个答案:

答案 0 :(得分:0)

在朋友的帮助下,问题得以解决。

一个问题是我试图用一个测试测试2个案例,而我提供的用户的testMethod为空。

这是我的解决方法:

    @Test
@WithMockUser(roles = {"ADMIN"})
void updateOwnAccount() throws Exception {

    final User user = TestUtils.createUser();
    user.setId(17);

    final UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    SecurityContextHolder.getContext().setAuthentication(authentication);

    mvc.perform(put(UserController.API_PATH + "/update").contentType(MediaType.APPLICATION_JSON).content(TestUtils.getObjectAsJsonString(user))).andExpect(
            status().isInternalServerError());
}

@Test
@WithMockUser(roles = {"ADMIN"})
void updateAnotherAccount() throws Exception {

    final User userToChange = TestUtils.createUser();
    userToChange.setId(17);
    final User userToLogin = TestUtils.createUser();
    userToLogin.setId(18);

    final UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userToLogin, null, userToLogin.getAuthorities());
    SecurityContextHolder.getContext().setAuthentication(authentication);

    mvc.perform(put(UserController.API_PATH + "/update").contentType(MediaType.APPLICATION_JSON).content(TestUtils.getObjectAsJsonString(userToChange)))
            .andExpect(status().isOk());

    Mockito.verify(userServiceMock).saveElement(ArgumentMatchers.any(User.class));
}