GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Spring Security
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14885 Commits
61 Branches
359 Tags
120 MiB
 
 
 
 
Tree: fd1db06efd
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'fd1db06efd'
${ noResults }
spring-security/docs/modules/ROOT/pages/servlet/test/mockmvc/result-matchers.adoc

174 lines
3.5 KiB
Raw Blame History

= SecurityMockMvcResultMatchers
At times it is desirable to make various security related assertions about a request.
To accommodate this need, Spring Security Test support implements Spring MVC Test's `ResultMatcher` interface.
In order to use Spring Security's `ResultMatcher` implementations ensure the following static import is used:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.*;
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.*
----
======
== Unauthenticated Assertion
At times it may be valuable to assert that there is no authenticated user associated with the result of a `MockMvc` invocation.
For example, you might want to test submitting an invalid username and password and verify that no user is authenticated.
You can easily do this with Spring Security's testing support using something like the following:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
mvc
.perform(formLogin().password("invalid"))
.andExpect(unauthenticated());
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
mvc
.perform(formLogin().password("invalid"))
.andExpect { unauthenticated() }
----
======
== Authenticated Assertion
It is often times that we must assert that an authenticated user exists.
For example, we may want to verify that we authenticated successfully.
We could verify that a form based login was successful with the following snippet of code:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
mvc
.perform(formLogin())
.andExpect(authenticated());
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
mvc
.perform(formLogin())
.andExpect { authenticated() }
----
======
If we wanted to assert the roles of the user, we could refine our previous code as shown below:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
mvc
.perform(formLogin().user("admin"))
.andExpect(authenticated().withRoles("USER","ADMIN"));
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
mvc
.perform(formLogin())
.andExpect { authenticated().withRoles("USER","ADMIN") }
----
======
Alternatively, we could verify the username:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
mvc
.perform(formLogin().user("admin"))
.andExpect(authenticated().withUsername("admin"));
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
mvc
.perform(formLogin().user("admin"))
.andExpect { authenticated().withUsername("admin") }
----
======
We can also combine the assertions:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
mvc
.perform(formLogin().user("admin"))
.andExpect(authenticated().withUsername("admin").withRoles("USER", "ADMIN"));
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
mvc
.perform(formLogin().user("admin"))
.andExpect { authenticated().withUsername("admin").withRoles("USER", "ADMIN") }
----
======
We can also make arbitrary assertions on the authentication
[tabs]
======
Java::
+
[source,java,role="primary"]
----
mvc
.perform(formLogin())
.andExpect(authenticated().withAuthentication(auth ->
assertThat(auth).isInstanceOf(UsernamePasswordAuthenticationToken.class)));
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
mvc
.perform(formLogin())
.andExpect {
authenticated().withAuthentication { auth ->
assertThat(auth).isInstanceOf(UsernamePasswordAuthenticationToken::class.java) }
}
}
----
======