Explain Codes LogoExplain Codes Logo

Unit testing with Spring Security

java
unit-testing
spring-security
mocking
Anton ShumikhinbyAnton Shumikhin·Mar 9, 2025
TLDR

Jump into Spring Security unit testing by leveraging @WithMockUser for mock authentication. Use @MockBean for simulating security-specific dependencies like SecurityContextHolder. In MVC tests, MockMvc lends a hand to act out secured endpoints:

@Test
@WithMockUser(roles = "USER")
public void securedEndpointTest() throws Exception {
    mockMvc.perform(get("/secured")).andExpect(status().isOk());
}

In the code above, an authenticated context is established and access to a secured route is verified.

Setting up the test battlefield

When waging war with unit testing in Spring Security, you'd want to concentrate on the trojan horses (authentication process and user permissions), without deploying the entire army (security infrastructure). Suit yourselves with mock security contexts and authentication to portray various scenarios.

Forging the decoys (Custom authentication objects)

Launch a surprise attack, here's a winning strategy:

Authentication authentication = Mockito.mock(Authentication.class); // Our decoy soldier
SecurityContext securityContext = Mockito.mock(SecurityContext.class); // Decoy radio communication
Mockito.when(securityContext.getAuthentication()).thenReturn(authentication); // Covert command execution
SecurityContextHolder.setContext(securityContext); // Send the decoys to battlefield

Pull this off and the permissions, roles, and user identities will be yours to command!

The secret weapon (Advanced scenarios with PowerMock)

Your spies inform of PowerMock's prowess with static methods, constructors, and final class testing:

@RunWith(PowerMockRunner.class)
@PrepareForTest({SecurityContextHolder.class})
public class SomeTestSuite {
    // Your secret battle plans here
}

Use PowerMock to wow your enemies with static methods stunt of SecurityContextHolder.

Spying mission (Integrating custom user details)

Integrating custom user details into the unit testing arena enhances the battle realism. Implement your own UserDetails or use spring's secret weapons (annotations).

Camouflaged spies (Scoped beans)

For intense battles, ponder session-scoped beans to maintain continuous flow of intel:

@Bean
@Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
public CustomUserDetails getUserDetails() {
    return new CustomUserDetails(); // Your undercover agent
}

Ingeniously infiltrate these into your unit tests for discreet integration with Spring's authentication services.

Secret codes (Taking advantage of Spring's annotations)

Spring Security 4.0+ introduced secret codes (annotations) to aid your mission:

  • @WithMockUser acts as the disguise, with a mock UserDetails.
  • @WithUserDetails further enhances the disguise with specific agents' data.

Deploy them for strategic role-based or user-specific operations.

Kung Fu with integration tests (Tackling integration tests)

Practice your Kung Fu with Testcontainers and JUnit for integration tests:

@Testcontainers
public class SecurityIntegrationTest {

    @Container
    private PostgreSQLContainer<?> postgreSQLContainer = new PostgreSQLContainer<>(); // The sparring partner 

    // The rest of your Kung Fu moves here
}

Containers ensure a real dojo for full stack training - a perfect fusion of fatality moves. 🧪

The Konami code (Dealing with Spring IoC)

Inversion of Control (IoC) is like the ultimate cheat code. It decouples class dependencies allowing easier replacement during testing. Exploit the Spring IoC container to manage these dependencies and stealthily inject mock objects.

Super Mario level mechanics (Writing value-driven tests)

Just like Mario's respect for the flagpole, give priority to scenario coverage over just hitting code blocks. Aim for asserting security invariants, covering Koopa Troopa edge cases, and validating the overall castle security of your kingdom.

explain-codes / Java / Unit testing with Spring Security
Linked

When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?

Difference Between @Mock and @InjectMocks

How to verify a method of a non-mock object is called?

Mocking member variables of a class using Mockito

Mockito: InvalidUseOfMatchersException

Can Mockito capture arguments of a method called multiple times?

How to capture a list of specific type with mockito

Setting up the test battlefieldSpying mission (Integrating custom user details)Secret codes (Taking advantage of Spring's annotations)Kung Fu with integration tests (Tackling integration tests)The Konami code (Dealing with Spring IoC)Super Mario level mechanics (Writing value-driven tests)
Linked

When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?

Difference Between @Mock and @InjectMocks

How to verify a method of a non-mock object is called?

Mocking member variables of a class using Mockito

Mockito: InvalidUseOfMatchersException

Can Mockito capture arguments of a method called multiple times?

How to capture a list of specific type with mockito