JUnit如何测试@PreAuthorize批注及其由spring MVC控制器指定的spring EL?
问题内容:
我已经在Spring MVC Controller中定义了此方法:
@RequestMapping(value = "{id}/content", method=RequestMethod.POST)
@PreAuthorize("principal.user.userAccount instanceof T(com.anonym.model.identity.PedagoAccount) AND principal.user.userAccount.userId == #object.pedago.userId AND #form.id == #object.id")
public String modifyContent(@PathVariable("id") Project object, @Valid @ModelAttribute("form") ProjectContentForm form) {
....
}
然后,在我的JUnit测试中,我想调用此方法并确保验证了PreAuthorize条件。但是,当我在JUnit测试中使用错误帐户设置用户主体时,没有错误,并且该方法完成了。似乎注释已被绕过。
但是,当我以正常方式(不进行测试)调用此方法时,会验证PreAuthorize。
如果可能的话,如何在junit测试中测试此批注以及如何在抛出异常时捕获异常?
谢谢,
尼古拉斯
问题答案:
由于您要测试通过Spring AOP实现的功能,因此需要使用Spring
TestContext
框架针对应用程序上下文运行测试。
然后,使用最少的安全性配置创建基本测试:
abstract-security-test.xml:
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref = "userService" />
</security:authentication-manager>
<security:global-method-security pre-post-annotations="enabled" />
<bean id = "userService" class = "..." />
AbstractSecurityTest.java:
@ContextConfiguration("abstract-security-test.xml")
abstract public class AbstractSecurityTest {
@Autowired
private AuthenticationManager am;
@After
public void clear() {
SecurityContextHolder.clearContext();
}
protected void login(String name, String password) {
Authentication auth = new UsernamePasswordAuthenticationToken(name, password);
SecurityContextHolder.getContext().setAuthentication(am.authenticate(auth));
}
}
现在,您可以在测试中使用它:
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(...)
public class CreatePostControllerSecurityTest extends AbstractSecurityTest {
...
@Test
@ExpectedException(AuthenticationCredentialsNotFoundException.class)
public void testNoAuth() {
controller.modifyContent(...);
}
@Test
@ExpectedException(AccessDeniedException.class)
public void testAccessDenied() {
login("userWithoutAccessRight", "...");
controller.modifyContent(...);
}
@Test
public void testAuthOK() {
login("userWithAccessRight", "...");
controller.modifyContent(...);
}
}
