Package org.springframework.security.test.web.servlet.request

Class SecurityMockMvcRequestPostProcessors

java.lang.Object

org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors

public final class SecurityMockMvcRequestPostProcessors
extends Object

Contains MockMvc RequestPostProcessor implementations for Spring Security.

Since:

4.0

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static final class	SecurityMockMvcRequestPostProcessors.CsrfRequestPostProcessor	Populates a valid CsrfToken into the request.
static class	SecurityMockMvcRequestPostProcessors.DigestRequestPostProcessor
static final class	SecurityMockMvcRequestPostProcessors.JwtRequestPostProcessor
static final class	SecurityMockMvcRequestPostProcessors.OAuth2ClientRequestPostProcessor
static final class	SecurityMockMvcRequestPostProcessors.OAuth2LoginRequestPostProcessor
static final class	SecurityMockMvcRequestPostProcessors.OidcLoginRequestPostProcessor
static final class	SecurityMockMvcRequestPostProcessors.OpaqueTokenRequestPostProcessor
static final class	SecurityMockMvcRequestPostProcessors.UserRequestPostProcessor	Creates a UsernamePasswordAuthenticationToken and sets the principal to be a User and associates it to the MockHttpServletRequest.

Method Summary

Modifier and Type	Method	Description
static org.springframework.test.web.servlet.request.RequestPostProcessor	anonymous()	Establish a SecurityContext that uses an AnonymousAuthenticationToken.
static org.springframework.test.web.servlet.request.RequestPostProcessor	authentication(Authentication authentication)	Establish a SecurityContext that uses the specified Authentication for the Authentication.getPrincipal() and a custom UserDetails.
static SecurityMockMvcRequestPostProcessors.CsrfRequestPostProcessor	csrf()	Creates a RequestPostProcessor that will automatically populate a valid CsrfToken in the request.
static SecurityMockMvcRequestPostProcessors.DigestRequestPostProcessor	digest()	Creates a DigestRequestPostProcessor that enables easily adding digest based authentication to a request.
static SecurityMockMvcRequestPostProcessors.DigestRequestPostProcessor	digest(String username)	Creates a DigestRequestPostProcessor that enables easily adding digest based authentication to a request.
static org.springframework.test.web.servlet.request.RequestPostProcessor	httpBasic(String username, String password)	Convenience mechanism for setting the Authorization header to use HTTP Basic with the given username and password.
static SecurityMockMvcRequestPostProcessors.JwtRequestPostProcessor	jwt()	Establish a SecurityContext that has a JwtAuthenticationToken for the Authentication and a Jwt for the Authentication.getPrincipal().
static SecurityMockMvcRequestPostProcessors.OAuth2ClientRequestPostProcessor	oauth2Client()	Establish an OAuth2AuthorizedClient in the session.
static SecurityMockMvcRequestPostProcessors.OAuth2ClientRequestPostProcessor	oauth2Client(String registrationId)	Establish an OAuth2AuthorizedClient in the session.
static SecurityMockMvcRequestPostProcessors.OAuth2LoginRequestPostProcessor	oauth2Login()	Establish a SecurityContext that has a OAuth2AuthenticationToken for the Authentication, a OAuth2User as the principal, and a OAuth2AuthorizedClient in the session.
static SecurityMockMvcRequestPostProcessors.OidcLoginRequestPostProcessor	oidcLogin()	Establish a SecurityContext that has a OAuth2AuthenticationToken for the Authentication, a OidcUser as the principal, and a OAuth2AuthorizedClient in the session.
static SecurityMockMvcRequestPostProcessors.OpaqueTokenRequestPostProcessor	opaqueToken()	Establish a SecurityContext that has a BearerTokenAuthentication for the Authentication and a OAuth2AuthenticatedPrincipal for the Authentication.getPrincipal().
static org.springframework.test.web.servlet.request.RequestPostProcessor	securityContext(SecurityContext securityContext)	Establish the specified SecurityContext to be used.
static org.springframework.test.web.servlet.request.RequestPostProcessor	testSecurityContext()	Creates a RequestPostProcessor that can be used to ensure that the resulting request is ran with the user in the TestSecurityContextHolder.
static SecurityMockMvcRequestPostProcessors.UserRequestPostProcessor	user(String username)	Establish a SecurityContext that has a UsernamePasswordAuthenticationToken for the Authentication.getPrincipal() and a User for the UsernamePasswordAuthenticationToken.getPrincipal().
static org.springframework.test.web.servlet.request.RequestPostProcessor	user(UserDetails user)	Establish a SecurityContext that has a UsernamePasswordAuthenticationToken for the Authentication.getPrincipal() and a custom UserDetails for the UsernamePasswordAuthenticationToken.getPrincipal().
static org.springframework.test.web.servlet.request.RequestPostProcessor	x509(String resourceName)	Finds an X509Cetificate using a resoureName and populates it on the request.
static org.springframework.test.web.servlet.request.RequestPostProcessor	x509(X509Certificate... certificates)	Populates the provided X509Certificate instances on the request.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

digest

public static SecurityMockMvcRequestPostProcessors.DigestRequestPostProcessor digest()

Creates a DigestRequestPostProcessor that enables easily adding digest based authentication to a request.

Returns:

the DigestRequestPostProcessor to use

digest

public static SecurityMockMvcRequestPostProcessors.DigestRequestPostProcessor digest(String username)

Creates a DigestRequestPostProcessor that enables easily adding digest based authentication to a request.

Parameters:

username - the username to use

Returns:

the DigestRequestPostProcessor to use

x509

public static org.springframework.test.web.servlet.request.RequestPostProcessor x509(X509Certificate... certificates)

Populates the provided X509Certificate instances on the request.

Parameters:

certificates - the X509Certificate instances to pouplate

Returns:

the RequestPostProcessor to use.

x509

public static org.springframework.test.web.servlet.request.RequestPostProcessor x509(String resourceName)
                                                                              throws IOException,
CertificateException

Finds an X509Cetificate using a resoureName and populates it on the request.

Parameters:

resourceName - the name of the X509Certificate resource

Returns:

the RequestPostProcessor to use.

Throws:

IOException

CertificateException

csrf

public static SecurityMockMvcRequestPostProcessors.CsrfRequestPostProcessor csrf()

Creates a RequestPostProcessor that will automatically populate a valid CsrfToken in the request.

Returns:

the SecurityMockMvcRequestPostProcessors.CsrfRequestPostProcessor for further customizations.

testSecurityContext

public static org.springframework.test.web.servlet.request.RequestPostProcessor testSecurityContext()

Creates a RequestPostProcessor that can be used to ensure that the resulting request is ran with the user in the TestSecurityContextHolder.

Returns:

the RequestPostProcessor to use

user

public static SecurityMockMvcRequestPostProcessors.UserRequestPostProcessor user(String username)

Establish a SecurityContext that has a UsernamePasswordAuthenticationToken for the Authentication.getPrincipal() and a User for the UsernamePasswordAuthenticationToken.getPrincipal(). All details are declarative and do not require that the user actually exists.

The support works by associating the user to the HttpServletRequest. To associate the request to the SecurityContextHolder you need to ensure that the SecurityContextPersistenceFilter is associated with the MockMvc instance. A few ways to do this are:

• Invoking apply SecurityMockMvcConfigurers.springSecurity()
• Adding Spring Security's FilterChainProxy to MockMvc
• Manually adding SecurityContextPersistenceFilter to the MockMvc instance may make sense when using MockMvcBuilders standaloneSetup

Parameters:

username - the username to populate

Returns:

the SecurityMockMvcRequestPostProcessors.UserRequestPostProcessor for additional customization

user

public static org.springframework.test.web.servlet.request.RequestPostProcessor user(UserDetails user)

Establish a SecurityContext that has a UsernamePasswordAuthenticationToken for the Authentication.getPrincipal() and a custom UserDetails for the UsernamePasswordAuthenticationToken.getPrincipal(). All details are declarative and do not require that the user actually exists.

The support works by associating the user to the HttpServletRequest. To associate the request to the SecurityContextHolder you need to ensure that the SecurityContextPersistenceFilter is associated with the MockMvc instance. A few ways to do this are:

• Invoking apply SecurityMockMvcConfigurers.springSecurity()
• Adding Spring Security's FilterChainProxy to MockMvc
• Manually adding SecurityContextPersistenceFilter to the MockMvc instance may make sense when using MockMvcBuilders standaloneSetup

Parameters:

user - the UserDetails to populate

Returns:

the RequestPostProcessor to use

jwt

public static SecurityMockMvcRequestPostProcessors.JwtRequestPostProcessor jwt()

Establish a SecurityContext that has a JwtAuthenticationToken for the Authentication and a Jwt for the Authentication.getPrincipal(). All details are declarative and do not require the JWT to be valid.

The support works by associating the authentication to the HttpServletRequest. To associate the request to the SecurityContextHolder you need to ensure that the SecurityContextPersistenceFilter is associated with the MockMvc instance. A few ways to do this are:

• Invoking apply SecurityMockMvcConfigurers.springSecurity()
• Adding Spring Security's FilterChainProxy to MockMvc
• Manually adding SecurityContextPersistenceFilter to the MockMvc instance may make sense when using MockMvcBuilders standaloneSetup

Returns:

the SecurityMockMvcRequestPostProcessors.JwtRequestPostProcessor for additional customization

opaqueToken

public static SecurityMockMvcRequestPostProcessors.OpaqueTokenRequestPostProcessor opaqueToken()

Establish a SecurityContext that has a BearerTokenAuthentication for the Authentication and a OAuth2AuthenticatedPrincipal for the Authentication.getPrincipal(). All details are declarative and do not require the token to be valid

The support works by associating the authentication to the HttpServletRequest. To associate the request to the SecurityContextHolder you need to ensure that the SecurityContextPersistenceFilter is associated with the MockMvc instance. A few ways to do this are:

• Invoking apply SecurityMockMvcConfigurers.springSecurity()
• Adding Spring Security's FilterChainProxy to MockMvc
• Manually adding SecurityContextPersistenceFilter to the MockMvc instance may make sense when using MockMvcBuilders standaloneSetup

Returns:

the SecurityMockMvcRequestPostProcessors.OpaqueTokenRequestPostProcessor for additional customization

Since:

5.3

authentication

public static org.springframework.test.web.servlet.request.RequestPostProcessor authentication(Authentication authentication)

Establish a SecurityContext that uses the specified Authentication for the Authentication.getPrincipal() and a custom UserDetails. All details are declarative and do not require that the user actually exists.

The support works by associating the user to the HttpServletRequest. To associate the request to the SecurityContextHolder you need to ensure that the SecurityContextPersistenceFilter is associated with the MockMvc instance. A few ways to do this are:

• Invoking apply SecurityMockMvcConfigurers.springSecurity()
• Adding Spring Security's FilterChainProxy to MockMvc
• Manually adding SecurityContextPersistenceFilter to the MockMvc instance may make sense when using MockMvcBuilders standaloneSetup

Parameters:

authentication - the Authentication to populate

Returns:

the RequestPostProcessor to use

anonymous

public static org.springframework.test.web.servlet.request.RequestPostProcessor anonymous()

Establish a SecurityContext that uses an AnonymousAuthenticationToken. This is useful when a user wants to run a majority of tests as a specific user and wishes to override a few methods to be anonymous. For example:

 
 public class SecurityTests {
     @Before
     public void setup() {
         mockMvc = MockMvcBuilders
             .webAppContextSetup(context)
             .defaultRequest(get("/").with(user("user")))
             .build();
     }

     @Test
     public void anonymous() {
         mockMvc.perform(get("anonymous").with(anonymous()));
     }
     // ... lots of tests ran with a default user ...
 }
  

Returns:

the RequestPostProcessor to use

securityContext

public static org.springframework.test.web.servlet.request.RequestPostProcessor securityContext(SecurityContext securityContext)

Establish the specified SecurityContext to be used.

This works by associating the user to the HttpServletRequest. To associate the request to the SecurityContextHolder you need to ensure that the SecurityContextPersistenceFilter (i.e. Spring Security's FilterChainProxy will typically do this) is associated with the MockMvc instance.

httpBasic

public static org.springframework.test.web.servlet.request.RequestPostProcessor httpBasic(String username,
 String password)

Convenience mechanism for setting the Authorization header to use HTTP Basic with the given username and password. This method will automatically perform the necessary Base64 encoding.

Parameters:

username - the username to include in the Authorization header.

password - the password to include in the Authorization header.

Returns:

the RequestPostProcessor to use

oauth2Login

public static SecurityMockMvcRequestPostProcessors.OAuth2LoginRequestPostProcessor oauth2Login()

Establish a SecurityContext that has a OAuth2AuthenticationToken for the Authentication, a OAuth2User as the principal, and a OAuth2AuthorizedClient in the session. All details are declarative and do not require associated tokens to be valid.

The support works by associating the authentication to the HttpServletRequest. To associate the request to the SecurityContextHolder you need to ensure that the SecurityContextPersistenceFilter is associated with the MockMvc instance. A few ways to do this are:

• Invoking apply SecurityMockMvcConfigurers.springSecurity()
• Adding Spring Security's FilterChainProxy to MockMvc
• Manually adding SecurityContextPersistenceFilter to the MockMvc instance may make sense when using MockMvcBuilders standaloneSetup

Returns:

the SecurityMockMvcRequestPostProcessors.OidcLoginRequestPostProcessor for additional customization

Since:

5.3

oidcLogin

public static SecurityMockMvcRequestPostProcessors.OidcLoginRequestPostProcessor oidcLogin()

Establish a SecurityContext that has a OAuth2AuthenticationToken for the Authentication, a OidcUser as the principal, and a OAuth2AuthorizedClient in the session. All details are declarative and do not require associated tokens to be valid.

The support works by associating the authentication to the HttpServletRequest. To associate the request to the SecurityContextHolder you need to ensure that the SecurityContextPersistenceFilter is associated with the MockMvc instance. A few ways to do this are:

• Invoking apply SecurityMockMvcConfigurers.springSecurity()
• Adding Spring Security's FilterChainProxy to MockMvc
• Manually adding SecurityContextPersistenceFilter to the MockMvc instance may make sense when using MockMvcBuilders standaloneSetup

Returns:

the SecurityMockMvcRequestPostProcessors.OidcLoginRequestPostProcessor for additional customization

Since:

5.3

oauth2Client

public static SecurityMockMvcRequestPostProcessors.OAuth2ClientRequestPostProcessor oauth2Client()

Establish an OAuth2AuthorizedClient in the session. All details are declarative and do not require associated tokens to be valid.

The support works by associating the authorized client to the HttpServletRequest using an OAuth2AuthorizedClientRepository

Returns:

the SecurityMockMvcRequestPostProcessors.OAuth2ClientRequestPostProcessor for additional customization

Since:

5.3

oauth2Client

public static SecurityMockMvcRequestPostProcessors.OAuth2ClientRequestPostProcessor oauth2Client(String registrationId)

Establish an OAuth2AuthorizedClient in the session. All details are declarative and do not require associated tokens to be valid.

The support works by associating the authorized client to the HttpServletRequest using an OAuth2AuthorizedClientRepository

Parameters:

registrationId - The registration id for the OAuth2AuthorizedClient

Returns:

the SecurityMockMvcRequestPostProcessors.OAuth2ClientRequestPostProcessor for additional customization

Since:

5.3