Java 用于Selenium测试的Spring Security@WithMockUser
我刚刚用MockUser发现了新的Spring Security 4测试注释Java 用于Selenium测试的Spring Security@WithMockUser,java,selenium,spring-security,Java,Selenium,Spring Security,我刚刚用MockUser发现了新的Spring Security 4测试注释,但我无法让它用于Selenium测试。 问题是,这个注释创建了一个模拟的SecurityContext,但是由HttpSessionSecurityContextRepository创建了一个新的,因为Selenium基于真实的浏览器运行测试。 我能告诉Spring使用mockSecurityContext作为下一个会话安全上下文吗 谢谢 我找到了在测试类路径中使用新过滤器对模拟用户进行身份验证的方法: @Compon
,但我无法让它用于Selenium测试。
问题是,这个注释创建了一个模拟的SecurityContext
,但是由HttpSessionSecurityContextRepository
创建了一个新的,因为Selenium基于真实的浏览器运行测试。
我能告诉Spring使用mockSecurityContext
作为下一个会话安全上下文吗
谢谢 我找到了在测试类路径中使用新过滤器对模拟用户进行身份验证的方法:
@Component
public class MockUserFilter extends GenericFilterBean {
@Autowired
private UserDetailsService userDetailsService;
private SecurityContext securityContext;
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
if (securityContext != null) {
SecurityContextRepository securityContextRepository = WebTestUtils.getSecurityContextRepository(request);
HttpRequestResponseHolder requestResponseHolder = new HttpRequestResponseHolder(request, response);
securityContextRepository.loadContext(requestResponseHolder);
request = requestResponseHolder.getRequest();
response = requestResponseHolder.getResponse();
securityContextRepository.saveContext(securityContext, request, response);
securityContext = null;
}
chain.doFilter(request, response);
}
public void authenticateNextRequestAs(String username) {
UserDetails principal = userDetailsService.loadUserByUsername(username);
Authentication authentication = new UsernamePasswordAuthenticationToken(principal, principal.getPassword(), principal.getAuthorities());
securityContext = SecurityContextHolder.createEmptyContext();
securityContext.setAuthentication(authentication);
}
}
它的灵感来源于SecurityMockMvcRequestPostProcessors
和with userDetailsSecurityContextFactory
我无法使用带有userdetails的@注释,因为我运行Cucumber测试,但使用此筛选器,我可以在一行中模拟下一个请求的身份验证:testSecurityFilter.authenticateNextRequestAs(“用户名”)代码>我之所以添加此答案,是因为虽然已接受的答案帮助我形成了一个解决方案,但我必须进行一些更改才能使其生效。这个答案也帮助我让它工作:
这是我的MockUserFilter:
@Component("MockUserFilter")
public class MockUserFilter extends GenericFilterBean {
@Autowired
private UserDetailService userDetailService;
private SecurityContext securityContext;
@Autowired
private AuthenticationProvider authenticationProvider;
public void setUserDetailService(UserDetailService userDetailService) {
this.userDetailService = userDetailService;
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest servletRequest = (HttpServletRequest) request;
HttpServletResponse servletResponse = (HttpServletResponse) response;
if (securityContext != null) {
SecurityContextRepository securityContextRepository = WebTestUtils.getSecurityContextRepository(servletRequest);
HttpRequestResponseHolder requestResponseHolder = new HttpRequestResponseHolder(servletRequest, servletResponse);
securityContextRepository.loadContext(requestResponseHolder);
servletRequest = requestResponseHolder.getRequest();
servletResponse = requestResponseHolder.getResponse();
securityContextRepository.saveContext(securityContext, servletRequest, servletResponse);
securityContext = null;
}
chain.doFilter(request, response);
}
public void authenticateNextRequestAs(String username, ServletRequest request) {
UserDetails principal = userDetailService.loadUserByUsername(username);
Authentication authentication = new UsernamePasswordAuthenticationToken(principal, principal.getPassword(), principal.getAuthorities());
securityContext = SecurityContextHolder.createEmptyContext();
securityContext.setAuthentication(authentication);
SecurityContextHolder.getContext().setAuthentication(authentication);
HttpSession session = ((HttpServletRequest) request).getSession(true);
session.setAttribute("SPRING_SECURITY_CONTEXT", securityContext);
}
}
除此之外,我还必须将我的casAuthenticationFilter从过滤器链中移除,以使其正常工作。我使用属性值来启用/禁用此功能
我对Spring和Spring security相对较新,因此欢迎对此解决方案发表任何意见。我不确定这个解决方案是“好”还是“坏”
需要记住的一点是,这是一个用于本地测试或在安全环境中测试的解决方案,而不是您希望在开发环境中使用的解决方案 你有完整的例子吗?