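This is my Spring test; I am testing a secured endpoint that creates a recipe for a given user. What is the correct way to test a secured endpoint? Isn't the @WithMockUser annotation enough? I still get a 401.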
```java
package com.joaogoncalves.recipes.controller;

import com.joaogoncalves.recipes.model.RecipeCreate;
import com.joaogoncalves.testcontainers.EnableTestContainers;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.MethodOrderer;
import org.junit.jupiter.api.Order;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.TestMethodOrder;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.server.LocalServerPort;
import org.springframework.http.HttpStatus;
import org.springframework.security.test.context.support.WithMockUser;

import java.util.List;

import static io.restassured.RestAssured.given;

@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
@EnableTestContainers
@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
public class RecipeControllerIT {

    @LocalServerPort
    private Integer port;

    @BeforeEach
    void setUp() {
        RestAssured.baseURI = "http://localhost:" + port;
    }

    @Test
    @Order(1)
    @WithMockUser
    public void testRecipeCreateOk() {
        final RecipeCreate recipeCreate = new RecipeCreate(
                "tomato soup",
                "tomato soup with anchovies",
                List.of("tomato", "water", "anchovies"),
                List.of("peel the tomatoes", "add water", "boil for 30 minutes", "add the anchovies"),
                "soup"
        );
        given()
                .contentType(ContentType.JSON)
                .body(recipeCreate)
                .when()
                .post("/api/recipe/new")
                .then()
                .statusCode(HttpStatus.OK.value());
    }
}
```
Thanks in advance.
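I'm not sure, because I can't see your security filter chain setup. Let me guess.
Your request is a POST. If CSRF is enabled in your configuration, requests that can change server state (such as POST, PUT, DELETE) need a CSRF token to protect against attacks.
If you don't need CSRF protection, set it up like this in your filter chain configuration. It differs depending on the Spring Security version; for the latest version the code looks like this. If you are using another version, look up how to disable the CSRF configuration for it.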
```java
package com.example.demo.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(
            HttpSecurity httpSecurity
    ) throws Exception {
        // ... other configuration
        httpSecurity.csrf(
                AbstractHttpConfigurer::disable
        );
        return httpSecurity.build();
    }
}
```
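
An added example (not part of the original question or answer) showing one way to test the POST endpoint with CSRF protection left on: MockMvc dispatches the request inside the test JVM, where `@WithMockUser` supplies the user and `csrf()` from spring-security-test supplies the token. Assumptions: the class name is hypothetical, the JSON field names of `RecipeCreate` are guessed from the constructor arguments in the question, and the application accepts the default mock user and keeps CSRF enabled.

```java
import com.joaogoncalves.testcontainers.EnableTestContainers;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical class: MockMvc runs the filter chain in the test JVM, so it sees the @WithMockUser context.
@SpringBootTest
@AutoConfigureMockMvc
@EnableTestContainers
class RecipeControllerMockMvcTest {

    // Constructed sample body (Java 15+ text block); the JSON field names are assumed.
    private static final String BODY = """
            {"name": "tomato soup", "description": "tomato soup with anchovies",
             "ingredients": ["tomato", "water", "anchovies"],
             "steps": ["peel the tomatoes", "add water"], "category": "soup"}
            """;

    @Autowired
    private MockMvc mockMvc;

    @Test
    @WithMockUser
    void createWithMockUserAndCsrfTokenIsOk() throws Exception {
        mockMvc.perform(post("/api/recipe/new")
                        .with(csrf()) // adds a valid CSRF token to the request
                        .contentType(MediaType.APPLICATION_JSON)
                        .content(BODY))
                .andExpect(status().isOk());
    }

    @Test
    @WithMockUser
    void createWithoutCsrfTokenIsForbidden() throws Exception {
        // Assumes CSRF protection is left enabled in the filter chain.
        mockMvc.perform(post("/api/recipe/new")
                        .contentType(MediaType.APPLICATION_JSON)
                        .content(BODY))
                .andExpect(status().isForbidden());
    }
}
```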