Learning Monk

March 14, 2009

How to write testcase for spring security defined by annotations

Filed under: junit, security, spring — Tags: , , , — gnandiga @ 3:04 pm

Creating testcases in spring is very simple. Sometimes it is so simple that, it is never documneted thinking that everybody would just get it. I tried to search for a solution/tutorial/example to create a good testcase for the spring security annotations, and couldnot find any. After reading some the spring security forum, I came to conclusion that I need to document this.

The Big Question: How do you know that a method is called with the right security permissions?

Step 1: Create your test context.

Create a  test-context.xml with the following application context.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-2.5.xsd
        http://www.springframework.org/schema/aop
        http://www.springframework.org/schema/aop/spring-aop-2.5.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <context:annotation-config/>

    <!--Services-->
    <context:component-scan base-package="com.company.name.service" />

    <!--Set method level security, very important to set secured-annotations="enabled"-->
    <global-method-security secured-annotations="enabled" access-decision-manager-ref="accessDecisionManager"/>

    <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions" value="false"/>
<property name="decisionVoters">
	<list>
                <bean class="org.springframework.security.vote.RoleVoter"/>
            </list>
        </property>
    </bean>
</beans>

Step 2: Create your service with the security annotations


public interface MyService
{
    @Secured({"ROLE_USER"})
    public Object securedServiceCall();
}

Step 3: Create your testcase to load the test-context.xml, and test the service.


@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(locations = { "classpath:test-context.xml"})
public class ServiceSecurityAccessTestCase
{
    @Autowired
    private MyService myService;

    @Test
    public void testSimServiceSecured() throws Exception
    {
        GrantedAuthority[] authorities = {new GrantedAuthorityImpl("ROLE_ANONYMOUS")};
        SecurityContextHolder.getContext().setAuthentication(new AnonymousAuthenticationToken("key", "Any Object", authorities));
        try
        {
            myService.securedServiceCall();
            Assert.fail("The service access should not be granted.");
        } catch (AccessDeniedException e)
        {
            //Your Assertions
        }

    }
}

Vola!. You have your test case for the annotaion based security system.

Advertisements

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at WordPress.com.

%d bloggers like this: