    import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
    import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
    import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

    @Test
    public void testGetOrders() throws Exception {
        // A token that carries only the "USER" authority should be refused by the
        // /admin/api/** -> hasRole("ADMIN") rule, i.e. 403 rather than 200.
        mockMvc.perform(get("/admin/api/orders/")
                        .with(jwt().authorities(new SimpleGrantedAuthority("USER"))))
                .andExpect(status().isForbidden());
    }

This test should return status code 403, but it seems that as long as there's some kind of authentication, it will always return 200 regardless of authorities set in the token.

Here's my SecurityConfig:

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(auth -> {
                    // Matchers are evaluated in declaration order and the first match wins,
                    // so the "/api/**" permitAll below also covers "/api/cart/**"; the
                    // hasAnyRole rule for the cart is never reached.
                    auth.requestMatchers("/").permitAll();
                    auth.requestMatchers("/auth/**").permitAll();
                    auth.requestMatchers("/api/**").permitAll();
                    auth.requestMatchers("/api/cart/**").hasAnyRole("ADMIN", "USER");
                    // hasRole("ADMIN") matches the granted authority "ROLE_ADMIN".
                    auth.requestMatchers("/admin/api/**").hasRole("ADMIN");
                    auth.anyRequest().authenticated();
                });

        // Bearer-token (JWT) resource server; the converter decides which
        // claims become granted authorities.
        http.oauth2ResourceServer()
                .jwt()
                .jwtAuthenticationConverter(jwtAuthenticationConverter());
        http.sessionManagement(
                session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        );

        http.cors();

        return http.build();
    }

I tried setting different authorities using SecurityMockMvcRequestPostProcessors.jwt().authorities() but no matter what I set it always returns 200.

Running the test without any sort of authentication returns 401 as expected.

Requests sent with Postman behave as expected.

1 Answer


If your test is returning a 200 status instead of the expected 403, it's likely that your test class is not correctly configured to include the SecurityFilterChain bean.

You need to ensure that your test class is set up to load the full security configuration. Could you verify that your test class is using @SpringBootTest and @AutoConfigureMockMvc to ensure that the full application context, including security configurations, is loaded?

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

// @RunWith(SpringRunner.class) is the JUnit 4 runner; on JUnit 5 @SpringBootTest
// alone registers the SpringExtension. @SpringBootTest loads the full context,
// including the custom SecurityFilterChain bean.
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class YourTestClass {

    @Autowired
    private MockMvc mockMvc;

    @Test
    public void testGetOrders() throws Exception {
        mockMvc.perform(get("/admin/api/orders/")
                        .with(jwt().authorities(new SimpleGrantedAuthority("USER"))))
                .andExpect(status().isForbidden());
    }
}
  • It uses these two annotations: @ExtendWith(SpringExtension.class) @WebMvcTest(AdminController.class) I tried adding @AutoConfigureMockMvc but it does not change anything Commented Jun 6 at 11:01
  • @WebMvcTest is designed to slice out the web layer for testing and does not load the full application context, including custom security configurations. Commented Jun 6 at 14:30
  • Could you please share the structure of your project and the test files? This will help verify if your package structure is set up correctly for Spring Boot's automatic component scanning. Proper package organization is crucial for ensuring that all necessary configurations, including security, are detected and applied. Commented Jun 6 at 14:33
  • it's too long to fit a comment, here it is: pastebin.com/UzUD2V9T Commented Jun 7 at 10:06
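The comments above point at the actual cause: a @WebMvcTest slice does not load the application's SecurityFilterChain bean, so Spring Boot's fallback chain ("any authenticated user may access everything") is what the test exercises, and any token, whatever its authorities, gets 200. The following test class is an added example, not code from the question or the answer. It keeps the web-layer slice but pulls the asker's SecurityConfig into it with @Import, and it assumes that SecurityConfig is the class holding the filterChain bean shown in the question, that AdminController (named in the comments) serves GET /admin/api/orders/, and that no JwtDecoder is configured in the slice, which is why a mock JwtDecoder is registered (jwt() never calls the decoder, but the filter chain refuses to build without one). The third test also shows the ROLE_ prefix that hasRole("ADMIN") expects on the granted authority.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Import;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.web.servlet.MockMvc;

// Added example (not the original poster's code). AdminController and
// SecurityConfig are assumed to be the asker's classes.
// @WebMvcTest alone would test against Spring Boot's default security chain;
// @Import brings the application's own SecurityFilterChain into the slice so the
// /admin/api/** -> hasRole("ADMIN") rule is what gets exercised.
@WebMvcTest(AdminController.class)
@Import(SecurityConfig.class)
class AdminOrdersSecurityTest {

    @Autowired
    private MockMvc mockMvc;

    // Assumption: the slice has no JwtDecoder bean (no issuer-uri / jwk-set-uri
    // property). oauth2ResourceServer().jwt() needs one to build the chain, but
    // jwt() in the tests below injects an already-authenticated token and never
    // calls it, so a mock is sufficient.
    @MockBean
    private JwtDecoder jwtDecoder;

    @Test
    void anonymousRequestIsRejectedWith401() throws Exception {
        // No bearer token at all: the resource server answers 401, not 403.
        mockMvc.perform(get("/admin/api/orders/"))
                .andExpect(status().isUnauthorized());
    }

    @Test
    void userAuthorityIsRejectedWith403() throws Exception {
        // "USER" is a plain authority; hasRole("ADMIN") looks for "ROLE_ADMIN",
        // so this token is authenticated but not authorized.
        mockMvc.perform(get("/admin/api/orders/")
                        .with(jwt().authorities(new SimpleGrantedAuthority("USER"))))
                .andExpect(status().isForbidden());
    }

    @Test
    void adminRoleIsAllowed() throws Exception {
        // Only the prefixed authority satisfies hasRole("ADMIN"). If the real
        // jwtAuthenticationConverter() maps claims without the ROLE_ prefix,
        // production tokens will be refused the same way the USER token is.
        mockMvc.perform(get("/admin/api/orders/")
                        .with(jwt().authorities(new SimpleGrantedAuthority("ROLE_ADMIN"))))
                .andExpect(status().isOk());
    }
}
```

The 401 and 403 cases together are the useful regression check: if someone later drops the @Import, the USER test starts returning 200 again and fails, which is exactly the symptom the question describes. On Spring Boot 3.4 and later, @MockBean is deprecated in favour of @MockitoBean from spring-test; the rest of the class is unchanged.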
