    @Test
    public void testGetOrders() throws Exception {
        mockMvc.perform(get("/admin/api/orders/")
                .with(jwt().authorities(new SimpleGrantedAuthority("USER"))))
            .andExpect(status().isForbidden());
    }
This test should return status code 403, but it seems that as long as there's some kind of authentication, it will always return 200 regardless of authorities set in the token.
Here's my SecurityConfig:
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(auth -> {
                auth.requestMatchers("/").permitAll();
                auth.requestMatchers("/auth/**").permitAll();
                auth.requestMatchers("/api/**").permitAll();
                auth.requestMatchers("/api/cart/**").hasAnyRole("ADMIN", "USER");
                auth.requestMatchers("/admin/api/**").hasRole("ADMIN");
                auth.anyRequest().authenticated();
            });
        http.oauth2ResourceServer()
            .jwt()
            .jwtAuthenticationConverter(jwtAuthenticationConverter());
        http.sessionManagement(
            session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        );
        http.cors();
        return http.build();
    }
I tried setting different authorities using SecurityMockMvcRequestPostProcessors.jwt().authorities()
but no matter what I set it always returns 200.
Running the test without any sort of authentication returns 401 as expected.
Requests sent with Postman behave as expected.
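As an added example (not the poster's code), a slice test that imports the posted SecurityConfig explicitly and checks its authorization rules in both directions. It assumes the test is a @WebMvcTest slice, that OrderController (GET /admin/api/orders/) and CartController (GET /api/cart/items) are hypothetical controllers in the same package as SecurityConfig, and that the resource-server setup in SecurityConfig needs a JwtDecoder bean, which is mocked here. Two points the checks rely on: hasRole("ADMIN") matches the authority "ROLE_ADMIN", not "ADMIN", and request matchers are evaluated in declaration order, so the earlier "/api/**" permitAll shadows the "/api/cart/**" rule.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Import;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.web.servlet.MockMvc;

// A @WebMvcTest slice loads controllers, not @Configuration classes. Without the @Import
// below, Spring Boot's default chain runs instead, which only requires *some* authentication.
@WebMvcTest(controllers = {OrderController.class, CartController.class}) // hypothetical controllers
@Import(SecurityConfig.class)
class OrderAuthorizationTest {

    @Autowired
    private MockMvc mockMvc;

    // oauth2ResourceServer().jwt() needs a JwtDecoder bean; jwt() below never decodes a token
    @MockBean
    private JwtDecoder jwtDecoder;

    @Test
    void userAuthorityIsRejectedOnAdminApi() throws Exception {
        // hasRole("ADMIN") looks for "ROLE_ADMIN"; a bare "USER" authority must be refused
        mockMvc.perform(get("/admin/api/orders/")
                .with(jwt().authorities(new SimpleGrantedAuthority("USER"))))
            .andExpect(status().isForbidden());
    }

    @Test
    void roleAdminAuthorityIsAcceptedOnAdminApi() throws Exception {
        mockMvc.perform(get("/admin/api/orders/")
                .with(jwt().authorities(new SimpleGrantedAuthority("ROLE_ADMIN"))))
            .andExpect(status().isOk());
    }

    @Test
    void cartRuleIsShadowedByEarlierPermitAll() throws Exception {
        // With the posted config an anonymous caller reaches /api/cart because "/api/**" permitAll
        // is declared first; once "/api/cart/**" is moved above it, this should become a 401.
        mockMvc.perform(get("/api/cart/items"))
            .andExpect(status().isOk());
    }
}
```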