From 30aff2259ec43d8baded6d8a6f36519910a97b85 Mon Sep 17 00:00:00 2001 From: djmil Date: Sun, 23 Jul 2023 15:20:46 +0200 Subject: [PATCH] SpringSecurity: testing basic authentication - add autentication chain rule - create test user - add auth data to test requests --- .../java/djmil/cashcard/SecurityConfig.java | 18 +++++++ .../cashcard/CashcardApplicationTests.java | 48 +++++++++++++++---- 2 files changed, 57 insertions(+), 9 deletions(-) diff --git a/src/main/java/djmil/cashcard/SecurityConfig.java b/src/main/java/djmil/cashcard/SecurityConfig.java index eac111c..ec6c028 100644 --- a/src/main/java/djmil/cashcard/SecurityConfig.java +++ b/src/main/java/djmil/cashcard/SecurityConfig.java @@ -16,6 +16,13 @@ public class SecurityConfig { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + http.authorizeHttpRequests() + .requestMatchers("/cashcards/**") + .authenticated() + .and() + .csrf().disable() + .httpBasic(); + return http.build(); } @@ -23,4 +30,15 @@ public class SecurityConfig { public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } + + @Bean + public UserDetailsService testOnlyUsers(PasswordEncoder passwordEncoder) { + User.UserBuilder users = User.builder(); + UserDetails sarah = users + .username("sarah1") + .password(passwordEncoder.encode("abc123")) + .roles() // No roles for now + .build(); + return new InMemoryUserDetailsManager(sarah); + } } \ No newline at end of file diff --git a/src/test/java/djmil/cashcard/CashcardApplicationTests.java b/src/test/java/djmil/cashcard/CashcardApplicationTests.java index e158cc0..8a004a2 100644 --- a/src/test/java/djmil/cashcard/CashcardApplicationTests.java +++ b/src/test/java/djmil/cashcard/CashcardApplicationTests.java @@ -31,7 +31,9 @@ class CashcardApplicationTests { @Test void shouldReturnACashCardWhenDataIsSaved() { - ResponseEntity response = restTemplate.getForEntity("/cashcards/99", String.class); + ResponseEntity response = restTemplate + .withBasicAuth("sarah1", "abc123") + .getForEntity("/cashcards/99", String.class); assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK); @@ -46,7 +48,9 @@ class CashcardApplicationTests { @Test void shouldNotReturnACashCardWithAnUnknownId() { - ResponseEntity response = restTemplate.getForEntity("/cashcards/1000", String.class); + ResponseEntity response = restTemplate + .withBasicAuth("sarah1", "abc123") + .getForEntity("/cashcards/1000", String.class); assertThat(response.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND); assertThat(response.getBody()).isBlank(); @@ -56,15 +60,20 @@ class CashcardApplicationTests { @DirtiesContext void shouldCreateANewCashCard() { CashCard newCashCard = new CashCard(null, 250.00, "sarah1"); - ResponseEntity createResponse = restTemplate.postForEntity("/cashcards", newCashCard, Void.class ); + ResponseEntity createResponse = restTemplate + .withBasicAuth("sarah1", "abc123") + .postForEntity("/cashcards", newCashCard, Void.class ); assertThat(createResponse.getStatusCode()).isEqualTo(HttpStatus.CREATED); + + // Validate created CashCard URI locationOfNewCashCard = createResponse.getHeaders().getLocation(); - ResponseEntity getResponse = restTemplate.getForEntity(locationOfNewCashCard, String.class); + ResponseEntity getResponse = restTemplate + .withBasicAuth("sarah1", "abc123") + .getForEntity(locationOfNewCashCard, String.class); assertThat(getResponse.getStatusCode()).isEqualTo(HttpStatus.OK); - // Validate created CashCard JSON DocumentContext documentContext = JsonPath.parse(getResponse.getBody()); Number id = documentContext.read("$.id"); Double amount = documentContext.read("$.amount"); @@ -75,7 +84,9 @@ class CashcardApplicationTests { @Test void shouldReturnAllCashCardsWhenListIsRequested() { - ResponseEntity response = restTemplate.getForEntity("/cashcards", String.class); + ResponseEntity response = restTemplate + .withBasicAuth("sarah1", "abc123") + .getForEntity("/cashcards", String.class); assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK); DocumentContext documentContext = JsonPath.parse(response.getBody()); @@ -91,7 +102,9 @@ class CashcardApplicationTests { @Test void shouldReturnAPageOfCashCards() { - ResponseEntity response = restTemplate.getForEntity("/cashcards?page=0&size=1", String.class); + ResponseEntity response = restTemplate + .withBasicAuth("sarah1", "abc123") + .getForEntity("/cashcards?page=0&size=1", String.class); assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK); DocumentContext documentContext = JsonPath.parse(response.getBody()); @@ -101,7 +114,9 @@ class CashcardApplicationTests { @Test void shouldReturnASortedPageOfCashCards() { - ResponseEntity response = restTemplate.getForEntity("/cashcards?page=0&size=1&sort=amount,desc", String.class); + ResponseEntity response = restTemplate + .withBasicAuth("sarah1", "abc123") + .getForEntity("/cashcards?page=0&size=1&sort=amount,desc", String.class); assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK); DocumentContext documentContext = JsonPath.parse(response.getBody()); @@ -114,7 +129,9 @@ class CashcardApplicationTests { @Test void shouldReturnASortedPageOfCashCardsWithNoParametersAndUseDefaultValues() { - ResponseEntity response = restTemplate.getForEntity("/cashcards", String.class); + ResponseEntity response = restTemplate + .withBasicAuth("sarah1", "abc123") + .getForEntity("/cashcards", String.class); assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK); DocumentContext documentContext = JsonPath.parse(response.getBody()); @@ -124,4 +141,17 @@ class CashcardApplicationTests { JSONArray amounts = documentContext.read("$..amount"); assertThat(amounts).containsExactly(1.00, 123.45, 150.00); } + + @Test + void shouldNotReturnACashCardWhenUsingBadCredentials() { + ResponseEntity response = restTemplate + .withBasicAuth("BAD-USER", "abc123") + .getForEntity("/cashcards/99", String.class); + assertThat(response.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED); + + response = restTemplate + .withBasicAuth("sarah1", "BAD-PASSWORD") + .getForEntity("/cashcards/99", String.class); + assertThat(response.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED); + } }