On 1.5.9.RELEASE, when I exclude security related autoconfiguration:
    @SpringBootApplication(exclude = {
        SecurityAutoConfiguration.class,
        SecurityFilterAutoConfiguration.class,
        FallbackWebSecurityAutoConfiguration.class,
        OAuth2AutoConfiguration.class,
        ManagementWebSecurityAutoConfiguration.class
    })
    public class Application {
        //...
    }
When I create a test with @AutoConfigureMockMvc, I still need to set secure = false, which is very surprising since the app launches with no security.
    @RunWith(SpringRunner.class)
    @SpringBootTest
    @AutoConfigureMockMvc(secure = false)
    @AutoConfigureMockRestServiceServer
    public class MyTest {
    }
@joaocabrita that's because @AutoConfigureMockMvc imports MockMvcSecurityAutoConfiguration which gives us Spring Security's mockmvc integration.
Setting secure=false turns off MockMvcSecurityAutoConfiguration.
@mbhave my point is that it's surprising behavior (I spent quite a while wondering why my excludes weren't working only to find that they were): if I explicitly disable security in my app, very likely I don't want it enabled in tests either.
Ideally, @AutoConfigureMockMvc should try to replicate the application's configuration and only import MockMvcSecurityAutoConfiguration if other security autoconfiguration is enabled.
Honestly, I don't get why the issue is closed. Meanwhile secure = false is deprecated, which makes the situation worse.
I have some Spring Security classes in the classpath, because I use OAuth to authenticate to third-party systems. So, I get why SecurityAutoConfiguration is triggered. However, the service itself should not have any security configuration enabled. So, I disable it:
    @SpringBootApplication(
        exclude = {SecurityAutoConfiguration.class, UserDetailsServiceAutoConfiguration.class}
    )
    public class Application {
        // ...
    }
This works fine for the production code; however, in the tests, I have to use:
    @RunWith(SpringRunner.class)
    @SpringBootTest(classes = Application.class)
    @AutoConfigureMockMvc(secure = false)
    public class SomeControllerIT {
        // ...
    }
According to the documentation secure = false can be avoided by using @WithMockUser. However, this seems odd, because the production code does not require any user authentication. It would be nice if secure = false would not be marked as deprecated or there would be other effective means to disable MockMvcSecurityAutoConfiguration.