Spring-boot: WebMvcTest does not use the auto-configured ordering for Spring Security's filter

Created on 10 Jun 2020  路  4Comments  路  Source: spring-projects/spring-boot

Describe the bug
WebMvcTests with spring-security-test have a different filter order than during "normal" runtime.

To Reproduce
Define a filter after the default order of Spring Security Filters (=0) and try to access the userPrincipal from the HttpServletRequest:

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
@Order(TestFilter.ORDER)
public class TestFilter extends OncePerRequestFilter {

    public static final int ORDER = Ordered.LOWEST_PRECEDENCE - 10; // - 10 to allow applications/ libraries to register filters after this one

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        Assert.notNull(request.getUserPrincipal(), "userPrincipal");

        filterChain.doFilter(request, response);
    }
}

Expected behavior
Same filter order during tests as during runtime.

bug
Source
picture puce77

All 4 comments

Issue originally reported at: https://github.com/spring-projects/spring-security/issues/8428
It seems to be a Spring Boot issue, though.

puce77 picture puce77 on 10 Jun 2020

Here is a sample: 8428-spring-security-test-v1.0.zip
(from: https://github.com/puce77/spring-security-sample/tree/8428-spring-security-test )

If Assert.notNull(request.getUserPrincipal(), "userPrincipal"); is commented out in the filter, the tests run fine, but with this null check the tests fail, though the REST service runs fine.

puce77 picture puce77 on 10 Jun 2020

Thanks for the sample, @puce77. You can work around the problem by adding @ImportAutoConfiguration(SecurityFilterAutoConfiguration.class) to your test class:

@WebMvcTest(controllers = SecuredEchoController.class)
@ExtendWith(SpringExtension.class)
@ImportAutoConfiguration(SecurityFilterAutoConfiguration.class)
public class SecuredEchoControllerTest {

Completely unrelated to your problem, you can remove @ExtendWith(SpringExtension.class) as @WebMvcTest does that for you:

@WebMvcTest(controllers = SecuredEchoController.class)
@ImportAutoConfiguration(SecurityFilterAutoConfiguration.class)
public class SecuredEchoControllerTest {
wilkinsona picture wilkinsona on 10 Jun 2020
👍1

First tests with work-around were successful, thanks!

puce77 picture puce77 on 10 Jun 2020
🎉1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

techpavan picture techpavan  路  3Comments
izeye picture izeye  路  3Comments
prasenjit-net picture prasenjit-net  路  3Comments
hanusto picture hanusto  路  3Comments
hadrienk picture hadrienk  路  3Comments