For the latest stable version, please use Spring Security 6.2.3!

Running a Test as a User in Spring MVC Test

It is often desirable to run tests as a specific user. There are two simple ways of populating the user:

Running as a User in Spring MVC Test with RequestPostProcessor

There are a number of options available to associate a user to the current HttpServletRequest. For example, the following will run as a user (which does not need to exist) with the username "user", the password "password", and the role "ROLE_USER":

The support works by associating the user to the HttpServletRequest. To associate the request to the SecurityContextHolder you need to ensure that the SecurityContextPersistenceFilter is associated with the MockMvc instance. A few ways to do this are:

  • Invoking apply(springSecurity())

  • Adding Spring Security’s FilterChainProxy to MockMvc

  • Manually adding SecurityContextPersistenceFilter to the MockMvc instance may make sense when using MockMvcBuilders.standaloneSetup

  • Java

  • Kotlin

mvc
	.perform(get("/").with(user("user")))
mvc.get("/") {
    with(user("user"))
}

You can easily make customizations. For example, the following will run as a user (which does not need to exist) with the username "admin", the password "pass", and the roles "ROLE_USER" and "ROLE_ADMIN".

  • Java

  • Kotlin

mvc
	.perform(get("/admin").with(user("admin").password("pass").roles("USER","ADMIN")))
mvc.get("/admin") {
    with(user("admin").password("pass").roles("USER","ADMIN"))
}

If you have a custom UserDetails that you would like to use, you can easily specify that as well. For example, the following will use the specified UserDetails (which does not need to exist) to run with a UsernamePasswordAuthenticationToken that has a principal of the specified UserDetails:

  • Java

  • Kotlin

mvc
	.perform(get("/").with(user(userDetails)))
mvc.get("/") {
    with(user(userDetails))
}

You can run as anonymous user using the following:

  • Java

  • Kotlin

mvc
	.perform(get("/").with(anonymous()))
mvc.get("/") {
    with(anonymous())
}

This is especially useful if you are running with a default user and wish to process a few requests as an anonymous user.

If you want a custom Authentication (which does not need to exist) you can do so using the following:

  • Java

  • Kotlin

mvc
	.perform(get("/").with(authentication(authentication)))
mvc.get("/") {
    with(authentication(authentication))
}

You can even customize the SecurityContext using the following:

  • Java

  • Kotlin

mvc
	.perform(get("/").with(securityContext(securityContext)))
mvc.get("/") {
    with(securityContext(securityContext))
}

We can also ensure to run as a specific user for every request by using MockMvcBuilders's default request. For example, the following will run as a user (which does not need to exist) with the username "admin", the password "password", and the role "ROLE_ADMIN":

  • Java

  • Kotlin

mvc = MockMvcBuilders
		.webAppContextSetup(context)
		.defaultRequest(get("/").with(user("user").roles("ADMIN")))
		.apply(springSecurity())
		.build();
mvc = MockMvcBuilders
    .webAppContextSetup(context)
    .defaultRequest<DefaultMockMvcBuilder>(get("/").with(user("user").roles("ADMIN")))
    .apply<DefaultMockMvcBuilder>(springSecurity())
    .build()

If you find you are using the same user in many of your tests, it is recommended to move the user to a method. For example, you can specify the following in your own class named CustomSecurityMockMvcRequestPostProcessors:

  • Java

  • Kotlin

public static RequestPostProcessor rob() {
	return user("rob").roles("ADMIN");
}
fun rob(): RequestPostProcessor {
    return user("rob").roles("ADMIN")
}

Now you can perform a static import on CustomSecurityMockMvcRequestPostProcessors and use that within your tests:

  • Java

  • Kotlin

import static sample.CustomSecurityMockMvcRequestPostProcessors.*;

...

mvc
	.perform(get("/").with(rob()))
import sample.CustomSecurityMockMvcRequestPostProcessors.*

//...

mvc.get("/") {
    with(rob())
}

Running as a User in Spring MVC Test with Annotations

As an alternative to using a RequestPostProcessor to create your user, you can use annotations described in Testing Method Security. For example, the following will run the test with the user with username "user", password "password", and role "ROLE_USER":

  • Java

  • Kotlin

@Test
@WithMockUser
public void requestProtectedUrlWithUser() throws Exception {
mvc
		.perform(get("/"))
		...
}
@Test
@WithMockUser
fun requestProtectedUrlWithUser() {
    mvc
        .get("/")
        // ...
}

Alternatively, the following will run the test with the user with username "user", password "password", and role "ROLE_ADMIN":

  • Java

  • Kotlin

@Test
@WithMockUser(roles="ADMIN")
public void requestProtectedUrlWithUser() throws Exception {
mvc
		.perform(get("/"))
		...
}
@Test
@WithMockUser(roles = ["ADMIN"])
fun requestProtectedUrlWithUser() {
    mvc
        .get("/")
        // ...
}