Why I received an Error 403 with MockMvc and JUnit?

Question

I have a spring mvc (3.2.5) application with spring security (3.2).

I configured my SecurityConfig.class with this method :

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests().antMatchers("/*").permitAll().and()
            .formLogin().successHandler(successHandler)
            .defaultSuccessUrl("/")
            .failureHandler(failureHandler).failureUrl("/login?error=true")
            .permitAll().and().logout()
            .permitAll();

    http.authorizeRequests().antMatchers("/resources/**").permitAll();

    http.authorizeRequests().antMatchers("/welcome").permitAll();

    http.authorizeRequests().antMatchers("/secure/*").authenticated();
    http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN").anyRequest().authenticated();
} 

With Spring security (3.2) I have CSRF enabled. I think it is a good idea to let it enabled.

My controller SignInController contains 2 methods with params :

EDIT : adding action= in params

@RequestMapping(value = "/signup")
    public ModelAndView signup() {

        boolean auth = SecurityContextHolder.getContext().getAuthentication() == null ? false
                : SecurityContextHolder.getContext().getAuthentication()
                        .isAuthenticated()
                        && (SecurityContextHolder.getContext()
                                .getAuthentication().getPrincipal() instanceof User);

        ModelAndView result = null;

        if (auth) {
            result = new ModelAndView("redirect:" + "/");
        } else {
            UserForm user = new UserForm();
            result = new ModelAndView("registration", "userForm", user);
        }
        return result;
    }

    @RequestMapping(value = "/register", params = "action=signup")
    public ModelAndView registration(
            @ModelAttribute(value = "userForm") @Valid UserForm userForm,
            BindingResult result, HttpServletRequest request) {

        if (result.hasErrors()) {
            return new ModelAndView("registration");
        }

        Member member = profileFacade.registerNewUser(userForm);

        return new ModelAndView("registration", "member", member);
    }

    @RequestMapping(value = "/register", params = "action=cancel")
    public ModelAndView cancelRegistration() {
        return new ModelAndView("redirect:" + "/");
    }

and finally, I have JUnit test :

@RunWith(SpringJUnit4ClassRunner.class)
    @WebAppConfiguration
    @ContextConfiguration(classes = { WebConfiguration.class,
        JpaConfiguration.class, LoggingConfiguration.class,
        SecurityConfig.class, DataSourceEmbeddedConfiguration.class,
        DataSourceMySqlConfig.class, BaseValidatorConfiguration.class })
    @TransactionConfiguration(transactionManager = "transactionManager", defaultRollback = true)
    @ActiveProfiles("dev")
    public class SignInControllerTest {

        @Autowired
        private WebApplicationContext webApplicationContext;
        @Autowired
        private MockHttpSession session;
        @Autowired
        private MockHttpServletRequest request;
        @Autowired
        private FilterChainProxy springSecurityFilterChain;

        private MockMvc mockMvc;

        @Before
        public void setUp() throws ServletException {

            SecurityContextHolderAwareRequestFilter scharf = new SecurityContextHolderAwareRequestFilter();
            scharf.afterPropertiesSet();

            this.mockMvc = MockMvcBuilders
                    .webAppContextSetup(this.webApplicationContext)
                    .addFilters(springSecurityFilterChain).dispatchOptions(true).build();

            SecurityContextHolder.getContext().setAuthentication(null);
        }
        @Test
        public void signup() throws Exception {
            mockMvc.perform(get("/signup")).andExpect(status().isOk())
                    .andExpect(model().attributeExists("userForm"));
        }

        @Test
        @Transactional
        @Rollback(true)
        public void register() throws Exception {

            UserForm form = new UserForm();
            form.setEmail("email@email.com");
            form.setUsername("aokije");
            form.setPassword("klo,ksff");
            form.setConfirmedPassword("klo,ksff");

            mockMvc.perform(post("/register").param("action", "signup")).andExpect(status().isOk());
        }

    }

EDIT : update mockMvc.perform because it is working fine with http.csrf().disable() in SecurityConfig.class

Test signup run perfectly but register return an error 403. I tried a lot of things but I received always this error.

When I try http://localhost:8080/register?signup in a browser, it is working fine.

_EDIT_

Logs :

2014-02-13 22:00:14,695 [ExpressionBasedFilterInvocationSecurityMetadataSource] processMap Adding web access control expression 'permitAll', for org.springframework.security.config.annotation.web.configurers.PermitAllSupport$ExactUrlRequestMatcher@52ee705c 
2014-02-13 22:00:14,696 [ExpressionBasedFilterInvocationSecurityMetadataSource] processMap Adding web access control expression 'permitAll', for org.springframework.security.config.annotation.web.configurers.PermitAllSupport$ExactUrlRequestMatcher@2412d28d 
2014-02-13 22:00:14,697 [ExpressionBasedFilterInvocationSecurityMetadataSource] processMap Adding web access control expression 'permitAll', for org.springframework.security.config.annotation.web.configurers.PermitAllSupport$ExactUrlRequestMatcher@4fbd397b 
2014-02-13 22:00:14,697 [ExpressionBasedFilterInvocationSecurityMetadataSource] processMap Adding web access control expression 'permitAll', for Ant [pattern='/logout'] 
2014-02-13 22:00:14,698 [ExpressionBasedFilterInvocationSecurityMetadataSource] processMap Adding web access control expression 'permitAll', for org.springframework.security.config.annotation.web.configurers.PermitAllSupport$ExactUrlRequestMatcher@1008e323 
2014-02-13 22:00:14,699 [ExpressionBasedFilterInvocationSecurityMetadataSource] processMap Adding web access control expression 'permitAll', for Ant [pattern='/*'] 
2014-02-13 22:00:14,700 [ExpressionBasedFilterInvocationSecurityMetadataSource] processMap Adding web access control expression 'permitAll', for Ant [pattern='/resources/**'] 
2014-02-13 22:00:14,700 [ExpressionBasedFilterInvocationSecurityMetadataSource] processMap Adding web access control expression 'permitAll', for Ant [pattern='/welcome'] 
2014-02-13 22:00:14,700 [ExpressionBasedFilterInvocationSecurityMetadataSource] processMap Adding web access control expression 'authenticated', for Ant [pattern='/secure/*'] 
2014-02-13 22:00:14,701 [ExpressionBasedFilterInvocationSecurityMetadataSource] processMap Adding web access control expression 'hasRole('ROLE_ADMIN')', for Ant [pattern='/admin/**'] 
2014-02-13 22:00:14,701 [ExpressionBasedFilterInvocationSecurityMetadataSource] processMap Adding web access control expression 'authenticated', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1 
2014-02-13 22:00:14,703 [FilterSecurityInterceptor] afterPropertiesSet Validated configuration attributes 
2014-02-13 22:00:14,704 [FilterSecurityInterceptor] afterPropertiesSet Validated configuration attributes 
2014-02-13 22:00:14,734 [DefaultSecurityFilterChain] <init> Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@10174779, org.springframework.security.web.context.SecurityContextPersistenceFilter@68736a7e, org.springframework.security.web.header.HeaderWriterFilter@728e5d0d, org.springframework.security.web.csrf.CsrfFilter@6e7a918b, org.springframework.security.web.authentication.logout.LogoutFilter@430e85e7, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@55eda087, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@290c7ca, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@6dd90afc, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@12eb6a0f, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6855612f, org.springframework.security.web.session.SessionManagementFilter@410a11a2, org.springframework.security.web.access.ExceptionTranslationFilter@59e15580, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@2257a0] 
2014-02-13 22:00:14,859 [FilterChainProxy] doFilter /register at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' 
2014-02-13 22:00:14,863 [FilterChainProxy] doFilter /register at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
2014-02-13 22:00:14,863 [HttpSessionSecurityContextRepository] readSecurityContextFromSession HttpSession returned null object for SPRING_SECURITY_CONTEXT 
2014-02-13 22:00:14,863 [HttpSessionSecurityContextRepository] loadContext No SecurityContext was available from the HttpSession: org.springframework.mock.web.MockHttpSession@4c4b529f. A new one will be created. 
2014-02-13 22:00:14,864 [FilterChainProxy] doFilter /register at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter' 
2014-02-13 22:00:14,865 [HstsHeaderWriter] writeHeaders Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@5ab39e58 
2014-02-13 22:00:14,865 [FilterChainProxy] doFilter /register at position 4 of 13 in additional filter chain; firing Filter: 'CsrfFilter' 
2014-02-13 22:00:14,866 [CsrfFilter] doFilterInternal Invalid CSRF token found for http://localhost/register 
2014-02-13 22:00:14,866 [HttpSessionSecurityContextRepository] saveContext SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 
2014-02-13 22:00:14,866 [SecurityContextPersistenceFilter] doFilter SecurityContextHolder now cleared, as request processing completed 

Could you help me ?

Thanks a lot

EDIT

Finally, I had a bug in another class (annotation). I fix with this :

HttpSessionCsrfTokenRepository httpSessionCsrfTokenRepository = new HttpSessionCsrfTokenRepository();
        CsrfToken csrfToken = httpSessionCsrfTokenRepository
                .generateToken(request);

        Map map = new HashMap();
        map.put("userForm", form);
        map.put("org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.CSRF_TOKEN",
                csrfToken);
        this.mockMvc
                .perform(
                        post("/register")
                                .param("signup", "")
                                .param("_csrf", csrfToken.getToken())
                                .sessionAttrs(map)).andExpect(status().isOk());

Params csrf and sessionAttrs are mandatory.

Answer 1

I know this question is quite old, but this is one of the first results on Google for some queries and I believe this approach is much better and it is described on spring.io blog

1) You can create your mockMvc with Spring Security support easier, so your setUp() gets much shorter:

@Before
public void setUp() throws Exception {
    mockMvc = MockMvcBuilders
            .webAppContextSetup(webApplicationContext)
            .apply(springSecurity())
            .build();
}

2) You can use org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf() to populate your test request with correct CSRF token like this:

mockMvc.perform(post("/register")
              .with(csrf())
              .param("action", "signup"))
     .andExpect(status().isOk());

Answer 2

Try with @AutoConfigureMockMvc(addFilters = false)

Answer 3

Post requests need the CSRF token to be added to the form. So you have to pass it while testing:

var TOKEN_ATTR_NAME = "org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.CSRF_TOKEN";
var httpSessionCsrfTokenRepository = new HttpSessionCsrfTokenRepository();
var csrfToken = httpSessionCsrfTokenRepository.generateToken(new MockHttpServletRequest());

mockMvc.perform(
  post("/your/path/here")
    .sessionAttr(TOKEN_ATTR_NAME, csrfToken)
    .param(csrfToken.getParameterName(), csrfToken.getToken())
    ...
);

Second thing, are you sure that the registration method handles your post request? Isn't RequestMapping configured for "GET" by default?