First of all, it's important to specify that the app is already deployed and our Spring Security configuration works. If an unauthenticated user tries to access any endpoint of the API, it returns 401 Unauthorized.

Following this sample example, I want to test a controller with @WebMvcTest and Spring Security:

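```java
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Import;
import org.springframework.http.MediaType;
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@WebMvcTest(EmployeeController.class)
@Import(SecurityConfig.class)
class EmployeeControllerTest {

    @Autowired
    private WebApplicationContext ctx;

    protected MockMvc mvc;

    @MockBean
    private EmployeeService service;

    @BeforeEach
    public void setUp() {
        // Build MockMvc by hand with the Spring Security filter chain applied
        this.mvc = MockMvcBuilders
                .webAppContextSetup(ctx)
                .apply(springSecurity())
                .build();
    }

    @Test
    void unauthorized_role_should_return_401() throws Exception {
        // Authenticated mock user whose role is not allowed by SecurityConfig
        mvc.perform(get("/employees/1").accept(MediaType.APPLICATION_JSON)
                .with(SecurityMockMvcRequestPostProcessors.user("manager").roles("UNKNOWN")))
                .andExpect(status().isUnauthorized());
    }
}
```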

This code works, but I don't understand why I need to import the SecurityConfig class into the test class. Indeed, if I remove the @Import, mockMvc returns 200. But every sample project that I found on GitHub simply uses @WebMvcTest, even if the project has a SecurityConfig class.

Ken Chan
Pierre Jones

1 Answer

There is no need to configure anything extra in order to enable Spring Security when using @WebMvcTest, as @WebMvcTest will enable it automatically.

But if you customise Spring Security by creating your own beans, you still have to define these customised beans for the tests for the customisation to work. @Import is one of the ways to define these beans. Consolidating their configuration into a SecurityConfig keeps your test cases DRY, because if a test case needs to test with the security stuff, it just needs to import this SecurityConfig rather than repeatedly doing the same configuration for each test.

So it is rather a code design decision which is application-specific, and hence it is normal that not every project will have the same kind of setup.

Ken Chan
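The effect of the `@Import` discussed above, as an added example that is not code from the question or the answer: without it the test slice runs with Spring Boot's default filter chain, which only requires authentication, so a mock user with any role gets 200; with it the custom rule is enforced. It assumes Spring Boot 3 with Spring Security 6 and spring-security-test on the classpath; `DemoApp`, `DemoController` and the `MANAGER` rule are constructed for illustration.

```java
package demo; // added example; DemoApp, DemoController and the MANAGER rule are constructed
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.context.annotation.*;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.*;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootApplication class DemoApp {}
@RestController class DemoController {
    @GetMapping("/employees/{id}") String one() { return "ok"; }
}

@Configuration class SecurityConfig { // custom rule: only MANAGER may read employees
    @Bean SecurityFilterChain chain(HttpSecurity http) throws Exception {
        return http.authorizeHttpRequests(a -> a
                .requestMatchers("/employees/**").hasRole("MANAGER")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults()).build();
    }
}

@WebMvcTest(DemoController.class) // no @Import: SecurityConfig is not part of the slice
class DefaultSecurityTest {
    @Autowired MockMvc mvc;
    @Test @WithMockUser(roles = "UNKNOWN") // default chain: any authenticated user passes
    void unknown_role_gets_200() throws Exception {
        mvc.perform(get("/employees/1")).andExpect(status().isOk());
    }
}

@WebMvcTest(DemoController.class)
@Import(SecurityConfig.class) // custom SecurityFilterChain replaces Boot's default
class CustomSecurityTest {
    @Autowired MockMvc mvc;
    @Test @WithMockUser(roles = "UNKNOWN")
    void unknown_role_gets_403() throws Exception {
        mvc.perform(get("/employees/1")).andExpect(status().isForbidden());
    }
    @Test @WithMockUser(roles = "MANAGER")
    void manager_gets_200() throws Exception {
        mvc.perform(get("/employees/1")).andExpect(status().isOk());
    }
}
```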