This article is focused on how to test drive a Spring Boot application using Spring Security. I decided to put this together because there is a lot of Spring involved when using Spring Security and because of that testing can be a little bit difficult and slow.
Full source code can be found here:
Before test driving, I tried to discover how Spring Security works. There are many ways of creating an authentication system with Spring Security but these are the steps (implementation details) I found to be working for my sample application:
- Create a domain object or entity that implements
- Create a service that implements
- Create a Security Configuration class with
@EnableWebSecurityfor endpoint access.
- Provide a JWT token generator when login succeeds
- Create a filter which gets
Authorizationheader from incoming request and authenticates
- Apply the filter created above in the Security Configuration
For test driving approach, outside-in (e.g. controller → service → repository) will be used for this problem. Along test driving, some of the implementation details above will be used.
In this example,
JUnit5 will be used as main testing library and
JJWT will be used for generating and parsing JWT tokens.
Sign Up Controller Unit Tests
Sign Up Controller Integration Tests
This can be used to drive out some configuration in
This will lead to overriding
Login Controller Unit Tests
Token Generator Unit Tests
Login Controller Integration Tests
More tests can be added to validate access to different endpoints to existing integration tests in
This will lead to implementation changes to allow
/login to previous
Filter Unit Tests
User Service Unit Tests
From here it can noticed that
UserDetailsService::loadUserByUsername is not yet implemented. So it is possible to test drive from here.
Integration tests for applying Filter
Lastly, the endpoints that require authentication need to be tested. We already built sign up and login, so we can make use of them to test the access to authenticated endpoints.
The filter that was implemented above can be added to previous
SecurityConfiguration. This will validate and authenticate the Bearer token in the incoming request.