SecurityMockMvcResultMatchers

At times it is desirable to make various security-related assertions about a request. To accommodate this need, Spring Security Test support implements Spring MVC Test’s ResultMatcher interface. In order to use Spring Security’s ResultMatcher implementations, ensure the following static import is used:

  • Java

import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.*;

  • Kotlin

import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.*

Unauthenticated Assertion

At times it may be valuable to assert that there is no authenticated user associated with the result of a MockMvc invocation. For example, you might want to test submitting an invalid username and password and verify that no user is authenticated. You can easily do this with Spring Security’s testing support using something like the following:

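  • Java

mvc
	.perform(formLogin().password("invalid"))
	.andExpect(unauthenticated());

  • Kotlin

// Pass the matcher itself: a trailing lambda such as { unauthenticated() }
// only constructs the matcher and never runs it, so the test would always pass.
mvc
    .perform(formLogin().password("invalid"))
    .andExpect(unauthenticated())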

Authenticated Assertion

We often need to assert that an authenticated user exists. For example, we may want to verify that we authenticated successfully. We could verify that a form-based login was successful with the following snippet of code:

  • Java

mvc
	.perform(formLogin())
	.andExpect(authenticated());

  • Kotlin

mvc
    .perform(formLogin())
    .andExpect(authenticated())

If we wanted to assert the roles of the user, we could refine our previous code as shown below:

  • Java

mvc
	.perform(formLogin().user("admin"))
	.andExpect(authenticated().withRoles("USER","ADMIN"));

  • Kotlin

mvc
    .perform(formLogin().user("admin"))
    .andExpect(authenticated().withRoles("USER","ADMIN"))

Alternatively, we could verify the username:

  • Java

mvc
	.perform(formLogin().user("admin"))
	.andExpect(authenticated().withUsername("admin"));

  • Kotlin

mvc
    .perform(formLogin().user("admin"))
    .andExpect(authenticated().withUsername("admin"))

We can also combine the assertions:

  • Java

mvc
	.perform(formLogin().user("admin"))
	.andExpect(authenticated().withUsername("admin").withRoles("USER", "ADMIN"));

  • Kotlin

mvc
    .perform(formLogin().user("admin"))
    .andExpect(authenticated().withUsername("admin").withRoles("USER", "ADMIN"))

We can also make arbitrary assertions on the authentication:

  • Java

mvc
	.perform(formLogin())
	.andExpect(authenticated().withAuthentication(auth ->
		assertThat(auth).isInstanceOf(UsernamePasswordAuthenticationToken.class)));

  • Kotlin

mvc
    .perform(formLogin())
    .andExpect(authenticated().withAuthentication { auth ->
        assertThat(auth).isInstanceOf(UsernamePasswordAuthenticationToken::class.java)
    })