Shiro: How to write a test for an endpoint protected by @RequiresRoles?

Let's say I have this resource:

    import javax.ws.rs.GET;
    import javax.ws.rs.Path;
    import javax.ws.rs.PathParam;
    import javax.ws.rs.Produces;
    import javax.ws.rs.core.MediaType;
    import javax.ws.rs.core.Response;
    import org.apache.shiro.authz.annotation.RequiresAuthentication;
    import org.apache.shiro.authz.annotation.RequiresRoles;
    import io.swagger.annotations.Api;
    import io.swagger.annotations.ApiOperation;

    @Path("/authhello")
    @Api(value = "hello", description = "Simple endpoints for testing api authentication", hidden = true)
    @Produces(MediaType.APPLICATION_JSON)
    @RequiresAuthentication
    public class AuthenticatedHelloWorldResource {

        private static final String READ = "READ";
        private static final String WRITE = "WRITE";

        @GET
        @ApiOperation(value = "helloworld", notes = "Simple hello world.", response = String.class)
        @RequiresRoles(READ)
        public Response helloWorld() {
            String hello = "Hello world!";
            return Response.status(Response.Status.OK).entity(hello).build();
        }

        @GET
        @Path("/{param}")
        @ApiOperation(value = "helloReply", notes = "Returns Hello you! and {param}", response = String.class)
        @RequiresRoles(WRITE)
        public Response getMsg(@PathParam("param") String msg) {
            String output = "Hello you! " + msg;
            return Response.status(Response.Status.OK).entity(output).build();
        }
    }

Do I have to write tests that confirm that certain (test) users receive a response from endpoints, and some users do not? And if so: how can I write these tests? I tried something like this:

    import javax.ws.rs.core.Application;
    import org.glassfish.jersey.server.ResourceConfig;
    import org.junit.Test;
    import com.cognite.api.shiro.AbstractShiroTest;
    import static org.junit.Assert.assertEquals;

    public class AuthenticatedHelloWorldTest extends AbstractShiroTest {

        @Override
        protected Application configure() {
            return new ResourceConfig(AuthenticatedHelloWorldResource.class);
        }

        @Test
        public void testAuthenticatedReadHelloWorld() {
            final String hello = target("/authhello").request().get(String.class);
            assertEquals("Hello world!", hello);
        }

        @Test
        public void testAuthenticatedWriteHelloWorld() {
            final String hello = target("/authhello/test").request().get(String.class);
            assertEquals("Hello you! test", hello);
        }
    }

but I'm not sure how to really check the @RequiresRoles annotation functionality. I read the Shiro page on testing, but I could not write a test for the failure case (for example, a test for a subject that does not have the WRITE role trying to access /authhello/test). Any advice would be appreciated.

1 answer

Should I even test this?

Yes, if you want to make sure that certain roles do or do not have access to your resource. This would be a security integration test.

If I have to test it, how do I configure the entire application and actually invoke it with an HTTP request in the test? Or is there an easier way?

Part of the problem is that @RequiresAuthentication and @RequiresRoles are themselves just metadata on the class and method. The annotations alone do not provide any security-checking functionality.

It is not clear from your question what kind of container you are using, but I would guess it is just a plain JAX-RS Jersey service (am I right?). For Shiro to perform the security checks, you must add some JAX-RS filter (or perhaps some other mechanism?) around your endpoints. To test security, you must replicate this setup in your tests. Otherwise your handlers will not process your annotations, and as a result there will be no security checks.

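The following is an added illustration of the answer's point; it is not part of the original question or answer and is not Shiro's or Jersey's own code. It shows the two things the answer asks for: a JAX-RS filter that actually enforces @RequiresAuthentication and @RequiresRoles (the annotations by themselves do nothing), and a JUnit 4 test that logs in constructed test accounts with and without the WRITE role and asserts that the reader is refused access to getMsg while the writer is allowed. The class names ShiroAnnotationFilter and AuthenticatedHelloWorldRolesTest, the accounts "reader"/"writer" with password "secret", and the placement of both classes in the same package as AuthenticatedHelloWorldResource from the question are all assumptions; the Shiro, JAX-RS 2.0 and JUnit 4 APIs used are standard.

```java
// ---- ShiroAnnotationFilter.java (hypothetical name) ----
import java.lang.reflect.Method;
import java.util.Arrays;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;

/** Turns the Shiro annotations on a resource into real checks on every request. */
@Provider
@Priority(Priorities.AUTHORIZATION)
public class ShiroAnnotationFilter implements ContainerRequestFilter {

    @Context
    private ResourceInfo resourceInfo;   // tells us which resource method was matched

    @Override
    public void filter(ContainerRequestContext ctx) {
        Response.Status denial = decide(resourceInfo.getResourceClass(),
                resourceInfo.getResourceMethod(), SecurityUtils.getSubject());
        if (denial != null) {
            ctx.abortWith(Response.status(denial).build());   // 401 or 403, resource never runs
        }
    }

    /** Pure decision logic, kept separate so it can be unit-tested without an HTTP container.
     *  Returns null when access is allowed, otherwise the status to abort the request with. */
    public static Response.Status decide(Class<?> resourceClass, Method method, Subject subject) {
        boolean needsAuth = resourceClass.isAnnotationPresent(RequiresAuthentication.class)
                || method.isAnnotationPresent(RequiresAuthentication.class);
        if (needsAuth && !subject.isAuthenticated()) {
            return Response.Status.UNAUTHORIZED;
        }
        RequiresRoles roles = method.getAnnotation(RequiresRoles.class);
        if (roles == null) {
            roles = resourceClass.getAnnotation(RequiresRoles.class);   // method overrides class
        }
        if (roles != null) {
            boolean allowed = roles.logical() == Logical.AND
                    ? subject.hasAllRoles(Arrays.asList(roles.value()))
                    : Arrays.stream(roles.value()).anyMatch(subject::hasRole);
            if (!allowed) {
                return Response.Status.FORBIDDEN;
            }
        }
        return null;
    }
}

// ---- AuthenticatedHelloWorldRolesTest.java (hypothetical name, same package) ----
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.util.ThreadContext;
import org.junit.After;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNull;

public class AuthenticatedHelloWorldRolesTest {
    private static final Class<?> RESOURCE = AuthenticatedHelloWorldResource.class;
    private static DefaultSecurityManager securityManager;

    @BeforeClass
    public static void setUpRealm() {
        // Constructed test accounts; production code would use the real realm instead.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("reader", "secret", "READ");
        realm.addAccount("writer", "secret", "READ", "WRITE");
        securityManager = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(securityManager);
    }

    @After
    public void clearSubject() {
        ThreadContext.unbindSubject();   // never leak a logged-in Subject into the next test
    }

    private static Subject loginAs(String user) {
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        subject.login(new UsernamePasswordToken(user, "secret"));
        ThreadContext.bind(subject);     // what SecurityUtils.getSubject() will now return
        return subject;
    }

    @Test
    public void anonymousGets401() throws Exception {
        Subject anonymous = new Subject.Builder(securityManager).buildSubject();
        assertEquals(Response.Status.UNAUTHORIZED,
                ShiroAnnotationFilter.decide(RESOURCE, RESOURCE.getMethod("helloWorld"), anonymous));
    }

    @Test
    public void readerMayReadButNotWrite() throws Exception {
        Subject reader = loginAs("reader");
        assertNull(ShiroAnnotationFilter.decide(RESOURCE, RESOURCE.getMethod("helloWorld"), reader));
        assertEquals(Response.Status.FORBIDDEN,
                ShiroAnnotationFilter.decide(RESOURCE, RESOURCE.getMethod("getMsg", String.class), reader));
    }

    @Test
    public void writerMayWrite() throws Exception {
        Subject writer = loginAs("writer");
        assertNull(ShiroAnnotationFilter.decide(RESOURCE, RESOURCE.getMethod("getMsg", String.class), writer));
    }
}
```

For the end-to-end variant the answer describes, register the filter next to the resource (for example `new ResourceConfig(AuthenticatedHelloWorldResource.class, ShiroAnnotationFilter.class)`) so that the same decision runs on real HTTP requests, and bind the Subject in the test exactly as above; a missing registration is the failure mode to watch for, because the annotated resource will then answer every request as if no roles were required. Shiro 1.4 and later ship a shiro-jaxrs module that provides this kind of annotation-enforcing feature out of the box, which is preferable to maintaining a hand-written filter once that version is available to you.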

Source: https://habr.com/ru/post/1272390/

