Clarify @WithSecurityContext thread scope #18812
wonderfulrosemari wants to merge 1 commit into spring-projects:main
jzheaux left a comment:
Thanks, @wonderfulrosemari! I've left some feedback inline.
Closes gh-3721
Signed-off-by: wonderfulrosemari <whwlsgur1419@naver.com>
2470b93 to ec6a5a8
jzheaux left a comment:
Hi, @wonderfulrosemari, thanks again for your updates.
Unfortunately, I don't think this sufficiently addresses #3721 since the question in that issue is about JAX-RS, not REST-assured, and because JAX-RS tests can run in-memory, which is likely the use case that #3721 is about. That is, explaining what to do when tests and the server run on separate threads is not the use case that the OP was raising.
In addition to my inline feedback, will you please remove "Closes gh-3721" from the updated commit message?
| [NOTE] | ||
| ==== | ||
| `@WithMockUser`, `@WithUserDetails`, and `@WithSecurityContext` populate the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontextholder[`SecurityContextHolder`] for the test thread. | ||
| This works for method-security tests and for xref:servlet/test/mockmvc/index.adoc[`MockMvc`] (when using `testSecurityContext()`), but does not automatically apply to full HTTP requests made through external clients (for example, REST-assured against a running server), because those requests are handled on a different thread. |
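Review bot: The parenthetical "(when using `testSecurityContext()`)" in the `MockMvc` sentence states a precondition without saying where the reader applies it, and the xref on that line points at the MockMvc index page as a whole. Either link the parenthetical to the place that covers MockMvc setup or say in a few words how `testSecurityContext()` gets applied, so a reader does not conclude that the annotations silently fail under MockMvc.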
Inline review comment:
I think it is more accurate for the second sentence to say:
> This cannot apply to full HTTP requests a test makes to a running server since those requests are handled by a different thread.
To say "does not automatically" suggests that with some manual intervention, the security context could be passed to the running server's receiving thread, but it cannot. Leaving out the mention of REST-assured helps keep the focus on the real issue, when the server under test is on a separate thread.
Closes gh-3721
Clarify that `@WithMockUser`, `@WithUserDetails`, and `@WithSecurityContext` populate `SecurityContextHolder` for the test thread.
Document that this works for method-security tests and for MockMvc when using `testSecurityContext()`, but does not automatically apply to full HTTP client tests against a running server because those requests execute on different threads.
Also add guidance to authenticate end-to-end HTTP requests directly (for example, HTTP Basic or Bearer token).
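
The thread scope this PR documents, shown as an added example (not code from the PR or from Spring Security's documentation): the test thread places an `Authentication` in `SecurityContextHolder`, and a second thread standing in for a server's request-handling thread reads the holder. It assumes `spring-security-core` on the classpath and the default `MODE_THREADLOCAL` holder strategy; the class and method names are made up for illustration.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical demo class, not part of Spring Security.
public class ThreadScopeDemo {

    // Runs on the given executor (the stand-in for a server thread) and
    // reports which principal SecurityContextHolder exposes there.
    static String principalSeenBy(ExecutorService serverThread) throws Exception {
        return serverThread.submit(() -> {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            return auth == null ? "<no authentication>" : auth.getName();
        }).get();
    }

    public static void main(String[] args) throws Exception {
        // Test-thread setup: an Authentication stored in the holder,
        // which is bound to the current thread under MODE_THREADLOCAL (assumed default).
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(
                new TestingAuthenticationToken("user", "password", "ROLE_USER"));
        SecurityContextHolder.setContext(context);

        ExecutorService serverThread = Executors.newSingleThreadExecutor();
        try {
            String onTestThread =
                    SecurityContextHolder.getContext().getAuthentication().getName();
            String onServerThread = principalSeenBy(serverThread);
            System.out.println("test thread sees:   " + onTestThread);
            System.out.println("server thread sees: " + onServerThread);
        } finally {
            serverThread.shutdown();
            SecurityContextHolder.clearContext(); // do not leak into later tests
        }
    }
}
```

The worker thread finds no `Authentication` in its holder, which is why a request served by another thread has to carry its own credentials (for example, HTTP Basic or a Bearer token, as the PR description says).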