Issues

  1. When using reactive web and @WebFluxTest, even explicitly defined permitAll() paths must use @WithMockUser. When using @WithMockUser, any authority will work - they do not seem to be verified against the SecurityConfig.

~~2. When using @EnableReactiveMethodSecurity, the proxyTargetClass attribute must be enabled for the workaround to work.~~

Workaround

Using the following seems to work

```java
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;

@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SecurityConfig {}
```

```java
import org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration;
import org.springframework.boot.test.autoconfigure.web.reactive.WebFluxTest;
import org.springframework.context.annotation.Import;

@WebFluxTest(
    controllers = PostsController.class,
    excludeAutoConfiguration = ReactiveSecurityAutoConfiguration.class)
@Import(SecurityConfig.class)
public class FooTest {}
```

Comment From: wilkinsona

Thanks for the report. Without seeing your security configuration, for example where you have used permitAll(), it's hard to know exactly what's happening and why. If you would like us to spend some more time investigating, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue.

Comment From: neuroretransmit

> Thanks for the report. Without seeing your security configuration, for example where you have used permitAll(), it's hard to know exactly what's happening and why. If you would like us to spend some more time investigating, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue.

Should have pre-emptively done it from my last report. I'll get one up for you shortly. Thanks for always being so prompt.

Comment From: neuroretransmit

Here's the demo. testing-security-demo.zip

Issue 1 is still extremely relevant - seems to be pretty global. However, it looks like this really basic example was able to get away without using proxyTargetClass for method security. That may just be an issue in my OAuth project, let me know if you'd like to see that as well and I can share.

UPDATE: D'oh, I'm implementing controllers from an OpenAPI generated interface, maybe that has something to do with needing to proxy. See https://github.com/optimisticninja/posts-api if interested.

Comment From: wilkinsona

Thanks for the sample. This is behaving as documented:

> @WebFluxTest cannot detect custom security configuration registered via a @Bean of type SecurityWebFilterChain. To include that in your test, you will need to import the configuration that registers the bean via @Import or use @SpringBootTest.

https://github.com/spring-projects/spring-boot/issues/16088 is tracking some improvements in this area.
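To make the documented behaviour and the workaround above concrete, here is an added example (not code from the issue, the attached sample, or Spring Boot itself): a SecurityWebFilterChain bean with an explicit permitAll() path, a minimal controller, and a @WebFluxTest that @Imports the configuration so the chain is actually applied. The package, class and path names (com.example.demo, DemoSecurityConfig, PostsController, /api/public/**, /api/posts), the use of JUnit 5, and the three-file layout are assumptions for illustration.

```java
// Added example, not from the issue or the attached sample. Names, paths and package are assumptions.
// Each "File:" section below is its own source file in a real project (same package).

// File: DemoSecurityConfig.java
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class DemoSecurityConfig {

    // This is the bean a @WebFluxTest slice cannot see on its own: it is only applied
    // when the test @Imports this class (or uses @SpringBootTest).
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
                .authorizeExchange()
                    .pathMatchers("/api/public/**").permitAll()   // no user required here
                    .anyExchange().authenticated()                 // everything else needs a user
                .and()
                .build();
    }
}

// File: PostsController.java
package com.example.demo;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

@RestController
public class PostsController {

    @GetMapping("/api/public/health")
    public Mono<String> health() {
        return Mono.just("ok");
    }

    @GetMapping("/api/posts")
    public Flux<String> posts() {
        return Flux.just("first post", "second post");
    }
}

// File: PostsControllerSecurityTest.java
package com.example.demo;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.WebFluxTest;
import org.springframework.context.annotation.Import;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.reactive.server.WebTestClient;

@WebFluxTest(controllers = PostsController.class)
@Import(DemoSecurityConfig.class)   // without this line the custom chain is not applied
class PostsControllerSecurityTest {

    @Autowired
    private WebTestClient webTestClient;

    // permitAll() path: must pass with no @WithMockUser once the config is imported
    @Test
    void publicPathNeedsNoUser() {
        webTestClient.get().uri("/api/public/health")
                .exchange()
                .expectStatus().isOk();
    }

    // authenticated() path: anonymous request is rejected by the default entry point
    @Test
    void protectedPathRejectsAnonymous() {
        webTestClient.get().uri("/api/posts")
                .exchange()
                .expectStatus().isUnauthorized();
    }

    // authenticated() path: any authenticated principal is enough, so a plain mock user passes
    @Test
    @WithMockUser
    void protectedPathAcceptsMockUser() {
        webTestClient.get().uri("/api/posts")
                .exchange()
                .expectStatus().isOk();
    }
}
```

Without the @Import, the slice falls back to Spring Boot's default reactive chain, which requires authentication on every exchange and references no specific authorities. That matches the symptoms in issue 1: a permitAll() path still needs @WithMockUser, and any authority on the mock user is accepted because no rule ever checks one. If the imported configuration also relies on method security (@PreAuthorize and friends), it still needs @EnableReactiveMethodSecurity on the imported class, as in the workaround above.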