在 grails 中测试 securityConfig 映射 +阿塞吉
我正在为一个仍然使用 Acegi 插件(不是较新的 Spring Core Security 插件)的项目编写测试用例,到目前为止,我已经成功地完成了这个网站(http://www.zorched.net/2008/09/01/grails-testing-acegi-security/< /a>)
建议检测当前登录的用户。但是,在我的控制器中,我有类似这样的内容:
def list = {
// code for an "admin account"
}
def list_others = {
// code for other accounts
}
现在,我不检查登录的控制器用户。相反,我在 SecurityConfig.groovy 中定义了这些,如下所示:
security {
...
requestMapString = """\
/someController/list=ROLE_ADMIN
/someController/list_others=ROLE_OTHERS
"""
...
}
因此,如果我有一个如下所示的测试:
void testTrial() {
// define here that otherUser has a role of ROLE_OTHERS
authenticate(otherUser, "other") // this calls the authenticate methode in the site I gave earlier
controller.list()
// I do an assertion here to check where this goes to
}
事情是,当我进行断言时,列表当然会告诉我它转发到 list.gsp...即使“已登录”用户的角色为 ROLE_OTHERS 而不是管理员。
但是,我需要的是如何测试登录用户只能访问的内容?在这种情况下,考虑到调用的是 *.list() 并且登录用户具有 ROLE_OTHERS 角色,我应该被转发到“拒绝”页面。
帮助?谢谢!
I'm writing test cases for a project which still uses the Acegi plugin (not the newer Spring Core Security plugin) and as of now, I've managed to do what this site (http://www.zorched.net/2008/09/01/grails-testing-acegi-security/)
has suggested regarding the detection of which user is currently logged in. However, in my controller, I have stuff that looks like this:
def list = {
// code for an "admin account"
}
def list_others = {
// code for other accounts
}
Now, I do not check in the controller the logged in user. Instead, I have these defined in the SecurityConfig.groovy like:
security {
...
requestMapString = """\
/someController/list=ROLE_ADMIN
/someController/list_others=ROLE_OTHERS
"""
...
}
Hence, if I had a test that looked like this:
void testTrial() {
// define here that otherUser has a role of ROLE_OTHERS
authenticate(otherUser, "other") // this calls the authenticate methode in the site I gave earlier
controller.list()
// I do an assertion here to check where this goes to
}
Thing is, when I do the assertion, of course list will tell me that it forwarded to list.gsp... even if the "logged in" user has a role of ROLE_OTHERS and not an admin.
However, what I need is how to test what a logged-in user is only supposed to access? In this case, given that the call is to *.list() and the logged in user has a ROLE_OTHERS role, I should have been forwarded to a "denied" page.
Help? Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
为此,您需要进行功能测试。单元测试只是 Groovy 或 Java 类加上一些模拟。没有 Spring 应用程序上下文,没有 Hibernate,没有数据库,最重要的是在这种情况下没有插件。
集成测试为您提供了更多功能,但即使有请求也大多是模拟的,并且由于没有容器,因此不会触发过滤器。 Spring Security(Acegi 插件使用的)基于一系列 servlet 过滤器。因此,如果您想测试您的安全规则是否得到正确应用,您将需要一个正在运行的服务器,因此需要进行功能测试。
功能测试有多种选项,最流行的是 WebTest: http://grails.org/plugin/webtest< /a>,功能测试插件:http://grails.org/plugin/function-test,以及 Selenium RC 插件:http://grails.org/plugin/selenium-rc 。
最新的是 Geb:http://grails.org/plugin/geb。该手册位于 http://geb.codehaus.org/,最近有一篇关于它的博客文章这里:http://blog.springsource。 com/2010/08/28/the-future-of-function-web-testing/
You'll need functional tests for this. Unit tests are just Groovy or Java classes plus some mocking. There's no Spring application context, no Hibernate, no database, and most importantly for this case no plugins.
Integration tests give you more functionality, but even there requests are mostly simulated and since there's no container, no filters fire. Spring Security (which the Acegi plugin uses) is based on a chain of servlet filters. So if you want to test that your security rules are being applied correctly you'll need a running server, hence functional tests.
There are several options for functional testing, the most popular ones being WebTest: http://grails.org/plugin/webtest, the Functional Testing plugin: http://grails.org/plugin/functional-test, and the Selenium RC plugin: http://grails.org/plugin/selenium-rc.
The newest one is Geb: http://grails.org/plugin/geb. The manual is at http://geb.codehaus.org/ and there was a recent blog post written about it here: http://blog.springsource.com/2010/08/28/the-future-of-functional-web-testing/