Shiro:如何为受@RequiresRoles 保护的端点编写测试?
Shiro: How to write a test for an endpoint protected with @RequiresRoles?
说我有这个资源:
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresRoles;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
@Path("/authhello")
@Api(value = "hello", description = "Simple endpoints for testing api authentification",
hidden = true)
@Produces(MediaType.APPLICATION_JSON)
@RequiresAuthentication
public class AuthenticatedHelloWorldResource {
private static final String READ = "READ";
private static final String WRITE = "WRITE";
@GET
@ApiOperation(value = "helloworld",
notes = "Simple hello world.",
response = String.class)
@RequiresRoles(READ)
public Response helloWorld() {
String hello = "Hello world!";
return Response.status(Response.Status.OK).entity(hello).build();
}
@GET
@Path("/{param}")
@ApiOperation(value = "helloReply",
notes = "Returns Hello you! and {param}",
response = String.class)
@RequiresRoles(WRITE)
public Response getMsg(@PathParam("param") String msg) {
String output = "Hello you! " + msg;
return Response.status(Response.Status.OK).entity(output).build();
}
}
我是否应该编写测试来确认某些(测试)用户从端点获得响应,而某些用户没有?如果是这样:我该如何编写这些测试?我试过这样的事情:
import javax.ws.rs.core.Application;
import org.glassfish.jersey.server.ResourceConfig;
import org.junit.Test;
import com.cognite.api.shiro.AbstractShiroTest;
import static org.junit.Assert.assertEquals;
public class AuthenticatedHelloWorldTest extends AbstractShiroTest {
@Override
protected Application configure() {
return new ResourceConfig(AuthenticatedHelloWorldResource.class);
}
@Test
public void testAuthenticatedReadHelloWorld() {
final String hello = target("/authhello").request().get(String.class);
assertEquals("Hello world!", hello);
}
@Test
public void testAuthenticatedWriteHelloWorld() {
final String hello = target("/authhello/test").request().get(String.class);
assertEquals("Hello you! test", hello);
}
}
但我不确定如何实际测试 @RequiresRoles-注释的功能。我读过 Shiro's page on testing,但我无法编写失败的测试(例如,针对没有 WRITE 角色的主题的测试试图访问 /authhello/test)。任何提示将不胜感激。
Should I even test this?
是的。如果您想确保某些角色可以或无法访问您的资源。这将是一个安全集成测试。
How should I go about setting up the whole application + actually call it with an http request in a test if I am to test it? Or is there a simpler way?
部分问题在于 @RequiresAuthentication 和 @RequiresRoles 本身只是 class 和方法元信息。注释本身不提供安全检查功能。
从你的问题中不清楚你使用的是什么类型的容器,但我猜它是普通的 Jersey JAX-RS 服务(我说得对吗?)。为了让 Shiro 执行安全检查,您应该在端点周围添加一些 JAX-RS 过滤器(也许其他方式?)。要测试安全性,您应该在测试中复制此设置。否则,引擎 不会处理您的注释,因此也不会进行安全检查。
说我有这个资源:
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresRoles;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
@Path("/authhello")
@Api(value = "hello", description = "Simple endpoints for testing api authentification",
hidden = true)
@Produces(MediaType.APPLICATION_JSON)
@RequiresAuthentication
public class AuthenticatedHelloWorldResource {
private static final String READ = "READ";
private static final String WRITE = "WRITE";
@GET
@ApiOperation(value = "helloworld",
notes = "Simple hello world.",
response = String.class)
@RequiresRoles(READ)
public Response helloWorld() {
String hello = "Hello world!";
return Response.status(Response.Status.OK).entity(hello).build();
}
@GET
@Path("/{param}")
@ApiOperation(value = "helloReply",
notes = "Returns Hello you! and {param}",
response = String.class)
@RequiresRoles(WRITE)
public Response getMsg(@PathParam("param") String msg) {
String output = "Hello you! " + msg;
return Response.status(Response.Status.OK).entity(output).build();
}
}
我是否应该编写测试来确认某些(测试)用户从端点获得响应,而某些用户没有?如果是这样:我该如何编写这些测试?我试过这样的事情:
import javax.ws.rs.core.Application;
import org.glassfish.jersey.server.ResourceConfig;
import org.junit.Test;
import com.cognite.api.shiro.AbstractShiroTest;
import static org.junit.Assert.assertEquals;
public class AuthenticatedHelloWorldTest extends AbstractShiroTest {
@Override
protected Application configure() {
return new ResourceConfig(AuthenticatedHelloWorldResource.class);
}
@Test
public void testAuthenticatedReadHelloWorld() {
final String hello = target("/authhello").request().get(String.class);
assertEquals("Hello world!", hello);
}
@Test
public void testAuthenticatedWriteHelloWorld() {
final String hello = target("/authhello/test").request().get(String.class);
assertEquals("Hello you! test", hello);
}
}
但我不确定如何实际测试 @RequiresRoles-注释的功能。我读过 Shiro's page on testing,但我无法编写失败的测试(例如,针对没有 WRITE 角色的主题的测试试图访问 /authhello/test)。任何提示将不胜感激。
Should I even test this?
是的。如果您想确保某些角色可以或无法访问您的资源。这将是一个安全集成测试。
How should I go about setting up the whole application + actually call it with an http request in a test if I am to test it? Or is there a simpler way?
部分问题在于 @RequiresAuthentication 和 @RequiresRoles 本身只是 class 和方法元信息。注释本身不提供安全检查功能。
从你的问题中不清楚你使用的是什么类型的容器,但我猜它是普通的 Jersey JAX-RS 服务(我说得对吗?)。为了让 Shiro 执行安全检查,您应该在端点周围添加一些 JAX-RS 过滤器(也许其他方式?)。要测试安全性,您应该在测试中复制此设置。否则,引擎 不会处理您的注释,因此也不会进行安全检查。