{"id":21517407,"url":"https://github.com/criske/springsec-endpoint-test","last_synced_at":"2026-05-05T09:31:38.455Z","repository":{"id":126258557,"uuid":"380425355","full_name":"criske/springsec-endpoint-test","owner":"criske","description":"Small utility to test enpoints authorized requests without the need to run full integration tests for spring-security and spring-mvc.","archived":false,"fork":false,"pushed_at":"2021-06-26T08:44:34.000Z","size":30,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-02T17:10:07.775Z","etag":null,"topics":["java","spring","spring-boot","spring-mvc","spring-security"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/criske.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-06-26T05:53:04.000Z","updated_at":"2021-06-26T08:44:36.000Z","dependencies_parsed_at":null,"dependency_job_id":"8219d10e-d33c-45b3-827f-76dc0291a5b0","html_url":"https://github.com/criske/springsec-endpoint-test","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/criske/springsec-endpoint-test","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/criske%2Fspringsec-endpoint-test","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/criske%2Fspringsec-endpoint-test/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/criske%2Fspringsec-endpoint-test/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/criske%2Fspringsec-endpoint-test/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/criske","download_url":"https://codeload.github.com/criske/springsec-endpoint-test/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/criske%2Fspringsec-endpoint-test/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32643523,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-04T10:08:07.713Z","status":"online","status_checked_at":"2026-05-05T02:00:06.033Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["java","spring","spring-boot","spring-mvc","spring-security"],"created_at":"2024-11-24T00:41:37.515Z","updated_at":"2026-05-05T09:31:38.375Z","avatar_url":"https://github.com/criske.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Spring security endpoint tester\n\nSmall utility to test authorization on endpoints without the need to run full integration tests for spring-security and spring-mvc.\n\nAll done in unit tests - no need for spring integration test ceremony(no SpringRunner, @SpringBootTest, @WebMvcTest etc...).\n\n### Usage in unit tests\n```java\npublic final class SecurityTest {\n\n    static AuthorizedRequestsProbe probe = AuthorizedRequestsProbe\n        .withCustomizer(config -\u003e\n            config\n                .mvcMatchers(\"/remember\").rememberMe()\n                .mvcMatchers(\"/private/admin/**\", \"/private/user/**/admin/**\").hasRole(\"ADMIN\")\n                .mvcMatchers(\"/private/user/**\").hasRole(\"USER\")\n                .mvcMatchers(\"/private/**\").authenticated()\n                .anyRequest().permitAll()\n        );\n\n    @Test\n    public void shouldPassUnauthenticated() {\n        var hasAccess = probe.checkAccess(\n            new FilterInvocation(\"/\", \"GET\"),\n            AuthorizedRequestsProbe.UserMode.UNAUTHENTICATED\n        );\n        MatcherAssert.assertThat(\n            hasAccess,\n            Matchers.is(Boolean.TRUE)\n        );\n    }\n\n    @Test\n    public void shouldAllowAdminOnInnerUserPath() {\n        var hasAccess = probe.checkAccess(\n            new FilterInvocation(\"/private/user/foo/admin/bar\", \"GET\"),\n            \"ROLE_ADMIN\"\n        );\n        MatcherAssert.assertThat(\n            hasAccess,\n            Matchers.is(Boolean.TRUE)\n        );\n    }\n\n    @Test\n    public void shouldAllowRememberMe() {\n        var hasAccess = probe.checkAccess(\n            new FilterInvocation(\"/remember\", \"GET\"),\n            AuthorizedRequestsProbe.UserMode.REMEMBER_ME\n        );\n        MatcherAssert.assertThat(\n            hasAccess,\n            Matchers.is(Boolean.TRUE)\n        );\n    }\n}\n```\n\n`AuthorizedRequestsProbe` can use [HttpSecurity#authroizeRequests](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/builders/HttpSecurity.html#authorizeRequests(org.springframework.security.config.Customizer)) customizer but for that it needs a little work because that customizer uses [HttpSecurity](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/builders/HttpSecurity.html) builder as generic type while\n`AuthorizedRequestsProbe` accepts a customizer with any [HttpSecurityBuilder](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/HttpSecurityBuilder.html) type\n\nTo convey this, a generic customizer is needed.\n```java\npublic final class AuthorizedRequestsCustomizer\u003cH extends HttpSecurityBuilder\u003cH\u003e\u003e\n    implements Customizer\u003cExpressionUrlAuthorizationConfigurer\u003cH\u003e.ExpressionInterceptUrlRegistry\u003e {\n\n    @Override\n    public void customize(ExpressionUrlAuthorizationConfigurer\u003cH\u003e.ExpressionInterceptUrlRegistry registry) {\n        registry\n            .mvcMatchers(\"/remember\").rememberMe()\n            .mvcMatchers(\"/private/admin/**\", \"/private/user/**/admin/**\").hasRole(\"ADMIN\")\n            .mvcMatchers(\"/private/user/**\").hasRole(\"USER\")\n            .mvcMatchers(\"/private/**\").authenticated()\n            .anyRequest().permitAll();\n    }\n\n}\n```\n\nNow security configuration will look\n\n```java\n@EnableWebSecurity\npublic class SecConfig extends WebSecurityConfigurerAdapter {\n\n    @Override\n    protected void configure(HttpSecurity http) {\n        http\n            .authorizeRequests(new AuthorizedRequestsCustomizer\u003c\u003e());\n    }\n}\n```\nand in tests:\n```java\npublic final class SecurityTest {\n\n    @SuppressWarnings({\"unchecked\", \"rawtypes\"})\n    static AuthorizedRequestsProbe probe = AuthorizedRequestsProbe\n        .withCustomizer(new AuthorizedRequestsCustomizer());\n    //...\n}\n```\n\n### Usage in integration tests\n\n`AuthorizedRequestsProbe` can be used in integration tests too.\nIn this case `AuthorizedRequestsProbe#usingFilterSecurityInterceptor(context)` factory method will\nextract [FilterInvocationSecurityMetadataSource](https://docs.spring.io/spring-security/site/docs/4.2.19.RELEASE/apidocs/org/springframework/security/web/access/intercept/FilterInvocationSecurityMetadataSource.html) created by HttpSecurity builder from \n[FilterSecurityInterceptor](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/access/intercept/FilterSecurityInterceptor.html)(filter is obtained from the filter list of the exposed [FilterChainProxy](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/FilterChainProxy.html) bean).\n\n```java\n@RunWith(SpringRunner.class)\n@ContextConfiguration(classes = {SecConfig.class})\n@WebAppConfiguration\npublic final class SecurityTest {\n    @Autowired\n    ApplicationContext context;\n\n    AuthorizedRequestsProbe probe;\n\n    @Before\n    public void before() {\n        probe = AuthorizedRequestsProbe.usingFilterSecurityInterceptor(context);\n    }\n}\n```\n\n### Gist\nWhole source code is available in this [gist](https://gist.github.com/criske/5960f55614a5801113a3c97e7ed3737f).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcriske%2Fspringsec-endpoint-test","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcriske%2Fspringsec-endpoint-test","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcriske%2Fspringsec-endpoint-test/lists"}