Hi, I'm kinda lost.

I'm writing test cases for a project which still uses the Acegi plugin (not the newer Spring Core Security plugin) and as of now, I've managed to do what this site (http://www.zorched.net/2008/09/01/grails-testing-acegi-security/) has suggested regarding the detection of which user is currently logged in. However, in my controller, I have stuff that looks like this:

def list = {
     // code for an "admin account"
}

def list_others = {
     // code for other accounts
}

Now, I do not check in the controller the logged in user. Instead, I have these defined in the SecurityConfig.groovy like:

security {
     ...
     requestMapString = """\
          /someController/list=ROLE_ADMIN
          /someController/list_others=ROLE_OTHERS
     """
     ...
}

Hence, if I had a test that looked like this:

void testTrial() {
     // define here that otherUser has a role of ROLE_OTHERS

     authenticate(otherUser, "other") // this calls the authenticate method in the site I gave earlier
     controller.list()

     // I do an assertion here to check where this goes to
}

Thing is, when I do the assertion, of course list will tell me that it forwarded to list.gsp... even if the "logged in" user has a role of ROLE_OTHERS and not an admin.

However, what I need is how to test what a logged-in user is only supposed to access? In this case, given that the call is to *.list() and the logged in user has a ROLE_OTHERS role, I should have been forwarded to a "denied" page.

Help? Thanks!

A: 

You'll need functional tests for this. Unit tests are just Groovy or Java classes plus some mocking. There's no Spring application context, no Hibernate, no database, and most importantly for this case no plugins.

Integration tests give you more functionality, but even there requests are mostly simulated and since there's no container, no filters fire. Spring Security (which the Acegi plugin uses) is based on a chain of servlet filters. So if you want to test that your security rules are being applied correctly you'll need a running server, hence functional tests.

There are several options for functional testing, the most popular ones being WebTest: http://grails.org/plugin/webtest, the Functional Testing plugin: http://grails.org/plugin/functional-test, and the Selenium RC plugin: http://grails.org/plugin/selenium-rc.

The newest one is Geb: http://grails.org/plugin/geb. The manual is at http://geb.codehaus.org/ and there was a recent blog post written about it here: http://blog.springsource.com/2010/08/28/the-future-of-functional-web-testing/

Burt Beckwith
lolz, was kinda afraid that it would involve functional tests. anyway, i'll check those out, thanks! that helps out quite a bit :)
callie16
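
Added example, not part of the original thread: a container-level test of the two requestMapString rules from the question, sent over HTTP to a running instance (for example one started with `grails run-app`) so that the security filter chain actually fires. The base URL, the login endpoint, the denied-page path and the test user "other" with password "other" holding ROLE_OTHERS are assumptions; adjust them to the project's SecurityConfig.groovy.

```groovy
// Added example. Assumed values: app URL, login endpoint, denied page path,
// and an existing user "other"/"other" that holds ROLE_OTHERS.
class RequestMapFunctionalTests extends GroovyTestCase {

    static final String BASE = 'http://localhost:8080/myapp'   // assumed app URL
    static final String LOGIN = '/j_spring_security_check'     // assumed login endpoint
    static final String DENIED = '/login/denied'               // assumed "denied" page

    // Sends one request without following redirects, so the filter chain's
    // decision (200, 403, or a 302 to the login/denied page) stays visible.
    private HttpURLConnection send(String path, String cookie = null, String body = null) {
        HttpURLConnection c = (HttpURLConnection) new URL(BASE + path).openConnection()
        c.instanceFollowRedirects = false
        if (cookie) c.setRequestProperty('Cookie', cookie)
        if (body != null) {
            c.requestMethod = 'POST'
            c.doOutput = true
            c.setRequestProperty('Content-Type', 'application/x-www-form-urlencoded')
            c.outputStream.withStream { it.write(body.getBytes('UTF-8')) }
        }
        c.getResponseCode()   // forces the request to be sent
        return c
    }

    // Logs in through the real authentication filter and returns the session cookie.
    private String login(String user, String pass) {
        def body = "j_username=${URLEncoder.encode(user, 'UTF-8')}" +
                   "&j_password=${URLEncoder.encode(pass, 'UTF-8')}"
        def setCookie = send(LOGIN, null, body).getHeaderField('Set-Cookie')
        assertNotNull 'no session cookie after login', setCookie
        return setCookie.split(';')[0]   // keep only "NAME=value"
    }

    // /someController/list=ROLE_ADMIN: a ROLE_OTHERS user must be turned away.
    void testRoleOthersIsDeniedAdminList() {
        def resp = send('/someController/list', login('other', 'other'))
        def location = resp.getHeaderField('Location') ?: ''
        assertTrue "expected denial, got ${resp.responseCode} ${location}",
                   resp.responseCode == 403 || location.contains(DENIED)
    }

    // /someController/list_others=ROLE_OTHERS: the same user must get through.
    void testRoleOthersCanReachOwnList() {
        def resp = send('/someController/list_others', login('other', 'other'))
        assertEquals 200, resp.responseCode
    }
}
```

A failed login makes both tests fail rather than pass silently: an unauthenticated request is redirected to the login page, which matches neither the denied-page check nor the 200 check.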