jhipster / generator-jhipster

JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures.
https://www.jhipster.tech
Apache License 2.0

Annotating @Secured(AuthoritiesConstants.ADMIN) is not working #7806

Closed pmverma closed 6 years ago

pmverma commented 6 years ago
Overview of the issue

Annotating @Secured(AuthoritiesConstants.ADMIN) is not working

Motivation for or Use Case

Annotating with @Secured must work as expected; in this case, roles other than ADMIN must fail, but that's not happening.

Reproduce the error
  1. Generate a fresh application

  2. Change the following test method of class UserResourceIntTest.java. Change

    @Test
    @Transactional
    public void createUser() throws Exception {

    to

    @Test
    @Transactional
    @WithMockUser(username="user", password = "user", authorities = {"ROLE_USER"})
    public void createUser() throws Exception {

  3. Run test, ./mvn clean test

  4. All tests are being passed although user creation is allowed only to admin role.

Related issues

7374

Suggest a Fix

-

JHipster Version(s)
myapp@0.0.0 /Users/sierra/jh/myapp
└── generator-jhipster@4.14.4 
JHipster configuration, a .yo-rc.json file generated in the root folder
<details>
<summary>.yo-rc.json file</summary>
<pre>
{
  "generator-jhipster": {
    "promptValues": {
      "packageName": "com.mycompany.myapp"
    },
    "jhipsterVersion": "4.14.4",
    "baseName": "myapp",
    "packageName": "com.mycompany.myapp",
    "packageFolder": "com/mycompany/myapp",
    "serverPort": "8080",
    "authenticationType": "jwt",
    "cacheProvider": "no",
    "websocket": false,
    "databaseType": "sql",
    "devDatabaseType": "h2Disk",
    "prodDatabaseType": "postgresql",
    "searchEngine": false,
    "messageBroker": false,
    "serviceDiscoveryType": false,
    "buildTool": "maven",
    "enableSocialSignIn": false,
    "enableSwaggerCodegen": false,
    "jwtSecretKey": "replaced-by-jhipster-info",
    "clientFramework": "angularX",
    "useSass": false,
    "clientPackageManager": "yarn",
    "applicationType": "monolith",
    "testFrameworks": [],
    "jhiPrefix": "jhi",
    "enableTranslation": false
  }
}
</pre>
</details>
JDL for the Entity configuration(s) entityName.json files generated in the .jhipster directory

ls: no such file or directory: .jhipster/*.json

JDL entity definitions

Environment and Tools

java version "1.8.0_172"
Java(TM) SE Runtime Environment (build 1.8.0_172-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.172-b11, mixed mode)

git version 2.15.1 (Apple Git-101)

node: v8.11.2

npm: 6.0.1

yeoman: 2.0.2

yarn: 1.7.0

Docker version 18.03.1-ce, build 9ee9f40

docker-compose version 1.21.1, build 5a3f1a3

cbornet commented 6 years ago

It's normal that it doesn't work in tests since they use a mock and security is not applied. What does it give with a real server? To apply security in test, add apply(springSecurity()) to restUserMockMvc.

pmverma commented 6 years ago

@cbornet With a real server, it is fine. And thank you for the tip. However, I am still having a problem and I have posted on SO.

https://stackoverflow.com/questions/50921852

I will close this issue as this is an SO question. Thanks.

cbornet commented 6 years ago

We should apply and verify security in the tests. This has been talked about many times but I guess nobody worked on it... As always PRs are very much welcome :smile:.

RothAndrew commented 5 years ago

> It's normal that it doesn't work in tests since they use a mock and security is not applied. What does it give with a real server? To apply security in test, add apply(springSecurity()) to restUserMockMvc.

@cbornet Can you give a little bit more detail? When I do what you are suggesting I get this exception:

springSecurityFilterChain cannot be null. Ensure a Bean with the name springSecurityFilterChain implementing Filter is present or inject the Filter to be used.
java.lang.IllegalStateException: springSecurityFilterChain cannot be null. Ensure a Bean with the name springSecurityFilterChain implementing Filter is present or inject the Filter to be used.

Edit: I got it working. See https://github.com/jhipster/generator-jhipster/issues/7374#issuecomment-417118011