Talk at http://greach.es/ 2013 on testing Grails applications that use the Spring Security plugins

1. Testing the Grails Spring Security Plugins
Burt Beckwith, SpringSource
@burtbeckwith
http://burtbeckwith.com/blog/
CONFIDENTIAL
© 2010 SpringSource, A division of VMware. All rights reserved

2. Unit tests are not an option
CONFIDENTIAL 2

3. Unit Tests
 Spring Security is implemented as
a filter chain
• If you use unit testing, mocks, etc.
you only test the mocks
CONFIDENTIAL 3

4. Ok, so what about integration tests?
CONFIDENTIAL 4

5. Integration Tests
 Spring Security is implemented as
a filter chain
• If you use integration testing, mock
request, response, etc. you still don't
have a real filter chain
CONFIDENTIAL 5

6. But there are uses for integration tests
CONFIDENTIAL 6

7. Integration Tests
 Grails integration tests are unit tests + Spring + DB + plugins
• So you can test the configuration
 There's no servlet container, but you can test services
• So ACL testing (both Spring Security and Shiro) is a good fit here
CONFIDENTIAL 7

8. Damn, so I have to use functional tests?
CONFIDENTIAL 8

9. Yes.
CONFIDENTIAL 9

10. Functional tests
 Ideal for security testing
• Make many real requests against a real, properly configured web server
• Test authentication, authorization, configuration - everything
CONFIDENTIAL 10

11. Functional tests
 Functional test plugins
• I use http://grails.org/plugin/functional-test (version 1.2.7)
• Geb is a great option - http://www.gebish.org/
• Webdriver/Selenium
• jQuery selector syntax
• Spock, JUnit & TestNG
• Actively developed, active mailing list
CONFIDENTIAL 11

12. Grails functional-test plugin
 Apache Commons HttpClient to make GET/POST requests
 HtmlUnit to parse responses
 JUnit 3 base class with helper methods
 2.0 is in development, but I still use 1.2.7
• NEVER RUN create-functional-test script – will overwrite grails-
app/conf files
CONFIDENTIAL 12

13. Grails functional-test plugin
 Usage
• Add plugin dependency in BuildConfig.groovy
• test ':functional-test:1.2.7'
• Will fail to resolve dependencies on first compile
• Fatal error during compilation
org.apache.tools.ant.BuildException:
java.lang.NoClassDefFoundError:
Lcom/gargoylesoftware/htmlunit/html/HTMLParser$Html
UnitDOMBuilder
• Just run grails compile again
CONFIDENTIAL 13

14. Grails functional-test plugin
 Creating test classes
• NEVER RUN create-functional-test script – will overwrite grails-
app/conf files
• Just create a class in test/functional that extends
functionaltestplugin.FunctionalTestCase
CONFIDENTIAL 14

15. Grails functional-test plugin
import functionaltestplugin.FunctionalTestCase
class LoginTests extends FunctionalTestCase {
void testSomeWebsiteFeature() {
// Here call get(uri) or post(uri) to start
// the session and then use the custom
// assertXXXX calls etc to check the response
//
// get('/something')
// assertStatus 200
// assertContentContains 'the expected text'
}
}
CONFIDENTIAL 15

16. How to find all controller actions?
import grails.web.Action
...
def data = []
for (controller in grailsApplication.controllerClasses) {
List<String> actions = controller.clazz.methods.findAll(
{ it.getAnnotation(Action) })*.name
data << [controller: controller.logicalPropertyName,
controllerName: controller.fullName,
actions: actions.sort()]
}
CONFIDENTIAL 16

17. How to find all controller actions?
[controller:book, controllerName:greach.BookController,
actions:[create, delete, edit, list, save, show, update]]
[controller:errors, controllerName:greach.ErrorsController,
actions:[error403, error404, error500]]
[controller:login, controllerName:LoginController,
actions: [ajaxDenied, ajaxSuccess, auth, authAjax,
authfail, denied, full, index]]
[controller:logout, controllerName:LogoutController,
actions:[index]]
[controller:secure, controllerName:greach.SecureController,
actions:[admin, index, user]]
CONFIDENTIAL 17

18. Demo
CONFIDENTIAL 18