Disable security in springBootTest using WebTestClient

Question

SpringBoot in 2.1 Release Notes contain the following piece of information:

Security configuration is now applied to WebTestClient. For more information on testing secured endpoints, please refer to the relevant section of Spring Security’s reference documentation.

Problem:

After updating SpringBoot from 2.0.4 to 2.1.2 I found that my tests have stopped to work. I am using @SpringBootTest for my REST test. My WebTestClient cannot reach server. I did try a lot (e.g. from here) to mock or disable security and still getting 403 FORBIDDEN response.

Do you have any clues what can be wrong?

I create WebTestClient in the following way:

client = WebTestClient
  .bindToServer()
  .baseUrl("http://localhost:$port")
  .build()

Also tried to exclude SecurityAutoConfiguration.class.

Answer 1

In some dark place, deep down the rabbit hole I found this:

@TestConfiguration
@Order(1)
public class SecurityConfiguration
  implements WebSecurityConfigurer<WebSecurity> {

  @Override
  public void init(WebSecurity builder) throws Exception {
    builder.ignoring().requestMatchers(
      new AntPathRequestMatcher("/**"));
  }

  @Override
  public void configure(WebSecurity builder) throws Exception {
  }

}

Remember to register class in @SpringBootTest, for instance:

@SpringBootTest(
  classes = [SomeApplication, SecurityConfiguration],
  webEnvironment = RANDOM_PORT
)

It's not disabling spring security, but it makes it transparent.