Disable Spring Security config class for @WebMvcTest in Spring Boot

Question

Recently I have added Spring Security to my Spring Boot project using the following class:

@EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class MySecurityConfig { } 

as result, by default all my URLs are now protected with authentication and a self-generated password.

The problem is that all tests in a @WebMvcTest class that I used for unit-testing a controller:

@RunWith(SpringRunner.class) @WebMvcTest(SomeController.class) public class SomeControllerTest {...} 

are now failing everywhere because of lack of authorization.

Question: can I tell @Test methods to ignore authorization so they keep succeeding as before?

How can I prevent the @EnableWebSecurity config class from being picked on a specific @WebMvcTest unit testing class?

I would like the tests already in place to be able to still go through and to test the authentication features separately later on.

So far I have tried to use a nested config class in the testing class in order to exclude security configs:

@RunWith(SpringRunner.class) @WebMvcTest(SomeController.class) public class SomeControllerTest {      @Configuration     @EnableAutoConfiguration(exclude = { SecurityAutoConfiguration.class})     static class ContextConfiguration { }   ....} 

but it seems not to work.

NOTE : I am using Spring Boot 1.5.8

Answer 1

For me in Spring Boot 2.2.4 (JUnit5) the below seems to have worked and bypass the security filter.

@ExtendWith(SpringExtension.class) @WebMvcTest(SomeController.class) @AutoConfigureMockMvc(addFilters = false) public class SomeControllerTest { ... 

Note: this simply disables any filters in the SpringSecurity configuration. It won't disable the security completely. In other words it will still bootstrap security without loading any filters.