Home/ Questions/Q 1115939
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T03:13:51+00:00

I’m writing test cases for a project which still uses the Acegi plugin (not

  • 0

I’m writing test cases for a project which still uses the Acegi plugin (not the newer Spring Core Security plugin) and as of now, I’ve managed to do what this site (http://www.zorched.net/2008/09/01/grails-testing-acegi-security/)

has suggested regarding the detection of which user is currently logged in. However, in my controller, I have stuff that looks like this:

def list = {
     // code for an "admin account"
}

def list_others = {
     // code for other accounts
}

Now, I do not check in the controller the logged in user. Instead, I have these defined in the SecurityConfig.groovy like:

security {
     ...
     requestMapString = """\
          /someController/list=ROLE_ADMIN
          /someController/list_others=ROLE_OTHERS
     """
     ...
}

Hence, if I had a test that looked like this:

void testTrial() {
     // define here that otherUser has a role of ROLE_OTHERS

     authenticate(otherUser, "other") // this calls the authenticate methode in the site I gave earlier
     controller.list()

     // I do an assertion here to check where this goes to
}

Thing is, when I do the assertion, of course list will tell me that it forwarded to list.gsp… even if the “logged in” user has a role of ROLE_OTHERS and not an admin.

However, what I need is how to test what a logged-in user is only supposed to access? In this case, given that the call is to *.list() and the logged in user has a ROLE_OTHERS role, I should have been forwarded to a “denied” page.

Help? Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You’ll need functional tests for this. Unit tests are just Groovy or Java classes plus some mocking. There’s no Spring application context, no Hibernate, no database, and most importantly for this case no plugins.

    Integration tests give you more functionality, but even there requests are mostly simulated and since there’s no container, no filters fire. Spring Security (which the Acegi plugin uses) is based on a chain of servlet filters. So if you want to test that your security rules are being applied correctly you’ll need a running server, hence functional tests.

    There are several options for functional testing, the most popular ones being WebTest: http://grails.org/plugin/webtest, the Functional Testing plugin: http://grails.org/plugin/functional-test, and the Selenium RC plugin: http://grails.org/plugin/selenium-rc.

    The newest one is Geb: http://grails.org/plugin/geb. The manual is at http://geb.codehaus.org/ and there was a recent blog post written about it here: http://blog.springsource.com/2010/08/28/the-future-of-functional-web-testing/

    • 0