Hello,

I am trying to test web resources secured with Spring Security, but my tests always seem to be able to access the secured resources, i.e. I always get a status of 200 even though the credentials are dummy.

I am not sure what I am doing wrong.

Here is the test class:
Code:
/**
 * Checks that a user who lacks the required role is refused access to an admin URL when the
 * request is sent through the Spring Security filter chain.
 *
 * <p>The test user is built directly as an authenticated token, so the "dummy" password is never
 * verified against a user store. The access decision under test depends on the granted authority
 * ({@code ROLE_DUMMY}), not on the credentials.
 */
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(locations = { "classpath:/META-INF/spring/applicationContext*.xml" })
public class AuthorizationTest {

	// Root application context files; the same pattern is used by @ContextConfiguration above.
	private String rootContextLocation = "classpath:/META-INF/spring/applicationContext*.xml";
	// Spring MVC servlet context handed to the MockMvc builder.
	private String mvcContextLocation = "file:src/main/webapp/WEB-INF/spring/webmvc-config.xml";
	// Web application root directory, resolved from the file system.
	private String webAppRoot = "src/main/webapp";

	// Security filter chain taken from the test's own application context.
	@Autowired
	private FilterChainProxy springSecurityFilterChain;

	// Token for the under-privileged test user, rebuilt before every test.
	private Authentication authentication;

	/**
	 * Creates the test user holding only {@code ROLE_DUMMY} and binds it to the thread-bound
	 * security context.
	 */
	@Before
	public void setup() {
		// The three-argument constructor produces a token already marked as authenticated.
		authentication = new UsernamePasswordAuthenticationToken(
				"jumartin", "dummy", AuthorityUtils.createAuthorityList("ROLE_DUMMY"));
		// NOTE(review): a filter chain built from an <http> element normally reloads the security
		// context from its own repository at the start of each request, which may replace the value
		// set here - confirm which Authentication the access decision actually sees.
		// NOTE(review): nothing in this class clears the holder after the test, so the token can
		// remain bound to the thread for tests that run later.
		SecurityContextHolder.getContext().setAuthentication(authentication);
	}

	/**
	 * Requests {@code /admin/clients} as the {@code ROLE_DUMMY} user and expects HTTP 403.
	 *
	 * @throws Exception if building the MockMvc instance or performing the request fails
	 */
	@Test
	public void testFailedAuthorization() throws Exception {
		MockMvc mockMvc = MockMvcBuilders
				.xmlConfigSetup(mvcContextLocation, rootContextLocation)
				.configureWebAppRootDir(webAppRoot, false)
				.addFilters(springSecurityFilterChain)
				.build();

		// principal(...) only sets the request's user principal.
		// NOTE(review): a 200 here means the request reached the controller; check that the filter
		// was actually applied to the request and that the path it matched on is /admin/clients.
		mockMvc
				.perform(MockMvcRequestBuilders.get("/admin/clients")
						.principal(authentication)
						.param("form", ""))
				.andExpect(MockMvcResultMatchers.status().isForbidden());
	}

}
and the relevant snippet from applicationContext-security.xml file:

Code:
<!-- Enables the pre/post security annotations for method-level security. -->
<global-method-security pre-post-annotations="enabled"/>
	<!-- HTTP security configuration. Remove the comment markers to enable Spring Security. -->
	<!-- intercept-url rules are matched in declaration order and the first matching pattern decides. -->
	<http auto-config="true" use-expressions="true">
		<!-- Session control: at most one session per user; exceeding the limit is reported as an error. -->
		<session-management>
			<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login" />
		</session-management>
		<form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
		<logout logout-url="/resources/j_spring_security_logout" />
		<intercept-url pattern='/css/**' access="permitAll" />
		<!-- Open to everyone; the login-processing and logout URLs above also sit under this prefix. -->
		<intercept-url pattern='/resources/**' access="permitAll" />
		<!-- Access-denied page -->
		<intercept-url pattern='/authzError/**' access="permitAll" />
		<!-- Login page -->
		<intercept-url pattern='/login' access="permitAll" />
		<!-- User entity: admin URLs require ROLE_ADMIN. Must stay above the catch-all rule below. -->
		<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
		<!-- Application roles: every other URL requires one of the roles listed here. -->
		<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_OPE_NUM','ROLE_OPE_NUM_RENFORT','ROLE_ACCN','ROLE_CHEF_EQUIPE','ROLE_RESP_PROD','ROLE_CODIR')" />
	</http>
Can anyone please help?

Regards,

J.