spring-security-testing

star 48

Spring Security 7 changed method security defaults and CSRF handling — tests using hasRole() or csrf() may need updates. Read before testing authentication, authorization, or secured endpoints. Triggers: @WithMockUser, csrf(), jwt(), oauth2Login(), SecurityFilterChain, @PreAuthorize, AccessDeniedException, @WithUserDetails, @WithSecurityContext, hasRole, hasAuthority, SCOPE_, JwtAuthenticationToken.

spring-ai-community

By spring-ai-community schedule Updated 4/8/2026

play_arrow Run Skill in Manus View GitHub

name: spring-security-testing description: "Spring Security 7 changed method security defaults and CSRF handling — tests using hasRole() or csrf() may need updates. Read before testing authentication, authorization, or secured endpoints. Triggers: @WithMockUser, csrf(), jwt(), oauth2Login(), SecurityFilterChain, @PreAuthorize, AccessDeniedException, @WithUserDetails, @WithSecurityContext, hasRole, hasAuthority, SCOPE_, JwtAuthenticationToken." version: 0.1.0 license: Apache-2.0

Spring Security Testing

Signals: @WithMockUser, @WithUserDetails, csrf(), jwt(), oauth2Login(), mockOidcLogin(), @WithSecurityContext, SecurityMockMvcRequestPostProcessors, AccessDeniedException, SCOPE_

Tested With

Spring Boot 3.2+ / Spring Boot 4.x
Spring Security 6.x / 7.x
Spring Framework 6.x / Spring Framework 7.x
JUnit 5

Do NOT Use This Skill When

Testing REST controller HTTP behavior (status codes, JSON body, headers) without security focus → use spring-mvc-testing
Testing reactive endpoints with security → use spring-webflux-testing
Testing JPA repositories → use spring-jpa-testing
Writing pure unit tests for service logic without security context → use spring-testing-fundamentals

When to Read References

Situation	Read
`@WithMockUser` and `@WithUserDetails` setup	`references/security-testing-patterns.md`
`roles` vs `authorities` and the `ROLE_` prefix trap	`references/security-testing-patterns.md`
Per-request auth with `SecurityMockMvcRequestPostProcessors` (`user()`, `httpBasic()`)	`references/security-testing-patterns.md`
CSRF on POST/PUT/DELETE — preventing 403 in tests	`references/security-testing-patterns.md`
JWT resource server testing with `jwt()` post-processor	`references/security-testing-patterns.md`
OAuth2 login and OIDC testing with `oauth2Login()`, `mockOidcLogin()`	`references/security-testing-patterns.md`
Custom `@WithSecurityContext` for complex JWT scenarios	`references/security-testing-patterns.md`
`@PreAuthorize` method security testing	`references/security-testing-patterns.md`
Boot 3.x → 4.x security testing changes	`references/security-testing-patterns.md`

Install via CLI

npx skills add https://github.com/spring-ai-community/spring-testing-skills --skill spring-security-testing

Repository Details

star Stars 48

call_split Forks 2

navigation Branch main

article Path SKILL.md

More from Creator

spring-ai-community

spring-ai-community Explore all skills →