Security Testing (@WithMockUser)

Security Testing ensures that your application’s endpoints are protected, accessible only to authorized users, and safe from common attacks.

In Spring Boot, security testing focuses on verifying authentication, authorization, and security configurations without relying on real users or external identity providers.

What Is Security Testing?

Security Testing is the process of verifying that an application is protected against unauthorized access, data leaks, and security vulnerabilities.

Its main goal is to ensure that only the right users can access the right resources, while keeping sensitive data safe.

In Spring Boot applications, security testing confirms that authentication, authorization, and access rules are correctly enforced.

Why Security Testing Is Important

Security testing helps you to:

• Prevent unauthorized access to APIs and data
• Protect user credentials and sensitive information
• Validate role-based access control (ADMIN, USER, etc.)
• Detect security issues before production
• Meet security and compliance requirements

What Does Security Testing Cover?

Security testing typically verifies:

• Authentication – Who is the user? (login, tokens, sessions)
• Authorization – What resources can the user access?
• Access control – Role- and permission-based restrictions
• Secure endpoints – Public vs protected APIs
• Security configuration – Spring Security rules and filters

Security Testing Tools in Spring Boot

Spring Boot provides powerful tools for security testing through Spring Security Test support.

Commonly used tools include:

• @WithMockUser – Simulates an authenticated user
• @WebMvcTest – Tests secured controllers only
• MockMvc – Sends mock HTTP requests
• @SpringBootTest – Runs full security integration tests

These tools allow you to test security rules without real authentication systems.

What Is @WithMockUser?

@WithMockUser is a Spring Security test annotation used to simulate an authenticated user during tests, without calling a real login API or authentication provider.

It allows you to test secured controllers and endpoints quickly and reliably.

In Short: @WithMockUser lets you mock a logged-in user in Spring Boot security tests.

Why Use @WithMockUser?

• Test secured endpoints without real authentication
• Simulate users with roles and authorities
• Verify access control rules (ROLE_ADMIN, ROLE_USER)
• Keep tests fast and isolated
• Ideal for controller-level security testing
• CI/CD friendly

How @WithMockUser Works

During test execution, Spring Security:

1. Creates a mock authenticated user
2. Injects it into the SecurityContext
3. Applies role- and authority-based rules
4. Clears the context after the test

• No database
• No JWT
• No OAuth server

Example: Secured Controller

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/admin")
public class AdminController {

    @GetMapping("/dashboard")
    @PreAuthorize("hasRole('ADMIN')")
    public String dashboard() {
        return "Admin Dashboard";
    }
}

• @RestController – Marks this class as a REST controller.
• @RequestMapping("/api/admin") – Base path for all endpoints in this controller.
• @GetMapping("/dashboard") – Handles GET requests to /api/admin/dashboard.
• @PreAuthorize("hasRole('ADMIN')") – Ensures only users with the ADMIN role can access this endpoint.

Security Test with @WithMockUser

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@WebMvcTest(AdminController.class)
class AdminControllerTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    @WithMockUser(username = "admin", roles = "ADMIN")
    void shouldAllowAdminAccess() throws Exception {
        mockMvc.perform(get("/api/admin/dashboard"))
               .andExpect(status().isOk());
    }
}

• @WebMvcTest(AdminController.class) – Loads only the AdminController and Spring MVC infrastructure for faster tests.
• MockMvc – Simulates HTTP requests without starting a server.
• @WithMockUser – Mocks an authenticated user with the given username and roles.
• andExpect(status().isOk()) – Verifies that ADMIN users can access the endpoint.

Access Denied Scenario

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@WebMvcTest(AdminController.class)
class AdminControllerTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    @WithMockUser(username = "user", roles = "USER")
    void shouldDenyUserAccess() throws Exception {
        mockMvc.perform(get("/api/admin/dashboard"))
               .andExpect(status().isForbidden());
    }
}

• @WithMockUser(username = "user", roles = "USER") – Mocks a non-admin user.
• status().isForbidden() – Confirms that access is blocked for users without the ADMIN role.
• Works alongside your allow-admin test to fully verify method-level security.

Customizing @WithMockUser

import org.springframework.security.test.context.support.WithMockUser;

@WithMockUser(
    username = "john",
    roles = {"USER"},
    authorities = {"READ_PRIVILEGES"}
)

What You Can Customize:

Example: Custom Test

@Test
@WithMockUser(
    username = "john",
    roles = {"USER"},
    authorities = {"READ_PRIVILEGES"}
)
voidshouldAllowReadAccess()throws Exception {
    mockMvc.perform(get("/api/resource/read"))
           .andExpect(status().isOk());
}

Testing Anonymous Access

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.security.test.context.support.WithAnonymousUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@WebMvcTest(ProfileController.class)
class ProfileControllerTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    @WithAnonymousUser
    void anonymousUserIsRejected() throws Exception {
        mockMvc.perform(get("/api/profile"))
               .andExpect(status().isUnauthorized());
    }
}

• @WithAnonymousUser – Simulates an unauthenticated user.
• status().isUnauthorized() – Verifies that anonymous access is blocked for secured endpoints.
• Works well with @WebMvcTest for controller-level security testing.

Testing CSRF Protection

Spring Security enables CSRF protection by default for state-changing HTTP methods (POST, PUT, DELETE).

These tests demonstrate how requests behave with and without a CSRF token.

CSRF Enabled (Default)

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@WebMvcTest(UserController.class)
class UserControllerTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void postWithoutCsrfShouldFail() throws Exception {
        mockMvc.perform(post("/users"))
               .andExpect(status().isForbidden());
    }
}

• Sending a POST request without a CSRF token is blocked.
• status().isForbidden() confirms CSRF protection is working.

Sending a Request With CSRF Token

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;

@Test
void postWithCsrfShouldSucceed() throws Exception {
    mockMvc.perform(post("/users").with(csrf()))
           .andExpect(status().isOk());
}

• .with(csrf()) adds a valid CSRF token to the request.
• The request now passes CSRF protection and succeeds.

Testing JWT-Secured APIs

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.security.core.authority.SimpleGrantedAuthority;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@WebMvcTest(OrderController.class)
class OrderControllerTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void jwtAuthenticatedRequest() throws Exception {
        mockMvc.perform(get("/api/orders")
                .with(jwt().authorities(new SimpleGrantedAuthority("ROLE_USER"))))
               .andExpect(status().isOk());
    }
}

• jwt() – Mocks a JWT-authenticated request for testing without generating a real token.
• authorities(new SimpleGrantedAuthority("ROLE_USER")) – Grants roles or permissions to the mock JWT.
• Works with Spring Security’s OAuth2 / JWT support in @WebMvcTest.
• status().isOk() confirms the request successfully passes authentication and authorization.

Optional Enhancements

• Test access denied with invalid roles:

@Test
voidjwtUnauthorizedRequest()throws Exception {
    mockMvc.perform(get("/api/orders")
            .with(jwt().authorities(newSimpleGrantedAuthority("ROLE_GUEST"))))
           .andExpect(status().isForbidden());
}

• Combine with CSRF tests if JWT-protected endpoints also require it.
• Use .jwt(jwt -> jwt.claim("sub", "user123")) to mock custom claims for testing.

@WebMvcTest vs @SpringBootTest for Security

@WithMockUser vs Real Authentication

When to Use @WithMockUser

Use @WithMockUser for fast, isolated security testing:

• Testing secured controllers
• Validating role-based access (@PreAuthorize, @RolesAllowed)
• Writing MockMvc tests without full application context
• Needing quick security validation

When NOT to Use It

Avoid it when testing real authentication flows:

• JWT, OAuth2, or SSO-based authentication
• Validating actual authentication providers
• Performing end-to-end security tests

For those scenarios, use a full Spring context:

@SpringBootTest
// with real security configuration and services

Best Practices

• Use @WithMockUser for controller security tests
• Combine with @WebMvcTest
• Test both authorized and unauthorized access
• Keep tests focused and isolated
• Add real authentication tests separately

Key Takeaways

• Security testing ensures your application is safe and protected
• @WithMockUser simulates authenticated users
• Ideal for fast, reliable security testing
• Helps verify roles, permissions, and access rules
• Prevents security bugs before production

Conclusion

Security Testing in Spring Boot ensures your APIs are safe, restricted, and correctly configured.

By using:

• @WithMockUser
• MockMvc
• CSRF & JWT testing
• Role-based validations
• @WebMvcTest and @SpringBootTest

you can confidently verify authentication and authorization rules, prevent security bugs, and deliver secure, production-ready Spring Boot applications.