WebSecurityCustomizer beans are excluded by WebMvcTest

nosan · nosan · commit beaf2b07aafd · 2025-11-10T13:01:28.000+01:00
Add WebSecurityCustomizer to optional includes.

Signed-off-by: Dmytro Nosan &lt;dimanosan@gmail.com&gt;
diff --git a/spring-boot-project/spring-boot-test-autoconfigure/src/main/java/org/springframework/boot/test/autoconfigure/web/servlet/WebMvcTest.java b/spring-boot-project/spring-boot-test-autoconfigure/src/main/java/org/springframework/boot/test/autoconfigure/web/servlet/WebMvcTest.java
@@ -56,8 +56,8 @@
  * <li>{@code Converter}</li>
  * <li>{@code DelegatingFilterProxyRegistrationBean}</li>
  * <li>{@code ErrorAttributes}</li>
- * <li>{@code Filter}</li>
  * <li>{@code FilterRegistrationBean}</li>
+ * <li>{@code Filter}</li>
  * <li>{@code GenericConverter}</li>
  * <li>{@code HandlerInterceptor}</li>
  * <li>{@code HandlerMethodArgumentResolver}</li>
@@ -68,6 +68,7 @@
  * <li>{@code WebMvcConfigurer}</li>
  * <li>{@code WebMvcRegistrations}</li>
  * <li>{@code WebSecurityConfigurer}</li>
+ * <li>{@code WebSecurityCustomizer}</li>
  * </ul>
  * <p>
  * By default, tests annotated with {@code @WebMvcTest} will also auto-configure Spring
diff --git a/spring-boot-project/spring-boot-test-autoconfigure/src/main/java/org/springframework/boot/test/autoconfigure/web/servlet/WebMvcTypeExcludeFilter.java b/spring-boot-project/spring-boot-test-autoconfigure/src/main/java/org/springframework/boot/test/autoconfigure/web/servlet/WebMvcTypeExcludeFilter.java
@@ -52,6 +52,7 @@ public final class WebMvcTypeExcludeFilter extends StandardAnnotationCustomizabl
 	private static final Class<?>[] NO_CONTROLLERS = {};
 
 	private static final String[] OPTIONAL_INCLUDES = { "com.fasterxml.jackson.databind.Module",
+			"org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer",
 			"org.springframework.security.config.annotation.web.WebSecurityConfigurer",
 			"org.springframework.security.web.SecurityFilterChain", "org.thymeleaf.dialect.IDialect" };
 
diff --git a/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/servlet/WebMvcTypeExcludeFilterTests.java b/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/servlet/WebMvcTypeExcludeFilterTests.java
@@ -29,6 +29,8 @@
 import org.springframework.core.type.classreading.MetadataReaderFactory;
 import org.springframework.core.type.classreading.SimpleMetadataReaderFactory;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.stereotype.Controller;
 import org.springframework.stereotype.Repository;
@@ -64,6 +66,7 @@ void matchWhenHasNoControllers() throws Exception {
 		assertThat(excludes(filter, ExampleHandlerInterceptor.class)).isFalse();
 		assertThat(excludes(filter, ExampleModule.class)).isFalse();
 		assertThat(excludes(filter, ExampleDialect.class)).isFalse();
+		assertThat(excludes(filter, ExampleWebSecurityCustomizer.class)).isFalse();
 	}
 
 	@Test
@@ -81,6 +84,7 @@ void matchWhenHasController() throws Exception {
 		assertThat(excludes(filter, ExampleHandlerInterceptor.class)).isFalse();
 		assertThat(excludes(filter, ExampleModule.class)).isFalse();
 		assertThat(excludes(filter, ExampleDialect.class)).isFalse();
+		assertThat(excludes(filter, ExampleWebSecurityCustomizer.class)).isFalse();
 	}
 
 	@Test
@@ -98,6 +102,7 @@ void matchNotUsingDefaultFilters() throws Exception {
 		assertThat(excludes(filter, ExampleHandlerInterceptor.class)).isTrue();
 		assertThat(excludes(filter, ExampleModule.class)).isTrue();
 		assertThat(excludes(filter, ExampleDialect.class)).isTrue();
+		assertThat(excludes(filter, ExampleWebSecurityCustomizer.class)).isTrue();
 	}
 
 	@Test
@@ -114,6 +119,7 @@ void matchWithIncludeFilter() throws Exception {
 		assertThat(excludes(filter, ExampleHandlerInterceptor.class)).isFalse();
 		assertThat(excludes(filter, ExampleModule.class)).isFalse();
 		assertThat(excludes(filter, ExampleDialect.class)).isFalse();
+		assertThat(excludes(filter, ExampleWebSecurityCustomizer.class)).isFalse();
 	}
 
 	@Test
@@ -131,6 +137,7 @@ void matchWithExcludeFilter() throws Exception {
 		assertThat(excludes(filter, ExampleHandlerInterceptor.class)).isFalse();
 		assertThat(excludes(filter, ExampleModule.class)).isFalse();
 		assertThat(excludes(filter, ExampleDialect.class)).isFalse();
+		assertThat(excludes(filter, ExampleWebSecurityCustomizer.class)).isFalse();
 	}
 
 	private boolean excludes(WebMvcTypeExcludeFilter filter, Class<?> type) throws IOException {
@@ -217,4 +224,13 @@ public String getName() {
 
 	}
 
+	static class ExampleWebSecurityCustomizer implements WebSecurityCustomizer {
+
+		@Override
+		public void customize(WebSecurity web) {
+
+		}
+
+	}
+
 }
diff --git a/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/servlet/mockmvc/ExampleWebSecurityCustomizer.java b/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/servlet/mockmvc/ExampleWebSecurityCustomizer.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.test.autoconfigure.web.servlet.mockmvc;
+
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+import org.springframework.stereotype.Component;
+
+/**
+ * Example {@link WebSecurityCustomizer} used with {@code @WebMvcTest} tests, particularly
+ * to verify its discovery.
+ *
+ * @author Dmytro Nosan
+ */
+@Component
+class ExampleWebSecurityCustomizer implements WebSecurityCustomizer {
+
+	@Override
+	public void customize(WebSecurity web) {
+		web.ignoring().requestMatchers("/three/aaaa");
+	}
+
+}
diff --git a/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/servlet/mockmvc/WebMvcTestWebSecurityCustomizerIntegrationTests.java b/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/servlet/mockmvc/WebMvcTestWebSecurityCustomizerIntegrationTests.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.test.autoconfigure.web.servlet.mockmvc;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.boot.test.context.TestConfiguration;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.test.web.servlet.assertj.MockMvcTester;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests for {@link WebMvcTest @WebMvcTest} to validate {@link WebSecurityCustomizer} are
+ * discovered.
+ *
+ * @author Dmytro Nosan
+ */
+@WebMvcTest(controllers = ExampleController3.class)
+class WebMvcTestWebSecurityCustomizerIntegrationTests {
+
+	@Autowired
+	private MockMvcTester mvc;
+
+	@Test
+	void shouldIncludesWebSecurityCustomizers() {
+		assertThat(this.mvc.get().uri("/three")).hasStatus4xxClientError();
+		assertThat(this.mvc.get().uri("/three/abcd")).hasStatus4xxClientError();
+		assertThat(this.mvc.get().uri("/three/aaaa")).hasStatusOk().bodyText().isEqualTo("Hello aaaa");
+	}
+
+	/**
+	 * Test security configuration to ensure that all endpoints are secured.
+	 */
+	@TestConfiguration(proxyBeanMethods = false)
+	static class SecurityConfig {
+
+		@Bean
+		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+			return http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated()).build();
+		}
+
+	}
+
+}
