Integration Testing Security

Hello Guys,

I had thought about posting this over on the MXUnit list, but figured that the integration testing and the security model are more specific to CB.

I plan on integrating some security using the CB security interceptor.

How can I integration test this? I presume in an ideal world I’d want tests that try to access some events and get denied, to ensure security is working, then login and test the methods to ensure they’re working correctly, then logout again?

I really have no idea on the best approach to take with this.

Thanks guys,

Robert

I would suggest that in your setup methods you mock the login of a test user that you control, then test, and then in your teardown log them out according to your procedures.

So if a user, in order to log in, needs to be placed in session scope (or his id), why not do that in the setup and then remove it in the teardown?

Luis F. Majano
President
Ortus Solutions, Corp

ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Blog: http://www.luismajano.com
IECFUG Manager: http://www.iecfug.com

Thanks Luis,

That’s a great way to handle things.

One thing I wonder is whether the integration test should be used to test that the security is working as expected.

So,

  1. attempt to access secured events when not logged in should result in relocation to x.
  2. attempt to access secured events when logged in should run the event.

This could help me identify events that should be secured but are missed by rules etc.

Perhaps this is outside of the scope of integration testing, and I shouldn’t be testing the security in this way, or perhaps I’m just creating too much work for myself.

I’d be interested in people’s thoughts though.

Robert

Why not? I would create one integration test that does all this for you.