Steps to Reproduce

  1. Download this Spring Boot v4.0.0-M3 app (be sure to use the rest-test-client-spring-security branch)
  2. Run the tests in ItemControllerTests

Expected Outcome

Both tests should pass: each attempts to access a secured endpoint without authenticating and expects a 401 (UNAUTHORIZED) response.

Actual Outcome

  • getWithMockMvc passes because the expected 401 (UNAUTHORIZED) status is returned
  • getWithRestTestClient fails because a 200 (OK) status is returned

AFAIK, both of these tests should return the same status because they are using the same configuration.
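As an added control case (not the issue's own ItemControllerTests), the following test class sends the same two unauthenticated requests, but builds both clients by hand from the WebApplicationContext so that Spring Security's filter chain is applied explicitly through springSecurity() from spring-security-test. It assumes a GET /items endpoint in the demo app and the Spring Framework 7 RestTestClient setup API (bindToApplicationContext, apply, build), which mirrors WebTestClient's MockMvc binding; the class and test names are invented for this example.

```java
// Added example, not the issue's own ItemControllerTests: both clients are
// wired by hand from the WebApplicationContext with springSecurity() applied,
// so the security filter chain is known to be in the request path.
// Assumed: a GET /items endpoint, and the Spring Framework 7 RestTestClient
// API bindToApplicationContext(...).apply(...).build().
package com.example.items;

import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.HttpStatus;
import org.springframework.test.web.servlet.assertj.MockMvcTester;
import org.springframework.test.web.servlet.client.RestTestClient;
import org.springframework.web.context.WebApplicationContext;

@SpringBootTest
class ItemSecurityFilterChainTests {

    @Autowired
    private WebApplicationContext context;

    // Control: MockMvcTester with the Spring Security filter chain applied.
    @Test
    void mockMvcTesterRejectsAnonymousRequest() {
        MockMvcTester mvc = MockMvcTester.from(context,
                builder -> builder.apply(springSecurity()).build());

        assertThat(mvc.get().uri("/items")).hasStatus(HttpStatus.UNAUTHORIZED);
    }

    // The client under discussion, bound so the same filter chain is applied.
    // If this passes while the auto-configured RestTestClient returns 200, the
    // gap lies in how that bean is built, not in the app's security config.
    @Test
    void restTestClientRejectsAnonymousRequest() {
        RestTestClient client = RestTestClient.bindToApplicationContext(context)
                .apply(springSecurity())   // assumed API; mirrors WebTestClient
                .build();

        client.get().uri("/items")
                .exchange()
                .expectStatus().isUnauthorized();
    }
}
```

Running this beside the auto-configured tests separates two possibilities: if the hand-wired RestTestClient returns 401 but the injected one returns 200, the security configuration itself is fine and the injected client is simply not routing requests through springSecurityFilterChain.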

Discussion

The demo application depends on org.springframework.boot:spring-boot-starter-security. It doesn't define an explicit security configuration, so by default all endpoints should require authentication.

I observed the same behaviour in a production application that does provide an explicit security configuration i.e. endpoints that require authentication (but are not restricted to a specific role via @PreAuthorize, @Secured, etc.) are correctly inaccessible to an unauthenticated MockMvcTester, but incorrectly accessible to an unauthenticated RestTestClient. Some debugging confirmed that the configured security filters are invoked when a request is made by MockMvcTester, but not when the request originates from RestTestClient.

Incidentally, if the Spring Security starter dependency is removed, both clients can access the endpoint without authenticating.