Separate Testing Reactive Docs

Issue gh-10367

docs/modules/ROOT/nav.adoc

@@ -103,5 +103,11 @@
 ** Integrations
 *** xref:reactive/integrations/cors.adoc[CORS]
 *** xref:reactive/integrations/rsocket.adoc[RSocket]
-** xref:reactive/test.adoc[Testing]
+** xref:reactive/test/index.adoc[Testing]
+*** xref:reactive/test/method.adoc[Testing Method Security]
+*** xref:reactive/test/web/index.adoc[Testing Web Security]
+**** xref:reactive/test/web/setup.adoc[WebTestClient Setup]
+**** xref:reactive/test/web/authentication.adoc[Testing Authentication]
+**** xref:reactive/test/web/csrf.adoc[Testing CSRF]
+**** xref:reactive/test/web/oauth2.adoc[Testing OAuth 2.0]
 ** xref:reactive/configuration/webflux.adoc[WebFlux Security]

docs/modules/ROOT/pages/reactive/test/index.adoc

@@ -0,0 +1,5 @@
+[[test-webflux]]
+= Reactive Test Support
+:page-section-summary-toc: 1
+
+Spring Security supports two basic modes for testing reactive applications.

docs/modules/ROOT/pages/reactive/test/method.adoc

@@ -0,0 +1,75 @@
+[[test-erms]]
+= Testing Method Security
+
+For example, we can test our example from xref:reactive/authorization/method.adoc#jc-erms[EnableReactiveMethodSecurity] using the same setup and annotations we did in xref:servlet/test/method.adoc#test-method[Testing Method Security].
+Here is a minimal sample of what we can do:
+
+====
+.Java
+[source,java,role="primary"]
+----
+@RunWith(SpringRunner.class)
+@ContextConfiguration(classes = HelloWebfluxMethodApplication.class)
+public class HelloWorldMessageServiceTests {
+	@Autowired
+	HelloWorldMessageService messages;
+
+	@Test
+	public void messagesWhenNotAuthenticatedThenDenied() {
+		StepVerifier.create(this.messages.findMessage())
+			.expectError(AccessDeniedException.class)
+			.verify();
+	}
+
+	@Test
+	@WithMockUser
+	public void messagesWhenUserThenDenied() {
+		StepVerifier.create(this.messages.findMessage())
+			.expectError(AccessDeniedException.class)
+			.verify();
+	}
+
+	@Test
+	@WithMockUser(roles = "ADMIN")
+	public void messagesWhenAdminThenOk() {
+		StepVerifier.create(this.messages.findMessage())
+			.expectNext("Hello World!")
+			.verifyComplete();
+	}
+}
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@RunWith(SpringRunner::class)
+@ContextConfiguration(classes = [HelloWebfluxMethodApplication::class])
+class HelloWorldMessageServiceTests {
+    @Autowired
+    lateinit var messages: HelloWorldMessageService
+
+    @Test
+    fun messagesWhenNotAuthenticatedThenDenied() {
+        StepVerifier.create(messages.findMessage())
+            .expectError(AccessDeniedException::class.java)
+            .verify()
+    }
+
+    @Test
+    @WithMockUser
+    fun messagesWhenUserThenDenied() {
+        StepVerifier.create(messages.findMessage())
+            .expectError(AccessDeniedException::class.java)
+            .verify()
+    }
+
+    @Test
+    @WithMockUser(roles = ["ADMIN"])
+    fun messagesWhenAdminThenOk() {
+        StepVerifier.create(messages.findMessage())
+            .expectNext("Hello World!")
+            .verifyComplete()
+    }
+}
+----
+====

docs/modules/ROOT/pages/reactive/test/web/authentication.adoc

@@ -0,0 +1,114 @@
+= Testing Authentication
+
+After xref:reactive/test/web/setup.adoc[applying the Spring Security support to `WebTestClient`] we can use either annotations or `mutateWith` support.
+For example:
+
+====
+.Java
+[source,java,role="primary"]
+----
+@Test
+public void messageWhenNotAuthenticated() throws Exception {
+	this.rest
+		.get()
+		.uri("/message")
+		.exchange()
+		.expectStatus().isUnauthorized();
+}
+
+// --- WithMockUser ---
+
+@Test
+@WithMockUser
+public void messageWhenWithMockUserThenForbidden() throws Exception {
+	this.rest
+		.get()
+		.uri("/message")
+		.exchange()
+		.expectStatus().isEqualTo(HttpStatus.FORBIDDEN);
+}
+
+@Test
+@WithMockUser(roles = "ADMIN")
+public void messageWhenWithMockAdminThenOk() throws Exception {
+	this.rest
+		.get()
+		.uri("/message")
+		.exchange()
+		.expectStatus().isOk()
+		.expectBody(String.class).isEqualTo("Hello World!");
+}
+
+// --- mutateWith mockUser ---
+
+@Test
+public void messageWhenMutateWithMockUserThenForbidden() throws Exception {
+	this.rest
+		.mutateWith(mockUser())
+		.get()
+		.uri("/message")
+		.exchange()
+		.expectStatus().isEqualTo(HttpStatus.FORBIDDEN);
+}
+
+@Test
+public void messageWhenMutateWithMockAdminThenOk() throws Exception {
+	this.rest
+		.mutateWith(mockUser().roles("ADMIN"))
+		.get()
+		.uri("/message")
+		.exchange()
+		.expectStatus().isOk()
+		.expectBody(String.class).isEqualTo("Hello World!");
+}
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+import org.springframework.test.web.reactive.server.expectBody
+
+//...
+
+@Test
+@WithMockUser
+fun messageWhenWithMockUserThenForbidden() {
+    this.rest.get().uri("/message")
+        .exchange()
+        .expectStatus().isEqualTo(HttpStatus.FORBIDDEN)
+}
+
+@Test
+@WithMockUser(roles = ["ADMIN"])
+fun messageWhenWithMockAdminThenOk() {
+    this.rest.get().uri("/message")
+        .exchange()
+        .expectStatus().isOk
+        .expectBody<String>().isEqualTo("Hello World!")
+
+}
+
+// --- mutateWith mockUser ---
+
+@Test
+fun messageWhenMutateWithMockUserThenForbidden() {
+    this.rest
+        .mutateWith(mockUser())
+        .get().uri("/message")
+        .exchange()
+        .expectStatus().isEqualTo(HttpStatus.FORBIDDEN)
+}
+
+@Test
+fun messageWhenMutateWithMockAdminThenOk() {
+    this.rest
+        .mutateWith(mockUser().roles("ADMIN"))
+        .get().uri("/message")
+        .exchange()
+        .expectStatus().isOk
+        .expectBody<String>().isEqualTo("Hello World!")
+}
+----
+====
+
+In addition to `mockUser()`, Spring Security ships with several other convenience mutators for things like xref:reactive/test/web/csrf.adoc[CSRF] and xref:reactive/test/web/oauth2.adoc[OAuth 2.0].

docs/modules/ROOT/pages/reactive/test/web/csrf.adoc

@@ -0,0 +1,28 @@
+= Testing with CSRF
+
+Spring Security also provides support for CSRF testing with `WebTestClient`.
+For example:
+
+====
+.Java
+[source,java,role="primary"]
+----
+this.rest
+	// provide a valid CSRF token
+	.mutateWith(csrf())
+	.post()
+	.uri("/login")
+	...
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+this.rest
+    // provide a valid CSRF token
+    .mutateWith(csrf())
+    .post()
+    .uri("/login")
+    ...
+----
+====

docs/modules/ROOT/pages/reactive/test/web/index.adoc

@@ -0,0 +1,5 @@
+[[test-webtestclient]]
+= Testing Web Security
+:page-section-summary-toc: 1
+
+In this section, we'll talk about testing web application endpoints.