How do I unit test spring security @PreAuthorize(hasRole)?

Question

What do I need in order to unit test the hasRole part of a PreAuthorize annotation on a controller method?

My test should succeed because the logged in user only has

Answer 1

Just to add to Rob's solution above, as of December 20, 2014, there is a bug in the SecurityRequestPostProcessors class on the master branch from Rob's answer above that prevents the assigned roles from being populated.

A quick fix is to comment out the following line of code (currently line 181) in the roles(String... roles) method of the UserRequestPostProcessor inner static class of SecurityRequestPostProcessors:

// List authorities = new ArrayList(roles.length);.

You need to comment out the local variable, NOT the member variable.

Alternatively, you may insert this line just before returning from the method:

this.authorities = authorities;

P.S I would have added this as a comment had I had enough reputation.