From f9cf8b1a5ec09f2a286ffd2cab0cbfcc669fa14a Mon Sep 17 00:00:00 2001
From: Mikhail Chugunov <mchugunov@users.noreply.github.com>
Date: Sat, 2 Feb 2019 19:54:06 +0300
Subject: [PATCH] BAEL-2443: Implement JsonView filtering based on Spring
 security (#6254)

* BAEL-2443: Implement filtering with @JsonView based on spring security role

* Cleanup test

* Rename tests

* Fix renaming roles after refactoring
---
 pom.xml                                       |   1 +
 spring-security-mvc-jsonview/.gitignore       |  13 +
 spring-security-mvc-jsonview/pom.xml          | 222 ++++++++++++++++++
 .../java/com/baeldung/AppInitializer.java     |  33 +++
 .../baeldung/controller/ItemsController.java  |  21 ++
 .../java/com/baeldung/controller/View.java    |  24 ++
 .../main/java/com/baeldung/model/Item.java    |  32 +++
 .../java/com/baeldung/spring/AppConfig.java   |  51 ++++
 .../SecurityJsonViewControllerAdvice.java     |  38 +++
 .../src/main/resources/logback.xml            |  19 ++
 .../SpringContextIntegrationTest.java         |  17 ++
 ...SpringSecurityJsonViewIntegrationTest.java |  85 +++++++
 12 files changed, 556 insertions(+)
 create mode 100644 spring-security-mvc-jsonview/.gitignore
 create mode 100644 spring-security-mvc-jsonview/pom.xml
 create mode 100644 spring-security-mvc-jsonview/src/main/java/com/baeldung/AppInitializer.java
 create mode 100644 spring-security-mvc-jsonview/src/main/java/com/baeldung/controller/ItemsController.java
 create mode 100644 spring-security-mvc-jsonview/src/main/java/com/baeldung/controller/View.java
 create mode 100644 spring-security-mvc-jsonview/src/main/java/com/baeldung/model/Item.java
 create mode 100644 spring-security-mvc-jsonview/src/main/java/com/baeldung/spring/AppConfig.java
 create mode 100644 spring-security-mvc-jsonview/src/main/java/com/baeldung/spring/SecurityJsonViewControllerAdvice.java
 create mode 100644 spring-security-mvc-jsonview/src/main/resources/logback.xml
 create mode 100644 spring-security-mvc-jsonview/src/test/java/com/baeldung/SpringContextIntegrationTest.java
 create mode 100644 spring-security-mvc-jsonview/src/test/java/com/baeldung/security/SpringSecurityJsonViewIntegrationTest.java

diff --git a/pom.xml b/pom.xml
index 787a03c2fb..58d57ade05 100644
--- a/pom.xml
+++ b/pom.xml
@@ -733,6 +733,7 @@
                 <module>spring-security-mvc-boot</module>
                 <module>spring-security-mvc-custom</module>
                 <module>spring-security-mvc-digest-auth</module>
+				<module>spring-security-mvc-jsonview</module>
                 <module>spring-security-mvc-ldap</module>
                 <module>spring-security-mvc-login</module>
                 <module>spring-security-mvc-persisted-remember-me</module>
diff --git a/spring-security-mvc-jsonview/.gitignore b/spring-security-mvc-jsonview/.gitignore
new file mode 100644
index 0000000000..83c05e60c8
--- /dev/null
+++ b/spring-security-mvc-jsonview/.gitignore
@@ -0,0 +1,13 @@
+*.class
+
+#folders#
+/target
+/neoDb*
+/data
+/src/main/webapp/WEB-INF/classes
+*/META-INF/*
+
+# Packaged files #
+*.jar
+*.war
+*.ear
\ No newline at end of file
diff --git a/spring-security-mvc-jsonview/pom.xml b/spring-security-mvc-jsonview/pom.xml
new file mode 100644
index 0000000000..7f1129128f
--- /dev/null
+++ b/spring-security-mvc-jsonview/pom.xml
@@ -0,0 +1,222 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    
+    <groupId>com.baeldung</groupId>
+    <artifactId>spring-security-mvc-jsonview</artifactId>
+    <version>0.1-SNAPSHOT</version>
+    <name>spring-security-mvc-jsonview</name>
+    <packaging>war</packaging>
+
+    <parent>
+        <groupId>com.baeldung</groupId>
+        <artifactId>parent-spring-5</artifactId>
+        <version>0.0.1-SNAPSHOT</version>
+        <relativePath>../parent-spring-5</relativePath>
+    </parent>
+
+    <dependencies>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+            <version>2.9.7</version>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+            <version>2.9.7</version>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>2.9.7</version>
+        </dependency>
+
+        <!-- Spring Security -->
+
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
+            <version>${org.springframework.security.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-config</artifactId>
+            <version>${org.springframework.security.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-taglibs</artifactId>
+            <version>${org.springframework.security.version}</version>
+        </dependency>
+
+        <!-- Spring -->
+
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-core</artifactId>
+            <version>${spring.version}</version>
+            <exclusions>
+                <exclusion>
+                    <artifactId>commons-logging</artifactId>
+                    <groupId>commons-logging</groupId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-context</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-jdbc</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-beans</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-aop</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-tx</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-expression</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-web</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-webmvc</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+
+        <!-- web -->
+
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+            <version>${javax.servlet.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>jstl</artifactId>
+            <version>${jstl.version}</version>
+            <scope>runtime</scope>
+        </dependency>
+
+        <!-- test scoped -->
+
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-test</artifactId>
+            <version>${spring.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <version>${org.springframework.security.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.jayway.jsonpath</groupId>
+            <artifactId>json-path</artifactId>
+            <version>2.4.0</version>
+            <scope>test</scope>
+        </dependency>
+
+    </dependencies>
+
+    <build>
+        <finalName>spring-security-mvc-jsonview</finalName>
+        <resources>
+            <resource>
+                <directory>src/main/resources</directory>
+                <filtering>true</filtering>
+            </resource>
+        </resources>
+
+        <plugins>
+
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-war-plugin</artifactId>
+                <version>${maven-war-plugin.version}</version>
+                <executions>
+                    <execution>
+                        <id>default-war</id>
+                        <phase>prepare-package</phase>
+                        <configuration>
+                            <failOnMissingWebXml>false</failOnMissingWebXml>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+
+            <plugin>
+                <groupId>org.codehaus.cargo</groupId>
+                <artifactId>cargo-maven2-plugin</artifactId>
+                <version>${cargo-maven2-plugin.version}</version>
+                <configuration>
+                    <deployables>
+                        <deployable>
+                            <location>${project.build.directory}/${project.name}.war</location>
+                            <type>war</type>
+                            <properties>
+                                <context>/</context>
+                            </properties>
+                        </deployable>
+                    </deployables>
+                    <container>
+                        <timeout>2400000</timeout>
+                        <containerId>tomcat8x</containerId>
+                        <type>embedded</type>
+                        <systemProperties>
+                            <!-- <provPersistenceTarget>cargo</provPersistenceTarget> -->
+                        </systemProperties>
+                    </container>
+                    <configuration>
+                        <properties>
+                            <cargo.servlet.port>8084</cargo.servlet.port>
+                        </properties>
+                    </configuration>
+                </configuration>
+            </plugin>
+
+        </plugins>
+
+    </build>
+
+    <properties>
+        <!-- Spring -->
+        <org.springframework.security.version>5.0.5.RELEASE</org.springframework.security.version>
+
+        <!-- various -->
+        <javax.servlet.version>3.1.0</javax.servlet.version>
+        <jstl.version>1.2</jstl.version>
+
+        <!-- Maven plugins -->
+        <maven-war-plugin.version>2.6</maven-war-plugin.version>
+        <cargo-maven2-plugin.version>1.6.1</cargo-maven2-plugin.version>
+
+    </properties>
+
+</project>
\ No newline at end of file
diff --git a/spring-security-mvc-jsonview/src/main/java/com/baeldung/AppInitializer.java b/spring-security-mvc-jsonview/src/main/java/com/baeldung/AppInitializer.java
new file mode 100644
index 0000000000..4f38d190eb
--- /dev/null
+++ b/spring-security-mvc-jsonview/src/main/java/com/baeldung/AppInitializer.java
@@ -0,0 +1,33 @@
+package com.baeldung;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRegistration;
+
+import org.springframework.web.WebApplicationInitializer;
+import org.springframework.web.context.ContextLoaderListener;
+import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
+import org.springframework.web.context.support.GenericWebApplicationContext;
+import org.springframework.web.filter.DelegatingFilterProxy;
+import org.springframework.web.servlet.DispatcherServlet;
+
+public class AppInitializer implements WebApplicationInitializer {
+
+    @Override
+    public void onStartup(final ServletContext sc) throws ServletException {
+
+        AnnotationConfigWebApplicationContext root = new AnnotationConfigWebApplicationContext();
+
+        root.scan("com.baeldung");
+        sc.addListener(new ContextLoaderListener(root));
+
+        ServletRegistration.Dynamic appServlet = sc.addServlet("mvc", new DispatcherServlet(new GenericWebApplicationContext()));
+        appServlet.setLoadOnStartup(1);
+        appServlet.addMapping("/");
+        
+        sc.addFilter("securityFilter", new DelegatingFilterProxy("springSecurityFilterChain"))
+        .addMappingForUrlPatterns(null, false, "/*");
+
+    }
+
+}
diff --git a/spring-security-mvc-jsonview/src/main/java/com/baeldung/controller/ItemsController.java b/spring-security-mvc-jsonview/src/main/java/com/baeldung/controller/ItemsController.java
new file mode 100644
index 0000000000..16268a239b
--- /dev/null
+++ b/spring-security-mvc-jsonview/src/main/java/com/baeldung/controller/ItemsController.java
@@ -0,0 +1,21 @@
+package com.baeldung.controller;
+
+import com.baeldung.model.Item;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+
+@RestController
+public class ItemsController {
+
+    @RequestMapping("/items")
+    public Collection<Item> getItems() {
+        return Arrays.asList(new Item(1, "Item 1", "Frank"), new Item(2, "Item 2", "Bob"));
+    }
+
+}
diff --git a/spring-security-mvc-jsonview/src/main/java/com/baeldung/controller/View.java b/spring-security-mvc-jsonview/src/main/java/com/baeldung/controller/View.java
new file mode 100644
index 0000000000..10ae50adef
--- /dev/null
+++ b/spring-security-mvc-jsonview/src/main/java/com/baeldung/controller/View.java
@@ -0,0 +1,24 @@
+package com.baeldung.controller;
+
+import com.baeldung.spring.AppConfig.Role;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class View {
+
+    public static final Map<Role, Class> MAPPING = new HashMap<>();
+
+    static {
+        MAPPING.put(Role.ROLE_ADMIN, Admin.class);
+        MAPPING.put(Role.ROLE_USER, User.class);
+    }
+
+    public static class User {
+
+    }
+
+    public static class Admin extends User {
+
+    }
+}
diff --git a/spring-security-mvc-jsonview/src/main/java/com/baeldung/model/Item.java b/spring-security-mvc-jsonview/src/main/java/com/baeldung/model/Item.java
new file mode 100644
index 0000000000..002ee73e4f
--- /dev/null
+++ b/spring-security-mvc-jsonview/src/main/java/com/baeldung/model/Item.java
@@ -0,0 +1,32 @@
+package com.baeldung.model;
+
+import com.baeldung.controller.View;
+import com.fasterxml.jackson.annotation.JsonView;
+
+public class Item {
+
+    @JsonView(View.User.class)
+    private int id;
+    @JsonView(View.User.class)
+    private String name;
+    @JsonView(View.Admin.class)
+    private String ownerName;
+
+    public Item(int id, String name, String ownerName) {
+        this.id = id;
+        this.name = name;
+        this.ownerName = ownerName;
+    }
+
+    public int getId() {
+        return id;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public String getOwnerName() {
+        return ownerName;
+    }
+}
diff --git a/spring-security-mvc-jsonview/src/main/java/com/baeldung/spring/AppConfig.java b/spring-security-mvc-jsonview/src/main/java/com/baeldung/spring/AppConfig.java
new file mode 100644
index 0000000000..10b2d2447e
--- /dev/null
+++ b/spring-security-mvc-jsonview/src/main/java/com/baeldung/spring/AppConfig.java
@@ -0,0 +1,51 @@
+package com.baeldung.spring;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+import java.util.Arrays;
+
+@Configuration
+@EnableWebMvc
+@EnableWebSecurity
+@ComponentScan("com.baeldung")
+public class AppConfig extends WebSecurityConfigurerAdapter implements WebMvcConfigurer {
+
+    @Override
+    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
+        auth.inMemoryAuthentication()
+                .withUser("user").password(passwordEncoder().encode("userPass")).roles("USER")
+                .and()
+                .withUser("admin").password(passwordEncoder().encode("adminPass")).roles("ADMIN");
+    }
+
+    @Override
+    protected void configure(final HttpSecurity http) throws Exception {
+        http
+                .csrf().disable()
+                .authorizeRequests()
+                .anyRequest().authenticated()
+                .and().httpBasic();
+    }
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+
+
+    public enum Role {
+        ROLE_USER,
+        ROLE_ADMIN
+    }
+}
diff --git a/spring-security-mvc-jsonview/src/main/java/com/baeldung/spring/SecurityJsonViewControllerAdvice.java b/spring-security-mvc-jsonview/src/main/java/com/baeldung/spring/SecurityJsonViewControllerAdvice.java
new file mode 100644
index 0000000000..66c7207e91
--- /dev/null
+++ b/spring-security-mvc-jsonview/src/main/java/com/baeldung/spring/SecurityJsonViewControllerAdvice.java
@@ -0,0 +1,38 @@
+package com.baeldung.spring;
+
+import com.baeldung.controller.View;
+import org.springframework.core.MethodParameter;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.json.MappingJacksonValue;
+import org.springframework.http.server.ServerHttpRequest;
+import org.springframework.http.server.ServerHttpResponse;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+import org.springframework.web.servlet.mvc.method.annotation.AbstractMappingJacksonResponseBodyAdvice;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.stream.Collectors;
+
+@RestControllerAdvice
+public class SecurityJsonViewControllerAdvice extends AbstractMappingJacksonResponseBodyAdvice {
+
+    @Override
+    protected void beforeBodyWriteInternal(MappingJacksonValue bodyContainer, MediaType contentType,
+                                           MethodParameter returnType, ServerHttpRequest request, ServerHttpResponse response) {
+        if (SecurityContextHolder.getContext().getAuthentication() != null
+                && SecurityContextHolder.getContext().getAuthentication().getAuthorities() != null) {
+            Collection<? extends GrantedAuthority> authorities = SecurityContextHolder.getContext().getAuthentication().getAuthorities();
+            List<Class> jsonViews = authorities.stream()
+                    .map(GrantedAuthority::getAuthority)
+                    .map(AppConfig.Role::valueOf)
+                    .map(View.MAPPING::get)
+                    .collect(Collectors.toList());
+            if (jsonViews.size() == 1) {
+                bodyContainer.setSerializationView(jsonViews.get(0));
+            }
+            throw new IllegalArgumentException("Ambiguous @JsonView declaration for roles "+ authorities.stream().map(GrantedAuthority::getAuthority).collect(Collectors.joining(",")));
+        }
+    }
+}
diff --git a/spring-security-mvc-jsonview/src/main/resources/logback.xml b/spring-security-mvc-jsonview/src/main/resources/logback.xml
new file mode 100644
index 0000000000..56af2d397e
--- /dev/null
+++ b/spring-security-mvc-jsonview/src/main/resources/logback.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+        <encoder>
+            <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+            </pattern>
+        </encoder>
+    </appender>
+
+    <logger name="org.springframework" level="WARN" />
+    <logger name="org.springframework.transaction" level="WARN" />
+
+    <!-- in order to debug some marshalling issues, this needs to be TRACE -->
+    <logger name="org.springframework.web.servlet.mvc" level="WARN" />
+
+    <root level="INFO">
+        <appender-ref ref="STDOUT" />
+    </root>
+</configuration>
\ No newline at end of file
diff --git a/spring-security-mvc-jsonview/src/test/java/com/baeldung/SpringContextIntegrationTest.java b/spring-security-mvc-jsonview/src/test/java/com/baeldung/SpringContextIntegrationTest.java
new file mode 100644
index 0000000000..e22cd3d71a
--- /dev/null
+++ b/spring-security-mvc-jsonview/src/test/java/com/baeldung/SpringContextIntegrationTest.java
@@ -0,0 +1,17 @@
+package com.baeldung;
+
+import com.baeldung.spring.AppConfig;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.web.WebAppConfiguration;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration(classes = AppConfig.class)
+@WebAppConfiguration
+public class SpringContextIntegrationTest {
+	@Test
+	public void whenSpringContextIsBootstrapped_thenNoExceptions() {
+	}
+}
diff --git a/spring-security-mvc-jsonview/src/test/java/com/baeldung/security/SpringSecurityJsonViewIntegrationTest.java b/spring-security-mvc-jsonview/src/test/java/com/baeldung/security/SpringSecurityJsonViewIntegrationTest.java
new file mode 100644
index 0000000000..626c8cb497
--- /dev/null
+++ b/spring-security-mvc-jsonview/src/test/java/com/baeldung/security/SpringSecurityJsonViewIntegrationTest.java
@@ -0,0 +1,85 @@
+package com.baeldung.security;
+
+import com.baeldung.spring.AppConfig;
+import org.hamcrest.BaseMatcher;
+import org.hamcrest.Description;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+import org.springframework.web.util.NestedServletException;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration(classes = AppConfig.class)
+@WebAppConfiguration
+public class SpringSecurityJsonViewIntegrationTest {
+
+    @Autowired
+    private WebApplicationContext context;
+
+    private MockMvc mvc;
+
+    @Rule
+    public ExpectedException expectedException = ExpectedException.none();
+
+    @Before
+    public void setup() {
+        mvc = MockMvcBuilders
+                .webAppContextSetup(context)
+                .build();
+    }
+
+    @Test
+    @WithMockUser(username = "admin", password = "adminPass", roles = "ADMIN")
+    public void whenAdminRequests_thenOwnerNameIsPresent() throws Exception {
+        mvc.perform(get("/items"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$[0].id").value(1))
+                .andExpect(jsonPath("$[0].name").value("Item 1"))
+                .andExpect(jsonPath("$[0].ownerName").exists());
+    }
+
+    @Test
+    @WithMockUser(username = "user", password = "userPass", roles = "USER")
+    public void whenUserRequests_thenOwnerNameIsAbsent() throws Exception {
+        mvc.perform(get("/items"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$[0].id").value(1))
+                .andExpect(jsonPath("$[0].name").value("Item 1"))
+                .andExpect(jsonPath("$[0].ownerName").doesNotExist());
+    }
+
+    @Test
+    @WithMockUser(username = "user", password = "userPass", roles = {"ADMIN", "USER"})
+    public void whenMultipleRoles_thenExceptionIsThrown() throws Exception {
+        expectedException.expect(new BaseMatcher<NestedServletException>() {
+            @Override
+            public boolean matches(Object o) {
+                NestedServletException exception = (NestedServletException) o;
+                return exception.getCause() instanceof IllegalArgumentException && exception.getCause().getMessage().equals("Ambiguous @JsonView declaration for roles ROLE_ADMIN,ROLE_USER");
+            }
+
+            @Override
+            public void describeTo(Description description) {
+
+            }
+        });
+
+        mvc.perform(get("/items"))
+                .andExpect(status().isOk());
+
+    }
+}