Getting and Verifying Response Data with REST-assured
Last updated: October 26, 2025
Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.
Get started with understanding multi-threaded applications with our Java Concurrency guide:
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
Refactor Java code safely — and automatically — with OpenRewrite.
Refactoring big codebases by hand is slow, risky, and easy to put off. That’s where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.
Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions — one for newcomers and one for experienced users. You’ll see how recipes work, how to apply them across projects, and how to modernize code with confidence.
Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.
Distributed systems often come with complex challenges such as service-to-service communication, state management, asynchronous messaging, security, and more.
Dapr (Distributed Application Runtime) provides a set of APIs and building blocks to address these challenges, abstracting away infrastructure so we can focus on business logic.
In this tutorial, we'll focus on Dapr's pub/sub API for message brokering. Using its Spring Boot integration, we'll simplify the creation of a loosely coupled, portable, and easily testable pub/sub messaging system:
The Apache HTTP Client is a very robust library, suitable for both simple and advanced use cases when testing HTTP endpoints. Check out our guide covering basic request and response handling, as well as security, cookies, timeouts, and more:
Distributed systems often come with complex challenges such as service-to-service communication, state management, asynchronous messaging, security, and more.
Dapr (Distributed Application Runtime) provides a set of APIs and building blocks to address these challenges, abstracting away infrastructure so we can focus on business logic.
In this tutorial, we'll focus on Dapr's pub/sub API for message brokering. Using its Spring Boot integration, we'll simplify the creation of a loosely coupled, portable, and easily testable pub/sub messaging system:
1. Overview
In this tutorial, we’ll discuss how to test REST services using REST Assured, with a focus on capturing and validating the response data from our REST APIs.
2. Setup for the Test Class
In previous tutorials, we’ve explored REST Assured in general, and we’ve shown how to manipulate request headers, cookies and parameters.
Building on this existing setup, we’ve added a simple REST controller, AppController, that internally calls a service, AppService. We’ll use these classes in our test examples.
To create our test class, we need to do a bit more setup. Since we have spring-boot-starter-test in our classpath, we can easily leverage Spring testing utilities.
First, let’s create the skeleton of our AppControllerIntegrationTest class:
@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
public class AppControllerIntegrationTest {
@LocalServerPort
private int port;
private String uri;
@PostConstruct
public void init() {
uri = "http://localhost:" + port;
}
@MockBean
AppService appService;
//test cases
}In this JUnit test, we annotated our class with a couple of Spring-specific annotations that spin up the application locally in a random available port. In @PostConstruct, we captured the full URI on which we will be making REST calls.
We also used @MockBean on AppService, as we need to mock method calls on this class.
3. Validating the JSON Response
JSON is the most common format used in REST APIs to exchange data. Responses can consist of a single JSON object or an array of JSON objects. We’ll look at both in this section.
3.1. Single JSON Object
Let’s say we need to test the /movie/{id} endpoint, which returns a Movie JSON object if the id is found.
We’ll mock AppService calls to return some mock data using the Mockito framework:
@Test
public void givenMovieId_whenMakingGetRequestToMovieEndpoint_thenReturnMovie() {
Movie testMovie = new Movie(1, "movie1", "summary1");
when(appService.findMovie(1)).thenReturn(testMovie);
get(uri + "/movie/" + testMovie.getId()).then()
.assertThat()
.statusCode(HttpStatus.OK.value())
.body("id", equalTo(testMovie.getId()))
.body("name", equalTo(testMovie.getName()))
.body("synopsis", notNullValue());
}Above, we first mocked the appService.findMovie(1) call to return an object. Then, we constructed our REST URL in the get() method provided by REST Assured for making GET requests. Finally, we made four assertions.
First, we checked the response status code and then the body elements. We’re using Hamcrest to assert the expected value.
Also note that if the response JSON is nested, we can test a nested key by using the dot operator like “key1.key2.key3”.
3.2. Extracting the JSON Response After Validation
In some cases, we may need to extract the response after validation to perform additional operations on it.
We can extract the JSON response to a class, using the extract() method:
Movie result = get(uri + "/movie/" + testMovie.getId()).then()
.assertThat()
.statusCode(HttpStatus.OK.value())
.extract()
.as(Movie.class);
assertThat(result).isEqualTo(testMovie);In this example, we directed REST Assured to extract the JSON response to a Movie object and then asserted on the extracted object.
We can also extract the whole response to a String, using the extract().asString() API:
String responseString = get(uri + "/movie/" + testMovie.getId()).then()
.assertThat()
.statusCode(HttpStatus.OK.value())
.extract()
.asString();
assertThat(responseString).isNotEmpty();Finally, we can extract a particular field out of the response JSON as well.
Let’s look at a test for a POST API that expects a Movie JSON body and will return the same if inserted successfully:
@Test
public void givenMovie_whenMakingPostRequestToMovieEndpoint_thenCorrect() {
Map<String, String> request = new HashMap<>();
request.put("id", "11");
request.put("name", "movie1");
request.put("synopsis", "summary1");
int movieId = given().contentType("application/json")
.body(request)
.when()
.post(uri + "/movie")
.then()
.assertThat()
.statusCode(HttpStatus.CREATED.value())
.extract()
.path("id");
assertThat(movieId).isEqualTo(11);
}Above, we first made the request object that we need to POST. We then extracted the id field from the returned JSON response using the path() method.
3.3. JSON Array
We can also verify the response if it’s a JSON array:
@Test
public void whenCallingMoviesEndpoint_thenReturnAllMovies() {
Set<Movie> movieSet = new HashSet<>();
movieSet.add(new Movie(1, "movie1", "summary1"));
movieSet.add(new Movie(2, "movie2", "summary2"));
when(appService.getAll()).thenReturn(movieSet);
get(uri + "/movies").then()
.statusCode(HttpStatus.OK.value())
.assertThat()
.body("size()", is(2));
}Accordingly, we first mocked the appService.getAll() method with some data and made a request to our endpoint. We then asserted the statusCode and size of our response array.
This again can be done via extraction:
Movie[] movies = get(uri + "/movies").then()
.statusCode(200)
.extract()
.as(Movie[].class);
assertThat(movies.length).isEqualTo(2);3.4. Deserializing Response JSON as List<POJO>
In the previous section, we deserialized a JSON array of movies into a Java array of Movie objects using .as(Movie[].class). While this works, a more idiomatic approach in Java is to use a generic List.
However, we can’t make a direct deserialization to a generic type like List.class because of Java’s type erasure. This is because REST Assured, which uses Jackson, can’t determine the generic type (Movie) at runtime.
To solve this, we use the TypeRef class in REST Assured, which is an abstract class that enables us to pass generic type information to the deserializer:
@Test
public void givenSetMovie_whenCallingMoviesEndpoint_thenReturnAllMoviesAsList() {
Set<Movie> movieSet = new HashSet<>();
movieSet.add(new Movie(1, "movie1", "summary1"));
movieSet.add(new Movie(2, "movie2", "summary2"));
when(appService.getAll()).thenReturn(movieSet);
List<Movie> movies = get(uri + "/movies").then()
.statusCode(200)
.extract()
.as(new TypeRef<List<Movie>>() {});
assertThat(movies.size()).isEqualTo(2);
}Thus, by creating an anonymous inner class extending TypeRef<List>, we explicitly tell REST Assured the exact generic type we want to deserialize the response body into. This neatly deserializes the response into a List, which is much cleaner to work with than a Movie[] array.
4. Validating Headers and Cookies
We can verify a header or cookie of the response using methods with the same name:
@Test
public void whenCallingWelcomeEndpoint_thenCorrect() {
get(uri + "/welcome").then()
.assertThat()
.header("sessionId", notNullValue())
.cookie("token", notNullValue());
}We can also extract the headers and cookies individually:
Response response = get(uri + "/welcome");
String headerName = response.getHeader("sessionId");
String cookieValue = response.getCookie("token");
assertThat(headerName).isNotBlank();
assertThat(cookieValue).isNotBlank();5. Validating Files
If our REST API returns a file, we can use the asByteArray() method to extract the response:
File file = new ClassPathResource("test.txt").getFile();
long fileSize = file.length();
when(appService.getFile(1)).thenReturn(file);
byte[] result = get(uri + "/download/1").asByteArray();
assertThat(result.length).isEqualTo(fileSize);Here, we first mocked appService.getFile(1) to return a text file that is present in our src/test/resources path. We then made a call to our endpoint and extracted the response in a byte[], which we then asserted to have the expected value.
6. Conclusion
In this tutorial, we looked into different ways of capturing and validating responses from our REST APIs using REST Assured.
