英文:
How to mock JwtDecoder in Spring Boot for integration testing of authenticated controllers?
问题
在我的Spring Boot应用程序中,有一些经过身份验证的控制器。
操作模式是"OAuth2资源服务器",因此我的应用程序依赖于某个任意的OAuth2授权服务器(假设是Keycloak,尽管这不应影响模拟的方式)。
所以问题是:
如何正确地模拟JwtDecoder,以便能够传递一些静态字符串作为Bearer令牌?
(请记住,这是一个负责令牌发放的第三方服务器;因此,我不能在测试中依赖它。我想要模拟它以便能够离线运行测试,例如)
我期望发生的事情的一个示例:
- 我模拟JwtDecoder(假装我创建了一些<token字符串,UserData>的映射)。
- 我使用基于MockMvc的HTTP调用访问带有这个静态字符串的授权控制器(Authorization标头:Bearer STATIC_STRING)。控制器测试被标记为
@SpringBootTest和@AutoConfigureMockMvc。 - 我期望JwtAuthenticationToken填充了来自模拟的JwtDecoder映射中UserData的数据。
我已经尝试只是创建一个具有所有描述特性的JwtDecoder实现的bean。我看到这个bean被添加到配置中,但整个测试最终会出现AuthenticationCredentialsNotFoundException:在SecurityContext中未找到Authentication对象。因此,我认为JwtDecoder从未被调用(用调试器检查过),整个测试设置错误配置,但我不确定应该更改什么。
我错过了什么?
英文:
In my Spring Boot application, there are some authenticated controllers.
The operation mode is "OAuth2 resource server", so my application relies on some arbitrary OAuth2 authorization server. (Let's say it's Keycloak, though it should not affect the way of mocking)
So, the question is:
What is the right way to mock JwtDecoder, in order to be able to pass some static strings as the bearer tokens?
(Please remember, it's a third party server responsible for the token issuing; So I cannot rely on it in tests. I want to mock it away to be able to run tests offline for example)
An example of what I expect to happen:
- I mock JwtDecoder (let's pretend I've created some map of <token string, UserData>)
- I make a MockMvc-based http call to the authenticated controller with this static string in the Authorization header (Authorization: Bearer STATIC_STRING). The controller test is decorated with
@SpringBootTestand@AutoConfigureMockMvc. - I expect to have JwtAuthenticationToken filled with data from UserData from the map of the mocked JwtDecoder.
I've already tried to just create a bean of JwtDecoder implementation with all the described features. I see this bean is added to the configuration, but still whole test ends up in AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext. So I presume that JwtDecoder is never called (checked that with the debugger), and the whole testing setup is misconfigured, but I don't know for sure what to change.
What do I miss?
答案1
得分: 1
使用MockMvc(以及反应式应用中的WebTestClient)时,Authorization头部只是被忽略(不解码、验证、审查或其他操作)。
测试安全上下文可以直接设置(SecurityContextHolder.createEmptyContext().setAuthentication(auth);),或者可以使用以下方式之一进行设置:
- 测试注解(比如
@WithMockUser,但这个不太适用于模拟OAuth2身份)。请参考我在OAuth2的这个库中创建的注解。 - 用于
MockMvc的请求后处理器 - 用于
WebTestClient的修改器
更多详细信息请参考以下其他答案:
英文:
With MockMvc (as well as WebTestClient in reactive apps) the Authorization header is just ignored (not decoded, validated, introspected or whatever).
The test security context is to be set directly (SecurityContextHolder.createEmptyContext().setAuthentication(auth);) or with the help of either:
- test annotations (like
@WithMockUser, but this one is not quite adapted to mocking OAuth2 identities). Refer to those that I created in this lib for OAuth2 - Request post-processors for
MockMvc - mutators for
WebTestClients
More details in this other answers:
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论