Mocking a Keycloak token for testing a Spring controller
I want to write unit tests for my spring controller. I\'m using keycloak\'s openid flow to secure my endpoints.
In my tests I\'m using the @WithMockUser ann
-
I was able to test after adding the following things:
Add some fields:
@Autowired private WebApplicationContext context; private MockMvc mockMvc;In my
@Beforesetup()method:mockMvc = MockMvcBuilders.webAppContextSetup(context) .alwaysDo(print()) .apply(springSecurity()) .build();Inside my test method:
SecurityContext context = SecurityContextHolder.getContext(); Authentication authentication = context.getAuthentication();
When I pass the
authenticationobject to the method where I read the claims from the keycloak token I can run the test without any problems.P.S. Don't forget the
@WithMockUserannotation讨论(0) -
@WithmockUserconfigures the security-context with aUsernamePasswordAuthenticationToken. This can be just fine for most use-cases but when your app relies on another Authentication implementation (like your code does), you have to build or mock an instance of the right type and put it in the test security-context:SecurityContextHolder.getContext().setAuthentication(authentication);Of course, you'll soon want to automate this, building your own annotation or
RequestPostProcessor... or ...
take one "off the shelf", like in this lib of mine, which is available from maven-central:
<dependency> <groupId>com.c4-soft.springaddons</groupId> <artifactId>spring-security-oauth2-test-webmvc-addons</artifactId> <version>2.3.4</version> <scope>test</scope> </dependency>You can use it either with
@WithMockKeycloackAuthannotations:@RunWith(SpringRunner.class) @WebMvcTest(GreetingController.class) @ContextConfiguration(classes = GreetingApp.class) @ComponentScan(basePackageClasses = { KeycloakSecurityComponents.class, KeycloakSpringBootConfigResolver.class }) public class GreetingControllerTests extends ServletUnitTestingSupport { @MockBean MessageService messageService; @Test @WithMockKeycloackAuth("TESTER") public void whenUserIsNotGrantedWithAuthorizedPersonelThenSecretRouteIsNotAccessible() throws Exception { mockMvc().get("/secured-route").andExpect(status().isForbidden()); } @Test @WithMockKeycloackAuth("AUTHORIZED_PERSONNEL") public void whenUserIsGrantedWithAuthorizedPersonelThenSecretRouteIsAccessible() throws Exception { mockMvc().get("/secured-route").andExpect(content().string(is("secret route"))); } @Test @WithMockKeycloakAuth( authorities = { "USER", "AUTHORIZED_PERSONNEL" }, id = @IdTokenClaims(sub = "42"), oidc = @OidcStandardClaims( email = "ch4mp@c4-soft.com", emailVerified = true, nickName = "Tonton-Pirate", preferredUsername = "ch4mpy"), privateClaims = @ClaimSet(stringClaims = @StringClaim(name = "foo", value = "bar"))) public void whenAuthenticatedWithKeycloakAuthenticationTokenThenCanGreet() throws Exception { mockMvc().get("/greet") .andExpect(status().isOk()) .andExpect(content().string(startsWith("Hello ch4mpy! You are granted with "))) .andExpect(content().string(containsString("AUTHORIZED_PERSONNEL"))) .andExpect(content().string(containsString("USER"))); }Or MockMvc fluent API (RequestPostProcessor):
@RunWith(SpringRunner.class) @WebMvcTest(GreetingController.class) @ContextConfiguration(classes = GreetingApp.class) @ComponentScan(basePackageClasses = { KeycloakSecurityComponents.class, KeycloakSpringBootConfigResolver.class }) public class GreetingControllerTest extends ServletKeycloakAuthUnitTestingSupport { @MockBean MessageService messageService; @Test public void whenUserIsNotGrantedWithAuthorizedPersonelThenSecretMethodIsNotAccessible() throws Exception { mockMvc().with(authentication().roles("TESTER")).get("/secured-method").andExpect(status().isForbidden()); } @Test public void whenUserIsGrantedWithAuthorizedPersonelThenSecretMethodIsAccessible() throws Exception { mockMvc().with(authentication().roles("AUTHORIZED_PERSONNEL")).get("/secured-method") .andExpect(content().string(is("secret method"))); } }讨论(0)
加载中...
- 热议问题