Wim*_*uwe 5 java spring spring-security spring-test spring-boot
我将 Spring Boot 2.2.1 与spring-security-oauth2-resource-server:5.2.0.RELEASE. 我想写一个集成测试来测试安全性是否可以。
我WebSecurityConfigurerAdapter在我的应用程序中定义了这个:
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
private final OAuth2ResourceServerProperties properties;
private final SecuritySettings securitySettings;
public WebSecurityConfiguration(OAuth2ResourceServerProperties properties, SecuritySettings securitySettings) {
this.properties = properties;
this.securitySettings = securitySettings;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/api/**")
.authenticated()
.and()
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
}
@Bean
public JwtDecoder jwtDecoder() {
NimbusJwtDecoder result = NimbusJwtDecoder.withJwkSetUri(properties.getJwt().getJwkSetUri())
.build();
OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
JwtValidators.createDefault(),
new AudienceValidator(securitySettings.getApplicationId()));
result.setJwtValidator(validator);
return result;
}
private static class AudienceValidator implements OAuth2TokenValidator<Jwt> {
private final String applicationId;
public AudienceValidator(String applicationId) {
this.applicationId = applicationId;
}
@Override
public OAuth2TokenValidatorResult validate(Jwt token) {
if (token.getAudience().contains(applicationId)) {
return OAuth2TokenValidatorResult.success();
} else {
return OAuth2TokenValidatorResult.failure(
new OAuth2Error("invalid_token", "The audience is not as expected, got " + token.getAudience(),
null));
}
}
}
}
它有一个自定义验证器来检查aud令牌中的受众 ( ) 声明。
我目前有这个测试,它有效,但它根本不检查观众声明:
@WebMvcTest(UserController.class)
@EnableConfigurationProperties({SecuritySettings.class, OAuth2ResourceServerProperties.class})
@ActiveProfiles("controller-test")
class UserControllerTest {
@Autowired
private MockMvc mockMvc;
@Test
void testOwnUserDetails() throws Exception {
mockMvc.perform(get("/api/users/me")
.with(jwt(createJwtToken())))
.andExpect(status().isOk())
.andExpect(jsonPath("userId").value("AZURE-ID-OF-USER"))
.andExpect(jsonPath("name").value("John Doe"));
}
@Test
void testOwnUserDetailsWhenNotLoggedOn() throws Exception {
mockMvc.perform(get("/api/users/me"))
.andExpect(status().isUnauthorized());
}
@NotNull
private Jwt createJwtToken() {
String userId = "AZURE-ID-OF-USER";
String userName = "John Doe";
String applicationId = "AZURE-APP-ID";
return Jwt.withTokenValue("fake-token")
.header("typ", "JWT")
.header("alg", "none")
.claim("iss",
"https://b2ctestorg.b2clogin.com/80880907-bc3a-469a-82d1-b88ffad655df/v2.0/")
.claim("idp", "LocalAccount")
.claim("oid", userId)
.claim("scope", "user_impersonation")
.claim("name", userName)
.claim("azp", applicationId)
.claim("ver", "1.0")
.subject(userId)
.audience(Set.of(applicationId))
.build();
}
}
我还有一个controller-test包含应用程序 ID 和 jwt-set-uri的配置文件的属性文件:
security-settings.application-id=FAKE_ID
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://b2ctestorg.b2clogin.com/b2ctestorg.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_ropc_flow
也许 JwtDecoder 没有使用,因为 Jwt 是手动创建的?我如何确保在测试中调用了 JwtDecoder?
为了详细说明 Eleftheria Stein-Kousathana 的答案,我进行了更改以使其成为可能:
1) 创建一个JwtDecoderFactoryBean类以便能够对JwtDecoder验证器和配置的验证器进行单元测试:
@Component
public class JwtDecoderFactoryBean implements FactoryBean<JwtDecoder> {
private final OAuth2ResourceServerProperties properties;
private final SecuritySettings securitySettings;
private final Clock clock;
public JwtDecoderFactoryBean(OAuth2ResourceServerProperties properties,
SecuritySettings securitySettings,
Clock clock) {
this.properties = properties;
this.securitySettings = securitySettings;
this.clock = clock;
}
@Override
public JwtDecoder getObject() {
JwtTimestampValidator timestampValidator = new JwtTimestampValidator();
timestampValidator.setClock(clock);
JwtIssuerValidator issuerValidator = new JwtIssuerValidator(securitySettings.getJwtIssuer());
JwtAudienceValidator audienceValidator = new JwtAudienceValidator(securitySettings.getJwtApplicationId());
OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
timestampValidator,
issuerValidator,
audienceValidator);
NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(properties.getJwt().getJwkSetUri())
.build();
decoder.setJwtValidator(validator);
return decoder;
}
@Override
public Class<?> getObjectType() {
return JwtDecoder.class;
}
}
我还将AudienceValidator原始代码中的提取到外部类并将其重命名为JwtAudienceValidator.
2)JwtDecoder @Bean从安全配置中删除该方法,使其看起来像这样:
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/api/**")
.authenticated()
.and()
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
}
}
3)Clock在某个@Configuration类中创建一个bean :
@Bean
public Clock clock() {
return Clock.systemDefaultZone();
}
(这是令牌时间到期的单元测试所必需的)
通过此设置,现在可以为JwtDecoder应用程序使用的实际设置编写单元测试:
// actual @Test methods ommitted, but they can use this private method
// to setup a JwtDecoder and test some valid/invalid JWT tokens.
@NotNull
private JwtDecoder createDecoder(String currentTime, String issuer, String audience) {
OAuth2ResourceServerProperties properties = new OAuth2ResourceServerProperties();
properties.getJwt().setJwkSetUri(
"https://mycompb2ctestorg.b2clogin.com/mycompb2ctestorg.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_ropc_flow");
JwtDecoderFactoryBean factoryBean = new JwtDecoderFactoryBean(properties,
new SecuritySettings(audience, issuer),
Clock.fixed(Instant.parse(currentTime),
ZoneId.systemDefault()));
//noinspection ConstantConditions - getObject never returns null in this case
return factoryBean.getObject();
}
最后,@WebMvcTest需要有一个模拟,JwtDecoder因为真正的模拟不再与@WebMvcTest测试切片一起启动(由于使用了工厂 bean)。这是很好的 IMO,否则,我需要为JwtDecoder无论如何都没有使用的真实定义属性。因此,我controller-test在测试中不再需要配置文件。
所以只需声明一个这样的字段:
@MockBean
private JwtDecoder jwtDecoder;
或者创建一个嵌套的测试配置类:
@TestConfiguration
static class TestConfig {
@Bean
public JwtDecoder jwtDecoder() {
return mock(JwtDecoder.class);
}
}
通过使用 JWT 后处理器,.with(jwt(createJwtToken())))您可以绕过JwtDecoder.
JwtDecoder考虑一下如果不绕过的话会发生什么。在过滤器链中,您的请求将到达解析 JWT 值的
点。
在本例中,该值为,这将导致异常,因为它不是有效的 JWT。
这意味着代码甚至不会到达被调用的地方。JwtDecoder"fake-token"AudienceValidator
您可以将传入的值视为SecurityMockMvcRequestPostProcessors.jwt(Jwt jwt)从 中返回的响应JwtDecoder.decode(String token)。
然后,使用的测试SecurityMockMvcRequestPostProcessors.jwt(Jwt jwt)将测试提供有效 JWT 令牌时的行为。
您可以添加其他测试以AudienceValidator确保其正常运行。
| 归档时间: |
|
| 查看次数: |
4496 次 |
| 最近记录: |