Environment:
I have a spring boot based microservice architecture application consisting of multiple infrastructural services and resource services (containing the business logic). Authorization and authentication is handled by an oAuth2-Service managing the user entities and creating JWT tokens for the clients.
To test a single microservice application in its entirety i tried to build tests with testNG, spring.boot.test, org.springframework.security.test ...
#SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.MOCK, properties = {"spring.cloud.discovery.enabled=false", "spring.cloud.config.enabled=false", "spring.profiles.active=test"})
#AutoConfigureMockMvc
#Test
public class ArtistControllerTest extends AbstractTestNGSpringContextTests {
#Autowired
private MockMvc mvc;
#BeforeClass
#Transactional
public void setUp() {
// nothing to do
}
#AfterClass
#Transactional
public void tearDown() {
// nothing to do here
}
#Test
#WithMockUser(authorities = {"READ", "WRITE"})
public void getAllTest() throws Exception {
// EXPECT HTTP STATUS 200
// BUT GET 401
this.mvc.perform(get("/")
.accept(MediaType.APPLICATION_JSON))
.andExpect(status().isOk())
}
}
where the security (resource server) config is the following
#Configuration
#EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
// get the configured token store
#Autowired
TokenStore tokenStore;
// get the configured token converter
#Autowired
JwtAccessTokenConverter tokenConverter;
/**
* !!! configuration of springs http security !!!
*/
#Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/**").authenticated();
}
/**
* configuration of springs resource server security
*/
#Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
// set the configured tokenStore to this resourceServer
resources.resourceId("artist").tokenStore(tokenStore);
}
}
and the following method based security check annotated inside the controller class
#PreAuthorize("hasAuthority('READ')")
#RequestMapping(value = "/", method = RequestMethod.GET)
public List<Foo> getAll(Principal user) {
List<Foo> foos = fooRepository.findAll();
return foos;
}
I thought that would work but when running the test i only get an assertion error
java.lang.AssertionError: Status
Expected :200
Actual :401
Question:
Is there something totally obvious that i am doing wrong? Or is #WithMockUser not going to work with #SpringBootTest and #AutoConfigureMockMvc in an oAuth2 environment? If this is the case... what would be the best approach for testing route and method based security configurations as part of such an (integration) test like this one?
Appendix:
I also tried different approaches like something like the following... but it led to the same result :(
this.mvc.perform(get("/")
.with(user("admin").roles("READ","WRITE").authorities(() -> "READ", () -> "WRITE"))
.accept(MediaType.APPLICATION_JSON))
see:
spring security testing
spring boot 1.4 testing
#WithMockUser creates the authentication in SecurityContext.
Same applies for with(user("username")).
By default the OAuth2AuthenticationProcessingFilter does not use the SecurityContext, but always build the authentication from the token ("stateless").
You can easily change this behavior be setting the stateless flag in the resource server security configuration to false:
#Configuration
#EnableResourceServer
public class ResourceServerConfiguration implements ResourceServerConfigurer {
#Override
public void configure(ResourceServerSecurityConfigurer security) throws Exception {
security.stateless(false);
}
#Override
public void configure(HttpSecurity http) {}
}
Another option is to extend ResourceServerConfigurerAdapter, but the problem with that is that it comes with configuration that forces all requests to be authenticated. Implementing the interface leaves your main security config unchanged apart from the statelessness.
Of course, set the flag to to false in your test contexts, only.
I had de same issue, and the only way I found was creating a token and using it in the mockMvc perform
mockMvc.perform(get("/resource")
.with(oAuthHelper.bearerToken("test"))
And the OAuthHelper:
#Component
#EnableAuthorizationServer
public class OAuthHelper extends AuthorizationServerConfigurerAdapter {
#Autowired
AuthorizationServerTokenServices tokenservice;
#Autowired
ClientDetailsService clientDetailsService;
public RequestPostProcessor bearerToken(final String clientid) {
return mockRequest -> {
OAuth2AccessToken token = createAccessToken(clientid);
mockRequest.addHeader("Authorization", "Bearer " + token.getValue());
return mockRequest;
};
}
OAuth2AccessToken createAccessToken(final String clientId) {
ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
Collection<GrantedAuthority> authorities = client.getAuthorities();
Set<String> resourceIds = client.getResourceIds();
Set<String> scopes = client.getScope();
Map<String, String> requestParameters = Collections.emptyMap();
boolean approved = true;
String redirectUrl = null;
Set<String> responseTypes = Collections.emptySet();
Map<String, Serializable> extensionProperties = Collections.emptyMap();
OAuth2Request oAuth2Request = new OAuth2Request(requestParameters, clientId, authorities,
approved, scopes, resourceIds, redirectUrl, responseTypes, extensionProperties);
User userPrincipal = new User("user", "", true, true, true, true, authorities);
UsernamePasswordAuthenticationToken authenticationToken =
new UsernamePasswordAuthenticationToken(userPrincipal, null, authorities);
OAuth2Authentication auth = new OAuth2Authentication(oAuth2Request, authenticationToken);
return tokenservice.createAccessToken(auth);
}
#Override
public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("test")
.authorities("READ");
}
}
As I was specifically trying to write tests against our ResourceServerConfiguration, I worked around the issue by creating a test wrapper for it which set security.stateless to false:
#Configuration
#EnableResourceServer
public class ResourceServerTestConfiguration extends ResourceServerConfigurerAdapter {
private ResourceServerConfiguration configuration;
public ResourceServerTestConfiguration(ResourceServerConfiguration configuration) {
this.configuration = configuration;
}
#Override
public void configure(ResourceServerSecurityConfigurer security) throws Exception {
configuration.configure(security);
security.stateless(false);
}
#Override
public void configure(HttpSecurity http) throws Exception {
configuration.configure(http);
}
}
Related
I have the following controller:
#CrossOrigin
#RestController
#RequestMapping("api")
public class MyController {
#GetMapping("/principal")
public void principalEndpoint(Principal user) {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
System.out.println(user);
System.out.println(authentication);
}
}
and the corresponding integration test whcich uses #WithMockUser as described in the docs:
/**
* implementation according to https://docs.spring.io/spring-security/reference/servlet/test/index.html
*/
#ExtendWith(SpringExtension.class)
#SpringBootTest
#WebAppConfiguration
#ContextConfiguration
public class MyControllerIT {
#Autowired
private WebApplicationContext context;
private MockMvc mvc;
#BeforeEach
public void setup() {
mvc = MockMvcBuilders
.webAppContextSetup(context)
.apply(springSecurity())
.build();
}
#Test
#WithMockUser(value = "Dani", username = "TAATIDA3")
public void testWithPrincipal() throws Exception {
mvc.perform(get("/api/principal").principal(new PrincipalImpl()))
.andExpect(status().isOk());
}
}
PrincipalImpl is a simple implementation of Principal:
public class PrincipalImpl implements Principal {
#Override
public String getName() {
return "MOCKUSER";
}
}
I also have the following SpringBoot configuration to authorize requests under the /api path:
#Configuration
#EnableResourceServer
#EnableCaching
#EnableScheduling
#EnableMongoAuditing
public class MyApiConfig extends ResourceServerConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/**").authorizeRequests()
.antMatchers("/api/**").not().anonymous();
}
}
My problem is that the request dispatched by mockMvc in MyControllerIT fails because a HTTP Status 401 is returned (not authorized). It would work if I change the HttpSecurity configuration to this
http.antMatcher("/api/**").authorizeRequests()
.antMatchers("/api/**").permitAll();
then the request succeeds (HTTP status 200), but no Principal is injected and the Authentication object from SecurityContextHolder.getContext().getAuthentication() is from an anonymous user:
null
AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
If I change the paths in MyApiConfig e.g. to this:
http.antMatcher("/someOtherApi/**").authorizeRequests()
.antMatchers("/someOtherApi/**").permitAll();
then the call from MyControllerIT succeeds and also a Principal is injected, which is what I want. However, in this case the actual api under /api/** is not secured anymore...
I'm quite new to the concepts of Spring Boot Security. Somehow I would have to override the MyApiConfig to configure HttpSecurity differently for tests (or use a separate configuration for test while at the same time excluding MyApiConfig). How do I do that, or what's the best way to make the HttpSecurity setup not interfere with MockMvc setup?
In my app I've got a custom filter added in WebSecurityConfigurerAdapter extension:
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private static final RequestMatcher PROTECTED_URLS = new AntPathRequestMatcher("/v1/**");
#Override
public void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilterBefore(authenticationFilter(), AnonymousAuthenticationFilter.class)
.authorizeRequests()
.requestMatchers(PROTECTED_URLS)
.authenticated()
.and()
.csrf().disable()
.formLogin().disable()
.httpBasic().disable()
.logout().disable();
}
#Bean
AuthenticationFilter authenticationFilter() throws Exception {
final AuthenticationFilter filter = new AuthenticationFilter(PROTECTED_URLS);
// filter setup...
filter.setAuthenticationManager(authenticationManager());
return filter;
}
}
The filter itself, which is responsible for validating the access token by calling an external authorization server is defined as:
public class AuthenticationFilter extends AbstractAuthenticationProcessingFilter {
AuthenticationFilter(final RequestMatcher requiresAuth) {
super(requiresAuth);
}
#Override
public Authentication attemptAuthentication(HttpServletRequest httpServletRequest,
HttpServletResponse httpServletResponse)
throws AuthenticationException, IOException, OAuth2Exception {
try {
// Get Authorization header.
String token = httpServletRequest.getHeader(AUTHORIZATION);
// Check if the token is valid by calling an external authorization server.
// Returns some Authentication if successful.
} catch (OAuth2Exception exception) {
// Return 401
} catch (Exception exception) {
// All other errors are 500s
}
}
#Override
protected void successfulAuthentication(final HttpServletRequest request,
final HttpServletResponse response,
final FilterChain chain,
final Authentication authResult)
throws IOException, ServletException {
SecurityContextHolder.getContext().setAuthentication(authResult);
chain.doFilter(request, response);
}
}
What I'm trying to do is to perform integration test on the controller defined as:
#RestController
#RequestMapping(value = "/v1", produces = "application/json")
public class SomeController {
#Autowired
private SomeService someService;
#ResponseStatus(OK)
#PostMapping(value = "/a/path")
public SomeSuccessResponse pathHandlerMethod() {
return someService.someServiceMethod();
}
}
Finally, my test setup is as following:
#RunWith(SpringRunner.class)
#WebMvcTest(SomeController.class)
#Import(SecurityConfig.class)
#ContextConfiguration
#WebAppConfiguration
public class SomeControllerTest {
private MockMvc mockMvc;
#Autowired
private ObjectMapper objectMapper;
#Autowired
private WebApplicationContext context;
#MockBean
private SomeService someService;
#Before
public void setup() {
mockMvc = MockMvcBuilders
.webAppContextSetup(context)
.apply(springSecurity()) // When I comment out this line I'm getting 404 errors instead.
.build();
}
#Test
#WithMockUser
public void performIntegrationTest() throws Exception {
mockMvc.perform(post("/v1/a/path")).andExpect(status().isOk());
}
}
I'd like the authentication to be either turned off or somehow mocked out for this scenario - the actual code in AuthenticationFilter sholdn't be invoked at all. In order to achieve this, in SomeControllerTest class I've tried:
annotating test methods with #WithMockUser
setting mockMvc with MockMvcBuilders (see the setup() method above) with .apply(springSecurity()) and without it
annotating the SomeControllerTest class with #AutoConfigureMockMvc (with both secure and addFilters parameters set to false)
annotating the SomeControllerTest class with #ContextConfiguration and #WebAppConfiguration (I don't know if it changes anything)
None of these approaches disable the authentication. When I run the test, the AuthenticationFilter's attemptAuthentication() method calling external service is still invoked which I don't want to happen.
Disabling the filter sounds contradictory for an integration test, imho. Have you considered mocking the filter instead?
Create a
public class MockAuthenticationFilter implements Filter {
// return mock data for different use cases.
}
Then register this filter in your test.
#Before
public void setup() {
mockMvc = MockMvcBuilders.webAppContextSetup(context)
.apply(springSecurity(new MockAuthenticationFilter()))
.build();
}
This would also allow you to test different use cases where the filter acts one way or an other.
I'd like to override spring's default AuthorizationEndpoint and provide my own on /oauth/authorize. I wrote my own controller
#RestController
#RequestMapping("oauth/authorize")
public class AuthorizationController {
#RequestMapping
public void authorize(#RequestParam Map<String, String> parameters, HttpServletResponse response) throws Exception {
// todo
}
}
However it is not mapped as AuthorizationEndpoint maps to /oauth/authorize by default. How can I remove the standard implementation?
Bonus
The reason I want to provide my own implementation is because my rest api is stateless and does not provide sessions and/or web interface, standalone angular app does that for me and authorizes using passwrd grant to server. So what I want to do is redirect the user to my angular app's approoval page and implement a custom user_oauth_approval approveOrDeny endpoint which my client calls. I'm not sure if I can set that up with spring, and even if I could, custom implementation would probably be less hassle. I'd love to hear some insights
Inject your customAuthenticationManager in your new controller.
#Autowired
private AuthenticationManager authenticationManager;
#RequestMapping(value = "${jwt.route.authentication.path}", method = RequestMethod.POST)
public ResponseEntity<?> createAuthenticationToken(#RequestBody JwtAuthenticationRequest authenticationRequest)
throws AuthenticationException {
Authentication customAuthentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(
authenticationRequest.getUsername(), authenticationRequest.getPassword()));
SecurityContextHolder.getContext().setAuthentication(authentication);
return ResponseEntity
.ok(new JwtAuthenticationResponse(customAuthentication.getToken(), customAuthentication.isActive()));
}
Then overwrite default Spring AuthenticationManager + AuthenticationProvider
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private CustomAuthenticationProvider customAuthenticationProvider;
#Autowired
public void configureAuthentication(AuthenticationManagerBuilder authenticationManagerBuilder) {
authenticationManagerBuilder.authenticationProvider(customAuthenticationProvider);
}
#Bean(name = BeanIds.AUTHENTICATION_MANAGER)
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
import org.springframework.security.authentication.AuthenticationProvider;
#Component("customAuthenticationProvider")
public class CustomAuthenticationProvider implements AuthenticationProvider {
I'm trying to create a spring security configuration with two different AuthenticationProviders and exposing a rest interface to verify credentials (this is just used in the dev environment and will be replaced by an oAuth service in prod.) But when I inject the AuthenticationManager into the Controller, spring creates a default AuthenticationManager and injects it into the RestController. How can I make spring inject the AuthenticationManager configured in the WebSecurityConfigurationAdapter? I'm using spring-boot-starter-security:1.5.7.RELEASE. Here is my security configuration:
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
#Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
#Configuration
public class LocalWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
private final DevUserDetailsService devUserDetailService;
private final ServiceUserDetailService serviceUserDetailService;
#Autowired
public LocalWebSecurityConfigurationAdapter(DevUserDetailsService devUserDetailService, ServiceUserDetailService serviceUserDetailService) {
this.devUserDetailService = devUserDetailService;
this.serviceUserDetailService = serviceUserDetailService;
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().authorizeRequests().antMatchers("/api/public/**").permitAll()
.antMatchers("/api/login").permitAll()
.antMatchers("/api/**").fullyAuthenticated()
.anyRequest().permitAll()
.and().exceptionHandling().authenticationEntryPoint(unauthorizedEntryPoint())
.and().httpBasic();
}
#Bean
public AuthenticationEntryPoint unauthorizedEntryPoint() {
return (request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(devUserDetailService);
DaoAuthenticationProvider serviceUserAuthProvider = new DaoAuthenticationProvider();
serviceUserAuthProvider.setUserDetailsService(serviceUserDetailService);
serviceUserAuthProvider.setPasswordEncoder(passwordEncoder());
auth.authenticationProvider(serviceUserAuthProvider);
}
#Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
And here is my RestController:
#RestController
#RequestMapping("/api/login")
public class LoginController {
private final Logger log = LoggerFactory.getLogger(this.getClass());
private final AuthenticationManager authenticationManager;
public LoginController(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
#RequestMapping(method = RequestMethod.POST)
public Map<String, String> login(#RequestBody Map<String, String> body) {
String user = body.get("user");
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user, body.get("password"));
try {
authenticationManager.authenticate(token);
return Collections.singletonMap("status", "ok");
} catch (BadCredentialsException e) {
return Collections.singletonMap("status", "bad credentials");
} catch (AuthenticationException e) {
log.warn("Could not authenticate user {} because {}.", user, e.getMessage(), e);
return Collections.singletonMap("status", "general error");
}
}
}
And since you guys are probably experts in spring, is there a best practice to create different security configurations depending on the environment (using the profile) the code is running on without creating redundant code? I tried a super class, but spring didn't like that a lot.
I finally found a solution. By using configureGlobal inside my configuration class the AuthenticationManager gets shared across all spring managed Components.
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth, DevUserDetailsService devUserDetailService,
#Qualifier("serviceUserAuthenticationProvider") AuthenticationProvider serviceUserAuthProvider) throws Exception {
auth.userDetailsService(devUserDetailService);
auth.authenticationProvider(serviceUserAuthProvider);
}
For reusing configuration, I still didn't find a good solution. Creating an abstract “super configuration” for all the common configuration is creating troubles as soon as a method is annotated with #Bean and creating multiple WebSecurityConfigurerAdapter results in one overwriting the other, so if there is a best practice, I'm still interested in a proper solution. I've managed to do what I wanted, but it still feels like a little of a hack to me. For anyone stumbling across a similar issue I hope this helps a little.
Declare the bean in LocalWebSecurityConfigurationAdapter:
#Bean(name="appAuthenticationManager")
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
and inject it other components just like any other bean:
public LoginController(#Qualifier("appAuthenticationManager") AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
I am having a problem similar to PreAuthorize annotation doesn't work with jersey. I created a configuration class for Spring Security and the authentication works but the authorization does not.
Here is my code
SpringSecurityConfig.java
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
#Order(1)
#ComponentScan({"com.foo.rest.resources.Template"})
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
private final UserService userService;
private final TokenAuthenticationService tokenAuthenticationService;
public SpringSecurityConfig() {
super(true);
this.userService = new UserService();
tokenAuthenticationService = new TokenAuthenticationService("tooManySecrets", userService);
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling().and()
.anonymous().and()
.servletApi().and()
.headers().cacheControl().and()
.authorizeRequests()
// Allow anonymous logins
.antMatchers("/auth/**").permitAll()
// All other request need to be authenticated
.anyRequest().authenticated().and()
// Custom Token based authentication based on the header previously given to the client
.addFilterBefore(new StatelessAuthenticationFilter(tokenAuthenticationService),
UsernamePasswordAuthenticationFilter.class);
}
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService()).passwordEncoder(new BCryptPasswordEncoder());
}
#Bean
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Bean
#Override
public UserService userDetailsService() {
return userService;
}
#Bean
public TokenAuthenticationService tokenAuthenticationService() {
return tokenAuthenticationService;
}
}
and Template.java
#Component
#Path("/template")
#Produces(MediaType.APPLICATION_JSON)
public class Template {
#GET
#Secured("ROLE_EDITOR")
public User getTemplate() {
return new Template();
}
}
My guess is that the authentication is handled in the filter chain but it never comes back around after the authorization tag is reached. Any idea how to make this work?
I think your #ComponentScan is configured wrongly and doesn't pick the Template resource correctly.
According to #ComponentScan documentation the value is an alias for basePackages but you have given a Class instead of Package. Try and change it to look like following and see.
#ComponentScan({"com.foo.rest.resources.*"})
And make sure you haven't missed any steps in Jersey Spring Integration as per the documentation