【发布时间】:2016-10-01 02:22:29
【问题描述】:
例如,我已按照以下链接尝试测试 OAuth2 @PreAuthorise(hasAnyRole('ADMIN', 'TEST'),但我无法通过任何测试,甚至无法通过身份验证。
当我尝试使用管理员(或任何角色)访问端点时,它永远无法正确验证。我是否遗漏了一些明显的东西,似乎我拥有示例中的所有内容。我还尝试了使用 OAuth 特定身份验证的 WithSecurityContext Factory 的另一种替代方案,但仍然没有运气。任何帮助将不胜感激。
https://stackoverflow.com/a/31679649/2594130 和 http://docs.spring.io/spring-security/site/docs/4.0.x/reference/htmlsingle/#test
我正在测试的控制器
@RestController
@RequestMapping("/bookmark/")
public class GroupBookmarkController {
@Autowired
BookmarkService bookmarkService;
/**
* Get list of all bookmarks
*/
@RequestMapping(value = "{groupId}", method = RequestMethod.GET)
@PreAuthorize("hasAnyRole(['ADMIN', 'USER'])")
public ResponseEntity<List<Bookmark>> listAllGroupBookmarks(@PathVariable("groupId") String groupId) throws BookmarkNotFoundException {
List<Bookmark> bookmarks = bookmarkService.findAllBookmarksByGroupId(groupId);
return new ResponseEntity<>(bookmarks, HttpStatus.OK);
}
...
}
我的测试课
@RunWith(SpringJUnit4ClassRunner.class)
@SpringApplicationConfiguration(classes = BookmarkServiceApplication.class)
@WebAppConfiguration
public class BookmarkServiceApplicationTests {
private MockMvc mockMvc;
@Autowired
private WebApplicationContext webApplicationContext;
@Before
public void loadData() {
this.mockMvc = MockMvcBuilders
.webAppContextSetup(webApplicationContext)
.apply(springSecurity())
.alwaysDo(print())
.build();
}
@Test
@WithMockCustomUser(username = "test")
public void getBookmarkAuthorised() throws Exception {
mockMvc.perform(get("/bookmark/nvjdbngkjlsdfngkjlfdsnlkgsd"))
.andExpect(status().is(HttpStatus.SC_OK));
// always 401 here
}
}
我的书签服务应用程序
@SpringBootApplication
@EnableResourceServer
public class BookmarkServiceApplication {
public static void main(String[] args) {
SpringApplication.run(BookmarkServiceApplication.class, args);
}
}
我的 WithSecurityContextFactory
public class WithMockCustomUserSecurityContextFactory implements WithSecurityContextFactory<WithMockCustomUser> {
@Override
public SecurityContext createSecurityContext(WithMockCustomUser customUser) {
SecurityContext context = SecurityContextHolder.createEmptyContext();
List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
UserDetails principal = new User(customUser.username(), "password", true, true, true, true, grantedAuthorities);
Authentication authentication = new UsernamePasswordAuthenticationToken(
principal, principal.getPassword(), principal.getAuthorities());
context.setAuthentication(authentication);
return context;
}
}
我的 WithSecurityContext 注释
@Retention(RetentionPolicy.RUNTIME)
@WithSecurityContext(factory = WithMockCustomUserSecurityContextFactory.class)
public @interface WithMockCustomUser {
String username() default "user";
String name() default "Test User";
}
根据@RobWinch 的回复
嗨@RobWinch 我已经用无状态标志尝试过你的建议,这有助于部分答案。但是,在您回答这个问题 [Spring OAuth and Boot Integration Test] (https://stackoverflow.com/a/31679649/2594130) 时,您提到了
您不再需要担心是否在无状态模式下运行
为什么我仍然需要添加无状态的 false,这是一个错误还是我们使用它略有不同?
我需要做的另一件事是将 OAuth2Request 和 OAuth2Authentication 添加到 WithSecurityContextFactory,如下所示
public class WithMockCustomUserSecurityContextFactory implements WithSecurityContextFactory<WithMockOAuthUser> {
@Override
public SecurityContext createSecurityContext(WithMockOAuthUser withClient) {
// Get the username
String username = withClient.username();
if (username == null) {
throw new IllegalArgumentException("Username cannot be null");
}
// Get the user roles
List<GrantedAuthority> authorities = new ArrayList<>();
for (String role : withClient.roles()) {
if (role.startsWith("ROLE_")) {
throw new IllegalArgumentException("roles cannot start with ROLE_ Got " + role);
}
authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
}
// Get the client id
String clientId = withClient.clientId();
// get the oauth scopes
String[] scopes = withClient.scope();
Set<String> scopeCollection = Sets.newSet(scopes);
// Create the UsernamePasswordAuthenticationToken
User principal = new User(username, withClient.password(), true, true, true, true, authorities);
Authentication authentication = new UsernamePasswordAuthenticationToken(principal, principal.getPassword(),
principal.getAuthorities());
// Create the authorization request and OAuth2Authentication object
OAuth2Request authRequest = new OAuth2Request(null, clientId, null, true, scopeCollection, null, null, null,
null);
OAuth2Authentication oAuth = new OAuth2Authentication(authRequest, authentication);
// Add the OAuth2Authentication object to the security context
SecurityContext context = SecurityContextHolder.createEmptyContext();
context.setAuthentication(oAuth);
return context;
}
}
【问题讨论】:
-
WithMockOAuthUser 的代码在哪里,它与 WithSecurityContextFactory 相关?
-
@RobWinch 对不起,这是一个错字,实际上是 WithMockCustomUser 是一个错字,我在乱搞,同样的问题存在。我有另一个界面创建了 OAuth 身份验证而不是 UsernamePasswordAuthentication
-
您的安全配置是什么样的?具体来说,网络和方法安全配置是什么样的?
-
@RobWinch 我实际上并没有默认运行的配置,这是一个微服务和通信,位于承载配置的身份验证服务的网关后面。这些测试是在 AuthService 的隔离中运行的,我应该还有配置吗?
-
@revilo 如果我可能会问,您是否可以与您的测试环境共享存储库?我正在尝试测试 spring-security-oauth2,除了 401 之外我什么也得不到。你的帖子是最能帮助我理解的帖子。尚不存在使用 spring-security 和 spring-security-oauth2 的项目测试。这将是超级好。提前致谢
标签: spring-security spring-boot spring-security-oauth2 spring-test spring-oauth2