[英]Spring Boot Unit Tests with JWT Token Security
I am creating a backend using Spring Boot and I have just added JWT security to it.我正在使用 Spring Boot 创建后端,并且我刚刚为其添加了 JWT 安全性。
I have done some tests using a REST Client and the JWT security is working fine, however all of my unit tests are now returning a 403 error code.我已经使用 REST 客户端进行了一些测试,并且 JWT 安全性工作正常,但是我所有的单元测试现在都返回 403 错误代码。
I've added the @WithMockUser
annotation to them, but they are still not working:我已经向它们添加了
@WithMockUser
注释,但它们仍然无法正常工作:
@Test
@WithMockUser
public void shouldRedirectToInstaAuthPage() throws Exception {
mvc.perform(MockMvcRequestBuilders.get("/instaAuth")).andExpect(status().is3xxRedirection());
}
Is there some other configuration that I am missing here?我在这里缺少其他一些配置吗?
Here is the security configuration:这是安全配置:
@Configuration
@EnableWebSecurity
public class ServerSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers(HttpMethod.POST, "/login").permitAll()
.anyRequest().authenticated()
.and()
// We filter the api/login requests
.addFilterBefore(new JWTLoginFilter("/login", authenticationManager()),
UsernamePasswordAuthenticationFilter.class)
// And filter other requests to check the presence of JWT in header
.addFilterBefore(new JWTAuthenticationFilter(),
UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// Create a default account
auth.inMemoryAuthentication()
.withUser("john")
.password("123")
.roles("ADMIN");
}
}
And Method security:和方法安全:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
return new OAuth2MethodSecurityExpressionHandler();
}
}
I believe that I solved the problem (and I hope I am not doing a bad practice or creating a security vulnerability on my backend).我相信我解决了这个问题(我希望我没有做不好的做法或在我的后端创建安全漏洞)。
I followed @punkrocker27ka's advice and looked at this answer .我遵循@punkrocker27ka 的建议并查看了这个答案。 In it they say that they are generating an Oauth token manually for the tests, so I decided to do the same thing for my JWT token.
他们在其中说他们正在为测试手动生成 Oauth 令牌,所以我决定为我的 JWT 令牌做同样的事情。
So I updated my class that generates the JWT tokens and validates them to be like this:因此,我更新了生成 JWT 令牌并验证它们的类,如下所示:
public class TokenAuthenticationService {
static final long EXPIRATIONTIME = 864_000_000; // 10 days
static final String SECRET = "ThisIsASecret";
static final String TOKEN_PREFIX = "Bearer";
static final String HEADER_STRING = "Authorization";
public static void addAuthentication(HttpServletResponse res, String username) {
String jwt = createToken(username);
res.addHeader(HEADER_STRING, TOKEN_PREFIX + " " + jwt);
}
public static Authentication getAuthentication(HttpServletRequest request) {
String token = request.getHeader(HEADER_STRING);
if (token != null) {
// parse the token.
String user = Jwts.parser()
.setSigningKey(SECRET)
.parseClaimsJws(token.replace(TOKEN_PREFIX, ""))
.getBody()
.getSubject();
return user != null ?
new UsernamePasswordAuthenticationToken(user, null, Collections.emptyList()) :
null;
}
return null;
}
public static String createToken(String username) {
String jwt = Jwts.builder()
.setSubject(username)
.setExpiration(new Date(System.currentTimeMillis() + EXPIRATIONTIME))
.signWith(SignatureAlgorithm.HS512, SECRET)
.compact();
return jwt;
}
}
And then I created a new test for it:然后我为它创建了一个新的测试:
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class TokenAuthenticationServiceTest {
@Autowired
private MockMvc mvc;
@Test
public void shouldNotAllowAccessToUnauthenticatedUsers() throws Exception {
mvc.perform(MockMvcRequestBuilders.get("/test")).andExpect(status().isForbidden());
}
@Test
public void shouldGenerateAuthToken() throws Exception {
String token = TokenAuthenticationService.createToken("john");
assertNotNull(token);
mvc.perform(MockMvcRequestBuilders.get("/test").header("Authorization", token)).andExpect(status().isOk());
}
}
Then I ran the tests and they passed, so the token was accepted without the need for the @WithMockUser
annotation.然后我运行了测试并且它们通过了,因此不需要
@WithMockUser
注释就可以接受令牌。 I will add this to my other tests classes.我会将它添加到我的其他测试类中。
PS: The test endpoint is below. PS:测试端点如下。
/**
* This controller is used only for testing purposes.
* Especially to check if the JWT authentication is ok.
*/
@RestController
public class TestController {
@RequestMapping(path = "/test", method = RequestMethod.GET)
public String testEndpoint() {
return "Hello World!";
}
}
One thing you need to be aware of when testing using this createToken() method is that your tests cannot test for a nonexistent user.使用此 createToken() 方法进行测试时需要注意的一件事是,您的测试无法测试不存在的用户。
This is because createToken() only makes a JWT token based off of the string you put into it.这是因为 createToken() 仅根据您放入的字符串生成 JWT 令牌。
If you want to make sure nonexistent users cannot gain access, I recommend making your createToken() method private and instead use requests to gain the token, like this:如果您想确保不存在的用户无法获得访问权限,我建议您将 createToken() 方法设为私有,而是使用请求来获取令牌,如下所示:
@Test
public void existentUserCanGetTokenAndAuthentication() throws Exception {
String username = "existentuser";
String password = "password";
String body = "{\"username\":\"" + username + "\", \"password\":\"
+ password + "\"}";
MvcResult result = mvc.perform(MockMvcRequestBuilders.post("/v2/token")
.content(body))
.andExpect(status().isOk()).andReturn();
String response = result.getResponse().getContentAsString();
response = response.replace("{\"access_token\": \"", "");
String token = response.replace("\"}", "");
mvc.perform(MockMvcRequestBuilders.get("/test")
.header("Authorization", "Bearer " + token))
.andExpect(status().isOk());
}
In a similar way, you can show that a nonexistent user will not be able to get this result:以类似的方式,您可以证明不存在的用户将无法获得此结果:
@Test
public void nonexistentUserCannotGetToken() throws Exception {
String username = "nonexistentuser";
String password = "password";
String body = "{\"username\":\"" + username + "\", \"password\":\"
+ password + "\"}";
mvc.perform(MockMvcRequestBuilders.post("/v2/token")
.content(body))
.andExpect(status().isForbidden()).andReturn();
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.