Spring Boot WebMvcTest returns 302 instead of 401 for GET methods
I have an application with REST endpoints that are secured with JWT authentication (external resource server). After upgrading my project from spring-boot 2.2.7 to 2.4.3, some of the `WebMvcTest` integration tests are failing. Specifically, test cases for `GET` requests without JWT tokens - previously they would return `401 UNAUTHORIZED`, now they return `302 REDIRECT` to `http://localhost/oauth2/authorization/keycloak`.
```java
@Test
void shouldNotAllowAccessForUnauthenticatedUsers() throws Exception {
    // given
    var params = createParams();
    // when / then
    mockMvc.perform(get(MY_URI)
            .params(params)
            .contentType(MediaType.APPLICATION_JSON)
            .content(new byte[0]))
        .andExpect(status().isUnauthorized());
}
```
No custom web security configuration is imported, just `@WebMvcTest`, `@AutoConfigureMockMvc` plus `@ContextConfiguration` for the relevant controller and mapper beans.

`POST` methods in tests without authentication return `403` (as before the upgrade). This problem occurs only in tests - when the application is running, calling any endpoint without the token results in `401`.

Is there a way to configure `WebMvcTest` to return `401` instead of `302`?
Andy Wilkinson's question inspired me to look deeper into this, since no Keycloak adapter is really added as an explicit dependency (only `spring-boot-starter-security`, `spring-boot-starter-oauth2-client`, `spring-boot-starter-oauth2-resource-server`), but `keycloak` is mentioned in the config here:
```yaml
security:
  oauth2:
    resourceserver:
      jwt:
        issuer-uri: ...
    client:
      registration:
        keycloak:
          client-id: ...
          client-secret: ...
          authorization-grant-type: ...
          scope: ...
      provider:
        keycloak:
          authorization-uri: ...
          token-uri: ...
```
Requests for the app's endpoints are authenticated with JWT tokens from the issuer-uri, but HTTP client calls to other services are authenticated using the client registration in Keycloak (for service-to-service authentication).

Anyway, I believe this change of behavior after the upgrade is due to a feature introduced in Spring Boot 2.3, specifically: "OAuth2 parameter binding in `@WebMvcTest`". Auto-configuration for OAuth2 is now included in `@WebMvcTest`, which resulted in this test trying to redirect to keycloak using the client configuration (which at runtime is used only for service-to-service).

I fixed the issue by annotating the test class with:

```java
@ImportAutoConfiguration(exclude = {OAuth2ClientAutoConfiguration.class, OAuth2ResourceServerAutoConfiguration.class})
```

(Resource server config had to be excluded as well to handle the mocked JWT properly.)

Maybe someone will find this helpful.
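As an added illustration of the fix described in the answer above (this is example code, not the asker's project), the following complete `@WebMvcTest` class applies the same `@ImportAutoConfiguration(exclude = ...)` annotation and pairs the unauthenticated-GET check with a request carrying a mocked JWT from `spring-security-test`. The controller name `HelloController`, the path `/api/hello` and the claim values are hypothetical; `spring-security-test` is assumed to be on the test classpath because it provides `SecurityMockMvcRequestPostProcessors.jwt()`.

```java
// Added example (not the asker's code): a @WebMvcTest slice that excludes the
// OAuth2 client and resource-server auto-configuration, as the answer above does,
// so an unauthenticated GET is rejected with 401 instead of being redirected to
// the Keycloak authorization endpoint, and a mocked JWT is accepted.
// HelloController, "/api/hello" and the claim values are hypothetical.
package com.example.demo;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.ImportAutoConfiguration;
import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
import org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;

@WebMvcTest(controllers = HelloController.class)      // hypothetical controller under test
@ImportAutoConfiguration(exclude = {
        OAuth2ClientAutoConfiguration.class,          // removes the client registration that caused the 302
        OAuth2ResourceServerAutoConfiguration.class   // no real JwtDecoder in the slice; jwt() supplies the token
})
class HelloControllerSecurityTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void unauthenticatedGetIsRejectedWith401() throws Exception {
        // No token at all: the request must be refused, not redirected to a login page
        mockMvc.perform(get("/api/hello").accept(MediaType.APPLICATION_JSON))
               .andExpect(status().isUnauthorized());
    }

    @Test
    void getWithMockedJwtSucceeds() throws Exception {
        // spring-security-test places a JwtAuthenticationToken in the SecurityContext for
        // this request; no signature is verified, so the test does not depend on the issuer
        mockMvc.perform(get("/api/hello")
                        .accept(MediaType.APPLICATION_JSON)
                        .with(jwt().jwt(j -> j.subject("alice").claim("scope", "read"))))
               .andExpect(status().isOk());
    }
}
```

Because both auto-configurations are excluded, this slice no longer exercises the real `JwtDecoder` or the issuer configured under `issuer-uri`; token validation against the actual identity provider is only covered by a full-context test or by running the application, which is why the asker still sees `401` there independently of this test.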