
Spring Boot WebMvcTest returns 302 instead of 401 for GET methods

I have an application with REST endpoints that are secured with JWT authentication (external resource server). After upgrading my project from spring-boot 2.2.7 to 2.4.3 some of the WebMvcTest integration tests are failing. Specifically, test cases for GET requests without JWT tokens - previously they would return 401 UNAUTHORIZED, now they return 302 REDIRECT to http://localhost/oauth2/authorization/keycloak.

@Test
void shouldNotAllowAccessForUnauthenticatedUsers() throws Exception {
    // given
    var params = createParams();

    // when / then
    mockMvc.perform(get(MY_URI)
            .params(params)
            .contentType(MediaType.APPLICATION_JSON)
            .content(new byte[0]))
            .andExpect(status().isUnauthorized());
}

No custom web security configuration is imported, just @WebMvcTest, @AutoConfigureMockMvc plus @ContextConfiguration for relevant controller and mapper beans.

POST methods in tests without authentication return 403 (as before the upgrade). This problem occurs only in tests - when the application is running, calling any endpoint without the token results in 401.

Is there a way to configure WebMvcTest to return 401 instead of 302?

Andy Wilkinson's question inspired me to look deeper into this, since no Keycloak adapter is really added as an explicit dependency (only spring-boot-starter-security, spring-boot-starter-oauth2-client, spring-boot-starter-oauth2-resource-server), but keycloak is mentioned in the config here:

  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: ...
      client:
        registration:
          keycloak:
            client-id: ...
            client-secret: ...
            authorization-grant-type: ...
            scope: ...
        provider:
          keycloak:
            authorization-uri: ...
            token-uri: ...

Requests for the app's endpoints are authenticated with JWT tokens from the issuer-uri, but HTTP client calls to other services are authenticated using the client registration in Keycloak (for service-to-service authentication).

Anyway, I believe this change of behavior after the upgrade is due to a feature introduced in Spring Boot 2.3, specifically: "OAuth2 parameter binding in @WebMvcTest". Auto-configuration for OAuth2 is now included in @WebMvcTest, which resulted in this test trying to redirect to keycloak using the client configuration (which at runtime is used only for service-to-service).

I fixed the issue by annotating the test class with:

@ImportAutoConfiguration(exclude = {OAuth2ClientAutoConfiguration.class, OAuth2ResourceServerAutoConfiguration.class})

(Resource server config had to be excluded as well to handle mocked JWT properly.)

Maybe someone will find this helpful.
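Below is an added example, not code from the asker or the answer, of a complete @WebMvcTest class that applies the two exclusions described above and checks the three behaviours discussed in the thread: an unauthenticated GET is answered with 401 and no redirect, an unauthenticated POST is stopped by CSRF with 403, and a request carrying a mocked JWT (the jwt() request post-processor from spring-security-test) reaches the controller. MyController, MY_URI and the package name are assumed placeholders for the project's own controller and endpoint.

```java
// Added example (not the asker's code): a @WebMvcTest slice with the OAuth2 client and
// resource-server auto-configurations excluded, as described in the answer above.
// MyController, MY_URI and the package are assumed placeholders, not from the page.
package com.example.demo;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.ImportAutoConfiguration;
import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
import org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;

@WebMvcTest(controllers = MyController.class) // MyController is an assumed placeholder
@AutoConfigureMockMvc
// Keep the OAuth2 auto-configuration that Spring Boot 2.3+ pulls into @WebMvcTest out of
// the slice; it is what turned the 401 into a 302 to the Keycloak authorization endpoint.
@ImportAutoConfiguration(exclude = {
        OAuth2ClientAutoConfiguration.class,
        OAuth2ResourceServerAutoConfiguration.class
})
class MyControllerSecurityTest {

    private static final String MY_URI = "/api/items"; // assumed endpoint path

    @Autowired
    private MockMvc mockMvc;

    @Test
    void getWithoutTokenIsRejectedWith401NotRedirected() throws Exception {
        mockMvc.perform(get(MY_URI).accept(MediaType.APPLICATION_JSON))
                .andExpect(status().isUnauthorized())
                // A redirect to the OAuth2 login flow would carry a Location header;
                // asserting its absence catches a regression back to the 302 behaviour.
                .andExpect(header().doesNotExist(HttpHeaders.LOCATION));
    }

    @Test
    void postWithoutTokenOrCsrfIsRejectedWith403() throws Exception {
        // CSRF protection runs before authentication, hence 403 rather than 401,
        // matching what the question reports for unauthenticated POSTs.
        mockMvc.perform(post(MY_URI)
                        .contentType(MediaType.APPLICATION_JSON)
                        .content("{}"))
                .andExpect(status().isForbidden());
    }

    @Test
    void getWithMockedJwtReachesController() throws Exception {
        // jwt() from spring-security-test places a JwtAuthenticationToken directly in the
        // security context, so no issuer-uri or JWK lookup is needed in the slice test.
        mockMvc.perform(get(MY_URI)
                        .accept(MediaType.APPLICATION_JSON)
                        .with(jwt().jwt(j -> j.subject("test-user"))))
                .andExpect(status().isOk()); // assumes MyController answers 200 for this GET
    }
}
```

The exclusion list names the servlet-stack auto-configuration classes of Spring Boot 2.x, which is the version range the thread is about; the mocked-JWT test depends on the resource-server auto-configuration being excluded, as the answer notes, because otherwise the slice would try to build a real JwtDecoder from the issuer-uri.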
