stackoom
  简体   繁体   中英

Spring Boot WebMvcTest returns 302 instead of 401 for GET methods

 原文  2021-06-09 13:06:58       java/ spring-boot/ testing/ spring-security/ jwt

Question

I have an application with REST endpoints that are secured with JWT authentication (external resource server). After upgrading my project from spring-boot 2.2.7 to 2.4.3 some of the WebMvcTest integration tests are failing. Specifically, test cases for GET requests without JWT tokens - previously they would return 401 UNAUTHORIZED , now they return 302 REDIRECT to http://localhost/oauth2/authorization/keycloak .

@Test
void shouldNotAllowAccessForUnauthenticatedUsers() throws Exception {
    // given
    var params = createParams();

    // when / then
    mockMvc.perform(get(MY_URI)
            .params(params)
            .contentType(MediaType.APPLICATION_JSON)
            .content(new byte[0]))
            .andExpect(status().isUnauthorized());
}

No custom web security configuration is imported, just @WebMvcTest , @AutoConfigureMockMvc plus @ContextConfiguration for relevant controller and mapper beans.

POST methods in tests without authentication return 403 (as before the upgrade). This problem occurs only in tests - when application is running, calling any endpoint without the token results in 401 .

Is there a way to configure WebMvcTest to return 401 instead of 302 ?

1 answers

solution1
 0  2021-06-11 14:41:18

Andy Wilkinson's question inspired me to look deeper into this, since no Keycloak adapter is really added as an explicit dependency (only spring-boot-starter-security , spring-boot-starter-oauth2-client , spring-boot-starter-oauth2-resource-server ), but keycloak is mentioned in the config here: 

  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: ...
      client:
        registration:
          keycloak:
            client-id: ...
            client-secret: ...
            authorization-grant-type: ...
            scope: ...
        provider:
          keycloak:
            authorization-uri: ...
            token-uri: ...

Requests for app's endpoints are authenticated with JWT tokens from the issuer-uri, but HTTP client calls to other services are authenticated using client registration in Keycloak (for service-to-service authentication).

Anyway, I believe this change of behavior after upgrade is due to a feature introduced in Spring Boot 2.3 , specifically: "OAuth2 parameter binding in @WebMvcTest ". Auto-configuration for OAuth2 is now included in @WebMvcTest which resulted in this test trying to redirect to keycloak using the client configuration (which in runtime is used only for service-to-service).

I fixed the issue by annotating the test class with:

@ImportAutoConfiguration(exclude = {OAuth2ClientAutoConfiguration.class, OAuth2ResourceServerAutoConfiguration.class})

(Resource server config had to be excluded as well to handle mocked JWT properly.)

Maybe someone will find this helpful.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring Boot 1.4.2 @WebMvcTest returns status 404 Spring Boot @WebMvcTest returns 404 if success login 401 instead of 403 with Spring Boot 2 Spring Boot, Spring Security returns a status 401 instead of 404 for "no mapping found for HTTP request" How to get Spring Boot default validation reponses in @WebMvcTest? Spring Boot WebMvcTest require EntityManager Spring Boot @WebMvcTest vs @SpringBootTest Spring Boot : POST request returns 401 HttpUrlConnection Spring RestTemplate GET request returns 302 status Spring returns 401 instead of 200 status
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM