使用 Spring 安全性在 @WebMvcTest 中测试 JwtDecoder
Test JwtDecoder in @WebMvcTest with Spring Security
我正在使用 Spring Boot 2.2.1 和 spring-security-oauth2-resource-server:5.2.0.RELEASE。我想写一个集成测试来测试安全性是否可以。
我在我的应用程序中定义了这个 WebSecurityConfigurerAdapter:
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
private final OAuth2ResourceServerProperties properties;
private final SecuritySettings securitySettings;
public WebSecurityConfiguration(OAuth2ResourceServerProperties properties, SecuritySettings securitySettings) {
this.properties = properties;
this.securitySettings = securitySettings;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/api/**")
.authenticated()
.and()
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
}
@Bean
public JwtDecoder jwtDecoder() {
NimbusJwtDecoder result = NimbusJwtDecoder.withJwkSetUri(properties.getJwt().getJwkSetUri())
.build();
OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
JwtValidators.createDefault(),
new AudienceValidator(securitySettings.getApplicationId()));
result.setJwtValidator(validator);
return result;
}
private static class AudienceValidator implements OAuth2TokenValidator<Jwt> {
private final String applicationId;
public AudienceValidator(String applicationId) {
this.applicationId = applicationId;
}
@Override
public OAuth2TokenValidatorResult validate(Jwt token) {
if (token.getAudience().contains(applicationId)) {
return OAuth2TokenValidatorResult.success();
} else {
return OAuth2TokenValidatorResult.failure(
new OAuth2Error("invalid_token", "The audience is not as expected, got " + token.getAudience(),
null));
}
}
}
}
它有一个自定义验证器来检查令牌中的受众 (aud) 声明。
我目前有这个测试,它有效,但它根本不检查观众声明:
@WebMvcTest(UserController.class)
@EnableConfigurationProperties({SecuritySettings.class, OAuth2ResourceServerProperties.class})
@ActiveProfiles("controller-test")
class UserControllerTest {
@Autowired
private MockMvc mockMvc;
@Test
void testOwnUserDetails() throws Exception {
mockMvc.perform(get("/api/users/me")
.with(jwt(createJwtToken())))
.andExpect(status().isOk())
.andExpect(jsonPath("userId").value("AZURE-ID-OF-USER"))
.andExpect(jsonPath("name").value("John Doe"));
}
@Test
void testOwnUserDetailsWhenNotLoggedOn() throws Exception {
mockMvc.perform(get("/api/users/me"))
.andExpect(status().isUnauthorized());
}
@NotNull
private Jwt createJwtToken() {
String userId = "AZURE-ID-OF-USER";
String userName = "John Doe";
String applicationId = "AZURE-APP-ID";
return Jwt.withTokenValue("fake-token")
.header("typ", "JWT")
.header("alg", "none")
.claim("iss",
"https://b2ctestorg.b2clogin.com/80880907-bc3a-469a-82d1-b88ffad655df/v2.0/")
.claim("idp", "LocalAccount")
.claim("oid", userId)
.claim("scope", "user_impersonation")
.claim("name", userName)
.claim("azp", applicationId)
.claim("ver", "1.0")
.subject(userId)
.audience(Set.of(applicationId))
.build();
}
}
我还有一个 controller-test 配置文件的属性文件,其中包含应用程序 ID 和 jwt-set-uri:
security-settings.application-id=FAKE_ID
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://b2ctestorg.b2clogin.com/b2ctestorg.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_ropc_flow
可能Jwt是手动创建的,所以没有使用JwtDecoder?如何确保在测试中调用了 JwtDecoder?
我的猜测是 mockMvc 没有配置为考虑安全方面 (1),或者 @WebMvcTest test slice 没有自动配置所有必需的 bean (2 ).
1:您可以尝试将 @AutoConfigureMockMvc 添加到 class,或者使用
手动配置 mockMvc
@Autowired
private WebApplicationContext context;
private MockMvc mockMvc;
@Before
public void setup() {
mockMvc = MockMvcBuilders
.webAppContextSetup(context)
.apply(springSecurity())
.build();
}
2:如果与@WebMvcTest测试分片有关,考虑在测试class中加入@Import(WebSecurityConfig.class)。否则,在测试 class 中使用 @SpringBootTest 和 @AutoConfigureMockMvc 而不是 @WebMvcTest 来设置 Spring 引导测试。
通过使用 JWT post 处理器 .with(jwt(createJwtToken()))),您可以绕过 JwtDecoder。
考虑一下如果 JwtDecoder 没有被绕过会发生什么。
在过滤器链中,您的请求将到达 JwtDecoder 解析 JWT 值的位置。
在这种情况下,值为 "fake-token",这将导致异常,因为它不是有效的 JWT。
这意味着代码甚至不会到达调用 AudienceValidator 的地步。
您可以将传递到 SecurityMockMvcRequestPostProcessors.jwt(Jwt jwt) 的值视为将从 JwtDecoder.decode(String token) 返回的响应。
然后,使用 SecurityMockMvcRequestPostProcessors.jwt(Jwt jwt) 的测试将在提供有效的 JWT 令牌时测试行为。
您可以为 AudienceValidator 添加额外的测试以确保其正常运行。
为了详细说明 Eleftheria Stein-Kousathana 的回答,我做了以下更改以使其成为可能:
1) 创建一个 JwtDecoderFactoryBean class 以便能够对 JwtDecoder 和配置的验证器进行单元测试:
@Component
public class JwtDecoderFactoryBean implements FactoryBean<JwtDecoder> {
private final OAuth2ResourceServerProperties properties;
private final SecuritySettings securitySettings;
private final Clock clock;
public JwtDecoderFactoryBean(OAuth2ResourceServerProperties properties,
SecuritySettings securitySettings,
Clock clock) {
this.properties = properties;
this.securitySettings = securitySettings;
this.clock = clock;
}
@Override
public JwtDecoder getObject() {
JwtTimestampValidator timestampValidator = new JwtTimestampValidator();
timestampValidator.setClock(clock);
JwtIssuerValidator issuerValidator = new JwtIssuerValidator(securitySettings.getJwtIssuer());
JwtAudienceValidator audienceValidator = new JwtAudienceValidator(securitySettings.getJwtApplicationId());
OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
timestampValidator,
issuerValidator,
audienceValidator);
NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(properties.getJwt().getJwkSetUri())
.build();
decoder.setJwtValidator(validator);
return decoder;
}
@Override
public Class<?> getObjectType() {
return JwtDecoder.class;
}
}
我也把原代码中的AudienceValidator提取到外部class中,重命名为JwtAudienceValidator.
2) 从安全配置中删除 JwtDecoder @Bean 方法,使其看起来像这样:
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/api/**")
.authenticated()
.and()
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
}
}
3) 在一些 @Configuration class:
中创建一个 Clock bean
@Bean
public Clock clock() {
return Clock.systemDefaultZone();
}
(令牌超时单元测试需要)
使用此设置,现在可以为应用程序使用的实际设置 JwtDecoder 编写单元测试:
// actual @Test methods ommitted, but they can use this private method
// to setup a JwtDecoder and test some valid/invalid JWT tokens.
@NotNull
private JwtDecoder createDecoder(String currentTime, String issuer, String audience) {
OAuth2ResourceServerProperties properties = new OAuth2ResourceServerProperties();
properties.getJwt().setJwkSetUri(
"https://mycompb2ctestorg.b2clogin.com/mycompb2ctestorg.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_ropc_flow");
JwtDecoderFactoryBean factoryBean = new JwtDecoderFactoryBean(properties,
new SecuritySettings(audience, issuer),
Clock.fixed(Instant.parse(currentTime),
ZoneId.systemDefault()));
//noinspection ConstantConditions - getObject never returns null in this case
return factoryBean.getObject();
}
最后,@WebMvcTest 需要一个 mock JwtDecoder,因为真实的 @WebMvcTest 测试片不再启动(由于使用了工厂 bean) .这是很好的 IMO,否则,我需要为真正的 JwtDecoder 定义属性,这些属性无论如何都没有被使用。因此,我在测试中不再需要 controller-test 配置文件。
所以只需像这样声明一个字段:
@MockBean
private JwtDecoder jwtDecoder;
或创建嵌套测试配置class:
@TestConfiguration
static class TestConfig {
@Bean
public JwtDecoder jwtDecoder() {
return mock(JwtDecoder.class);
}
}
我正在使用 Spring Boot 2.2.1 和 spring-security-oauth2-resource-server:5.2.0.RELEASE。我想写一个集成测试来测试安全性是否可以。
我在我的应用程序中定义了这个 WebSecurityConfigurerAdapter:
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
private final OAuth2ResourceServerProperties properties;
private final SecuritySettings securitySettings;
public WebSecurityConfiguration(OAuth2ResourceServerProperties properties, SecuritySettings securitySettings) {
this.properties = properties;
this.securitySettings = securitySettings;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/api/**")
.authenticated()
.and()
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
}
@Bean
public JwtDecoder jwtDecoder() {
NimbusJwtDecoder result = NimbusJwtDecoder.withJwkSetUri(properties.getJwt().getJwkSetUri())
.build();
OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
JwtValidators.createDefault(),
new AudienceValidator(securitySettings.getApplicationId()));
result.setJwtValidator(validator);
return result;
}
private static class AudienceValidator implements OAuth2TokenValidator<Jwt> {
private final String applicationId;
public AudienceValidator(String applicationId) {
this.applicationId = applicationId;
}
@Override
public OAuth2TokenValidatorResult validate(Jwt token) {
if (token.getAudience().contains(applicationId)) {
return OAuth2TokenValidatorResult.success();
} else {
return OAuth2TokenValidatorResult.failure(
new OAuth2Error("invalid_token", "The audience is not as expected, got " + token.getAudience(),
null));
}
}
}
}
它有一个自定义验证器来检查令牌中的受众 (aud) 声明。
我目前有这个测试,它有效,但它根本不检查观众声明:
@WebMvcTest(UserController.class)
@EnableConfigurationProperties({SecuritySettings.class, OAuth2ResourceServerProperties.class})
@ActiveProfiles("controller-test")
class UserControllerTest {
@Autowired
private MockMvc mockMvc;
@Test
void testOwnUserDetails() throws Exception {
mockMvc.perform(get("/api/users/me")
.with(jwt(createJwtToken())))
.andExpect(status().isOk())
.andExpect(jsonPath("userId").value("AZURE-ID-OF-USER"))
.andExpect(jsonPath("name").value("John Doe"));
}
@Test
void testOwnUserDetailsWhenNotLoggedOn() throws Exception {
mockMvc.perform(get("/api/users/me"))
.andExpect(status().isUnauthorized());
}
@NotNull
private Jwt createJwtToken() {
String userId = "AZURE-ID-OF-USER";
String userName = "John Doe";
String applicationId = "AZURE-APP-ID";
return Jwt.withTokenValue("fake-token")
.header("typ", "JWT")
.header("alg", "none")
.claim("iss",
"https://b2ctestorg.b2clogin.com/80880907-bc3a-469a-82d1-b88ffad655df/v2.0/")
.claim("idp", "LocalAccount")
.claim("oid", userId)
.claim("scope", "user_impersonation")
.claim("name", userName)
.claim("azp", applicationId)
.claim("ver", "1.0")
.subject(userId)
.audience(Set.of(applicationId))
.build();
}
}
我还有一个 controller-test 配置文件的属性文件,其中包含应用程序 ID 和 jwt-set-uri:
security-settings.application-id=FAKE_ID
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://b2ctestorg.b2clogin.com/b2ctestorg.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_ropc_flow
可能Jwt是手动创建的,所以没有使用JwtDecoder?如何确保在测试中调用了 JwtDecoder?
我的猜测是 mockMvc 没有配置为考虑安全方面 (1),或者 @WebMvcTest test slice 没有自动配置所有必需的 bean (2 ).
1:您可以尝试将 @AutoConfigureMockMvc 添加到 class,或者使用
@Autowired
private WebApplicationContext context;
private MockMvc mockMvc;
@Before
public void setup() {
mockMvc = MockMvcBuilders
.webAppContextSetup(context)
.apply(springSecurity())
.build();
}
2:如果与@WebMvcTest测试分片有关,考虑在测试class中加入@Import(WebSecurityConfig.class)。否则,在测试 class 中使用 @SpringBootTest 和 @AutoConfigureMockMvc 而不是 @WebMvcTest 来设置 Spring 引导测试。
通过使用 JWT post 处理器 .with(jwt(createJwtToken()))),您可以绕过 JwtDecoder。
考虑一下如果 JwtDecoder 没有被绕过会发生什么。
在过滤器链中,您的请求将到达 JwtDecoder 解析 JWT 值的位置。
在这种情况下,值为 "fake-token",这将导致异常,因为它不是有效的 JWT。
这意味着代码甚至不会到达调用 AudienceValidator 的地步。
您可以将传递到 SecurityMockMvcRequestPostProcessors.jwt(Jwt jwt) 的值视为将从 JwtDecoder.decode(String token) 返回的响应。
然后,使用 SecurityMockMvcRequestPostProcessors.jwt(Jwt jwt) 的测试将在提供有效的 JWT 令牌时测试行为。
您可以为 AudienceValidator 添加额外的测试以确保其正常运行。
为了详细说明 Eleftheria Stein-Kousathana 的回答,我做了以下更改以使其成为可能:
1) 创建一个 JwtDecoderFactoryBean class 以便能够对 JwtDecoder 和配置的验证器进行单元测试:
@Component
public class JwtDecoderFactoryBean implements FactoryBean<JwtDecoder> {
private final OAuth2ResourceServerProperties properties;
private final SecuritySettings securitySettings;
private final Clock clock;
public JwtDecoderFactoryBean(OAuth2ResourceServerProperties properties,
SecuritySettings securitySettings,
Clock clock) {
this.properties = properties;
this.securitySettings = securitySettings;
this.clock = clock;
}
@Override
public JwtDecoder getObject() {
JwtTimestampValidator timestampValidator = new JwtTimestampValidator();
timestampValidator.setClock(clock);
JwtIssuerValidator issuerValidator = new JwtIssuerValidator(securitySettings.getJwtIssuer());
JwtAudienceValidator audienceValidator = new JwtAudienceValidator(securitySettings.getJwtApplicationId());
OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
timestampValidator,
issuerValidator,
audienceValidator);
NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(properties.getJwt().getJwkSetUri())
.build();
decoder.setJwtValidator(validator);
return decoder;
}
@Override
public Class<?> getObjectType() {
return JwtDecoder.class;
}
}
我也把原代码中的AudienceValidator提取到外部class中,重命名为JwtAudienceValidator.
2) 从安全配置中删除 JwtDecoder @Bean 方法,使其看起来像这样:
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/api/**")
.authenticated()
.and()
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
}
}
3) 在一些 @Configuration class:
Clock bean
@Bean
public Clock clock() {
return Clock.systemDefaultZone();
}
(令牌超时单元测试需要)
使用此设置,现在可以为应用程序使用的实际设置 JwtDecoder 编写单元测试:
// actual @Test methods ommitted, but they can use this private method
// to setup a JwtDecoder and test some valid/invalid JWT tokens.
@NotNull
private JwtDecoder createDecoder(String currentTime, String issuer, String audience) {
OAuth2ResourceServerProperties properties = new OAuth2ResourceServerProperties();
properties.getJwt().setJwkSetUri(
"https://mycompb2ctestorg.b2clogin.com/mycompb2ctestorg.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_ropc_flow");
JwtDecoderFactoryBean factoryBean = new JwtDecoderFactoryBean(properties,
new SecuritySettings(audience, issuer),
Clock.fixed(Instant.parse(currentTime),
ZoneId.systemDefault()));
//noinspection ConstantConditions - getObject never returns null in this case
return factoryBean.getObject();
}
最后,@WebMvcTest 需要一个 mock JwtDecoder,因为真实的 @WebMvcTest 测试片不再启动(由于使用了工厂 bean) .这是很好的 IMO,否则,我需要为真正的 JwtDecoder 定义属性,这些属性无论如何都没有被使用。因此,我在测试中不再需要 controller-test 配置文件。
所以只需像这样声明一个字段:
@MockBean
private JwtDecoder jwtDecoder;
或创建嵌套测试配置class:
@TestConfiguration
static class TestConfig {
@Bean
public JwtDecoder jwtDecoder() {
return mock(JwtDecoder.class);
}
}