我想知道代码的问题在哪里,每次我运行后期测试时(无论它针对的是哪个控制器或方法),我都返回403错误,在某些情况下我希望返回401,并且在其他情况下为200(使用auth)。
这是我的控制器的代码段:
@RestController
@CrossOrigin("*")
@RequestMapping("/user")
class UserController @Autowired constructor(val userRepository: UserRepository) {
@PostMapping("/create")
fun addUser(@RequestBody user: User): ResponseEntity<User> {
return ResponseEntity.ok(userRepository.save(user))
}
}
我针对该控制器的单元测试
@RunWith(SpringRunner::class)
@WebMvcTest(UserController::class)
class UserControllerTests {
@Autowired
val mvc: MockMvc? = null
@MockBean
val repository: UserRepository? = null
val userCollection = mutableListOf<BioRiskUser>()
@Test
fun testAddUserNoAuth() {
val user = BioRiskUser(
0L,
"user",
"password",
mutableListOf(Role(
0L,
"administrator"
)))
repository!!
`when`(repository.save(user)).thenReturn(createUser(user))
mvc!!
mvc.perform(post("/create"))
.andExpect(status().isUnauthorized)
}
private fun createUser(user: BioRiskUser): BioRiskUser? {
user.id=userCollection.count().toLong()
userCollection.add(user)
return user
}
}
我想念什么?
根据要求,我的安全配置...
@Configuration
@EnableWebSecurity
class SecurityConfig(private val userRepository: UserRepository, private val userDetailsService: UserDetailsService) : WebSecurityConfigurerAdapter() {
@Bean
override fun authenticationManagerBean(): AuthenticationManager {
return super.authenticationManagerBean()
}
override fun configure(auth: AuthenticationManagerBuilder) {
auth.authenticationProvider(authProvider())
}
override fun configure(http: HttpSecurity) {
http
.csrf().disable()
.cors()
.and()
.httpBasic()
.realmName("App Realm")
.and()
.authorizeRequests()
.antMatchers("/img/*", "/error", "/favicon.ico", "/doc")
.anonymous()
.anyRequest().authenticated()
.and()
.logout()
.invalidateHttpSession(true)
.clearAuthentication(true)
.logoutSuccessUrl("/user")
.permitAll()
}
@Bean
fun authProvider(): DaoAuthenticationProvider {
val authProvider = CustomAuthProvider(userRepository)
authProvider.setUserDetailsService(userDetailsService)
authProvider.setPasswordEncoder(encoder())
return authProvider
}
}
和身份验证提供程序
class CustomAuthProvider constructor(val userRepository: UserRepository) : DaoAuthenticationProvider() {
override fun authenticate(authentication: Authentication?): Authentication {
authentication!!
val user = userRepository.findByUsername(authentication.name)
if (!user.isPresent) {
throw BadCredentialsException("Invalid username or password")
}
val result = super.authenticate(authentication)
return UsernamePasswordAuthenticationToken(user, result.credentials, result.authorities)
}
override fun supports(authentication: Class<*>?): Boolean {
return authentication?.equals(UsernamePasswordAuthenticationToken::class.java) ?: false
}
}
答案 0 :(得分:5)
就我而言,csrf-Protection似乎在我的WebMvcTest中仍然处于活动状态(即使在您的配置中已禁用)。
因此要解决此问题,我只是将WebMvcTest更改为以下内容:
@Test
public void testFoo() throws Exception {
MvcResult result = mvc.perform(
post("/foo").with(csrf()))
.andExpect(status().isOk())
.andReturn();
// ...
}
所以我的问题是缺少.with(csrf())。
答案 1 :(得分:1)
您需要在@ContextConfiguration(classes=SecurityConfig.class)注释之后的UserControllerTests类的顶部添加@WebMvcTest(UserController::class)。
答案 2 :(得分:0)
这是一个问题:
override fun configure(http: HttpSecurity) {
http
.csrf().disable()
.cors()
.and()
.httpBasic()
.realmName("App Realm")
.and()
.authorizeRequests()
.antMatchers("/img/*", "/error", "/favicon.ico", "/doc")
.anonymous()
.anyRequest().authenticated()
.and()
.logout()
.invalidateHttpSession(true)
.clearAuthentication(true)
.logoutSuccessUrl("/user")
.permitAll()
}
这里更特别:
.anyRequest().authenticated()
您需要对每个请求进行身份验证,因此您得到403。
This tutorial很好地说明了如何与模拟用户一起执行测试。
简单的方法是拥有这样的东西:
@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
class SecuredControllerRestTemplateIntegrationTest {
@Autowired
private val template: TestRestTemplate
@Test
fun createUser(): Unit {
val result = template.withBasicAuth("username", "password")
.postForObject("/user/create", HttpEntity(User(...)), User.class)
assertEquals(HttpStatus.OK, result.getStatusCode())
}
}
答案 3 :(得分:0)
您的问题来自CSRF,如果启用调试日志记录,则问题将变得很明显,并且是由于@WebMvcTest仅加载Web层而不加载整个上下文,您的问题 strong> KeycloakWebSecurityConfigurerAdapter未加载。
已加载的配置来自org.springframework.boot.autoconfigure.security.servlet.DefaultConfigurerAdapter(=到org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
WebSecurityConfigurerAdapter包含crsf()。
截止到今天,您有3种解决方案:
在测试类中创建一个WebSecurityConfigurerAdapter。
如果您的项目中只有很少的@WebMvcTest带注释的类,则该解决方案适合您。
@ExtendWith(SpringExtension.class)
@WebMvcTest(controllers = {MyController.class})
public class MyControllerTest {
@TestConfiguration
static class DefaultConfigWithoutCsrf extends WebSecurityConfigurerAdapter {
@Override
protected void configure(final HttpSecurity http) throws Exception {
super.configure(http);
http.csrf().disable();
}
}
...
}
在超类内部创建一个WebSecurityConfigurerAdapter,然后从该类扩展测试。
如果您的项目中有多个带有@WebMvcTest注释的类,则该解决方案很适合您。
@Import(WebMvcTestWithoutCsrf.DefaultConfigWithoutCsrf.class)
public interface WebMvcCsrfDisabler {
static class DefaultConfigWithoutCsrf extends WebSecurityConfigurerAdapter {
@Override
protected void configure(final HttpSecurity http) throws Exception {
super.configure(http);
http.csrf().disable();
}
}
}
@ExtendWith(SpringExtension.class)
@WebMvcTest(controllers = {MyControllerTest .class})
public class MyControllerTest implements WebMvcCsrfDisabler {
...
}
使用 spring-security csrf SecurityMockMvcRequestPostProcessors。
此解决方案体积大且容易出错,检查权限被拒绝并忘记with(csrf())会导致误报。
@ExtendWith(SpringExtension.class)
@WebMvcTest(controllers = {MyController.class})
public class MyControllerTest {
...
@Test
public void myTest() {
mvc.perform(post("/path")
.with(csrf()) // <=== THIS IS THE PART THAT FIX CSRF ISSUE
.content(...)
)
.andExpect(...);
}
}