生成带有对JUnit测试的其他声明的OAuth2访问令牌

时间:2019-01-03 04:01:09

标签: spring-boot spring-security-oauth2 spring-security-test

我有使用OAuth2保护的Spring Boot REST API。我的身份验证服务器和资源服务器是两个应用程序。所有REST API安全性均可与REST客户端正常使用。 然后,我需要编写安全测试用例。我使用以下代码生成访问令牌。一些端点需要在REST方法中手动添加声明。 程序已提供有效的访问令牌,但声明不包含在此令牌中。

private String generateToken(String... authorities) {

    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
    converter.setSigningKey("123");

    tokenService = new DefaultTokenServices();

    JwtTokenStore jwtTokenStore = new JwtTokenStore(converter);
    tokenService.setTokenStore(jwtTokenStore);

    tokenService.setTokenEnhancer(converter);

    Collection<GrantedAuthority> grantAuthorities = new ArrayList<>();

    if (authorities != null) {
        for (String authority: authorities) {
            grantAuthorities.add(new SimpleGrantedAuthority(authority));
        }
    }

    Set<String> resourceIds = Collections.emptySet();
    Set<String> scopes = Collections.emptySet();

    Map<String, String> requestParameters = Collections.emptyMap();
    boolean approved = true;
    String redirectUrl = null;
    Set<String> responseTypes = Collections.emptySet();
    Map<String, Serializable> extensionProperties = Collections.emptyMap();

    OAuth2Request oAuth2Request = new OAuth2Request(requestParameters, "web-client", grantAuthorities,
            approved, scopes, resourceIds, redirectUrl, responseTypes, extensionProperties);

    User userPrincipal = new User("user", "", true, true,
            true, true, grantAuthorities);
    UsernamePasswordAuthenticationToken authenticationToken =
            new UsernamePasswordAuthenticationToken(userPrincipal, null, grantAuthorities);

    OAuth2Authentication auth = new OAuth2Authentication(oAuth2Request, authenticationToken);

    OAuth2AccessToken accessToken = tokenService.createAccessToken(auth);

    Map<String, Object> claims = new HashMap<>();

    List<Long> tenantIds = new ArrayList<>();
    tenantIds.add(1L);

    claims.put("role", 1L);
    claims.put("tenants", tenantIds);

    ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(claims);

    return accessToken.getValue();

}

我如何对此令牌添加声明。

1 个答案:

答案 0 :(得分:-1)

最后找到了解决方案。将 TokenEnhancerChain 添加到代码中

以下是最终代码

private String generateToken(String... authorities) {

    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
    converter.setSigningKey("123");

    tokenService = new DefaultTokenServices();

    JwtTokenStore jwtTokenStore = new JwtTokenStore(converter);
    tokenService.setTokenStore(jwtTokenStore);

    Collection<GrantedAuthority> grantAuthorities = new ArrayList<>();

    if (authorities != null) {
        for (String authority: authorities) {
            grantAuthorities.add(new SimpleGrantedAuthority(authority));
        }
    }

    Set<String> resourceIds = Collections.emptySet();
    Set<String> scopes = Collections.emptySet();

    Map<String, String> requestParameters = Collections.emptyMap();
    boolean approved = true;
    String redirectUrl = null;
    Set<String> responseTypes = Collections.emptySet();
    Map<String, Serializable> extensionProperties = Collections.emptyMap();

    OAuth2Request oAuth2Request = new OAuth2Request(requestParameters, "web-client", grantAuthorities,
            approved, scopes, resourceIds, redirectUrl, responseTypes, extensionProperties);

    User userPrincipal = new User("user", "", true, true,
            true, true, grantAuthorities);
    UsernamePasswordAuthenticationToken authenticationToken =
            new UsernamePasswordAuthenticationToken(userPrincipal, null, grantAuthorities);

    OAuth2Authentication auth = new OAuth2Authentication(oAuth2Request, authenticationToken);

    Map<String, Object> claims = new HashMap<>();

    List<Long> tenantIds = new ArrayList<>();
    tenantIds.add(1L);

    claims.put("role", 1L);
    claims.put("tenants", tenantIds);

    OAuth2AccessToken accessToken = tokenService.createAccessToken(auth);

    TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
    tokenEnhancerChain.setTokenEnhancers(
            Arrays.asList(new CustomTokenEnhancer(), converter));

    accessToken = tokenEnhancerChain.enhance(accessToken, auth);

    return accessToken.getValue();

}

重要提示:将JwtAccessTokenConverter添加为令牌增强器列表的最后一个元素

以下是CustomTokenEnhancer类。

public class CustomTokenEnhancer extends JwtAccessTokenConverter {

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        Map<String, Object> claims = new HashMap<>();

        List<Long> tenantIds = new ArrayList<>();
        tenantIds.add(1L);

        claims.put("role", 1L);
        claims.put("tenants", tenantIds);
        claims.put("userId", "admin@abc.com");

        ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(claims);

        return accessToken;

    }
}