如何让@WebMvcTest与OAuth一起工作？

我迭代的解决方案是将请求中的虚拟“授权”标头与拦截它的模拟令牌服务相结合（如果查看编辑堆栈，经过多次尝试）。

如果没有Authorization标头，则SecurityContext在OAuth堆栈中将是匿名的，无论您尝试将其设置为@WithMockUser还是类似的（创建了一个您无法控制的新安全上下文）。

设置此标头后，将触发ResourceServerTokenServices。 这里有两个案例：

• 您正在编写集成测试，提供有效令牌并让真正的令牌服务完成它的工作并提供此令牌中包含的身份validation
• 您正在编写unit testing，我的案例和模拟令牌服务，以便它返回模拟身份validation

一个非常相似的方法，我发现在拔头发几天并从头开始构建之后，我已经在这里进行了描述。 我只是进一步了解了@WebMvcTest的模拟Oauth2Authentication配置和工具。

@ WithMockOAuth2Client模拟仅客户端身份validation（不涉及最终用户）

 @Retention(RetentionPolicy.RUNTIME) @WithSecurityContext(factory = WithMockOAuth2Client.WithMockOAuth2ClientSecurityContextFactory.class) public @interface WithMockOAuth2Client { String clientId() default "web-client"; String[] scope() default {"openid"}; String[] authorities() default {}; boolean approved() default true; class WithMockOAuth2ClientSecurityContextFactory implements WithSecurityContextFactory { public static OAuth2Request getOAuth2Request(final WithMockOAuth2Client annotation) { final Set authorities = Stream.of(annotation.authorities()) .map(auth -> new SimpleGrantedAuthority(auth)) .collect(Collectors.toSet()); final Set scope = Stream.of(annotation.scope()) .collect(Collectors.toSet()); return new OAuth2Request( null, annotation.clientId(), authorities, annotation.approved(), scope, null, null, null, null); } @Override public SecurityContext createSecurityContext(final WithMockOAuth2Client annotation) { final SecurityContext ctx = SecurityContextHolder.createEmptyContext(); ctx.setAuthentication(new OAuth2Authentication(getOAuth2Request(annotation), null)); SecurityContextHolder.setContext(ctx); return ctx; } } } 

@ WithMockOAuth2User代表最终用户模拟客户端身份validation

 @Retention(RetentionPolicy.RUNTIME) @WithSecurityContext(factory = WithMockOAuth2User.WithMockOAuth2UserSecurityContextFactory.class) public @interface WithMockOAuth2User { WithMockOAuth2Client client() default @WithMockOAuth2Client(); WithMockUser user() default @WithMockUser(); class WithMockOAuth2UserSecurityContextFactory implements WithSecurityContextFactory { /** * Sadly, #WithMockUserSecurityContextFactory is not public, * so re-implement mock user authentication creation * * @param user * @return an Authentication with provided user details */ public static UsernamePasswordAuthenticationToken getUserAuthentication(final WithMockUser user) { final String principal = user.username().isEmpty() ? user.value() : user.username(); final Stream grants = user.authorities().length == 0 ? Stream.of(user.roles()).map(r -> "ROLE_" + r) : Stream.of(user.authorities()); final Set userAuthorities = grants .map(auth -> new SimpleGrantedAuthority(auth)) .collect(Collectors.toSet()); return new UsernamePasswordAuthenticationToken( new User(principal, user.password(), userAuthorities), principal + ":" + user.password(), userAuthorities); } @Override public SecurityContext createSecurityContext(final WithMockOAuth2User annotation) { final SecurityContext ctx = SecurityContextHolder.createEmptyContext(); ctx.setAuthentication(new OAuth2Authentication( WithMockOAuth2Client.WithMockOAuth2ClientSecurityContextFactory.getOAuth2Request(annotation.client()), getUserAuthentication(annotation.user()))); SecurityContextHolder.setContext(ctx); return ctx; } } } 

OAuth2MockMvcHelper可帮助使用预期的Authorization标头构建测试请求

 public class OAuth2MockMvcHelper extends MockMvcHelper { public static final String VALID_TEST_TOKEN_VALUE = "test.fake.jwt"; public OAuth2MockMvcHelper( final MockMvc mockMvc, final ObjectFactory messageConverters, final MediaType defaultMediaType) { super(mockMvc, messageConverters, defaultMediaType); } /** * Adds OAuth2 support: adds an Authorisation header to all request builders * if there is an OAuth2Authentication in test security context. * * /!\ Make sure your token services recognize this dummy "VALID_TEST_TOKEN_VALUE" token as valid during your tests /!\ * * @param contentType should be not-null when issuing request with body (POST, PUT, PATCH), null otherwise * @param accept should be not-null when issuing response with body (GET, POST, OPTION), null otherwise * @param method * @param urlTemplate * @param uriVars * @return a request builder with minimal info you can tweak further (add headers, cookies, etc.) */ @Override public MockHttpServletRequestBuilder requestBuilder( Optional contentType, Optional accept, HttpMethod method, String urlTemplate, Object... uriVars) { final MockHttpServletRequestBuilder builder = super.requestBuilder(contentType, accept, method, urlTemplate, uriVars); if (SecurityContextHolder.getContext().getAuthentication() instanceof OAuth2Authentication) { builder.header("Authorization", "Bearer " + VALID_TEST_TOKEN_VALUE); } return builder; } } 

OAuth2ControllerTest控制器unit testing的父级

 @RunWith(SpringRunner.class) @Import(OAuth2MockMvcConfig.class) public class OAuth2ControllerTest { @MockBean private ResourceServerTokenServices tokenService; @Autowired protected OAuth2MockMvcHelper api; @Autowired protected SerializationHelper conv; @Before public void setUpTokenService() { when(tokenService.loadAuthentication(api.VALID_TEST_TOKEN_VALUE)) .thenAnswer(invocation -> SecurityContextHolder.getContext().getAuthentication()); } } 

 @TestConfiguration class OAuth2MockMvcConfig { @Bean public SerializationHelper serializationHelper(ObjectFactory messageConverters) { return new SerializationHelper(messageConverters); } @Bean public OAuth2MockMvcHelper mockMvcHelper( MockMvc mockMvc, ObjectFactory messageConverters, @Value("${controllers.default-media-type:application/json;charset=UTF-8}") MediaType defaultMediaType) { return new OAuth2MockMvcHelper(mockMvc, messageConverters, defaultMediaType); } } 

在混凝土测试中使用的样品

 @WebMvcTest(MyController.class) // Controller to unit-test @Import(WebSecurityConfig.class) // your class extending WebSecurityConfigurerAdapter public class MyControllerTest extends OAuth2ControllerTest { @Test public void testWithUnauthenticatedClient() throws Exception { api.post(payload, "/endpoint") .andExpect(...); } @Test @WithMockOAuth2Client public void testWithDefaultClient() throws Exception { api.get("/endpoint") .andExpect(...); } @Test @WithMockOAuth2User public void testWithDefaultClientOnBehalfDefaultUser() throws Exception { MockHttpServletRequestBuilder req = api.postRequestBuilder(null, "/uaa/refresh") .header("refresh_token", JWT_REFRESH_TOKEN); api.perform(req) .andExpect(status().isOk()) .andExpect(...) } @Test @WithMockOAuth2User( client = @WithMockOAuth2Client( clientId = "custom-client", scope = {"custom-scope", "other-scope"}, authorities = {"custom-authority", "ROLE_CUSTOM_CLIENT"}), user = @WithMockUser( username = "custom-username", authorities = {"custom-user-authority"})) public void testWithCustomClientOnBehalfCustomUser() throws Exception { api.get(MediaType.APPLICATION_ATOM_XML, "/endpoint") .andExpect(status().isOk()) .andExpect(xpath(...)); } } 

时髦，不是吗？

上面提到的工具与OAuth2测试没有直接关系

 public class MockMvcHelper { private final MockMvc mockMvc; private final MediaType defaultMediaType; protected final SerializationHelper conv; public MockMvcHelper(MockMvc mockMvc, ObjectFactory messageConverters, MediaType defaultMediaType) { this.mockMvc = mockMvc; this.conv = new SerializationHelper(messageConverters); this.defaultMediaType = defaultMediaType; } /** * Generic request builder which adds relevant "Accept" and "Content-Type" headers * * @param contentType should be not-null when issuing request with body (POST, PUT, PATCH), null otherwise * @param accept should be not-null when issuing response with body (GET, POST, OPTION), null otherwise * @param method * @param urlTemplate * @param uriVars * @return a request builder with minimal info you can tweak further: add headers, cookies, etc. */ public MockHttpServletRequestBuilder requestBuilder( Optional contentType, Optional accept, HttpMethod method, String urlTemplate, Object... uriVars) { final MockHttpServletRequestBuilder builder = request(method, urlTemplate, uriVars); contentType.ifPresent(builder::contentType); accept.ifPresent(builder::accept); return builder; } public ResultActions perform(MockHttpServletRequestBuilder request) throws Exception { return mockMvc.perform(request); } /* GET */ public MockHttpServletRequestBuilder getRequestBuilder(MediaType accept, String urlTemplate, Object... uriVars) { return requestBuilder(Optional.empty(), Optional.of(accept), HttpMethod.GET, urlTemplate, uriVars); } public MockHttpServletRequestBuilder getRequestBuilder(String urlTemplate, Object... uriVars) { return getRequestBuilder(defaultMediaType, urlTemplate, uriVars); } public ResultActions get(MediaType accept, String urlTemplate, Object... uriVars) throws Exception { return mockMvc.perform(getRequestBuilder(accept, urlTemplate, uriVars)); } public ResultActions get(String urlTemplate, Object... uriVars) throws Exception { return mockMvc.perform(getRequestBuilder(urlTemplate, uriVars)); } /* POST */ public  MockHttpServletRequestBuilder postRequestBuilder(final T payload, MediaType contentType, MediaType accept, String urlTemplate, Object... uriVars) throws Exception { return feed( requestBuilder(Optional.of(contentType), Optional.of(accept), HttpMethod.POST, urlTemplate, uriVars), payload, contentType); } public  MockHttpServletRequestBuilder postRequestBuilder(final T payload, String urlTemplate, Object... uriVars) throws Exception { return postRequestBuilder(payload, defaultMediaType, defaultMediaType, urlTemplate, uriVars); } public  ResultActions post(final T payload, MediaType contentType, MediaType accept, String urlTemplate, Object... uriVars) throws Exception { return mockMvc.perform(postRequestBuilder(payload, contentType, accept, urlTemplate, uriVars)); } public  ResultActions post(final T payload, String urlTemplate, Object... uriVars) throws Exception { return mockMvc.perform(postRequestBuilder(payload, urlTemplate, uriVars)); } /* PUT */ public  MockHttpServletRequestBuilder putRequestBuilder(final T payload, MediaType contentType, String urlTemplate, Object... uriVars) throws Exception { return feed( requestBuilder(Optional.of(contentType), Optional.empty(), HttpMethod.PUT, urlTemplate, uriVars), payload, contentType); } public  MockHttpServletRequestBuilder putRequestBuilder(final T payload, String urlTemplate, Object... uriVars) throws Exception { return putRequestBuilder(payload, defaultMediaType, urlTemplate, uriVars); } public  ResultActions put(final T payload, MediaType contentType, String urlTemplate, Object... uriVars) throws Exception { return mockMvc.perform(putRequestBuilder(payload, contentType, urlTemplate, uriVars)); } public  ResultActions put(final T payload, String urlTemplate, Object... uriVars) throws Exception { return mockMvc.perform(putRequestBuilder(payload, urlTemplate, uriVars)); } /* PATCH */ public  MockHttpServletRequestBuilder patchRequestBuilder(final T payload, MediaType contentType, String urlTemplate, Object... uriVars) throws Exception { return feed( requestBuilder(Optional.of(contentType), Optional.empty(), HttpMethod.PATCH, urlTemplate, uriVars), payload, contentType); } public  MockHttpServletRequestBuilder patchRequestBuilder(final T payload, String urlTemplate, Object... uriVars) throws Exception { return patchRequestBuilder(payload, defaultMediaType, urlTemplate, uriVars); } public  ResultActions patch(final T payload, MediaType contentType, String urlTemplate, Object... uriVars) throws Exception { return mockMvc.perform(patchRequestBuilder(payload, contentType, urlTemplate, uriVars)); } public  ResultActions patch(final T payload, String urlTemplate, Object... uriVars) throws Exception { return mockMvc.perform(patchRequestBuilder(payload, urlTemplate, uriVars)); } /* DELETE */ public MockHttpServletRequestBuilder deleteRequestBuilder(String urlTemplate, Object... uriVars) { return requestBuilder(Optional.empty(), Optional.empty(), HttpMethod.DELETE, urlTemplate, uriVars); } public ResultActions delete(String urlTemplate, Object... uriVars) throws Exception { return mockMvc.perform(deleteRequestBuilder(urlTemplate, uriVars)); } /* HEAD */ public MockHttpServletRequestBuilder headRequestBuilder(String urlTemplate, Object... uriVars) { return requestBuilder(Optional.empty(), Optional.empty(), HttpMethod.HEAD, urlTemplate, uriVars); } public ResultActions head(String urlTemplate, Object... uriVars) throws Exception { return mockMvc.perform(headRequestBuilder(urlTemplate, uriVars)); } /* OPTION */ public MockHttpServletRequestBuilder optionRequestBuilder(MediaType accept, String urlTemplate, Object... uriVars) { return requestBuilder(Optional.empty(), Optional.of(accept), HttpMethod.OPTIONS, urlTemplate, uriVars); } public MockHttpServletRequestBuilder optionRequestBuilder(String urlTemplate, Object... uriVars) { return requestBuilder(Optional.empty(), Optional.of(defaultMediaType), HttpMethod.OPTIONS, urlTemplate, uriVars); } public ResultActions option(MediaType accept, String urlTemplate, Object... uriVars) throws Exception { return mockMvc.perform(optionRequestBuilder(accept, urlTemplate, uriVars)); } public ResultActions option(String urlTemplate, Object... uriVars) throws Exception { return mockMvc.perform(optionRequestBuilder(urlTemplate, uriVars)); } /** * Adds serialized payload to request content * * @param request * @param payload * @param mediaType * @param  * @return the request with provided payload as content * @throws Exception if things go wrong (no registered serializer for payload type and asked MediaType, serialization failure, ...) */ public  MockHttpServletRequestBuilder feed( MockHttpServletRequestBuilder request, final T payload, final MediaType mediaType) throws Exception { if (payload == null) { return request; } final SerializationHelper.ByteArrayHttpOutputMessage msg = conv.outputMessage(payload, mediaType); return request .headers(msg.headers) .content(msg.out.toByteArray()); } } 

 public class SerializationHelper { private final ObjectFactory messageConverters; public SerializationHelper(ObjectFactory messageConverters) { this.messageConverters = messageConverters; } public  ByteArrayHttpOutputMessage outputMessage(final T payload, final MediaType mediaType) throws Exception { if (payload == null) { return null; } List> relevantConverters = messageConverters.getObject().getConverters().stream() .filter(converter -> converter.canWrite(payload.getClass(), mediaType)) .collect(Collectors.toList()); final ByteArrayHttpOutputMessage converted = new ByteArrayHttpOutputMessage(); boolean isConverted = false; for (HttpMessageConverter converter : relevantConverters) { try { ((HttpMessageConverter) converter).write(payload, mediaType, converted); isConverted = true; //won't be reached if a conversion error occurs break; //stop iterating over converters after first successful conversion } catch (IOException e) { //swallow exception so that next converter is tried } } if (!isConverted) { throw new Exception("Could not convert " + payload.getClass() + " to " + mediaType.toString()); } return converted; } /** * Provides a String representation of provided payload * * @param payload * @param mediaType * @param  * @return * @throws Exception if things go wrong (no registered serializer for payload type and asked MediaType, serialization failure, ...) */ public  String asString(T payload, MediaType mediaType) throws Exception { return payload == null ? null : outputMessage(payload, mediaType).out.toString(); } public  String asJsonString(T payload) throws Exception { return asString(payload, MediaType.APPLICATION_JSON_UTF8); } public static final class ByteArrayHttpOutputMessage implements HttpOutputMessage { public final ByteArrayOutputStream out = new ByteArrayOutputStream(); public final HttpHeaders headers = new HttpHeaders(); @Override public OutputStream getBody() { return out; } @Override public HttpHeaders getHeaders() { return headers; } } }