Mock JWT with claims with no JwtAuthenticationConverter

[ancavar]

Basically the title. @WithJwt is very useful, but what if JwtAuthenticationConverter bean isn't provided? I'm kinda new to Spring Security so maybe I'm missing something. I know you can use SecurityMockMvcRequestPostProcessors.JwtRequestPostProcessor.jwt and build claims with it, but I would like to not resort to that (and that's only for controllers).

[ch4mpy]

What does your security configuration look like (dependencies, properties & Java code)?

[ancavar]

I have no particular project going on, so I'm currently just testing some simple scenarios.

@RestController
public class DemoController {

    @GetMapping("/demo")
    @PreAuthorize("principal.claims['aud'] == 'my-audience'")
    public String demo() {
        return "Demo";
    }
}

@Configuration
@EnableMethodSecurity
public class ProjectConfig {

    @Value("${keySetURI}")
    private String keySetUri;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.oauth2ResourceServer(
            c -> c.jwt(
                    j -> j.jwkSetUri(keySetUri)
            )
        );

        http.authorizeHttpRequests(
            c -> c.anyRequest().authenticated()
        );

        return http.build();
    }
}

server.port=9090

keySetURI=http://localhost:8080/oauth2/jwks

<dependency>
	<groupId>com.c4-soft.springaddons</groupId>
	<artifactId>spring-addons-oauth2-test</artifactId>
	<scope>test</scope>
	<version>7.1.16</version>
</dependency>
<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-web</artifactId>
</dependency>

<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-test</artifactId>
	<scope>test</scope>
</dependency>
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-test</artifactId>
	<scope>test</scope>
</dependency>

[ch4mpy]

Thank you. This confirms you are testing components within a resource server with JWT decoder and that @WithJwt is actually what is adapted to your case.

I hadn't noticed that the default authentication converter is not exposed as a bean: it is just instantiated by the OAuth2ResourceServerConfigurer.JwtConfigurer if no JwtAuthenticationConverter bean is found in the context (I thought so far that there was a @CondionalOnMissingBean JwtAuthenticationConverter). I will open a bug to fix that and use a JwtAuthenticationConverter instance if no Converter<Jwt, ? extends AbstractAuthenticationToken> is found in the test context.

What you can do until I release a new version is, in your security conf, just add:

@Bean
JwtAuthenticationConverter jwtAuthenticationConverter() {
    return new JwtAuthenticationConverter();
}

This will:

• fix the issue you face right now
• keep the exact same behavior for your app (look at OAuth2ResourceServerConfigurer.JwtConfigurer::getJwtAuthenticationConverter source code if you doubt
• give you a starting point for configuring the authentication converter (which you'll need as soon as you'll want to use something esle than scope as authorities source)

[ch4mpy]

Here is the ticket for tracking the bug resolution: #159

[ancavar]

Thank you so much for your answer. Yeah I guess it's very unusual to not have JwtAuthenticationConverter bean, but oh well. Really love your work by the way, looking forward to a new version!