Couple of questions about usage

[cvetan]

Since I can't get around I thought to post question here.

I want to use library to mock keycloak user token for API calls. Token is tored in header with Authorization: Bearer Token Also my API routes are protected based on the client roles. I tried from what I understood, however when I start test for controller I get following error:

MockHttpServletRequest:
      HTTP Method = PATCH
      Request URI = /v1/locations
       Parameters = {}
          Headers = []
             Body = null
    Session Attrs = {}

Handler:
             Type = null

Async:
    Async started = false
     Async result = null

Resolved Exception:
             Type = null

ModelAndView:
        View name = null
             View = null
            Model = null

FlashMap:
       Attributes = null

MockHttpServletResponse:
           Status = 403
    Error message = Forbidden
          Headers = [X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY"]
     Content type = null
             Body = 
    Forwarded URL = null
   Redirected URL = null
          Cookies = []

So the headers are null and so is the token. I tried following:

 @Test
    @WithMockKeycloakAuth(
            authorities = { "DRIVER" },
            accessToken = @KeycloakAccessToken(
                    resourceAccess = @KeycloakResourceAccess(
                            resourceId = "ace-dl-ms",
                            access = @KeycloakAccess(roles = "DRIVER")
                    ),
            )
    )
    void Should_UpdateUserLocation_WhenValidDataSent() throws Exception {
        final URI uri = URI.create("/v1/locations");

        mockMvc.perform(
                MockMvcRequestBuilders.patch(uri)
        ).andExpect(status().isNoContent());


    }

Perhaps you could instruct me a bit or point me in the direction where to look. I would much appreciate it. Thanks

[ch4mpy]

I had missed that, sorry.

In the output you pasted above, you get a 403 (forbidden) and not a 401 (unauthorized) which means that your request actually had authentication context but that spring-security denied access. A frequent cause for that is security being role based (hasRole('DRIVER') as opposed to hasAuthority('DRIVER')) and GrantedAuthoritiesMapper not being exposed as a @Bean.

If your app uses something else than NullAuthoritiesMapper, you must either

• expose it as a bean so that test security conf can pick it
• provide @WithMockKeycloakAuth with already transformed authorities (i.e.: @WithMockKeycloakAuth(authorities = { "ROLE_DRIVER" })

Now an important note about Spring security in mocked requests:

All the process of building a Spring Authentication instance out of authentication header is skipped with MockMvc: Spring security does not decode, validate, parse nor turn JSON payload into an Authentication instance for MockMvc requests.

As a consequence, this lib does neither of the following:

• insert Bearer Authentication header to the test requests
• create a JSON web token (JWT)

What happens instead is the lib building an Authentication instance based on annotations (or requests post-processors) and directly populating TestSecurityContext with it.

=> do not try to find headers in mock requests, just fetch Authentication from Spring SecurityContext.

Regarding usage, please refer to

• samples and tutorials for both webmvc and weblux
• READMEs at maven modules root folders