Comments (8)
@pvannierop What IDE are you using?
STS (Eclipse) auto-completion does a pretty good job in this domain.
from spring-addons.
I am using IntelliJ. If I look carefully it suggests WithAccessToken, but when selecting it is difficult to guess what to do next if you do not know what to do. I, for instance, for the first time encountered an annotation used as a variable inside another annotation. I discovered that this is the correct approach by a wild guess in a final desperate attempt :) I posted this because I would like to spare others this discovery process. This is as far as IntelliJ brought me:
    @Test
    @WithMockKeycloakAuth(
        name = "testuser",
        authorities = "study_es_0",
        accessToken = WithAccessToken <-- no additional suggestions from here
    )
from spring-addons.
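The syntax the comment above arrived at, an annotation used as the value of another annotation's attribute, shown as an added self-contained example that is not part of the thread and not spring-addons code. `MockAuth` and `TokenClaims` are hypothetical stand-ins for the library's annotations, and their attribute names are assumptions.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class NestedAnnotationDemo {

    // Hypothetical stand-in for a nested "token claims" annotation.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({}) // usable only as a member value of another annotation
    @interface TokenClaims {
        String subject() default "";
        String[] scopes() default {};
    }

    // Hypothetical stand-in for the outer test annotation.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface MockAuth {
        String name() default "user";
        String[] authorities() default {};
        TokenClaims accessToken() default @TokenClaims; // annotation-typed member
    }

    // The member is assigned with '@' followed by the nested annotation's own attributes.
    @MockAuth(
        name = "testuser",
        authorities = "study_es_0",
        accessToken = @TokenClaims(subject = "testuser", scopes = {"openid", "profile"}))
    static void securedTest() { }

    // What a test-support factory does: read the outer and nested values reflectively
    // and turn them into the identity placed in the test security context.
    static Map<String, Object> resolve(Method m) {
        MockAuth auth = m.getAnnotation(MockAuth.class);
        Map<String, Object> ctx = new LinkedHashMap<>();
        ctx.put("name", auth.name());
        ctx.put("authorities", List.of(auth.authorities()));
        ctx.put("sub", auth.accessToken().subject());
        ctx.put("scope", String.join(" ", auth.accessToken().scopes()));
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Method test = NestedAnnotationDemo.class.getDeclaredMethod("securedTest");
        System.out.println(resolve(test));
    }
}
```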
Hi @pvannierop, can you please confirm what I added to https://github.com/ch4mpy/spring-addons/tree/master/spring-security-oauth2-test-addons README meets your expectations?
from spring-addons.
Hi @ch4mpy, thank you for updating the documentation. I find the section on the @WithAccessToken annotation very informative. Not that alone, but the whole readme is a very nice addition. I have several comments:
> you need to unit test a @Service with an OAuth2 security-context (or just prefer annotations over flow APIs)
This is not restricted to @Service beans, but applies to @Controller and @Component as well (that is how I used your lib at least). My proposal is to remove the specific reference to @Service not to confuse users.
> Why unit-testing security at all?
If you see it as your task to educate the reader on what should be tested (and I like this attitude), it would be nice here to write a small block of (pseudo-)code that tests the three elements in ~2 tests (e.g. deny/redirect when not authenticated, access when authenticated, behavior) in combination with a security config that specified tested behavior. Not essential, but helpful.
> That's where this lib jumps in: providing with annotations and helpers to build not only test jwt, but also quite a few other OAuth2 Authentication implementations (and elements it contains).
This is new to me. Sounds very interesting. To assist new users I think it would be a great addition to list these implementations (helps new users in the right direction) and provide an example.
> I favor annotations because it enables to test any kind of @Component when both MockMvc post-processors and WebTestClient configurers are limited to @Controllers.
You do not have to explain yourself here :) The user can take it or leave it ...
And another addition would be to mention that @WithMockAuthentication is an equivalent of @WithMockUser. Possibly make a remark that @WithMockUser does not work with OAuth2 security-context (that is correct, isn't it?).
And finally, overall I would suggest to use somewhat more formal language, but this is all nitpicking. I would be open to provide a PR with my version of the README.md if you are interested.
Overall, great work on this repo. It has been very useful to me and I will be using it in future projects.
from spring-addons.
> @WithMockAuthentication is an equivalent of @WithMockUser
Well... no. @WithMockAuthentication can be used with any Authentication implementation, including JwtAuthenticationToken, KeycloakAuthenticationToken and many more.
Only @WithMockAuthentication(UsernamePasswordAuthenticationToken.class) is close to @WithMockUser() (you'd get a UsernamePasswordAuthenticationToken mock in security context with the first instead of a real instance with the latter).
> I would be open to provide a PR with my version of the README.md if you are interested.
I'll keep this ticket open, then.
from spring-addons.
@pvannierop may we close this issue?
I think I improved the docs on most of the points you reported (and adapted to 2.3.0 breaking changes).
If you still feel like submitting a PR later, you can do it even without a bug report.
from spring-addons.
@ch4mpy Yeah sure. Thnx for your work.
from spring-addons.