Thử nghiệm khởi động mùa xuân không tôn trọng cấu hình bảo mật web

Question

Tôi đang viết kiểm tra cho bộ điều khiển API Rest. thiết bị đầu cuối này có thể truy cập mà không cần bất kỳ ủy quyền:

@EnableWebSecurity 
@Configuration 
@Import(AppConfig.class) 
class WebSecurityConfig extends WebSecurityConfigurerAdapter { 

@Autowired 
private UserDetailsRepository accountRepository; 

@Autowired 
private CustomUserDetailsService customUserDetailsService; 

@Autowired 
private JWTAuthenticationFilter jwtAuthenticationFilter; 

@Override 
protected void configure(HttpSecurity http) throws Exception { 
    http 
     .csrf().disable() 
     .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class) 
     .authorizeRequests() 
      .anyRequest().authenticated().and() 
     .sessionManagement() 
      .sessionCreationPolicy(SessionCreationPolicy.STATELESS); 
} 

/* 
* Apparently, permitAll() doesn't work for custom filters, therefore we ignore the signup and login endpoints 
* here 
*/ 
@Override 
public void configure(WebSecurity web) 
     throws Exception { 
    web.ignoring() 
     .antMatchers(HttpMethod.POST, "/login") 
     .antMatchers(HttpMethod.POST, "/signup"); 
} 

/* 
* set user details services and password encoder 
*/ 
@Override 
protected void configure(AuthenticationManagerBuilder auth) throws Exception { 
    auth.userDetailsService(userDetailsServiceBean()).passwordEncoder(passwordEncoder()); 
} 

@Bean 
public PasswordEncoder passwordEncoder() { 
    return new BCryptPasswordEncoder(); 
} 

/* Stopping spring from adding filter by default */ 
@Bean 
public FilterRegistrationBean rolesAuthenticationFilterRegistrationDisable(JWTAuthenticationFilter filter) { 
    FilterRegistrationBean registration = new FilterRegistrationBean(filter); 
    registration.setEnabled(false); 
    return registration; 
} 

}

Các JWTAuthenticationFilter lớp:

@Component 
public class JWTAuthenticationFilter extends AbstractAuthenticationProcessingFilter { 

    @Autowired 
    private UserDetailsService customUserDetailsService; 

    private static Logger logger = LoggerFactory.getLogger(JWTAuthenticationFilter.class); 
    private final static UrlPathHelper urlPathHelper = new UrlPathHelper(); 

    final static String defaultFilterProcessesUrl = "/**"; 

    public JWTAuthenticationFilter() { 
     super(defaultFilterProcessesUrl); 
     super.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher(defaultFilterProcessesUrl)); //Authentication will only be initiated for the request url matching this pattern 
     setAuthenticationManager(new NoOpAuthenticationManager()); 
    } 

    @Override 
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException { 
     Authentication authentication = AuthenticationService.getAuthentication(request, customUserDetailsService); 
     return getAuthenticationManager().authenticate(authentication); 
    } 

    @Override 
    protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException { 
     logger.debug("failed authentication while attempting to access "+ urlPathHelper.getPathWithinApplication((HttpServletRequest) request)); 
     response.sendError(HttpServletResponse.SC_UNAUTHORIZED,"Authentication Failed"); 
    } 

    @Override 
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException { 
     SecurityContextHolder.getContext().setAuthentication(authResult); 
     chain.doFilter(request, response); 
    } 

    @Override 
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { 
     super.doFilter(req, res, chain); 
    } 
} 

Khi tôi thực hiện một yêu cầu (sử dụng người đưa thư) để 'đăng ký' Endpoint nó hoạt động tốt. Nhưng khi tôi chạy thử nghiệm, nó chạm doFilter và không thành công, vì nó không được xác thực.

@RunWith(SpringRunner.class) 
@SpringBootTest 
@AutoConfigureMockMvc 
public class AuthenticationControllerFTest { 

    @Autowired 
    private MockMvc mockMvc; 

    @MockBean 
    private AuthenticationManager authenticationManager; 

    @Test 
    public void testCreate() throws Exception { 
     Authentication authentication = Mockito.mock(Authentication.class); 
     Mockito.when(authentication.getName()).thenReturn("DUMMY_USERNAME"); 
     Mockito.when(
       authenticationManager.authenticate(Mockito 
         .any(UsernamePasswordAuthenticationToken.class))) 
       .thenReturn(authentication); 

     String exampleUserInfo = "{\"name\":\"Test1234\",\"username\":\"test@test.com\",\"password\":\"Salam12345\"}"; 
     RequestBuilder requestBuilder = MockMvcRequestBuilders 
       .post("/signup") 
       .accept(MediaType.APPLICATION_JSON).content(exampleUserInfo) 
       .contentType(MediaType.APPLICATION_JSON); 

     MvcResult result = mockMvc.perform(requestBuilder).andReturn(); 

     MockHttpServletResponse response = result.getResponse(); 
     int status = response.getStatus(); 
     String content = response.getContentAsString(); 
     System.out.println(content); 
     Assert.assertEquals("http response status is wrong", 200, status); 
    } 
} 

Bất kỳ ý tưởng nào về cách khắc phục vấn đề này?

Answer 1

Vấn đề này đã được giải quyết bằng cách thêm mã sau vào lớp thử nghiệm:

@Autowired 
private WebApplicationContext context; 

@Autowired 
private Filter springSecurityFilterChain; 

@Before 
public void setup() { 
    mockMvc = MockMvcBuilders.webAppContextSetup(context) 
      .addFilters(springSecurityFilterChain).build(); 
} 

Answer 2

@Override 
protected void configure(HttpSecurity http) throws Exception { 
    http.csrf().disable().authorizeRequests() 
      .antMatchers("/**").permitAll() 
      .anyRequest().authenticated(); 
}