How can I prevent a NestedServletException when testing Spring endpoints?

I want to test the security configuration of some of my endpoints, which are secured with @PreAuthorize("#oauth2.hasScope('scope')"). When such an endpoint is accessed via Postman with an access token that does not have the required scope, the following is returned with HTTP status 403 (Forbidden):
{
    "error": "insufficient_scope",
    "error_description": "Insufficient scope for this resource",
    "scope": "scope"
}
This is the behaviour I expect.
When I try to test this configuration, Spring throws a NestedServletException that interferes with my test case before it can complete with the result I expect.
This is a simplified version of the controller I want to test:
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping(value = "/api")
public class OauthTestingResource {

    // SpEL expression must be a string literal: only tokens carrying the "scope" scope may call this
    @PreAuthorize("#oauth2.hasScope('scope')")
    @RequestMapping(value = "/scope", method = RequestMethod.GET)
    public void endpoint() {
        // ...
    }
}
And this is the corresponding test case:
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mockito;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
// Client, OAuthClient and GrantType are the application's own classes

@RunWith(SpringJUnit4ClassRunner.class)
@SpringBootTest(classes = MyApplication.class)
@WebAppConfiguration
public class AuthorizationTest {

    @Autowired
    protected WebApplicationContext webApplicationContext;

    protected MockMvc mvc;

    protected SecurityContext securityContext = Mockito.mock(SecurityContext.class);

    @Before
    public void setup() throws Exception {
        // MockMvc is built from the web application context without the security filter chain
        this.mvc = MockMvcBuilders.webAppContextSetup(webApplicationContext).build();
        SecurityContextHolder.setContext(securityContext);
    }

    // Builds an OAuth2Authentication whose request carries the client's scopes
    protected Authentication createMockAuth(Client client) {
        final List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        final Authentication pwAuth = new UsernamePasswordAuthenticationToken("testuser", "testpw", authorities);
        final TokenRequest request = new TokenRequest(new HashMap<>(), client.getClientId(), client.getScopes(), "password");
        final OAuthClient oauthClient = new OAuthClient(client, GrantType.PASSWORD);
        return new OAuth2Authentication(request.createOAuth2Request(oauthClient), pwAuth);
    }

    @Test
    public void testAppScope() throws Exception {
        final Client client = new Client("id1", "secret1");
        client.setScope("scope");
        Mockito.when(securityContext.getAuthentication()).thenReturn(createMockAuth(client));
        // this test passes
        mvc.perform(get("/api/scope")).andExpect(status().isOk());

        client.setScope("other_scope");
        Mockito.when(securityContext.getAuthentication()).thenReturn(createMockAuth(client));
        // NestedServletException thrown here
        mvc.perform(get("/api/scope")).andExpect(status().isForbidden());
    }
}
The exception that is thrown is the following (which is expected):
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.security.access.AccessDeniedException: Insufficient scope for this resource
My question is: how can I prevent this exception from interfering with my test case?
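As an added example, not part of the question above or of any answer to it: the 403 JSON body seen from Postman is produced by the security filter chain (the exception-translation filter and the OAuth2 access-denied handler), and `MockMvcBuilders.webAppContextSetup(ctx).build()` does not register that chain, so the method-security interceptor's `AccessDeniedException` reaches the `DispatcherServlet` and is wrapped in `NestedServletException`. The test below registers the chain with `springSecurity()` from `spring-security-test` and supplies the principal through the `authentication(...)` request post-processor; a second test shows the fallback of asserting on the root cause when the chain is deliberately left out. It reuses the question's `Client` class and `createMockAuth(Client)` helper, which are assumed to be available on the classpath, and the `AuthorizationFilterChainTest` class name and `authWithScope` helper are names chosen here.

```java
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.util.NestedServletException;

// Added example; assumes the asker's Client class and createMockAuth(Client) helper.
@RunWith(SpringJUnit4ClassRunner.class)
@SpringBootTest(classes = MyApplication.class)
@WebAppConfiguration
public class AuthorizationFilterChainTest extends AuthorizationTest {

    @Autowired
    private WebApplicationContext ctx;

    private MockMvc securedMvc;

    @Before
    public void setupSecuredMvc() {
        // springSecurity() registers the application's security filter chain with MockMvc,
        // so AccessDeniedException is translated into the 403 response instead of escaping.
        this.securedMvc = MockMvcBuilders.webAppContextSetup(ctx)
                .apply(springSecurity())
                .build();
    }

    @After
    public void clearContext() {
        SecurityContextHolder.clearContext();
    }

    // Hypothetical helper: builds an authentication whose OAuth2 request carries one scope
    private Authentication authWithScope(String scope) {
        Client client = new Client("id1", "secret1");
        client.setScope(scope);
        return createMockAuth(client);
    }

    @Test
    public void insufficientScopeIsRenderedAsForbidden() throws Exception {
        // authentication(...) places the principal in the request's security context before the
        // filter chain runs; the access-denied handler then renders the same JSON Postman shows.
        securedMvc.perform(get("/api/scope").with(authentication(authWithScope("other_scope"))))
                .andExpect(status().isForbidden())
                .andExpect(jsonPath("$.error").value("insufficient_scope"));
    }

    @Test
    public void sufficientScopeIsOk() throws Exception {
        securedMvc.perform(get("/api/scope").with(authentication(authWithScope("scope"))))
                .andExpect(status().isOk());
    }

    // Fallback when the filter chain is intentionally left out: the denial is still
    // observable as the cause of the NestedServletException wrapper.
    @Test
    public void accessDeniedIsTheRootCauseWithoutFilters() throws Exception {
        MockMvc bareMvc = MockMvcBuilders.webAppContextSetup(ctx).build();
        SecurityContextHolder.getContext().setAuthentication(authWithScope("other_scope"));
        try {
            bareMvc.perform(get("/api/scope"));
            fail("expected the method-security interceptor to deny access");
        } catch (NestedServletException e) {
            assertTrue(e.getCause() instanceof AccessDeniedException);
        }
    }
}
```

One caveat for the two filter-chain tests: `OAuth2AuthenticationProcessingFilter` runs in stateless mode by default and clears an already-populated security context when the request carries no bearer token, which would turn the expected 403 into a 401. Either configure the resource server with `stateless(false)` in the test profile or supply a bearer token that the configured token services resolve to the mocked `OAuth2Authentication`; which of the two fits depends on the application's resource-server configuration, which the question does not show.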