7

I have a resource server; when it starts, it sends a request to the authentication server ("http://localhost:xxxx/auth/oauth/token_key"), and that's okay when everything is up and running.

But when I'm testing my services I do not need this at all. How can I disable the resource server, or maybe I should mock something so it won't be dependent on the auth server (for future security tests for controllers)?

My spring boot main:

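```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@SpringBootApplication
@EnableEurekaClient
@EnableResourceServer
public class CalendarApplication {

    public static void main(String[] args) throws Exception {
        SpringApplication.run(CalendarApplication.class, args);
    }
}
```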

application.yml:

```yaml
security:
  basic:
    enabled: false
  oauth2:
    resource:
      jwt:
        keyUri: http://localhost:xxxx/auth/oauth/token_key
```

Test class annotations:

```java
@RunWith(SpringJUnit4ClassRunner.class)
@WebMvcTest(value = TypeController.class, secure = false)
public class TypeControllerTest {}
```

Evgenii

3 Answers

5

Why don't you create a separate @Configuration for your @AuthenticationServer with a separate profile (@Profile("test"))? That way, you don't need to disable security and can have an in-memory Token. That's how I dealt with it. You can also disable Spring Security for your tests completely. Have a look at this question.

thomi
  • Do you know a way to disable `@EnableResourceServer` in application context only? Without touching source code. – Michal Foksa Mar 26 '18 at 12:18
  • 1
    I don't think there is one, since you try to disable something you enable in the first place. I'd go with different configurations for your application context for different environments. In the end, you will want to test your app with all the features enabled anyway. – thomi Mar 26 '18 at 19:31
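
One way to apply the profile split suggested in this answer, as an added example that is not code from the answer or the question. The class names `ResourceServerConfig` and `NoAuthServerContextTest` are assumptions, `@EnableResourceServer` is assumed to be removed from `CalendarApplication`, and Spring Boot's OAuth2 auto-configuration is assumed to wire token services only when `@EnableResourceServer` is present.

```java
// Added example. Assumed names: ResourceServerConfig, NoAuthServerContextTest.
// Each class goes in its own file.

// --- ResourceServerConfig.java ---
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

// Active for every profile except "test", so production keeps JWT validation
// against the auth server's token_key endpoint.
@Configuration
@Profile("!test")
@EnableResourceServer
public class ResourceServerConfig {
}

// --- NoAuthServerContextTest.java ---
import static org.junit.Assert.assertTrue;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.ApplicationContext;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
@ActiveProfiles("test")
public class NoAuthServerContextTest {

    @Autowired
    private ApplicationContext context;

    // Guard test: under the "test" profile no resource-server token services
    // should be wired, so nothing needs the keyUri at startup.
    @Test
    public void resourceServerIsOffInTestProfile() {
        assertTrue(context.getBeansOfType(ResourceServerTokenServices.class).isEmpty());
    }
}
```

Tests that are meant to verify access control should run without the `test` profile, so the resource server configuration that ships to production is the one being exercised.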
2

You can use `@WithMockUser` for tests.

Testing Method Security

Atul Kumbhar
Vazgen Torosyan
0

The way I've worked around this was to create a token in the database I'm using for test and to ensure that requests to my API used the token before making a request to the resource under test.

You do want your token there, since it acts as a reasonable sanity check for security. If you expect this resource to not be accessible without a specific token, then that is a useful test to have.

Makoto
  • But I have two cases: in the first test case I'm checking for valid JSON using a JSON schema, and there I do not need security at all. In the other case I want to test security, and a token will of course be needed. – Evgenii Aug 02 '17 at 16:06
  • And for example, if I want to test my repositories, the application does not run, because it's trying to find the AuthServer. That's not the right behavior. – Evgenii Aug 04 '17 at 07:32