
The following spring security config gives some unexpected behavior.

When making a request to some (non-health-check) endpoint (/user), in the browser and when using curl (via git bash on windows), an unauthenticated request returns an idp redirect as expected.

However, when using the WebTestClient, it returns 401 Unauthorized with www-authenticate: [Basic ...].

The request for basic authn in this context (and the password generated at startup) is unexpected because I've declared to disable basic authn via http.httpBasic().disable().

Why would this response come? Is there a better way to override the default basic auth configs? Is there an ordering on these configurations as suggested in this post? Where is this documented?

  ...env values

  @Bean
  public SecurityWebFilterChain webFilterChain(ServerHttpSecurity http) {
    http.oauth2Client()
      .and()
      .oauth2Login()            // unauthenticated requests should be redirected to the IdP
      .and()
      .httpBasic()
      .disable()                // no Basic challenge expected after this
      .formLogin()
      .disable()
      .csrf()
      .disable()
      .authorizeExchange()
      .pathMatchers("/actuator/health").permitAll()   // health check stays public
      .anyExchange().authenticated();                 // everything else requires a login
    return http.build();
  }

  @Bean
  ReactiveClientRegistrationRepository getClientRegistrationRepository() {
    ClientRegistration google =
        ClientRegistration.withRegistrationId("google")
            .scope("openid", "profile", "email")
            .clientId(clientId)
            .clientSecret(clientSecret)
            .authorizationUri(authUri)
            .tokenUri(tokenUri)
            .userInfoUri(userInfoUri)
            .redirectUri(redirectUri)
            .jwkSetUri(jwksUri)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .userNameAttributeName("name")
            .build();

    return new InMemoryReactiveClientRegistrationRepository(google);
  }

Project on github: https://github.com/segevmalool/spring-samples/blob/main/spring-security-webflux-postgres

  • Adding the SecurityConfiguration class to the test's ContextConfiguration classes list "fixed" what I was seeing in the test context, but still not sure why the password is being generated. – Segev Malool Nov 25 '21 at 19:42
  • This is impossible for us to know unless you provide a project that demonstrates the problem. My first question is, is your security configuration even loaded? – Toerktumlare Nov 27 '21 at 17:06
  • Added the project link, here's the line where I added the security config to the test context: https://github.com/segevmalool/spring-samples/blob/main/spring-security-webflux-postgres/src/test/java/com/segbaus/user/userTest.java#L16 The config is definitely loaded (when running), it works in the browser context like I mentioned. But I think the test context defined by `@WebFluxTest` is partial. – Segev Malool Nov 28 '21 at 18:23
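As an added example (not code from the question, the answer, or the linked project), a `@WebFluxTest` slice that explicitly imports the question's security configuration, so the custom chain with `httpBasic().disable()` is the one under test rather than Spring Boot's default chain (which generates a password and answers with a Basic challenge). `UserController`, `SecurityConfiguration` and the `/user` endpoint are assumed names; the client registration properties are assumed to be available to the test context, and `mockOAuth2Login()` requires `spring-security-test` on the classpath.

```java
import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.mockOAuth2Login;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.WebFluxTest;
import org.springframework.context.annotation.Import;
import org.springframework.test.web.reactive.server.WebTestClient;

// Assumed names: UserController (serves /user) and SecurityConfiguration (the
// class holding the SecurityWebFilterChain bean from the question).
@WebFluxTest(controllers = UserController.class)
@Import(SecurityConfiguration.class)   // without this the slice uses the default chain
class UserSecurityTest {

  @Autowired
  private WebTestClient webTestClient;

  @Test
  void unauthenticatedRequestIsRedirectedToIdp() {
    // With the custom chain loaded, the only remaining entry point is the
    // oauth2Login redirect, so an anonymous request must not see a Basic challenge.
    webTestClient.get().uri("/user")
        .exchange()
        .expectStatus().is3xxRedirection()
        .expectHeader().doesNotExist("WWW-Authenticate");
  }

  @Test
  void authenticatedOAuth2UserReachesEndpoint() {
    // spring-security-test injects an OAuth2 principal, so the test does not
    // need to complete a real authorization-code flow against the IdP.
    webTestClient.mutateWith(mockOAuth2Login())
        .get().uri("/user")
        .exchange()
        .expectStatus().isOk();
  }
}
```

If the first test fails with a 401 carrying `WWW-Authenticate: Basic`, the custom configuration was not loaded into the slice, which is the symptom described in the question.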

1 Answer

httpBasic().authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED))

Solution

aboat365
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community May 31 '22 at 11:57
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/31903939) – Emi OB Jun 06 '22 at 14:51