在Spring Security源码分析十一:Spring Security OAuth2整合JWT和Spring Boot 2.0 整合 Spring Security Oauth2中,我们都是使用Restlet Client - REST API Testing测试被Oauth2保护的API。在本章中,我们将展示如何使用MockMvc测试Oauth2的API。
修改pom.xml添加spring-security-test依赖
修改MerryyouResourceServerConfig配置org.springframework.security spring-security-test
@Override
public void configure(HttpSecurity http) throws Exception { // @formatter:off
http.formLogin() .successHandler(appLoginInSuccessHandler)//登录成功处理器
.and() .authorizeRequests() .antMatchers("/user").hasRole("USER") .antMatchers("/forbidden").hasRole("ADMIN") .anyRequest().authenticated().and() .csrf().disable(); // @formatter:ON
}修改MerryyouResourceServerConfig配置,增加对指定路径的角色校验。
默认角色为ROLE_USER,详见MyUserDetailsService
@Componentpublic class MyUserDetailsService implements UserDetailsService { @Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { return new User(username, "123456", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
}
}关于为何是hasRole("USER")而不是hasRole("ROLE_USER")请参考:Spring Security源码分析十三:Spring Security 基于表达式的权限控制
@formatter:off和@formatter:ON此段代码不进行格式化
@GetMapping("/user")
public Object getCurrentUser1(Authentication authentication, HttpServletRequest request) throws UnsupportedEncodingException {
log.info("【SecurityOauth2Application】 getCurrentUser1 authenticaiton={}", JsonUtil.toJson(authentication));
String header = request.getHeader("Authorization");
String token = StringUtils.substringAfter(header, "bearer ");
Claims claims = Jwts.parser().setSigningKey(oAuth2Properties.getJwtSigningKey().getBytes("UTF-8")).parseClaimsJws(token).getBody();
String blog = (String) claims.get("blog");
log.info("【SecurityOauth2Application】 getCurrentUser1 blog={}", blog); return authentication;
} @GetMapping("/forbidden")
public String getForbidden() { return "forbidden";
}/user请求需要USER角色
/forbidden请求需要ADMIN角色
@RunWith(SpringRunner.class)@WebAppConfiguration@SpringBootTest(classes = SecurityOauth2Application.class)@Slf4jpublic class Oauth2MvcTest {
@Autowired
private WebApplicationContext wac; @Autowired
private FilterChainProxy springSecurityFilterChain; private MockMvc mockMvc; //clientId
final static String CLIENT_ID = "merryyou"; //clientSecret
final static String CLIENT_SECRET = "merryyou"; //用户名
final static String USERNAME = "admin"; //密码
final static String PASSWORD = "123456"; private static final String CONTENT_TYPE = "application/json;charset=UTF-8"; @Before
public void setup() { this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).addFilter(springSecurityFilterChain).build();//初始化MockMvc对象,添加Security过滤器链
}初始化Oauth2信息
public String obtainAccessToken() throws Exception { final MultiValueMap params = new linkedMultiValueMap<>(); params.add("grant_type", "password"); params.add("client_id", CLIENT_ID); params.add("username", USERNAME); params.add("password", PASSWORD); // @formatter:off
ResultActions result = mockMvc.perform(post("/oauth/token")
.params(params)
.with(httpBasic(CLIENT_ID, CLIENT_SECRET))
.accept(CONTENT_TYPE))
.andExpect(status().isOk())
.andExpect(content().contentType(CONTENT_TYPE)); // @formatter:on
String resultString = result.andReturn().getResponse().getContentAsString();
JacksonJsonParser jsonParser = new JacksonJsonParser();// System.out.println(jsonParser.parseMap(resultString).get("access_token").toString());
return jsonParser.parseMap(resultString).get("access_token").toString();
} 测试obtainAccessToken @Test
public void getAccessToken() throws Exception { final String accessToken = obtainAccessToken();
log.info("access_token={}", accessToken);
}控制台打印:
access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbImFsbCJdLCJleHAiOjE1MjY0NjEwMzgsImJsb2ciOiJodHRwczovL2xvbmdmZWl6aGVuZy5naXRodWIuaW8vIiwiYXV0aG9yaXRpZXMiOlsiUk9MRV9VU0VSIl0sImp0aSI6ImE1MmE2NDI4LTcwNzctNDcwZC05M2MwLTc0ZWNlNjFhYTlkMCIsImNsaWVudF9pZCI6Im1lcnJ5eW91In0.CPmkZmfOkgDII29RMIoMO7ufAe5WFrQDB7SaMDKa128UnauthorizedTest
@Test
public void UnauthorizedTest() throws Exception {// mockMvc.perform(get("/user")).andExpect(status().isUnauthorized());
ResultActions actions = mockMvc.perform(get("/user")); int status = actions.andReturn().getResponse().getStatus();
Assert.assertTrue(status == HttpStatus.UNAUTHORIZED.value());
}未授权 401
@Test
public void forbiddenTest() throws Exception { final String accessToken = obtainAccessToken();
log.info("access_token={}", accessToken);
mockMvc.perform(get("/forbidden").header("Authorization", "bearer " + accessToken)).andExpect(status().isForbidden());
}禁止访问 403
@Test
public void accessTokenOk() throws Exception { final String accessToken = obtainAccessToken();
log.info("access_token={}", accessToken);
mockMvc.perform(get("/user").header("Authorization", "bearer " + accessToken)).andExpect(status().isOk());
}允许访问 200
作者:郑龙飞
来源:https://my.oschina.net/merryyou/blog/1813546
