Spring security x509 tests are not working as I expected
I have a simple application doing mutual TLS. In practice, when running the app, everything works as I expect.
However, the following test doesn't work and I would like to understand why, as it seems to go in the security chain but the truststore configuration seems to be completely ignored.
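import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.x509;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@ActiveProfiles("test")
@RunWith(SpringRunner.class)
@ContextConfiguration
@WebMvcTest
public class ConfigurationTest {
    @Autowired
    private MockMvc mockMvc;
    @Autowired
    private WebApplicationContext context;

    @Before
    public void setup() {
        // Rebuild MockMvc with the Spring Security filter chain applied
        mockMvc = MockMvcBuilders
                .webAppContextSetup(context)
                .apply(springSecurity())
                .build();
    }

    @Test
    public void untrustedClientShouldBeForbidden() throws Exception {
        // getCertificateFromFile is the test's own helper (not shown in the question)
        this.mockMvc.perform(get("/v1/load")
                .with(x509(getCertificateFromFile("src/test/resources/untrusted-cert.pem")))
                .accept(MediaType.APPLICATION_JSON)
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"foo\":\"bar\"}"))
                .andDo(print())
                .andExpect(status().is(HttpStatus.FORBIDDEN.value()));
    }
}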
The security configuration I have is very simple and is as follows:
@Override
protected void configure(HttpSecurity http) throws Exception $)")
.userDetailsService(userDetailsService());
And my test configuration (which works when doing manual testing) looks like this (application-test.properties):
server.ssl.trust-store=src/test/resources/test.truststore
server.ssl.trust-store-password=changeit
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS
EDIT: renamed the unit test function to better convey the intent of the test.
When I run the untrustedClientShouldBeForbidden() integration test, I expect to be returned a 403 from the server; however, the unit test runs with a 200. I expect the client call with an untrusted cert to be denied access.
– gturc
Aug 30 at 13:31
1 Answer
1
Turns out my test class was not properly annotated.
On my main configuration class I changed:
@SpringBootApplication
@PropertySources({
    @PropertySource("classpath:application.properties"),
    @PropertySource("classpath:application-${spring.profiles.active}.properties")})
@ComponentScan("foo.bar.blah")
public class Application {
To:
@SpringBootApplication(scanBasePackages="foo.bar.blah")
@PropertySources({
    @PropertySource("classpath:application.properties"),
    @PropertySource("classpath:application-${spring.profiles.active}.properties")})
public class Application {
And in my test class I stopped using @MockWebMvc in favor of this configuration:
@ActiveProfiles("test")
@RunWith(SpringRunner.class)
@ContextConfiguration
@SpringBootTest
@AutoConfigureMockMvc
public class ConfigurationTest {
Now the configuration is picked up properly and the unit tests all behave as I expected.
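An added example, not part of the original question or answer: MockMvc performs no TLS handshake, so `server.ssl.trust-store` is never consulted in these tests and the `x509(...)` post-processor only attaches the certificate to the mock request. The standalone check below runs the validation a JSSE trust manager applies to a client certificate, so a test can confirm that a fixture certificate really is untrusted. The class and method names are hypothetical; the paths and password are the ones from the question and are assumed to exist.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper (not from the question or the answer).
public class TrustStoreCheck {
    // Build the trust manager JSSE derives from a JKS trust store.
    static X509TrustManager trustManagerFor(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    static X509Certificate loadPem(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Same check the server side of a TLS handshake applies to a client certificate.
    static boolean isTrusted(X509TrustManager tm, X509Certificate cert) {
        try {
            tm.checkClientTrusted(new X509Certificate[] {cert}, cert.getPublicKey().getAlgorithm());
            return true;
        } catch (CertificateException e) {
            return false; // no path to a trust anchor, expired, etc.
        }
    }

    public static void main(String[] args) throws Exception {
        // Paths and password as given in the question; assumed to exist.
        X509TrustManager tm = trustManagerFor("src/test/resources/test.truststore", "changeit".toCharArray());
        X509Certificate cert = loadPem("src/test/resources/untrusted-cert.pem");
        System.out.println(cert.getSubjectX500Principal().getName() + " trusted=" + isTrusted(tm, cert));
    }
}
```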
What do you mean by However this following test doesn't work? What response do you get?
– dur
Aug 29 at 13:46