Question about usage of @WithMockJwtAuth

[theexiile1305]

First of all, thank you very much for this great project.

Since I can't get around with my questions, I thought to post the question here. I want to use this library to mock a brand new keycloak (version 18.0.0). My API routes are protected via method-level security. I tried from what I understood, but when I started implementing tests for the controller, I got a 200 response without any valid authorization. The mock user doesn't have any granted authorities, and the API is protected.

test method:

@Test
@WithMockJwtAuth(
    authorities = [ ],
    claims = OpenIdClaims(email = "[email protected]")
)
internal fun test_without_authorities() {
     mockMvc.get("/my-api") {
            contentType = MediaType.APPLICATION_JSON
            content = null
            accept = MediaType.APPLICATION_JSON
            with(csrf())
        }.andExpect { status().isForbidden }
}

MockHttpServletRequest:

      HTTP Method = GET
      Request URI = /my-api
       Parameters = {_csrf=[e8f13097-3e3b-4deb-8e5b-4fbc320b4394]}
          Headers = [Content-Type:"application/json;charset=UTF-8", Accept:"application/json", Content-Length:"20"]
             Body = {"content":"foo"}
    Session Attrs = {}

Handler:
             Type = com.example.rest.controller.Controller
           Method = com.example.rest.controller.Controller#update(String, StatusRequest)

Async:
    Async started = false
     Async result = null

Resolved Exception:
             Type = null

ModelAndView:
        View name = null
             View = null
            Model = null

FlashMap:
       Attributes = null

MockHttpServletResponse:
           Status = 200
    Error message = null
          Headers = [X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY"]
     Content type = null
             Body = 
    Forwarded URL = null
   Redirected URL = null
          Cookies = []

Can you help me out? Thanks in advance and many greetings!

[ch4mpy]

Hello @theexiile1305 ,

Sorry for late answer, I wasn't notified of your question.

Did you have a look at the sample modules? More specifically at the tutorials section? You'll find a few working sample, including one with @WithMockJwtAuth.

You might not have @Import / @ComponentScan your web-security config, (most probable reason for 200 on protected resource)

Side note, wit MokcMvc, the Authentication instance is not build from the Authorization header (do not expect to find one). It is build by an authentication factory provided with test annotation. You can inspect the built Authentication by accessing it from SecurityContextHolder.getContext().getAuthentication()

[theexiile1305]

Thank you very much. I have forgotten to import my web-security config.