SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

How to disable JWT token signature verification for Tests? #251

Closed MahatmaFatalError closed 4 years ago

MahatmaFatalError commented 4 years ago

Is there a way to disable JWT token signature verification for @SpringBootTest or @WebMvcTest?

Background: The SecurityTestRule shown in this sample https://github.com/SAP/cloud-security-xsuaa-integration/blob/d1b559d01f69bc7c23b241eaad36781325d2d3da/samples/spring-security-xsuaa-usage/src/test/java/sample/spring/xsuaa/TestControllerTest.java#L43 leads to the following issue:

Caused by: org.springframework.security.oauth2.jwt.JwtException: JWT verification failed: Cannot verify with online token key, jku is null
    at com.sap.cloud.security.xsuaa.token.authentication.XsuaaJwtDecoder.decode(XsuaaJwtDecoder.java:92) ~[spring-xsuaa-2.5.2.jar:na]
    at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:89) ~[spring-security-oauth2-resource-server-5.2.1.RELEASE.jar:5.2.1.RELEASE]
    ... 99 common frames omitted

After playing around with the solution from https://github.com/SAP/cloud-security-xsuaa-integration/issues/187#issuecomment-556972619 and adding a dummy uaa url via @TestPropertySource(properties = { "xsuaa.uaadomain=dummy", "xsuaa.url=http://dummy", "xsuaa.xsappname=xsapp!t0815", "xsuaa.clientid=sb-clientId!t0815" }) I still cannot circumvent the token validation:

Caused by: org.springframework.security.oauth2.jwt.JwtException: JWT verification failed: An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "http://dummy/token_keys": dummy; nested exception is java.net.UnknownHostException: dummy
    at com.sap.cloud.security.xsuaa.token.authentication.XsuaaJwtDecoder.decode(XsuaaJwtDecoder.java:92) ~[spring-xsuaa-2.5.2.jar:na]
    at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:89) ~[spring-security-oauth2-resource-server-5.2.1.RELEASE.jar:5.2.1.RELEASE]
    ... 99 common frames omitted
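
One way to answer the question in the post above, as an added example that is not code from the project or from either participant: a test-scoped `JwtDecoder` that parses the token without checking its signature, gated to the `test` profile and kept under `src/test` so it can never be wired into the production context, where `XsuaaJwtDecoder` must remain in charge. It uses Spring Security 5.2's `Jwt.withTokenValue(...)` builder and Jackson, both real APIs; the class names `NoSignatureJwtDecoderTestConfig` and `TestControllerNoSignatureTest`, the endpoint `/hypothetical-endpoint` and the scope `xsapp!t0815.Read` are assumptions, and the token it builds is a constructed test value. It also assumes the application's security configuration takes its `JwtDecoder` from the Spring context; if the sample wires `XsuaaJwtDecoder` explicitly in its `WebSecurityConfig`, that bean is the one to override instead.

```java
package sample.spring.xsuaa; // hypothetical package, mirrors the sample's layout

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.context.annotation.Primary;
import org.springframework.context.annotation.Profile;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.web.servlet.MockMvc;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.*;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

/**
 * Test double: decodes a JWT WITHOUT verifying its signature (and without the
 * jku/audience checks XsuaaJwtDecoder performs). Only active under the "test"
 * profile and only present on the test classpath, so production keeps the real decoder.
 */
@TestConfiguration
@Profile("test")
public class NoSignatureJwtDecoderTestConfig {

    private static final ObjectMapper JSON = new ObjectMapper();
    private static final TypeReference<Map<String, Object>> MAP = new TypeReference<Map<String, Object>>() {};

    @Bean
    @Primary
    public JwtDecoder unverifiedJwtDecoder() {
        return token -> {
            String[] parts = token.split("\\.");
            if (parts.length != 3) {
                throw new JwtException("Malformed JWT: expected 3 segments, got " + parts.length);
            }
            try {
                Map<String, Object> headers = JSON.readValue(decode(parts[0]), MAP);
                Map<String, Object> claims = JSON.readValue(decode(parts[1]), MAP);
                // Jwt.Builder expects iat/exp/nbf as Instant; JSON carries epoch seconds.
                for (String ts : new String[] {"iat", "exp", "nbf"}) {
                    Object v = claims.get(ts);
                    if (v instanceof Number) {
                        claims.put(ts, Instant.ofEpochSecond(((Number) v).longValue()));
                    }
                }
                // parts[2], the signature, is deliberately never inspected here.
                return Jwt.withTokenValue(token)
                        .headers(h -> h.putAll(headers))
                        .claims(c -> c.putAll(claims))
                        .build();
            } catch (IOException e) {
                throw new JwtException("Malformed JWT segment: " + e.getMessage(), e);
            }
        };
    }

    /** Constructed, unsigned token for tests; the third segment is a placeholder, not a signature. */
    public static String testToken(String subject, List<String> scopes) {
        Map<String, Object> header = new LinkedHashMap<>();
        header.put("alg", "RS256");
        header.put("typ", "JWT");
        Map<String, Object> payload = new LinkedHashMap<>();
        payload.put("sub", subject);
        payload.put("scope", scopes);
        payload.put("iat", Instant.now().getEpochSecond());
        payload.put("exp", Instant.now().plusSeconds(300).getEpochSecond());
        try {
            return encode(JSON.writeValueAsString(header)) + "."
                    + encode(JSON.writeValueAsString(payload)) + ".placeholder-signature";
        } catch (JsonProcessingException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String decode(String segment) {
        return new String(Base64.getUrlDecoder().decode(segment), StandardCharsets.UTF_8);
    }

    private static String encode(String json) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }
}

// Usage: the test activates the profile and imports the stub; no token_keys endpoint is contacted.
@SpringBootTest
@ActiveProfiles("test")
@AutoConfigureMockMvc
@Import(NoSignatureJwtDecoderTestConfig.class)
class TestControllerNoSignatureTest {

    @Autowired
    private MockMvc mvc;

    @Test
    void acceptsUnsignedTestToken() throws Exception {
        String token = NoSignatureJwtDecoderTestConfig.testToken("test-user",
                Collections.singletonList("xsapp!t0815.Read")); // assumed scope name
        mvc.perform(get("/hypothetical-endpoint").header("Authorization", "Bearer " + token))
                .andExpect(status().isOk());
    }
}
```

Because the stub skips every check `XsuaaJwtDecoder` normally performs (signature, `jku` against the uaadomain, audience, expiry), such a test exercises only the controller and scope-to-authority mapping; the decoder's own validation still needs its own tests against signed tokens, and the `@Profile("test")` gate is what keeps the stub from ever being selected outside the test run.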

nenaraab commented 4 years ago

Hi @MahatmaFatalError,

thanks for your request... I only know about @WithMockUser: https://www.baeldung.com/spring-security-integration-tests

But I'm not sure whether this will work in the spring-xsuaa setup.

Please use exactly the properties that are used in the sample: https://github.com/SAP/cloud-security-xsuaa-integration/blob/d1b559d01f69bc7c23b241eaad36781325d2d3da/samples/spring-security-xsuaa-usage/src/test/java/sample/spring/xsuaa/TestControllerTest.java#L26

That will fix your setup.

Best regards, Nena

MahatmaFatalError commented 4 years ago

@nenaraab Thanks for the reply.

> thanks for your request... I only know about @WithMockUser: baeldung.com/spring-security-integration-tests

> Please use exactly the properties that are used in the sample:

Both suggestions lead to the same exception:

Caused by: org.springframework.security.oauth2.jwt.JwtException: JWT verification failed: Cannot verify with online token key, jku is null
    at com.sap.cloud.security.xsuaa.token.authentication.XsuaaJwtDecoder.decode(XsuaaJwtDecoder.java:92) ~[spring-xsuaa-2.5.2.jar:na]
    at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:89) ~[spring-security-oauth2-resource-server-5.2.2.RELEASE.jar:5.2.2.RELEASE]
    ... 99 common frames omitted

nenaraab commented 4 years ago

Hi @MahatmaFatalError,

this is fixed in version 2.5.2: https://github.com/SAP/cloud-security-xsuaa-integration/releases/tag/2.5.2

Best regards, Nena