Need help for XSUAA based webflux junit 5 test

[4effo]

Hello,

Need help in investigation of the following problem in a @WebFluxController test. I use the spring-xsuaa-mock version 2.7.7 with spring boot 2.3.3.Release When I deploy my app the authentication works as expected but I have issue with the unit test (I use JUnit 5).

So I setup the WebFluxTest with the following annotations:

@ExtendWith(SpringExtension.class)
@WebFluxTest(controllers = AggregatesController.class)
@AutoConfigureWebTestClient(timeout = "2500000")
@Import(SecurityConfiguration.class)

Anyway, the call to the endpoint from the WebTestClient fails with the following stack trace:

java.lang.IllegalStateException: Could not obtain the keys
    at org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder$JwkSetUriReactiveJwtDecoderBuilder.lambda$null$1(NimbusReactiveJwtDecoder.java:345) ~[spring-security-oauth2-jose-5.3.4.RELEASE.jar:5.3.4.RELEASE]
    Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException: 
Error has been observed at the following site(s):
    |_ checkpoint ⇢ org.springframework.security.config.web.server.ServerHttpSecurity$OAuth2ResourceServerSpec$BearerTokenAuthenticationWebFilter [DefaultWebFilterChain]
    |_ checkpoint ⇢ org.springframework.security.web.server.context.ReactorContextWebFilter [DefaultWebFilterChain]
    |_ checkpoint ⇢ org.springframework.security.web.server.csrf.CsrfWebFilter [DefaultWebFilterChain]
    |_ checkpoint ⇢ org.springframework.security.web.server.header.HttpHeaderWriterWebFilter [DefaultWebFilterChain]
    |_ checkpoint ⇢ org.springframework.security.config.web.server.ServerHttpSecurity$ServerWebExchangeReactorContextWebFilter [DefaultWebFilterChain]
    |_ checkpoint ⇢ org.springframework.security.web.server.WebFilterChainProxy [DefaultWebFilterChain]
    |_ checkpoint ⇢ HTTP GET "</my/app/ednpoint/here>" [ExceptionHandlingWebHandler]

Is the wrong JwtDecoder used? Not sure how I could change it in the test. So far I tried something like this but without success:

@WebFluxTest(
        controllers = AggregatesController.class,
        excludeAutoConfiguration = {
                ReactiveUserDetailsServiceAutoConfiguration.class,
                ReactiveSecurityAutoConfiguration.class
        })

Appreciate any further help!

[4effo]

Hello, just tried to reproduce the problem that I have and it seems the error probably is related with the JUnit setup that I have. Here example of my setup: https://github.com/4effo/spring-webflux-security-xsuaa-usage

Would be glad to try out any suggestion.

[nenaraab]

Hi @4effo

indeed, spring-xsuaa had to overwrite the Spring Security JwtDecoder and reconfigure the used Nimbus Jwt Decoder slightly to prepare it for multi-tenant applications. That's why

• in case you want to disable Security for the ControllerTests you may have to exclude the Auto-Configurations from spring-xsuaa: https://github.com/SAP/cloud-security-xsuaa-integration/tree/master/spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/autoconfiguration

• In case you like to test the security setup as part of your ControllerTests, we already have a test setup, as described here, but this can be (hopefully) simplified when using java-security-test (spring-xsuaa-mock is deprecated because of complexity).

Best regards, Nena

[4effo]

Hi @nenaraab

Thanks for your response. I didn't knew that the xsuaa mock is deprecated. I'll try by using the java-security-test and if I'm successful I could let you know. Meanwhile I tested also with JUnit 4 and it seems that my assumption is wrong actually. As mentioned before, I use the @WebFluxTest annotation and probably this is the one which causes the auto configuration of a different JwtDecoderBuilder.

Best regards, Stefan

[nenaraab]

Hi @4effo

cool, thanks! I will keep this ticket open to track the process.

Best regards, Nena

[4effo]

Hi @nenaraab,

I could use the java-securitiy-test module. I can confirm it's much simpler. Two hints that could help further to someone else (for the xsuaa use case):

• specifying xsuaa.appname and/or xsuaa.clientid environment might be needed if you require validation of the token audience
• The fix to include @Bean in the @WebFluxTest configuration is planed/solved in spring boot 2.4.0-M3. So, for me was required to use @Import(SecurityConfiguration.class) as workaround

I think we can close the issue! Thanks a lot!

Greetings, Stefan

[nenaraab]

Hi @4effo,

Thanks for your feedback, i have two questions.

• where shall we document appname /clientid best? This might not be required when using predefined JwtGenerator for XSUAA Service.
• do you have a link to your test?

Thanks and best regards, Nena