I wanna test a rest API secured by spring security using request maps. The API is mainly used by authenticated users, therefore I wanna test the API with logged in user.
In the test for the rest client I use
testCompile "org.grails:grails-datastore-rest-client:6.0.5.RELEASE"
Before calling the API the user must be authenticated. I tried following within the setup:
springSecurityService.reauthenticate "admin"
Despite the reauthenticate call there is no session the rest client could detect, therefore the status code is 302 -> redirect to login page.
void "test fetching execution statistic"() {
given:
RestBuilder rest = new RestBuilder()
when:
//requestHeaders.add("Cookie", "JSESSIONID=" + session.getValue());
RestResponse response = rest.post("http://localhost:8080/correctionStatistic/executionStatistic") {
json([
reportingPeriod_year: 2008,
reportingPeriod_month: 01
])
}
then:
response.status == 200
}
How can the session be shared with the rest client? As you can see in the commented line, one idea would be to add the session ID in the request header, but how to request the session ID in the integration test.
If you are just using Spring Security Core Plugin and implementing the traditional stateful chain for the protected URLs(endpoints), then you can use Geb and write functional test cases.
But if you are using the Spring Security Rest Plugin and implementing a stateless chain for your URLs, then you need to first hit the api/login endpoint and get your access token and then make futher requests with Authorization header in the requests.
You can find the detailed guide here.
I hope this helps.
Related
I am having a hard time learning OAuth2 and OpenID Connect.
Every time I think I understand everything now, I come across another gimmick.
This time it's Spring Securities OAuth2LoginAuthenticationProvider.
The OAuth2LoginAuthenticationProvider is used instead of OidcAuthorizationCodeAuthenticationProvider if scope openid is not contained in requested scopes.
if (loginAuthenticationToken.getAuthorizationExchange().getAuthorizationRequest().getScopes().contains("openid")) {
// This is an OpenID Connect Authentication Request so return null
// and let OidcAuthorizationCodeAuthenticationProvider handle it instead
return null;
}
But why does this AuthenticationProvider load an OAuth2User via UserInfoEndpoint?
Isn't UserInfoEndpoint OIDC specific?
You are correct that OIDC defines a User-Info endpoint.
When using OAuth 2.0 to authenticate, there is still a need to figure out the user's information and so Spring Security publishes an interface (OAuth2UserService) that does that.
For non-OIDC implementations, I'd imagine that the OAuth2UserService is not pointed at an OIDC-compliant User-Info endpoint.
I have built a simple Spring Boot application that acts as an OAuth 2.0 client using the #EnableOAuth2Client annotation. My application is creating an OAuth2RestTemplate and the OAuth dance succeeds nicely.
The problem is that when I access my application e.g. at http://localhost:8080/someRequest (where the method serving this resource uses the OAuth2RestTemplate#getObject method to retrieve some remote resources, I end up with sth. like http://localhost:8080/someRequest?code=ABC&state=DEF in my browser.
Is there a way to get rid of these parameters using some Spring configuration magic or do I have to do that myself? I saw that the sample Tonr application suffers from the same problem.
The issue is that you have to handle the callback url that u have registered with OAuth2 provider. when you transfer code and state parameter to the provider Server for access token and refresh token, the provider sends request back to ur callback URL with access token. In callback URL u now have to check if access token is available, you redirect to the original request(u need to save original request before OAuth2 dance).
I know this stuff theoretically, but didnot find Spring-Security-OAuth2 example for handling the callback URL.
I asked same question, but didnot get any answer.
OAuth2 Dance With Spring Security
However without using spring security, i found one link which shows handling callback url manually.It will help u in understanding the flow.
Google Handle callback URl
If u found any example of spring secrity handling callback url , Share with me.
I found this as an issue with spring security oAuth2. Check this JIRA Issue
I'm using Spring Security OAuth to build application with token based authentication (using this article http://porterhead.blogspot.com/2014/05/securing-rest-services-with-spring.html).
In the next step I want to store some additional data with token. I decided, that Spring Session is good enough for it. First, it have HeaderHttpSessionStrategy (user sends session ID in custom header - X-Auth-Token), second, it supports different storages (including Redis - good for quick access to session data).
Spring Security OAuth uses Bearer Authorization, that means I need to create child class from HeaderHttpSessionStrategy, which will return correct session ID (not from X-Auth-Token).
So my questions are:
How to hook on login success method in Spring Security OAuth and create session with provided ID (ID == new generated token) in this moment?
How to hook on logout method?
Is it right way to use Spring Session in this case? If not, what alternatives?
I am newbie using Spring Session.
My intend is to use Spring Session on REST API. I followed an example, however have some unclear points.
The flow I tried to make is:
1. Request to login, providing in the http header user and password.
As I've seen, the information about session saved to the Redis.
2. Request to any resource of REST API providing sessionID. It throws an exception saying, a full authentication should be given.
I thought that if I provide sessionID in the header it would be enough? But it's not so.
Is it possible to achieve the mentioned afore flow using Spring Session?
Thanks in advance.
I need to submit a simple and unique request to a web service hosted inside a regular web based Grails application which is secured with Spring Security plugin. My request should look like:
curl -F username=john password=mypass message="Hello World" http://localhost:8080/myapp/restapi/echo
No work flow, just an unique request and I'm done.
I have a simple secured controller to respond to this request as follows:
#Secured(["ROLE_REST_CLIENT"])
class RestapiController {
def echo() {
respond params.message
}
}
The issue here is that spring security default behavior is to redirect any new request to the login page. How can I change that, search the http params for the user name and password, register the user and go on TO the requested controller action, all in the same unique stateless request?
I had a look at Spring Security REST Plugin but it is aimed to provide a token-based work flow which isn't exactly what I need. (I would also appreciate some guidance to this work flow approach as an optional solution)