oauth2 live test

This commit is contained in:
DOHA 2016-02-21 12:58:42 +02:00
parent 2b378747f7
commit f8258e9221
6 changed files with 116 additions and 5 deletions


@ -0,0 +1,16 @@
package org.baeldung.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
return new OAuth2MethodSecurityExpressionHandler();
}
}
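Review bot: MethodSecurityConfig carries no Javadoc, so a reader cannot tell why a dedicated configuration overrides createExpressionHandler instead of relying on the default from GlobalMethodSecurityConfiguration. Suggest a class comment such as `/** Turns on @PreAuthorize/@PostAuthorize and installs the OAuth2 expression handler so that #oauth2.* expressions (e.g. the #oauth2.hasScope checks in BarController) can be evaluated. */` and, on the override, `// the default handler cannot resolve #oauth2.*; this one can`. Note that the only @PreAuthorize annotations visible in this commit (BarController) are still commented out, so the handler has nothing to evaluate until one is enabled; hedged, since other controllers are not part of the diff. The class is complete within the hunk.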


@ -9,7 +9,6 @@ import org.springframework.context.annotation.PropertySource;
import org.springframework.core.env.Environment; import org.springframework.core.env.Environment;
import org.springframework.http.HttpMethod; import org.springframework.http.HttpMethod;
import org.springframework.jdbc.datasource.DriverManagerDataSource; import org.springframework.jdbc.datasource.DriverManagerDataSource;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
@ -20,7 +19,6 @@ import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
@Configuration @Configuration
@PropertySource({ "classpath:persistence.properties" }) @PropertySource({ "classpath:persistence.properties" })
@EnableResourceServer @EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter { public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Autowired @Autowired
private Environment env; private Environment env;


@ -21,7 +21,7 @@ public class BarController {
} }
// API - read // API - read
// @PreAuthorize("#oauth2.hasScope('read')") // @PreAuthorize("#oauth2.hasScope('read') and hasRole('ROLE_ADMIN')")
@RequestMapping(method = RequestMethod.GET, value = "/bars/{id}") @RequestMapping(method = RequestMethod.GET, value = "/bars/{id}")
@ResponseBody @ResponseBody
public Bar findById(@PathVariable final long id) { public Bar findById(@PathVariable final long id) {
@ -29,7 +29,7 @@ public class BarController {
} }
// API - write // API - write
// @PreAuthorize("#oauth2.hasScope('write')") // @PreAuthorize("#oauth2.hasScope('write') and hasRole('ROLE_ADMIN')")
@RequestMapping(method = RequestMethod.POST, value = "/bars") @RequestMapping(method = RequestMethod.POST, value = "/bars")
@ResponseStatus(HttpStatus.CREATED) @ResponseStatus(HttpStatus.CREATED)
@ResponseBody @ResponseBody
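Review bot: Both @PreAuthorize lines in this section (the read one above findById and the write one above the POST mapping) remain commented out, so the new `and hasRole('ROLE_ADMIN')` condition is never evaluated and this commit adds no method-level check to the /bars endpoints. The live test added in the same commit expects 403 for user john on /bars/1; unless the HttpSecurity rules outside this diff already enforce the admin role, that expectation will not hold. If enforcement is meant to live here, enable the annotations: `@PreAuthorize("#oauth2.hasScope('read') and hasRole('ROLE_ADMIN')")` on findById and `@PreAuthorize("#oauth2.hasScope('write') and hasRole('ROLE_ADMIN')")` on the POST handler. The body of findById continues past the first hunk, and the POST handler's signature lies outside the second.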


@ -55,7 +55,7 @@ public class OAuth2AuthorizationServerConfig extends AuthorizationServerConfigur
.withClient("clientIdPassword") .withClient("clientIdPassword")
.secret("secret") .secret("secret")
.authorizedGrantTypes("password","authorization_code", "refresh_token") .authorizedGrantTypes("password","authorization_code", "refresh_token")
.scopes("read"); .scopes("read","write");
// @formatter:on // @formatter:on
} }
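Review bot: With `.scopes("read","write")` every password-grant token issued to clientIdPassword can now carry the write scope, so a `#oauth2.hasScope('write')` check on its own no longer separates ordinary users from admins; a short comment recording that intent would help, e.g. `// both scopes are granted to every user of this client; admin-only endpoints must be gated by role, not scope`. Style: the new argument list lacks a space after the comma, as does the neighbouring `.authorizedGrantTypes(...)` call — `.scopes("read", "write")`. The enclosing configure method closes inside the hunk but starts outside it.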


@ -22,8 +22,48 @@
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId> <artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency> </dependency>
<!-- test -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.hamcrest</groupId>
<artifactId>hamcrest-core</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.hamcrest</groupId>
<artifactId>hamcrest-library</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.jayway.restassured</groupId>
<artifactId>rest-assured</artifactId>
<version>${rest-assured.version}</version>
<scope>test</scope>
<exclusions>
<exclusion>
<artifactId>commons-logging</artifactId>
<groupId>commons-logging</groupId>
</exclusion>
</exclusions>
</dependency>
</dependencies> </dependencies>
<build> <build>
<finalName>spring-security-oauth-ui-password</finalName> <finalName>spring-security-oauth-ui-password</finalName>
<resources> <resources>
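Review bot: The rest-assured dependency references `${rest-assured.version}`, but no `<properties>` entry defining it appears in this diff; unless it is declared elsewhere in this pom or in a parent, dependency resolution will fail. If it is missing, add `<rest-assured.version>VERSION_HERE</rest-assured.version>` to the properties block (placeholder — use the version the project actually pins). The other four test dependencies carry no version, which presumably relies on Spring Boot's dependency management; worth confirming, since the parent declaration is not visible in the hunk.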


@ -0,0 +1,57 @@
package org.baeldung.live;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import java.util.HashMap;
import java.util.Map;
import org.junit.Test;
import com.jayway.restassured.RestAssured;
import com.jayway.restassured.response.Response;
public class AuthorizationLiveTest {
private String obtainAccessToken(String username, String password) {
final Map<String, String> params = new HashMap<String, String>();
params.put("grant_type", "password");
params.put("client_id", "clientIdPassword");
params.put("username", username);
params.put("password", password);
final Response response = RestAssured.given().auth().preemptive().basic("clientIdPassword", "secret").and().with().params(params).when().post("http://localhost:8081/spring-security-oauth-server/oauth/token");
return response.jsonPath().getString("access_token");
}
@Test
public void givenUser_whenAccessFoosResource_thenOk() {
final String accessToken = obtainAccessToken("john", "123");
final Response response = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/foos/1");
assertEquals(200, response.getStatusCode());
assertNotNull(response.jsonPath().get("name"));
}
@Test
public void givenUser_whenAccessBarssResource_thenUnauthorized() {
final String accessToken = obtainAccessToken("john", "123");
final Response response = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/bars/1");
assertEquals(403, response.getStatusCode());
}
@Test
public void givenAdmin_whenAccessFoosResource_thenOk() {
final String accessToken = obtainAccessToken("tom", "111");
final Response response = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/foos/1");
assertEquals(200, response.getStatusCode());
assertNotNull(response.jsonPath().get("name"));
}
@Test
public void givenAdmin_whenAccessBarssResource_thenOk() {
final String accessToken = obtainAccessToken("tom", "111");
final Response response = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/bars/1");
assertEquals(200, response.getStatusCode());
assertNotNull(response.jsonPath().get("name"));
}
}
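Review bot: obtainAccessToken never checks the token response, so if the POST to /oauth/token fails (server down, wrong client secret, rejected user credentials) `getString("access_token")` yields null and every test then sends `Bearer null`, failing later with a misleading 401/403 instead of at the real point of failure. Add `assertEquals(200, response.getStatusCode());` after the POST, then `final String token = response.jsonPath().getString("access_token"); assertNotNull(token); return token;` in place of the bare return. The test name givenUser_whenAccessBarssResource_thenUnauthorized asserts 403, which is Forbidden rather than Unauthorized, and both Bars tests carry the `Barss` typo — `givenUser_whenAccessBarsResource_thenForbidden` reads correctly. The five `http://localhost:8081/...` literals and the client id/secret pair are repeated across methods; hoisting them into `private static final String` constants (e.g. `TOKEN_URL`, `RESOURCE_URL`) keeps host and port in one place when the live environment changes.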