Hi,

When testing OAuth security in a @SpringBootTest using the jwt() RequestPostProcessor, it seems that this just populates the SecurityContext with an Authentication. It does not put any token into the actual request.

BUT: when running the test, the OAuth2AuthenticationProcessingFilter comes into action. It looks for a real token in the request and clears(!) the SecurityContext. So the test fails.

How is such a test supposed to work? Should stateless be set on the OAuth2AuthenticationProcessingFilter? (if yes, how exactly & it should be documented)

I'm using Hoxton.SR1.

Thanks a lot

Comment From: jzheaux

@octmueller It appears something else may be going on in your application as there is no OAuth2AuthenticationProcessingFilter in Spring Security (there is one in "Spring Security OAuth", though, a now-deprecated plugin project). Running an app both with Spring Security's built-in OAuth support and Spring Security OAuth may lead to unexpected behavior.

> just populates the SecurityContext with an Authentication

Yes, jwt() populates the SecurityContext with a JwtAuthenticationToken which has an instance of Jwt as its principal. You can call Jwt#getToken to get the original token value.

Does that clear things up? If not, would you be able to share a minimal sample application with a failing test?

Comment From: octmueller

@jzheaux I was not aware of the difference between Spring Security OAuth and Spring Security OAuth. Just joking, but it is kind of confusing.

We use the now-deprecated project for our OAuth authentication and I see that the jwt() method is part of Spring Security. So I guess we have to find another way until we switch to Spring Security for OAuth authentication.

Thanks a lot for the clarification!

Comment From: jzheaux

Gotcha, @octmueller. Yes, it's a bit confusing!

AFAIK, the Spring Security OAuth project doesn't have test support for JWTs but one thing you might consider is taking a look at the Spring Security OAuth 2.0 Migration Guide. It is still a work in progress, but it may help you get started making the move over to Spring Security native.
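
An added example, not part of the original thread or of the Spring Security project: a MockMvc test against Spring Security's built-in resource server support, showing that jwt() authenticates through the SecurityContext while the request itself carries no Authorization header. The class names, the `/whoami` endpoint and the JWK set URI are constructed, and it assumes the legacy Spring Security OAuth project is not on the classpath.

```java
// Added example. Assumes spring-boot-starter-web, spring-boot-starter-oauth2-resource-server,
// spring-boot-starter-test and spring-security-test. All names below are constructed.
import java.security.Principal;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Placeholder JWK set URI: it only switches on the resource server auto-configuration.
@SpringBootTest(properties = "spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://idp.invalid/jwks")
@AutoConfigureMockMvc
class JwtPostProcessorTest {

    @SpringBootApplication
    static class App {
        @RestController
        static class WhoAmI {
            // Reports the Authentication type and the raw Authorization header the request carried.
            @GetMapping("/whoami")
            String whoami(Principal principal,
                          @RequestHeader(value = "Authorization", required = false) String header) {
                return principal.getClass().getSimpleName() + " header=" + header;
            }
        }
    }

    @Autowired MockMvc mvc;

    @Test
    void requestWithoutTokenOrContextIsRejected() throws Exception {
        mvc.perform(get("/whoami")).andExpect(status().isUnauthorized());
    }

    @Test
    void jwtPostProcessorSetsContextButSendsNoHeader() throws Exception {
        mvc.perform(get("/whoami").with(jwt()))
           .andExpect(status().isOk())
           .andExpect(content().string("JwtAuthenticationToken header=null"));
    }
}
```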