Category: Spring Security

Spring Boot Test and Spring Security: Perform Http Basic Authentication with TestRestTemplate

 

What is HTTP Basic Authentication?

If you want to refresh your knowledge of HTTP Basic Authentication, please refer to my article on that.

Here I am going to show you how to execute Spring test cases on REST endpoints that are secured with Spring Security and require HTTP Basic Authentication. We are going to use TestRestTemplate as the REST client for invoking the REST endpoints.

 

TestRestTemplate

TestRestTemplate is a convenience alternative to Spring’s RestTemplate that is useful in integration tests. If you use the @SpringBootTest annotation with one of the following webEnvironment attribute values, you can use a fully configured TestRestTemplate in your test class.

@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
                        OR
@SpringBootTest(webEnvironment = WebEnvironment.DEFINED_PORT)

 

There are different ways to perform Basic Authentication with TestRestTemplate.

  1.  Authentication headers
  2.  ‘withBasicAuth’ method
  3.  With Authenticated TestRestTemplate object.

Let's look at each of those approaches in detail.

Spring Boot Test: Writing Unit Tests for the Controller Layers with @WebMvcTest

 

Unit Tests and Integration Tests

The @SpringBootTest annotation loads the full ApplicationContext. Therefore it is widely used for writing integration tests in a web server environment. It does not use slicing: it scans for all the stereotype annotations (@Component, @Service, @Repository and @Controller / @RestController) and loads the full application context. That makes it the better fit for writing integration tests for the application.

The @WebMvcTest annotation loads only the controller layer of the application. It scans only for the @Controller / @RestController annotations and does not load the full ApplicationContext. If the controller layer has any dependency on other beans (for example, beans from your service layer), you need to provide them manually by mocking those objects.

Therefore @SpringBootTest is widely used for integration testing and @WebMvcTest is used for unit testing the controller layer.

Swagger for documenting your Spring Boot REST Api

 

What Is Swagger?

Swagger is a set of open-source tools built around the OpenAPI Specification that can help you design, build, document and consume REST APIs.

Swagger is mostly used as an open-source project for describing and documenting RESTful APIs. Swagger UI is another tool, which provides the capability of displaying the REST API documentation in the browser. Besides rendering documentation, Swagger UI allows other API developers or consumers to interact with the API’s resources without having any of the implementation logic in place.

More details can be found in the following documentation.

https://swagger.io/docs/ 

http://springfox.github.io/springfox/docs/current/

 

Springfox for Swagger

The Swagger 2 specification, which is known as the OpenAPI specification, has several implementations. Currently Springfox, which has replaced Swagger-SpringMVC (Swagger 1.2 and older), is popular for Spring Boot applications.

Spring Security : DelegatingFilterProxy

 

In Spring Security, a request for a protected resource goes through a chain of Spring Security filters that fulfil the authentication and authorization requirements.

You might be a little confused about how your web application interacts with Spring Security for authentication and authorization purposes. You might be asking yourself about the following facts.

Spring Security: Method Level Security @Secured, @RolesAllowed and @PreAuthorize/@PostAuthorize

 

One of the great features of Spring Security is its ability to provide both URL-based security and method-level security. All these annotations (@Secured, @RolesAllowed, @PreAuthorize / @PostAuthorize) are used to achieve method-level security.

The complete code for this article can be found on GitHub.

 

AbstractSecurityInterceptor

We will refresh our knowledge of Spring Security authorization. In Spring Security, the initial authorization of the user request is handled by the AbstractSecurityInterceptor.

Spring Security 5 : HTTP Basic Authentication example

How does Basic Authentication work in Spring Security?

I have already described the Spring Security Authentication Architecture in a previous article, so I am not going to repeat the same thing again in this article. If you do not know the general authentication architecture of Spring Security, it is highly recommended to take a look at the article about the Spring Security Authentication Architecture before continuing with this article.

Here I will point out the major components and classes that are related to HTTP Basic authentication. Here is the architectural flow of the HTTP Basic Authentication implementation in Spring Security.

How to configure Spring Security for HTTP Basic Authentication?

When you use the httpBasic() configuration element (in the HttpSecurity configuration), the Spring Security BasicAuthenticationFilter comes into action.

In Spring Security, the following two classes are the core classes that support the implementation of HTTP Basic Authentication.

  • BasicAuthenticationFilter
  • BasicAuthenticationEntryPoint

A BasicAuthenticationEntryPoint strategy will be configured into the ExceptionTranslationFilter on startup.
