Reputation: 4164
I have a controller which gives the user a 403 response unless they are authenticated with a JWT token which is passed as a Bearer token via the authorization header. I'm looking for resources on how to test this with Mockito but I'm not very successful so far as most of them tell me to use the @WithMockUser annotation, which I understand is for Spring security yes, but does not include the mocking for a JWT token. I've tried to mock a few objects such as the UserDetailsClass and the JwtFilter and even hardcoding the bearer token but I think there should be more to it.
private CategoryCommandService categoryCommandService;
private MockMvc mockMvc;
private MyUserDetailsService myUserDetailsService;
private CategoryRepository categoryRepository;
private JwtUtil jwtUtil;
private JwtRequestFilter filter;
void testCreateCategory() throws Exception {
CategoryCreateDto categoryCreateDto = new CategoryCreateDto("category");
CategoryCreateDto categoryCreateResponseDto = new CategoryCreateDto(UUID.fromString("2da4002a-31c5-4cc7-9b92-cbf0db998c41"), "category");
String jsonCreate = asJsonString(categoryCreateDto);
String jsonResponse = asJsonString(categoryCreateResponseDto);
RequestBuilder request = MockMvcRequestBuilders
.header("Authorization", "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJmb29AZW1haWwuY29tIiwiZXhwIjoxNjM4ODU1MzA1LCJpYXQiOjE2Mzg4MTkzMDV9.q4FWV7yVDAs_DREiF524VZ-udnqwV81GEOgdCj6QQAs")
MvcResult mvcResult = mockMvc.perform(request)
.andExpect(content().json(jsonResponse, true))
Here my controller:
public class CategoryCommandController {
private CategoryCommandService categoryCommandService;
private CategoryRepository categoryRepository;
@PostMapping(produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.APPLICATION_JSON_VALUE)
public ResponseEntity<Object> createCategory(@RequestBody CategoryCreateDto categoryCreateDto) {
if (categoryCreateDto.getTitle() != null) {
return new ResponseEntity<>(categoryCommandService.createCategory(categoryCreateDto), HttpStatus.CREATED);
else {
return new ResponseEntity<>(new FeedbackMessage("Missing title"), HttpStatus.BAD_REQUEST);
And here my filter:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import static com.example.adverts.SecurityConstants.SIGN_UP_URL;
public class JwtRequestFilter extends OncePerRequestFilter {
private MyUserDetailsService userDetailsService;
private JwtUtil jwtUtil;
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
String path = request.getRequestURI();
if (path.equals(SIGN_UP_URL)) {
chain.doFilter(request, response);
final String authorizationHeader = request.getHeader("Authorization");
String username = null;
String jwt = null;
if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
jwt = authorizationHeader.substring(7);
username = jwtUtil.extractUsername(jwt);
} else {
if (username != null) {
UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
if (jwtUtil.validateToken(jwt, userDetails)) {
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
userDetails, null, userDetails.getAuthorities());
.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
chain.doFilter(request, response);
And JwtUtil class:
public class JwtUtil {
private String SECRET_KEY = "secret";
public String extractUsername(String token) {
return extractClaim(token, Claims::getSubject);
public Date extractExpiration(String token) {
return extractClaim(token, Claims::getExpiration);
public <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {
final Claims claims = extractAllClaims(token);
return claimsResolver.apply(claims);
private Claims extractAllClaims(String token) {
return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody();
private Boolean isTokenExpired(String token) {
return extractExpiration(token).before(new Date());
public String generateToken(UserDetails userDetails) {
Map<String, Object> claims = new HashMap<>();
return createToken(claims, userDetails.getUsername());
private String createToken(Map<String, Object> claims, String subject) {
return Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(new Date(System.currentTimeMillis()))
.setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 10))
.signWith(SignatureAlgorithm.HS256, SECRET_KEY).compact();
public Boolean validateToken(String token, UserDetails userDetails) {
final String username = extractUsername(token);
return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
Here is the whole Github branch.
Thank you.
For clarity if I hardcode a valid token I get a 200 status code but my tests will still fail with nothing returned for content whereas before JWT and Spring security they were passing.
Upvotes: 7
Views: 22028
Reputation: 12899
@MockBean JwtDecoder jwtDecoder;
should be enough in association with either (in my own preference order):
unit tests only when annotation can be used without MockMvc
. This requires more coding and also more knowledge of JwtAuthenticationToken
internals.The first two in action:
class GreetingControllerAnnotatedTest {
@MockBean JwtDecoder jwtDecoder;
MockMvc api;
@WithMockJwtAuth(authorities = "ROLE_AUTHORIZED_PERSONNEL", claims = @OpenIdClaims(sub = "Ch4mpy", preferredUsername = "Tonton Pirate"))
void greetWithAnnotation() throws Exception {
api.perform(get("/greet")).andExpect(content().string("Hello Ch4mpy! You are granted with [ROLE_AUTHORIZED_PERSONNEL]."));
void greetWithPostProcessor() throws Exception {
.authorities(List.of(new SimpleGrantedAuthority("ROLE_AUTHORIZED_PERSONNEL"))).jwt(jwt -> {
jwt.subject("Ch4mpy"); -> claims.put(StandardClaimNames.PREFERRED_USERNAME, "Tonton Pirate"));
}))).andExpect(content().string("Hello Ch4mpy! You are granted with [ROLE_AUTHORIZED_PERSONNEL]."));
Complete sample there
Upvotes: 1
Reputation: 4164
We just fixed the issue (accepting the other answer for being a more elegant solution).
1st and easier option:
Disable filter authentication for controller test classes:
@AutoConfigureMockMvc(addFilters = false)
class CategoryCommandControllerTest {
You can then perhaps test jwt authorization separately.
2nd and perhaps better option:
Remove the extra pieces from the configure method within the WebSecurity class to end up with only this.
protected void configure(HttpSecurity http) throws Exception {
Then under the JwtRequestFilter class add a return when a 403 is caught on the else part of this if block.
if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
jwt = authorizationHeader.substring(7);
username = jwtUtil.extractUsername(jwt);
} else {
And move the doChain.filter piece outside of the other if block.
if (username != null) {
UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
if (jwtUtil.validateToken(jwt, userDetails)) {
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
userDetails, null, userDetails.getAuthorities());
.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
// chain.doFilter(request, response);
chain.doFilter(request, response);
Upvotes: 1
Reputation: 8124
The main problem is using
private JwtUtil jwtUtil;
Which make JwtRequestFilter perform wrongly in
if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
jwt = authorizationHeader.substring(7);
username = jwtUtil.extractUsername(jwt);
As username
will always return null from the mock bean.
To use the actual JwtUtils
Add includeFilters
to include it in spring context,
then we also need to mock myUserDetailsService.loadUserByUsername
used in JwtRequestFilter
. After that the test will pass.
Refer to comment inside below code for the changes.
@WebMvcTest(value = CategoryCommandController.class, includeFilters = {
// to include JwtUtil in spring context
@ComponentScan.Filter(type = FilterType.ASSIGNABLE_TYPE, classes = JwtUtil.class)})
class CategoryCommandControllerTest {
Logger logger = LoggerFactory.getLogger(CategoryCommandController.class);
private CategoryCommandService categoryCommandService;
private MockMvc mockMvc;
private MyUserDetailsService myUserDetailsService;
private CategoryRepository categoryRepository;
private JwtUtil jwtUtil;
private JwtRequestFilter filter;
// @WithMockUser
void testCreateCategory() throws Exception {
CategoryCreateDto categoryCreateDto = new CategoryCreateDto("category");
CategoryCreateDto categoryCreateResponseDto = new CategoryCreateDto(UUID.fromString("2da4002a-31c5-4cc7-9b92-cbf0db998c41"), "category");
String jsonCreate = asJsonString(categoryCreateDto);
String jsonResponse = asJsonString(categoryCreateResponseDto);
UserDetails dummy = new User("[email protected]", "foo", new ArrayList<>());
String jwtToken = jwtUtil.generateToken(dummy);
RequestBuilder request = MockMvcRequestBuilders
.header("Authorization", "Bearer " + jwtToken)
// Below line is not used
// mockMvc.perform(request).andReturn();
// Should be createCategory(eq(categoryCreateDto))?
// Mock Service method used in JwtRequestFilter
when(myUserDetailsService.loadUserByUsername(eq("[email protected]"))).thenReturn(dummy);
MvcResult mvcResult = mockMvc.perform(request)
// .andExpect(content().json(jsonResponse, true))
// .andExpect(jsonPath("$.title").value("category"))
Upvotes: 2