Estimated Time to Resolve

| Task | Description | Time Estimate |
|---|---|---|
| Diagnose | Investigate why admin user is not available in test context (e.g., missing profile, missing bean, or test config issue) | 1–2 hours |
| Fix | Implement solution (e.g., include application-basic-auth.yml, wire DataBootstrapper, or mock user via UserDetailsService) | 1–2 hours |
| Tests | Add/restore test class (e.g., SecurityConfigBasicAuthTest) and verify secured endpoints return 200/401 as expected | 1 hour |
| Cleanup & Commit | Annotate test profile usage, push changes, and update README if needed | 0.5 hour |

Total: 3.5 to 5.5 hours (1 day buffer)

Issue: SZ-19 - Fix broken unit tests for Basic Auth
Estimate: 5h 30m
Actual: 8h 15m

Notes:
Initial estimate did not account for several complexities:
- Refactoring SecurityConfig into two separate configurations: BasicAuthSecurityConfig and OidcSecurityConfig
- Rewriting the test setup for both modes to avoid classpath leaks and test failures
- Fixing controller tests to run cleanly with security context
- Resolving merge conflict in docker-compose.yml
- Ensuring clean Maven builds and successful execution of all tests before merge

Tests now pass cleanly and are merged to wolnosc.

Root Cause and Complication

The original SecurityConfig was designed as a single unified Spring Security configuration that attempted to support both Basic Auth and OIDC modes via Spring Profiles. However, during unit testing with @WebMvcTest, this led to unstable behavior and test failures — especially due to improper context isolation and undesired loading of BasicAuthTestConfig in unrelated test classes.

Resolution Approach

To ensure clean separation of security contexts and avoid cross-contamination:
- The unified SecurityConfig was split into two dedicated configurations:
  - BasicAuthSecurityConfig.java (activated via basic-auth profile)
  - OidcSecurityConfig.java (activated via oidc profile)
- Corresponding test classes were rewritten to explicitly import only the relevant configuration using @Import(...) or @ContextConfiguration(...).
- Mocking behavior such as JwtDecoder was localized to OidcSecurityConfigTest.
- The split config approach prevents accidental loading of unused beans and allows @WebMvcTest to construct minimal, stable contexts.

This restructuring resolves test pollution and sets up a clean foundation for future enhancements to authentication mechanisms.

| Type | Bug |
| Priority | Normal |
| Assignee | |
| Version | 1.0 |
| Sprints | n/a |
| Customer | n/a |

Although the application starts up correctly with the basic-auth Spring profile enabled and the admin user configured in application-basic-auth.yml, unit and integration tests fail to authenticate when accessing secured endpoints using the expected credentials (admin@sztab.local / admin123).
These tests return HTTP 401 Unauthorized, indicating that the Basic Auth setup is not being honored in the test context.
⸻
Steps to Reproduce
1. Run any test that accesses secured endpoints (e.g., /api/users) using @SpringBootTest or @WebMvcTest with profile basic-auth
2. Provide credentials matching those defined in:
   • application-basic-auth.yml
   • Initialized by DataBootstrapper during app startup
3. Observe the test failure due to 401 Unauthorized
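
A slice test in the shape the Resolution Approach describes, shown as an added example that is not the project's code: the context is limited to explicitly listed classes and the user store is defined inside the test. It assumes Spring Boot 3.x with spring-boot-starter-test and spring-security-test on the classpath; UsersStub, StandInConfig (standing in for BasicAuthSecurityConfig, whose contents the page does not show) and the test-admin credentials are constructed for illustration.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.context.annotation.*;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.*;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Only the two listed classes are loaded: no OIDC beans, no unrelated test configs.
@WebMvcTest
@ContextConfiguration(classes = {BasicAuthSliceTest.UsersStub.class, BasicAuthSliceTest.StandInConfig.class})
class BasicAuthSliceTest {
    @RestController // hypothetical secured endpoint
    static class UsersStub {
        @GetMapping("/api/users") public String users() { return "[]"; }
    }

    @Configuration @EnableWebSecurity // stand-in for the project's BasicAuthSecurityConfig
    static class StandInConfig {
        @Bean SecurityFilterChain chain(HttpSecurity http) throws Exception {
            return http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
                    .httpBasic(Customizer.withDefaults()).build();
        }
        // DataBootstrapper is not loaded here, so the test defines its own user (constructed values).
        @Bean UserDetailsService users() {
            return new InMemoryUserDetailsManager(User.withUsername("test-admin")
                    .password("{noop}test-password").roles("ADMIN").build());
        }
    }

    @Autowired MockMvc mvc;
    @Test void knownUserGets200() throws Exception {
        mvc.perform(get("/api/users").with(httpBasic("test-admin", "test-password"))).andExpect(status().isOk());
    }

    @Test void anonymousAndWrongPasswordGet401() throws Exception {
        mvc.perform(get("/api/users")).andExpect(status().isUnauthorized());
        mvc.perform(get("/api/users").with(httpBasic("test-admin", "wrong"))).andExpect(status().isUnauthorized());
    }
}
```

If the 200 case returns 401 in a real project test, the slice is authenticating against a user store that does not contain the expected account, which is the symptom this issue reports.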