@TestSecurity/@JwtSecurity and SecurityIdentityAugmentor

[michelkaeser]

Hi

The project is using SecurityIdentityAugmentor to replace the JsonWebToken principal with a custom one.
Starting to write tests, it seems this augmentor is not executed when using @TestSecurity/@JwtSecurity.

Do I have to provide a custom TestSecurityIdentityAugmentor as well or is there a way to have the custom SecurityIdentityAugmentor be picked up?

Thanks for assistance.

[quarkus-bot[bot]]

/cc @sberyozkin (security)

[sberyozkin]

Hi @michelkaeser Right, I believe SecurityIdentityAugmentor were not wired in the original TestSecurity design because they can, quite typically, involve either remote HTTP calls or DB calls, which will conflict with the TestSecurity guaranteeing one can test security without having to setup some external services/etc.

Do you mean that in the endpoint code you need to cast Principal to your custom class ? Or is the problem that with TestSecurity/JwtSecurity you can't get Principal correctly implementing all Principal methods ? In the latter case we can try to tweak things, otherwise registering a custom TestSecurityIdentityAugmentor would indeed be required - please try it and see if it helps

[michelkaeser]

Thanks for the quick reply and explanation behind the design decision.

Since this is by-design I went ahead and wrote a custom TestSecurityIdentityAugmentor that sets the custom Principal type 👍.

[sberyozkin]

Sounds good, thanks @michelkaeser

[entertainyou]

@michelkaeser / @sberyozkin Can one of you share how to register a custom TestSecurityIdentityAugmentor ?

[sberyozkin]

@entertainyou Adding @ApplicationScoped to it should do it