Add tests for ReactiveOauth2ResourceServerTests to verify the use of custom success and failure handlers

iain-henderson · iain-henderson · commit 012090084727 · 2026-04-05T19:41:30.000-04:00
diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@@ -4190,9 +4190,10 @@ public OAuth2ResourceServerSpec authenticationFailureHandler(
 		}
 
 		/**
-		 * Configures the {@link ServerAuthenticationSuccessHandler} to use. The default is
-		 * {@link WebFilterChainServerAuthenticationSuccessHandler}
-		 * @param authenticationSuccessHandler the {@link ServerAuthenticationSuccessHandler} to use
+		 * Configures the {@link ServerAuthenticationSuccessHandler} to use. The default
+		 * is {@link WebFilterChainServerAuthenticationSuccessHandler}
+		 * @param authenticationSuccessHandler the
+		 * {@link ServerAuthenticationSuccessHandler} to use
 		 * @return the {@link OAuth2ClientSpec} to customize
 		 * @since 7.1
 		 */
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/reactive/ReactiveOauth2ResourceServerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/reactive/ReactiveOauth2ResourceServerTests.java
@@ -0,0 +1,205 @@
+/*
+ * Copyright 2026-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.reactive;
+
+import java.util.UUID;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import reactor.core.publisher.Mono;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
+import org.springframework.security.config.test.SpringTestContext;
+import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.config.users.ReactiveAuthenticationTestConfiguration;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
+import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners;
+import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.security.web.server.WebFilterChainProxy;
+import org.springframework.security.web.server.WebFilterExchange;
+import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler;
+import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.reactive.server.FluxExchangeResult;
+import org.springframework.test.web.reactive.server.WebTestClient;
+import org.springframework.web.server.ServerWebExchange;
+import static org.mockito.ArgumentMatchers.*;
+import static org.mockito.Mockito.*;
+
+/**
+ * @author Iain Henderson
+ * @since 7.1
+ */
+@ExtendWith({ SpringExtension.class, SpringTestContextExtension.class })
+@SecurityTestExecutionListeners
+public class ReactiveOauth2ResourceServerTests {
+
+	public final SpringTestContext spring = new SpringTestContext(this);
+
+	private static final String authorizedToken = UUID.randomUUID().toString();
+
+	private static final String authorizationFailureToken = UUID.randomUUID().toString();
+
+	private static final String unauthorizedToken = UUID.randomUUID().toString();
+
+	@Autowired
+	WebFilterChainProxy springSecurityFilterChain;
+
+	@Autowired
+	ServerAuthenticationFailureHandler failureHandler;
+
+	@Autowired
+	ServerAuthenticationSuccessHandler successHandler;
+
+	@Mock
+	Jwt jwt = mock(Jwt.class);
+
+	@Test
+	public void authenticate() {
+		this.spring.register(ReactiveOauth2ResourceServerConfig.class).autowire();
+
+		// @formatter:off
+		WebTestClient client = WebTestClientBuilder
+				.bindToWebFilters(this.springSecurityFilterChain)
+				.build();
+		FluxExchangeResult<String> result = client.get()
+				.headers((headers) -> headers.setBearerAuth(authorizedToken))
+				.exchange()
+				.expectStatus().isOk()
+				.returnResult(String.class);
+		// @formatter:on
+
+		verify(failureHandler, never()).onAuthenticationFailure(any(), any());
+		verify(successHandler).onAuthenticationSuccess(any(), any());
+	}
+
+	@Test
+	public void authenticateWithoutAuthorization() {
+		this.spring.register(ReactiveOauth2ResourceServerConfig.class).autowire();
+
+		// @formatter:off
+		WebTestClient client = WebTestClientBuilder
+				.bindToWebFilters(this.springSecurityFilterChain)
+				.build();
+		FluxExchangeResult<String> result = client.get()
+				.headers((headers) -> headers.setBearerAuth(unauthorizedToken))
+				.exchange()
+				.expectStatus().isUnauthorized()
+				.returnResult(String.class);
+		// @formatter:on
+
+		verify(failureHandler, never()).onAuthenticationFailure(any(), any());
+		verify(successHandler).onAuthenticationSuccess(any(), any());
+	}
+
+	@Test
+	public void authenticationFails() {
+		this.spring.register(ReactiveOauth2ResourceServerConfig.class).autowire();
+
+		// @formatter:off
+		WebTestClient client = WebTestClientBuilder
+				.bindToWebFilters(this.springSecurityFilterChain)
+				.build();
+		FluxExchangeResult<String> result = client.get()
+				.headers((headers) -> headers.setBearerAuth(authorizationFailureToken))
+				.exchange()
+				.expectStatus().isUnauthorized()
+				.returnResult(String.class);
+		// @formatter:on
+
+		verify(failureHandler).onAuthenticationFailure(any(), any());
+		verify(successHandler, never()).onAuthenticationSuccess(any(), any());
+	}
+
+	@Configuration
+	@EnableWebFluxSecurity
+	@Import(ReactiveAuthenticationTestConfiguration.class)
+	static class ReactiveOauth2ResourceServerConfig {
+
+		@Bean
+		ServerAuthenticationFailureHandler failureHandler() {
+			ServerAuthenticationFailureHandler failureHandler = mock(ServerAuthenticationFailureHandler.class);
+			when(failureHandler.onAuthenticationFailure(any(), any())).thenAnswer(input -> {
+				WebFilterExchange exchange = input.getArgument(0, WebFilterExchange.class);
+				return exchange.getChain().filter(exchange.getExchange());
+			});
+			return failureHandler;
+		}
+
+		@Bean
+		ServerAuthenticationSuccessHandler successHandler() {
+			ServerAuthenticationSuccessHandler successHandler = mock(ServerAuthenticationSuccessHandler.class);
+			when(successHandler.onAuthenticationSuccess(any(), any())).thenAnswer(input -> {
+				WebFilterExchange webFilterExchange = input.getArgument(0, WebFilterExchange.class);
+				Authentication authentication = input.getArgument(1, Authentication.class);
+				if (authentication instanceof BearerTokenAuthenticationToken token) {
+					token.setAuthenticated(token.getToken().equals(authorizedToken));
+				}
+				return webFilterExchange.getChain().filter(webFilterExchange.getExchange());
+			});
+			return successHandler;
+		}
+
+		@Bean
+		SecurityWebFilterChain httpSecurity(ServerHttpSecurity http, ServerAuthenticationFailureHandler failureHandler,
+				ServerAuthenticationSuccessHandler successHandler) {
+			// @formatter:off
+			return http.authorizeExchange(authorize -> authorize.anyExchange().authenticated())
+					.oauth2ResourceServer(oauth2 -> oauth2
+							.authenticationManagerResolver(new Oauth2AutenticaitonManagerResolver())
+							.authenticationFailureHandler(failureHandler)
+							.authenticationSuccessHandler(successHandler))
+				.build();
+			// @formatter:on
+		}
+
+	}
+
+	static class Oauth2AutenticaitonManagerResolver
+			implements ReactiveAuthenticationManagerResolver<ServerWebExchange>, ReactiveAuthenticationManager {
+
+		@Override
+		public Mono<ReactiveAuthenticationManager> resolve(ServerWebExchange context) {
+			return Mono.just(this::authenticate);
+		}
+
+		@Override
+		public Mono<Authentication> authenticate(Authentication authentication) {
+			if (authentication instanceof BearerTokenAuthenticationToken token) {
+				if (token.getToken().equals(authorizationFailureToken)) {
+					return Mono.error(new OAuth2AuthenticationException("401") {
+					});
+				}
+				return Mono.just(authentication);
+			}
+			return Mono.empty();
+		}
+
+	}
+
+}
