Testing Without Vault

The starter provides a static test mode that works without any Vault connection. This is useful for integration tests, local development, and CI environments.

Static Test Mode

Enable test mode and provide PEM-encoded RSA private keys:

jeap:
  jwe:
    test:
      enabled: true
      keys:
        - |
          -----BEGIN PRIVATE KEY-----
          ...4096-bit RSA key in PKCS#8 format...
          -----END PRIVATE KEY-----

In this mode:

  • No Vault connection is made.
  • No periodic refresh is scheduled.
  • Keys are loaded once at startup from the configuration.
  • The JWKS endpoint serves the corresponding public keys.

JweTestKeys Utility

The jeap-spring-boot-jwe-test module provides pre-generated 4096-bit RSA test keys:


<dependency>
    <groupId>ch.admin.bit.jeap</groupId>
    <artifactId>jeap-spring-boot-jwe-test</artifactId>
    <scope>test</scope>
</dependency>

Usage in tests:

import ch.admin.bit.jeap.jwe.test.JweTestKeys;

// PEM (public + private, as Vault export emits) for the jeap.jwe.test.keys property
String pem = JweTestKeys.rsa4096Pem(0); // index 0, 1, or 2 — three reusable key pairs

// The underlying java.security.KeyPair
KeyPair keyPair = JweTestKeys.rsa4096(0);

// A Nimbus RSAKey (with a kid), e.g. to act as the client and build a request JWE
RSAKey rsaKey = JweRsaKeys.from(JweTestKeys.rsa4096(0), "my-jwe-key:1");

Spring Boot Test Configuration

The key PEMs are generated at runtime, so feed them in with @DynamicPropertySource (an annotation properties = {…} attribute only accepts compile-time constants):


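import ch.admin.bit.jeap.jwe.test.JweTestKeys;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.DynamicPropertyRegistry;
import org.springframework.test.context.DynamicPropertySource;

@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class MyIntegrationTest {

    // Registers the JWE properties before the application context starts
    @DynamicPropertySource
    static void jweKeys(DynamicPropertyRegistry registry) {
        registry.add("jeap.jwe.enabled", () -> true);
        registry.add("jeap.jwe.test.enabled", () -> true);
        registry.add("spring.cloud.vault.enabled", () -> false);
        registry.add("jeap.jwe.test.keys[0]", () -> JweTestKeys.rsa4096Pem(0));
    }
    // ...
}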

Encrypted Round-Trip Tests

Static test mode is enough to integration-test the full servlet-filter contract — request decryption and response encryption — without Vault or Docker. A test acts as the client using Nimbus: fetch a public key from the JWKS endpoint, build the request JWE (RSA-OAEP-256 + A256GCM), POST it, and decrypt the dir/A256GCM response with the CEK it chose. For GET, send Accept: application/jose plus a JWE-Response-Key envelope. See JweFilterStaticModeIT for a complete example covering happy paths, multi-version keys, exclusions and the problem+json error table.
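
The cryptographic half of that round trip, as an added example using Nimbus JOSE+JWT (it is not the starter's code and not taken from JweFilterStaticModeIT). Assumptions: the class name is hypothetical, a 2048-bit key pair constructed in place stands in for the key a test would fetch from the JWKS endpoint, the HTTP POST is left out, and the server half is a stand-in for the filter.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.*;
import javax.crypto.spec.*;

public class JweRoundTripSketch {
    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for the service key; a real test reads
        // the public half from the JWKS endpoint instead.
        RSAKey serviceKey = new RSAKeyGenerator(2048).keyID("my-jwe-key:1").generate();
        RSAKey jwksKey = serviceKey.toPublicJWK();

        // Client: choose the CEK, then wrap it with RSA-OAEP-256 in the request JWE.
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(256);
        SecretKey cek = aes.generateKey();
        JWEObject request = new JWEObject(
                new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                        .keyID(jwksKey.getKeyID()).build(),
                new Payload("{\"ping\":1}"));
        request.encrypt(new RSAEncrypter(jwksKey.toRSAPublicKey(), cek));
        String requestBody = request.serialize(); // what the test would POST

        // Server stand-in (assumption, not the starter's code): decrypt the request,
        // unwrap the client's CEK, and encrypt the response with it as dir/A256GCM.
        JWEObject received = JWEObject.parse(requestBody);
        received.decrypt(new RSADecrypter(serviceKey.toRSAPrivateKey()));
        Cipher oaep = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        oaep.init(Cipher.DECRYPT_MODE, serviceKey.toRSAPrivateKey(), new OAEPParameterSpec(
                "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT));
        SecretKey unwrapped = new SecretKeySpec(
                oaep.doFinal(received.getEncryptedKey().decode()), "AES");
        JWEObject response = new JWEObject(
                new JWEHeader(JWEAlgorithm.DIR, EncryptionMethod.A256GCM),
                new Payload("{\"echo\":" + received.getPayload() + "}"));
        response.encrypt(new DirectEncrypter(unwrapped));
        String responseBody = response.serialize();

        // Client: the response decrypts only with the CEK this client generated.
        JWEObject reply = JWEObject.parse(responseBody);
        reply.decrypt(new DirectDecrypter(cek));
        System.out.println(reply.getPayload());
    }
}
```

In a real integration test the client keeps `cek` in memory for the duration of the call; a response that fails `DirectDecrypter` was not encrypted under the key sent in the request.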

If your service also uses jeap-spring-boot-security-starter, JweSecurityIntegrationIT (in the jeap-spring-boot-jwe-security-it module) shows the same static-key approach combined with a real jeap-security resource server — minting test tokens with JwsBuilderFactory and asserting the authentication / decryption ordering. See Using with jeap-security.

Disabling the Starter in Tests

If a test does not need JWE at all:

jeap:
  jwe:
    enabled: false