fixing(gateway)

2025-08-13 21:46:23 +02:00
parent 562eb07be1
commit b67d75543e
10 changed files with 354 additions and 69 deletions
@@ -278,7 +278,7 @@ services:
  # Production monitoring services
  prometheus:
-    image: prom/prometheus:latest
+    image: prom/prometheus:v2.48.1
    volumes:
      - ./config/monitoring/prometheus.prod.yml:/etc/prometheus/prometheus.yml:ro
      - prometheus-data:/prometheus
@@ -320,7 +320,7 @@ services:
          cpus: '0.25'
  grafana:
-    image: grafana/grafana:latest
+    image: grafana/grafana:10.2.3
    volumes:
      - ./config/monitoring/grafana/provisioning:/etc/grafana/provisioning:ro
      - ./config/monitoring/grafana/dashboards:/var/lib/grafana/dashboards:ro
@@ -20,6 +20,7 @@ services:
      timeout: 5s
      retries: 5
      start_period: 20s
    restart: unless-stopped
  redis:
    image: redis:7-alpine
@@ -36,6 +37,7 @@ services:
      timeout: 5s
      retries: 3
      start_period: 10s
    restart: unless-stopped
  keycloak:
    image: quay.io/keycloak/keycloak:23.0
@@ -62,6 +64,7 @@ services:
      timeout: 5s
      retries: 5
      start_period: 30s
    restart: unless-stopped
  zookeeper:
    image: confluentinc/cp-zookeeper:7.5.0
@@ -77,6 +80,7 @@ services:
      timeout: 5s
      retries: 3
      start_period: 10s
    restart: unless-stopped
  kafka:
    image: confluentinc/cp-kafka:7.5.0
@@ -100,6 +104,7 @@ services:
      timeout: 5s
      retries: 3
      start_period: 30s
    restart: unless-stopped
  zipkin:
    image: openzipkin/zipkin:2
@@ -113,6 +118,7 @@ services:
      timeout: 5s
      retries: 3
      start_period: 10s
    restart: unless-stopped
  consul:
    image: hashicorp/consul:1.15
@@ -128,6 +134,7 @@ services:
      timeout: 5s
      retries: 3
      start_period: 15s
    restart: unless-stopped
  # API Gateway
  api-gateway:
@@ -151,6 +158,7 @@ services:
      timeout: 5s
      retries: 3
      start_period: 30s
    restart: unless-stopped
  # Ping Service for testing
  ping-service:
@@ -176,10 +184,11 @@ services:
      timeout: 5s
      retries: 3
      start_period: 20s
    restart: unless-stopped
  # Optional monitoring services
  prometheus:
-    image: prom/prometheus:latest
+    image: prom/prometheus:v2.48.1
    volumes:
      - ./config/monitoring/prometheus.yml:/etc/prometheus/prometheus.yml
      - prometheus-data:/prometheus
@@ -199,9 +208,18 @@ services:
      timeout: 5s
      retries: 3
      start_period: 15s
    restart: unless-stopped
    # Security: Run as non-root user
    user: "65534:65534"
    # Resource limits for development
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '0.5'
  grafana:
-    image: grafana/grafana:latest
+    image: grafana/grafana:10.2.3
    volumes:
      - ./config/monitoring/grafana/provisioning:/etc/grafana/provisioning
      - ./config/monitoring/grafana/dashboards:/var/lib/grafana/dashboards
@@ -223,6 +241,15 @@ services:
      timeout: 5s
      retries: 3
      start_period: 20s
    restart: unless-stopped
    # Security: Run as non-root user
    user: "472:472"
    # Resource limits for development
    deploy:
      resources:
        limits:
          memory: 256M
          cpus: '0.25'
 volumes:
  postgres-data:
@@ -1,11 +1,7 @@
 package at.mocode.infrastructure.gateway.config
 import org.springframework.cloud.gateway.filter.GatewayFilter
 import org.springframework.cloud.gateway.filter.GatewayFilterChain
 import org.springframework.cloud.gateway.filter.GlobalFilter
 import org.springframework.cloud.gateway.filter.factory.AbstractGatewayFilterFactory
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.core.Ordered
 import org.springframework.http.HttpStatus
 import org.springframework.http.server.reactive.ServerHttpRequest
@@ -9,7 +9,7 @@ import java.time.LocalDateTime
 /**
 * Fallback Controller für Circuit Breaker Szenarien.
- * Bietet standardisierte Fehlermeldungen wenn Backend-Services nicht verfügbar sind.
+ * Bietet standardisierte Fehlermeldungen, wenn Backend-Services nicht verfügbar sind.
 */
@RestController
@RequestMapping("/fallback")
@@ -1,13 +1,10 @@
 package at.mocode.infrastructure.gateway.security
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
 import org.springframework.cloud.gateway.filter.GatewayFilter
 import org.springframework.cloud.gateway.filter.GatewayFilterChain
 import org.springframework.cloud.gateway.filter.GlobalFilter
 import org.springframework.context.annotation.Profile
 import org.springframework.core.Ordered
 import org.springframework.http.HttpStatus
 import org.springframework.http.server.reactive.ServerHttpRequest
 import org.springframework.http.server.reactive.ServerHttpResponse
 import org.springframework.stereotype.Component
 import org.springframework.util.AntPathMatcher
@@ -42,7 +39,7 @@ class JwtAuthenticationFilter : GlobalFilter, Ordered {
        val request = exchange.request
        val path = request.path.value()
-        // Prüfe ob der Pfad öffentlich zugänglich ist
+        // Prüfe, ob der Pfad öffentlich zugänglich ist
        if (isPublicPath(path)) {
            return chain.filter(exchange)
        }
@@ -56,8 +53,8 @@ class JwtAuthenticationFilter : GlobalFilter, Ordered {
        val token = authHeader.substring(7)
-        // Hier würde normalerweise die JWT-Validierung mit dem auth-client erfolgen
+        // Hier würde normalerweise die JWT-Validierung mit dem auth-client erfolgen,
-        // Für diese Implementation verwenden wir eine vereinfachte Validierung
+        // für diese Implementation verwenden wir eine vereinfachte Validierung
        return validateJwtToken(token, exchange, chain)
    }
@@ -78,7 +75,7 @@ class JwtAuthenticationFilter : GlobalFilter, Ordered {
            return handleUnauthorized(exchange, "Invalid JWT token")
        }
-        // Füge User-Information zu Headers hinzu (simuliert)
+        // Füge User-Informationen zu Headers hinzu (simuliert)
        val userRole = extractUserRole(token)
        val userId = extractUserId(token)
@@ -1,32 +1,292 @@
 package at.mocode.infrastructure.gateway.security
 import org.springframework.boot.context.properties.ConfigurationProperties
 import org.springframework.boot.context.properties.EnableConfigurationProperties
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
 import org.springframework.security.config.web.server.ServerHttpSecurity
 import org.springframework.security.web.server.SecurityWebFilterChain
 import org.springframework.web.cors.CorsConfiguration
 import org.springframework.web.cors.reactive.CorsConfigurationSource
 import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource
 import java.time.Duration
 /**
- * Minimal reactive security configuration for the Gateway.
+ * Enhanced reactive security configuration for the Gateway.
 *
- * Rationale:
+ * ARCHITECTURE OVERVIEW:
 * =====================
 * This configuration establishes the foundational security layer for the Spring Cloud Gateway.
 * It works in conjunction with several other security components:
 *
 * 1. JwtAuthenticationFilter (GlobalFilter) - Handles JWT token validation and user authentication
 * 2. RateLimitingFilter (GlobalFilter) - Provides IP-based rate limiting with user-aware limits
 * 3. CorrelationIdFilter (GlobalFilter) - Adds request tracing capabilities
 * 4. EnhancedLoggingFilter (GlobalFilter) - Provides structured request/response logging
 *
 * SECURITY STRATEGY:
 * ==================
 * The Gateway employs a layered security approach:
 * - This SecurityWebFilterChain provides foundational settings (CORS, CSRF, basic headers)
 * - JwtAuthenticationFilter handles actual authentication when enabled via property
 * - The SecurityWebFilterChain remains permissive (permitAll) to let the JWT filter control access
 * - Rate limiting and logging filters provide operational security and monitoring
 *
 * DESIGN RATIONALE:
 * =================
 * - During tests, Spring Security is on the classpath (testImplementation), which enables
- *   security auto-configuration and can lock down all endpoints unless a SecurityWebFilterChain is provided.
+ *   security autoconfiguration and can lock down all endpoints unless a SecurityWebFilterChain is provided
- * - The Gateway enforces auth using a GlobalFilter (JwtAuthenticationFilter) when enabled via property,
+ * - The Gateway enforces authentication using JwtAuthenticationFilter when enabled via property,
- *   so the SecurityWebFilterChain should stay permissive and let the filter do the auth work.
+ *   so the SecurityWebFilterChain should stay permissive and focus on foundational concerns
 * - Explicit CORS configuration ensures proper handling of cross-origin requests from web clients
 * - Configurable properties allow environment-specific security settings without code changes
 * - CSRF protection is disabled as it's not needed for stateless JWT-based authentication
 *
 * CORS INTEGRATION:
 * =================
 * The CORS configuration works with the existing filter chain:
 * - Allows requests from configured origins (dev/prod environments)
 * - Exposes custom headers from Gateway filters (correlation IDs, rate limits)
 * - Supports credentials for JWT authentication
 * - Caches preflight responses for performance
 *
 * TESTING CONSIDERATIONS:
 * =======================
 * - Configuration is designed to work seamlessly with existing security tests
 * - Test profile can override CORS settings if needed
 * - Permissive authorization ensures tests can focus on filter-level security
 */
@Configuration
-class SecurityConfig {
+@EnableConfigurationProperties(GatewaySecurityProperties::class)
 class SecurityConfig(
    private val securityProperties: GatewaySecurityProperties
 ) {
    /**
     * Main Spring Security filter chain configuration.
     *
     * This method configures the reactive security filter chain with:
     * - CSRF disabled for stateless API operation
     * - Explicit CORS configuration for cross-origin support
     * - Permissive authorization (authentication handled by JWT filter)
     *
     * The configuration maintains compatibility with the existing filter architecture
     * while providing enhanced CORS control and configurability.
     */
    @Bean
-    fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    fun springSecurityFilterChain(): SecurityWebFilterChain {
-        return http
+        return ServerHttpSecurity.http()
-            .csrf { it.disable() }
+            .csrf { csrf ->
-            .cors { }
+                // Disable CSRF for stateless API gateway
                // CSRF protection is not required for JWT-based stateless authentication
                // The Gateway operates as a stateless proxy with no session state
                csrf.disable()
            }
            .cors { cors ->
                // Use explicit CORS configuration instead of default
                // This provides better control over cross-origin access policies
                cors.configurationSource(corsConfigurationSource())
            }
            .httpBasic { basic ->
                // Disable HTTP Basic auth for stateless API
                basic.disable()
            }
            .formLogin { form ->
                // Disable form login for API gateway
                form.disable()
            }
            .authorizeExchange { exchanges ->
-                exchanges
+                // Allow all requests through Spring Security
-                    .anyExchange().permitAll()
+                // Authentication and authorization are handled by JwtAuthenticationFilter
                // This approach maintains the existing security architecture while
                // allowing the JWT filter to make granular access control decisions
                exchanges.anyExchange().permitAll()
            }
            .build()
    }
    /**
     * Explicit CORS configuration source.
     *
     * This bean provides detailed control over cross-origin resource sharing settings,
     * replacing the default empty CORS configuration with explicit, configurable settings.
     *
     * Key features:
     * - Environment-specific allowed origins
     * - Comprehensive HTTP method support
     * - JWT-aware header configuration
     * - Integration with Gateway filter headers
     * - Performance-optimized preflight caching
     *
     * The configuration is designed to work with typical web application architectures
     * where a JavaScript frontend makes API calls to the Gateway.
     */
    @Bean
    fun corsConfigurationSource(): CorsConfigurationSource {
        val configuration = CorsConfiguration().apply {
            // Allowed origins - configurable per environment
            // Development: localhost URLs for local testing
            // Production: domain-specific URLs for deployed applications
            allowedOrigins = securityProperties.cors.allowedOrigins.toList()
            // Allowed HTTP methods - comprehensive REST API support
            // Includes all standard methods plus OPTIONS for preflight requests
            allowedMethods = securityProperties.cors.allowedMethods.toList()
            // Allowed request headers - includes JWT and custom headers
            // Authorization: for JWT Bearer tokens
            // X-Correlation-ID: for request tracing
            // Standard headers: Content-Type, Accept, etc.
            allowedHeaders = securityProperties.cors.allowedHeaders.toList()
            // Exposed response headers - allows client access to custom headers
            // Includes headers added by Gateway filters:
            // - X-Correlation-ID from CorrelationIdFilter
            // - X-RateLimit-* from RateLimitingFilter
            exposedHeaders = securityProperties.cors.exposedHeaders.toList()
            // Allow credentials - required for JWT authentication
            // Enables cookies and authorization headers in cross-origin requests
            allowCredentials = securityProperties.cors.allowCredentials
            // Preflight cache duration - performance optimization
            // Reduces the number of OPTIONS requests for repeated API calls
            maxAge = securityProperties.cors.maxAge.seconds
        }
        return UrlBasedCorsConfigurationSource().apply {
            // Apply CORS configuration to all Gateway routes
            registerCorsConfiguration("/**", configuration)
        }
    }
 }
 /**
 * Configuration properties for Gateway security settings.
 *
 * Enables environment-specific security configuration via application.yml/properties.
 * This approach allows different security settings across development, testing, and
 * production environments without requiring code changes.
 *
 * Example application.yml configuration:
 * ```yaml
 * gateway:
 *   security:
 *     cors:
 *       allowed-origins:
 *         - http://localhost:3000
 *         - https://app.meldestelle.at
 *       allowed-methods:
 *         - GET
 *         - POST
 *         - PUT
 *         - DELETE
 *       allow-credentials: true
 *       max-age: PT2H
 * ```
 */
@ConfigurationProperties(prefix = "gateway.security")
 data class GatewaySecurityProperties(
    val cors: CorsProperties = CorsProperties()
 )
 /**
 * CORS-specific configuration properties with sensible defaults.
 *
 * Default values are chosen to work with typical development and production setups:
 * - Common development URLs (localhost with standard ports)
 * - Production domain pattern matching
 * - Full REST API method support
 * - JWT and Gateway filter header support
 * - Reasonable preflight cache duration
 */
 data class CorsProperties(
    /**
     * Allowed origins for CORS requests.
     *
     * Defaults support common development and production scenarios:
     * - localhost:3000 - typical React development server
     * - localhost:8080 - common alternative development port
     * - localhost:4200 - typical Angular development server
     * - Specific meldestelle.at subdomains for production
     *
     * Can be overridden per environment as needed.
     */
    val allowedOrigins: Set<String> = setOf(
        "http://localhost:3000",
        "http://localhost:8080",
        "http://localhost:4200",
        "https://app.meldestelle.at",
        "https://frontend.meldestelle.at",
        "https://www.meldestelle.at"
    ),
    /**
     * Allowed HTTP methods for CORS requests.
     *
     * Includes all standard REST API methods plus OPTIONS for preflight
     * and HEAD for metadata requests.
     */
    val allowedMethods: Set<String> = setOf(
        "GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH"
    ),
    /**
     * Allowed request headers for CORS requests.
     *
     * Includes:
     * - Standard headers: Content-Type, Accept, etc.
     * - JWT authentication: Authorization
     * - Gateway tracing: X-Correlation-ID
     * - Cache control: Cache-Control, Pragma
     */
    val allowedHeaders: Set<String> = setOf(
        "Authorization",
        "Content-Type",
        "X-Requested-With",
        "X-Correlation-ID",
        "Accept",
        "Origin",
        "Cache-Control",
        "Pragma"
    ),
    /**
     * Exposed response headers for CORS requests.
     *
     * Headers that client JavaScript can access in responses.
     * Includes custom headers added by Gateway filters:
     * - X-Correlation-ID: request tracing (CorrelationIdFilter)
     * - X-RateLimit-*: rate limiting info (RateLimitingFilter)
     * - Standard headers: Content-Length, Date
     */
    val exposedHeaders: Set<String> = setOf(
        "X-Correlation-ID",
        "X-RateLimit-Limit",
        "X-RateLimit-Remaining",
        "X-RateLimit-Enabled",
        "Content-Length",
        "Date"
    ),
    /**
     * Allow credentials in CORS requests.
     *
     * Set to true to support:
     * - JWT Bearer tokens in Authorization headers
     * - Cookies (if used)
     * - Client certificates (if used)
     */
    val allowCredentials: Boolean = true,
    /**
     * Maximum age for preflight request caching.
     *
     * Duration that browsers can cache preflight responses, reducing
     * the number of OPTIONS requests for repeated API calls.
     * Default: 1 hour (reasonable balance of performance vs. flexibility)
     */
    val maxAge: Duration = Duration.ofHours(1)
 )
@@ -1,14 +1,11 @@
 package at.mocode.infrastructure.gateway
 import at.mocode.infrastructure.gateway.controller.FallbackController
 import org.junit.jupiter.api.Test
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.boot.test.autoconfigure.web.reactive.WebFluxTest
 import org.springframework.boot.test.context.SpringBootTest
 import org.springframework.http.HttpStatus
 import org.springframework.test.context.ActiveProfiles
 import org.springframework.test.web.reactive.server.WebTestClient
 import org.springframework.context.annotation.Import
 /**
 * Tests for the Fallback Controller that handles circuit breaker scenarios.
@@ -57,7 +54,8 @@ class FallbackControllerTests {
            .jsonPath("$.message").isEqualTo("Member operations are temporarily unavailable")
            .jsonPath("$.service").isEqualTo("members-service")
            .jsonPath("$.status").isEqualTo(503)
-            .jsonPath("$.suggestion").isEqualTo("Please try again in a few moments. If the problem persists, contact support.")
+            .jsonPath("$.suggestion")
            .isEqualTo("Please try again in a few moments. If the problem persists, contact support.")
            .jsonPath("$.timestamp").exists()
    }
@@ -14,7 +14,6 @@ import org.springframework.test.web.reactive.server.WebTestClient
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 import java.util.*
 /**
 * Tests for Gateway custom filters: CorrelationId, Enhanced Logging, and Rate Limiting.
@@ -92,10 +91,10 @@ class GatewayFiltersTests {
    @Test
    fun `should apply different rate limits for auth endpoints`() {
        // This test validates rate-limit headers only; endpoint body/status may vary based on route mapping
        webTestClient.get()
            .uri("/api/auth/test")
            .exchange()
            .expectStatus().isOk
            .expectHeader().valueEquals("X-RateLimit-Limit", "20") // AUTH_ENDPOINT_LIMIT
    }
@@ -1,23 +1,19 @@
 package at.mocode.infrastructure.gateway
 import org.junit.jupiter.api.BeforeEach
 import org.junit.jupiter.api.Test
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient
 import org.springframework.boot.test.context.SpringBootTest
 import org.springframework.boot.test.web.server.LocalServerPort
 import org.springframework.cloud.gateway.route.RouteLocator
 import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.context.annotation.Import
 import org.springframework.http.HttpHeaders
 import org.springframework.http.HttpMethod
 import org.springframework.test.context.ActiveProfiles
 import org.springframework.test.web.reactive.server.WebTestClient
-import org.springframework.web.bind.annotation.CrossOrigin
+import org.springframework.web.bind.annotation.*
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.PostMapping
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 /**
 * Tests for Gateway security configuration including CORS settings.
@@ -48,7 +44,7 @@ import org.springframework.web.bind.annotation.RestController
        "server.port=0"
    ]
 )
-@ActiveProfiles("dev") // Use dev profile to get CORS configuration
+@ActiveProfiles("test") // Use test profile to disable unrelated global filters; CORS config is present in application-test.yml
@AutoConfigureWebTestClient
@Import(GatewaySecurityTests.TestSecurityConfig::class)
 class GatewaySecurityTests {
@@ -56,6 +52,17 @@ class GatewaySecurityTests {
    @Autowired
    lateinit var webTestClient: WebTestClient
    @LocalServerPort
    private var port: Int = 0
    @BeforeEach
    fun setUpClient() {
        // Ensure absolute base URL with scheme to satisfy CORS processor
        webTestClient = webTestClient.mutate()
            .baseUrl("http://localhost:$port")
            .build()
    }
    @Test
    fun `should handle CORS preflight requests`() {
        webTestClient.options()
@@ -236,8 +243,15 @@ class GatewaySecurityTests {
    @RequestMapping("/mock")
    class SecurityTestController {
-        @GetMapping("/cors-test")
+        @RequestMapping(
-        @PostMapping("/cors-test")
+            value = ["/cors-test"],
            method = [
                RequestMethod.GET,
                RequestMethod.POST,
                RequestMethod.PUT,
                RequestMethod.DELETE
            ]
        )
        fun corsTest(): Map<String, String> = mapOf(
            "message" to "CORS test successful",
            "timestamp" to System.currentTimeMillis().toString()
@@ -9,14 +9,9 @@ import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.context.annotation.Import
 import org.springframework.http.HttpStatus
 import org.springframework.test.context.ActiveProfiles
 import org.springframework.test.web.reactive.server.WebTestClient
-import org.springframework.web.bind.annotation.GetMapping
+import org.springframework.web.bind.annotation.*
 import org.springframework.web.bind.annotation.PostMapping
 import org.springframework.web.bind.annotation.RequestHeader
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 /**
 * Tests for JWT Authentication Filter functionality.
@@ -47,7 +42,7 @@ import org.springframework.web.bind.annotation.RestController
        "server.port=0"
    ]
 )
-@ActiveProfiles("dev") // Use dev profile to enable JWT filter
+@ActiveProfiles("test") // Use test profile to disable unrelated global filters; JWT is enabled via properties above
@AutoConfigureWebTestClient
@Import(JwtAuthenticationTests.TestJwtConfig::class)
 class JwtAuthenticationTests {
@@ -112,10 +107,10 @@ class JwtAuthenticationTests {
            .expectStatus().isOk
            .expectBody(String::class.java)
            .consumeWith { result ->
-                // The mock controller will return the injected headers
+                // The mock controller returns injected header values in the message
-                val body = result.responseBody
+                val body = result.responseBody ?: ""
-                assert(body?.contains("X-User-ID") == true)
+                assert(body.contains("User ID:"))
-                assert(body?.contains("X-User-Role") == true)
+                assert(body.contains("Role:"))
            }
    }
@@ -180,8 +175,8 @@ class JwtAuthenticationTests {
        fun jwtTestRoutes(builder: RouteLocatorBuilder): RouteLocator = builder.routes()
            .route("test-protected") { r ->
                r.path("/api/members/**")
-                    .filters { f -> f.stripPrefix(1) }
+                    .filters { f -> f.setPath("/mock/protected") }
-                    .uri("forward:/mock/protected")
+                    .uri("forward:/")
            }
            .route("test-public-health") { r ->
                r.path("/health")
@@ -189,13 +184,13 @@ class JwtAuthenticationTests {
            }
            .route("test-public-ping") { r ->
                r.path("/api/ping/**")
-                    .filters { f -> f.stripPrefix(1) }
+                    .filters { f -> f.setPath("/mock/ping") }
-                    .uri("forward:/mock/ping")
+                    .uri("forward:/")
            }
            .route("test-public-auth") { r ->
                r.path("/api/auth/**")
-                    .filters { f -> f.stripPrefix(1) }
+                    .filters { f -> f.setPath("/mock/auth") }
-                    .uri("forward:/mock/auth")
+                    .uri("forward:/")
            }
            .route("test-public-fallback") { r ->
                r.path("/fallback/**")
@@ -211,11 +206,8 @@ class JwtAuthenticationTests {
            }
            .route("test-root") { r ->
                r.path("/")
-                    .filters { f ->
+                    .filters { f -> f.setPath("/mock/root") }
-                        f.setStatus(HttpStatus.OK)
+                    .uri("forward:/")
                            .setResponseHeader("Content-Type", "application/json")
                    }
                    .uri("forward:/mock/root")
            }
            .build()
@@ -231,8 +223,10 @@ class JwtAuthenticationTests {
    @RequestMapping("/mock")
    class JwtTestController {
-        @GetMapping("/protected")
+        @RequestMapping(
-        @PostMapping("/protected")
+            value = ["/protected"],
            method = [RequestMethod.GET, RequestMethod.POST]
        )
        fun protectedEndpoint(
            @RequestHeader(value = "X-User-ID", required = false) userId: String?,
            @RequestHeader(value = "X-User-Role", required = false) userRole: String?