diff --git a/servlet/spring-boot/java/oauth2/resource-server/multi-tenancy/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java b/servlet/spring-boot/java/oauth2/resource-server/multi-tenancy/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java index bc00c44..d67abe2 100644 --- a/servlet/spring-boot/java/oauth2/resource-server/multi-tenancy/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java +++ b/servlet/spring-boot/java/oauth2/resource-server/multi-tenancy/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2020 the original author or authors. + * Copyright 2020-2021 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,60 +21,50 @@ import java.util.Optional; import javax.servlet.http.HttpServletRequest; -import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManagerResolver; +import org.springframework.security.authentication.ProviderManager; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.oauth2.jwt.JwtDecoder; -import org.springframework.security.oauth2.jwt.NimbusJwtDecoder; import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider; import org.springframework.security.oauth2.server.resource.authentication.JwtBearerTokenAuthenticationConverter; import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider; -import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector; import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector; +import org.springframework.security.web.SecurityFilterChain; /** * OAuth Resource Security configuration. * * @author Josh Cummings */ -@EnableWebSecurity -public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter { +@Configuration +public class OAuth2ResourceServerSecurityConfiguration { - @Value("${tenantOne.jwk-set-uri}") - String jwkSetUri; - - @Value("${tenantTwo.introspection-uri}") - String introspectionUri; - - @Value("${tenantTwo.introspection-client-id}") - String introspectionClientId; - - @Value("${tenantTwo.introspection-client-secret}") - String introspectionClientSecret; - - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain apiSecurity(HttpSecurity http, + AuthenticationManagerResolver authenticationManagerResolver) throws Exception { // @formatter:off http .authorizeRequests((requests) -> requests - .mvcMatchers("/**/message/**").hasAuthority("SCOPE_message:read") - .anyRequest().authenticated() + .mvcMatchers("/**/message/**").hasAuthority("SCOPE_message:read") + .anyRequest().authenticated() ) .oauth2ResourceServer((resourceServer) -> resourceServer - .authenticationManagerResolver(multitenantAuthenticationManager()) + .authenticationManagerResolver(authenticationManagerResolver) ); // @formatter:on + + return http.build(); } @Bean - AuthenticationManagerResolver multitenantAuthenticationManager() { + AuthenticationManagerResolver multitenantAuthenticationManager(JwtDecoder jwtDecoder, + OpaqueTokenIntrospector opaqueTokenIntrospector) { Map authenticationManagers = new HashMap<>(); - authenticationManagers.put("tenantOne", jwt()); - authenticationManagers.put("tenantTwo", opaque()); + authenticationManagers.put("tenantOne", jwt(jwtDecoder)); + authenticationManagers.put("tenantTwo", opaque(opaqueTokenIntrospector)); return (request) -> { String[] pathParts = request.getRequestURI().split("/"); String tenantId = (pathParts.length > 0) ? pathParts[1] : null; @@ -86,17 +76,14 @@ public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfig }; } - AuthenticationManager jwt() { - JwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(this.jwkSetUri).build(); + AuthenticationManager jwt(JwtDecoder jwtDecoder) { JwtAuthenticationProvider authenticationProvider = new JwtAuthenticationProvider(jwtDecoder); authenticationProvider.setJwtAuthenticationConverter(new JwtBearerTokenAuthenticationConverter()); - return authenticationProvider::authenticate; + return new ProviderManager(authenticationProvider); } - AuthenticationManager opaque() { - OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(this.introspectionUri, - this.introspectionClientId, this.introspectionClientSecret); - return new OpaqueTokenAuthenticationProvider(introspectionClient)::authenticate; + AuthenticationManager opaque(OpaqueTokenIntrospector introspectionClient) { + return new ProviderManager(new OpaqueTokenAuthenticationProvider(introspectionClient)); } } diff --git a/servlet/spring-boot/java/oauth2/resource-server/multi-tenancy/src/main/resources/application.yml b/servlet/spring-boot/java/oauth2/resource-server/multi-tenancy/src/main/resources/application.yml index de938e3..fe03b67 100644 --- a/servlet/spring-boot/java/oauth2/resource-server/multi-tenancy/src/main/resources/application.yml +++ b/servlet/spring-boot/java/oauth2/resource-server/multi-tenancy/src/main/resources/application.yml @@ -1,4 +1,10 @@ -tenantOne.jwk-set-uri: ${mockwebserver.url}/.well-known/jwks.json -tenantTwo.introspection-uri: ${mockwebserver.url}/introspect -tenantTwo.introspection-client-id: client -tenantTwo.introspection-client-secret: secret +spring: + security: + oauth2: + resourceserver: + jwt: + jwk-set-uri: ${mockwebserver.url}/.well-known/jwks.json + opaquetoken: + introspection-uri: ${mockwebserver.url}/introspect + client-id: client + client-secret: secret \ No newline at end of file