From 054791c26c92ad06c2d62c42d7f28ff000f131c2 Mon Sep 17 00:00:00 2001 From: Joe Grandja Date: Fri, 15 Jul 2022 14:53:36 -0400 Subject: [PATCH] Remove deprecations in ServletOAuth2AuthorizedClientExchangeFilterFunction Closes gh-11588 --- ...uthorizedClientExchangeFilterFunction.java | 83 +------------------ ...izedClientExchangeFilterFunctionTests.java | 33 +------- 2 files changed, 2 insertions(+), 114 deletions(-) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunction.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunction.java index 5d41d17448..c8cd1c58e1 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunction.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunction.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,7 +16,6 @@ package org.springframework.security.oauth2.client.web.reactive.function.client; -import java.time.Duration; import java.util.Collections; import java.util.HashMap; import java.util.Map; @@ -38,18 +37,14 @@ import org.springframework.security.core.Authentication; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.oauth2.client.ClientAuthorizationException; -import org.springframework.security.oauth2.client.ClientCredentialsOAuth2AuthorizedClientProvider; import org.springframework.security.oauth2.client.OAuth2AuthorizationFailureHandler; import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest; import org.springframework.security.oauth2.client.OAuth2AuthorizedClient; import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager; import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider; import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder; -import org.springframework.security.oauth2.client.RefreshTokenOAuth2AuthorizedClientProvider; import org.springframework.security.oauth2.client.RemoveAuthorizedClientOAuth2AuthorizationFailureHandler; import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken; -import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient; -import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest; import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager; @@ -150,16 +145,8 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken("anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")); - @Deprecated - private Duration accessTokenExpiresSkew = Duration.ofMinutes(1); - - @Deprecated - private OAuth2AccessTokenResponseClient clientCredentialsTokenResponseClient; - private OAuth2AuthorizedClientManager authorizedClientManager; - private boolean defaultAuthorizedClientManager; - private boolean defaultOAuth2AuthorizedClient; private String defaultClientRegistrationId; @@ -224,7 +211,6 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement clientRegistrationRepository, authorizedClientRepository); defaultAuthorizedClientManager.setAuthorizationFailureHandler(authorizationFailureHandler); this.authorizedClientManager = defaultAuthorizedClientManager; - this.defaultAuthorizedClientManager = true; this.clientResponseHandler = new AuthorizationFailureForwarder(authorizationFailureHandler); } @@ -235,52 +221,6 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement authorizedClientRepository.removeAuthorizedClient(clientRegistrationId, principal, request, response); } - /** - * Sets the {@link OAuth2AccessTokenResponseClient} used for getting an - * {@link OAuth2AuthorizedClient} for the client_credentials grant. - * @param clientCredentialsTokenResponseClient the client to use - * @deprecated Use - * {@link #ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)} - * instead. Create an instance of - * {@link ClientCredentialsOAuth2AuthorizedClientProvider} configured with a - * {@link ClientCredentialsOAuth2AuthorizedClientProvider#setAccessTokenResponseClient(OAuth2AccessTokenResponseClient) - * DefaultClientCredentialsTokenResponseClient} (or a custom one) and than supply it - * to - * {@link DefaultOAuth2AuthorizedClientManager#setAuthorizedClientProvider(OAuth2AuthorizedClientProvider) - * DefaultOAuth2AuthorizedClientManager}. - */ - @Deprecated - public void setClientCredentialsTokenResponseClient( - OAuth2AccessTokenResponseClient clientCredentialsTokenResponseClient) { - Assert.notNull(clientCredentialsTokenResponseClient, "clientCredentialsTokenResponseClient cannot be null"); - Assert.state(this.defaultAuthorizedClientManager, - "The client cannot be set when the constructor used is \"ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)\". " - + "Instead, use the constructor \"ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository, OAuth2AuthorizedClientRepository)\"."); - this.clientCredentialsTokenResponseClient = clientCredentialsTokenResponseClient; - updateDefaultAuthorizedClientManager(); - } - - private void updateDefaultAuthorizedClientManager() { - // @formatter:off - OAuth2AuthorizedClientProvider authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder() - .authorizationCode() - .refreshToken((configurer) -> configurer.clockSkew(this.accessTokenExpiresSkew)) - .clientCredentials(this::updateClientCredentialsProvider) - .password((configurer) -> configurer.clockSkew(this.accessTokenExpiresSkew)) - .build(); - // @formatter:on - ((DefaultOAuth2AuthorizedClientManager) this.authorizedClientManager) - .setAuthorizedClientProvider(authorizedClientProvider); - } - - private void updateClientCredentialsProvider( - OAuth2AuthorizedClientProviderBuilder.ClientCredentialsGrantBuilder builder) { - if (this.clientCredentialsTokenResponseClient != null) { - builder.accessTokenResponseClient(this.clientCredentialsTokenResponseClient); - } - builder.clockSkew(this.accessTokenExpiresSkew); - } - /** * If true, a default {@link OAuth2AuthorizedClient} can be discovered from the * current Authentication. It is recommended to be cautious with this feature since @@ -393,27 +333,6 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement return (attributes) -> attributes.put(HTTP_SERVLET_RESPONSE_ATTR_NAME, response); } - /** - * An access token will be considered expired by comparing its expiration to now + - * this skewed Duration. The default is 1 minute. - * @param accessTokenExpiresSkew the Duration to use. - * @deprecated The {@code accessTokenExpiresSkew} should be configured with the - * specific {@link OAuth2AuthorizedClientProvider} implementation, e.g. - * {@link ClientCredentialsOAuth2AuthorizedClientProvider#setClockSkew(Duration) - * ClientCredentialsOAuth2AuthorizedClientProvider} or - * {@link RefreshTokenOAuth2AuthorizedClientProvider#setClockSkew(Duration) - * RefreshTokenOAuth2AuthorizedClientProvider}. - */ - @Deprecated - public void setAccessTokenExpiresSkew(Duration accessTokenExpiresSkew) { - Assert.notNull(accessTokenExpiresSkew, "accessTokenExpiresSkew cannot be null"); - Assert.state(this.defaultAuthorizedClientManager, - "The accessTokenExpiresSkew cannot be set when the constructor used is \"ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)\". " - + "Instead, use the constructor \"ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository, OAuth2AuthorizedClientRepository)\"."); - this.accessTokenExpiresSkew = accessTokenExpiresSkew; - updateDefaultAuthorizedClientManager(); - } - /** * Sets the {@link OAuth2AuthorizationFailureHandler} that handles authentication and * authorization failures when communicating to the OAuth 2.0 Resource Server. diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunctionTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunctionTests.java index 3e527cd513..3087c24b85 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunctionTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunctionTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -73,7 +73,6 @@ import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder; import org.springframework.security.oauth2.client.RefreshTokenOAuth2AuthorizedClientProvider; import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken; -import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient; import org.springframework.security.oauth2.client.endpoint.DefaultRefreshTokenTokenResponseClient; import org.springframework.security.oauth2.client.endpoint.JwtBearerGrantRequest; import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient; @@ -112,7 +111,6 @@ import org.springframework.web.reactive.function.client.WebClientResponseExcepti import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatExceptionOfType; import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; -import static org.assertj.core.api.Assertions.assertThatIllegalStateException; import static org.assertj.core.api.Assertions.entry; import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.eq; @@ -220,35 +218,6 @@ public class ServletOAuth2AuthorizedClientExchangeFilterFunctionTests { .isThrownBy(() -> new ServletOAuth2AuthorizedClientExchangeFilterFunction(null)); } - @Test - public void setClientCredentialsTokenResponseClientWhenClientIsNullThenThrowIllegalArgumentException() { - assertThatIllegalArgumentException() - .isThrownBy(() -> this.function.setClientCredentialsTokenResponseClient(null)) - .withMessage("clientCredentialsTokenResponseClient cannot be null"); - } - - @Test - public void setClientCredentialsTokenResponseClientWhenNotDefaultAuthorizedClientManagerThenThrowIllegalStateException() { - assertThatIllegalStateException() - .isThrownBy(() -> this.function - .setClientCredentialsTokenResponseClient(new DefaultClientCredentialsTokenResponseClient())) - .withMessage("The client cannot be set when the constructor used is " - + "\"ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)\". " - + "Instead, use the constructor \"ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository, " - + "OAuth2AuthorizedClientRepository)\"."); - } - - @Test - public void setAccessTokenExpiresSkewWhenNotDefaultAuthorizedClientManagerThenThrowIllegalStateException() { - assertThatIllegalStateException() - .isThrownBy(() -> this.function.setAccessTokenExpiresSkew(Duration.ofSeconds(30))) - .isInstanceOf(IllegalStateException.class) - .withMessage("The accessTokenExpiresSkew cannot be set when the constructor used is " - + "\"ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)\". " - + "Instead, use the constructor \"ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository, " - + "OAuth2AuthorizedClientRepository)\"."); - } - @Test public void defaultRequestRequestResponseWhenNullRequestContextThenRequestAndResponseNull() { Map attrs = getDefaultRequestAttributes();