Allow custom header during bearer token extraction

Added ability to specify the header that
ServerBearerTokenAuthenticationConverter and
DefaultBearerTokenResolver use to extract a Bearer Token.

Fixes gh-8337
This commit is contained in:
Teddy Reinert 2020-04-06 19:00:33 -05:00 committed by Josh Cummings
parent 95f0d02d79
commit 2f8eb16d76
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
4 changed files with 54 additions and 5 deletions

View File

@ -45,6 +45,8 @@ public final class DefaultBearerTokenResolver implements BearerTokenResolver {
private boolean allowUriQueryParameter = false; private boolean allowUriQueryParameter = false;
private String bearerTokenHeaderName = HttpHeaders.AUTHORIZATION;
/** /**
* {@inheritDoc} * {@inheritDoc}
*/ */
@ -85,8 +87,21 @@ public final class DefaultBearerTokenResolver implements BearerTokenResolver {
this.allowUriQueryParameter = allowUriQueryParameter; this.allowUriQueryParameter = allowUriQueryParameter;
} }
private static String resolveFromAuthorizationHeader(HttpServletRequest request) { /**
String authorization = request.getHeader(HttpHeaders.AUTHORIZATION); * Set this value to configure what header is checked when resolving a Bearer Token.
* This value is defaulted to {@link HttpHeaders#AUTHORIZATION}.
*
* This allows other headers to be used as the Bearer Token source such as {@link HttpHeaders#PROXY_AUTHORIZATION}
*
* @param bearerTokenHeaderName the header to check when retrieving the Bearer Token.
* @since 5.4
*/
public void setBearerTokenHeaderName(String bearerTokenHeaderName) {
this.bearerTokenHeaderName = bearerTokenHeaderName;
}
private String resolveFromAuthorizationHeader(HttpServletRequest request) {
String authorization = request.getHeader(this.bearerTokenHeaderName);
if (StringUtils.startsWithIgnoreCase(authorization, "bearer")) { if (StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
Matcher matcher = authorizationPattern.matcher(authorization); Matcher matcher = authorizationPattern.matcher(authorization);

View File

@ -50,6 +50,7 @@ public class ServerBearerTokenAuthenticationConverter
Pattern.CASE_INSENSITIVE); Pattern.CASE_INSENSITIVE);
private boolean allowUriQueryParameter = false; private boolean allowUriQueryParameter = false;
private String bearerTokenHeaderName = HttpHeaders.AUTHORIZATION;
public Mono<Authentication> convert(ServerWebExchange exchange) { public Mono<Authentication> convert(ServerWebExchange exchange) {
return Mono.justOrEmpty(token(exchange.getRequest())) return Mono.justOrEmpty(token(exchange.getRequest()))
@ -90,8 +91,21 @@ public class ServerBearerTokenAuthenticationConverter
this.allowUriQueryParameter = allowUriQueryParameter; this.allowUriQueryParameter = allowUriQueryParameter;
} }
private static String resolveFromAuthorizationHeader(HttpHeaders headers) { /**
String authorization = headers.getFirst(HttpHeaders.AUTHORIZATION); * Set this value to configure what header is checked when resolving a Bearer Token.
* This value is defaulted to {@link HttpHeaders#AUTHORIZATION}.
*
* This allows other headers to be used as the Bearer Token source such as {@link HttpHeaders#PROXY_AUTHORIZATION}
*
* @param bearerTokenHeaderName the header to check when retrieving the Bearer Token.
* @since 5.4
*/
public void setBearerTokenHeaderName(String bearerTokenHeaderName) {
this.bearerTokenHeaderName = bearerTokenHeaderName;
}
private String resolveFromAuthorizationHeader(HttpHeaders headers) {
String authorization = headers.getFirst(this.bearerTokenHeaderName);
if (StringUtils.startsWithIgnoreCase(authorization, "bearer")) { if (StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
Matcher matcher = authorizationPattern.matcher(authorization); Matcher matcher = authorizationPattern.matcher(authorization);

View File

@ -33,7 +33,7 @@ import static org.assertj.core.api.Assertions.assertThatCode;
* @author Vedran Pavic * @author Vedran Pavic
*/ */
public class DefaultBearerTokenResolverTests { public class DefaultBearerTokenResolverTests {
private static final String CUSTOM_HEADER = "custom-header";
private static final String TEST_TOKEN = "test-token"; private static final String TEST_TOKEN = "test-token";
private DefaultBearerTokenResolver resolver; private DefaultBearerTokenResolver resolver;
@ -51,6 +51,15 @@ public class DefaultBearerTokenResolverTests {
assertThat(this.resolver.resolve(request)).isEqualTo(TEST_TOKEN); assertThat(this.resolver.resolve(request)).isEqualTo(TEST_TOKEN);
} }
@Test
public void resolveWhenCustomDefinedHeaderIsValidAndPresentThenTokenIsResolved() {
this.resolver.setBearerTokenHeaderName(CUSTOM_HEADER);
MockHttpServletRequest request = new MockHttpServletRequest();
request.addHeader(CUSTOM_HEADER, "Bearer " + TEST_TOKEN);
assertThat(this.resolver.resolve(request)).isEqualTo(TEST_TOKEN);
}
@Test @Test
public void resolveWhenLowercaseHeaderIsPresentThenTokenIsResolved() { public void resolveWhenLowercaseHeaderIsPresentThenTokenIsResolved() {
MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletRequest request = new MockHttpServletRequest();

View File

@ -38,6 +38,7 @@ import static org.assertj.core.api.Assertions.catchThrowableOfType;
* @since 5.1 * @since 5.1
*/ */
public class ServerBearerTokenAuthenticationConverterTests { public class ServerBearerTokenAuthenticationConverterTests {
private static final String CUSTOM_HEADER = "custom-header";
private static final String TEST_TOKEN = "test-token"; private static final String TEST_TOKEN = "test-token";
private ServerBearerTokenAuthenticationConverter converter; private ServerBearerTokenAuthenticationConverter converter;
@ -56,6 +57,16 @@ public class ServerBearerTokenAuthenticationConverterTests {
assertThat(convertToToken(request).getToken()).isEqualTo(TEST_TOKEN); assertThat(convertToToken(request).getToken()).isEqualTo(TEST_TOKEN);
} }
@Test
public void resolveWhenCustomDefinedHeaderIsValidAndPresentThenTokenIsResolved() {
this.converter.setBearerTokenHeaderName(CUSTOM_HEADER);
MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest
.get("/")
.header(CUSTOM_HEADER, "Bearer " + TEST_TOKEN);
assertThat(convertToToken(request).getToken()).isEqualTo(TEST_TOKEN);
}
// gh-7011 // gh-7011
@Test @Test
public void resolveWhenValidHeaderIsEmptyStringThenTokenIsResolved() { public void resolveWhenValidHeaderIsEmptyStringThenTokenIsResolved() {