Fix credentials precedence over introspector in Kotlin

Fixes: gh-7878
2020-02-06 11:01:42 +01:00 · 2020-02-06 11:01:42 +01:00 · 8c0b754a49
parent 1fed688f05
commit 8c0b754a49
2 changed files with 53 additions and 3 deletions
--- a/config/src/main/kotlin/org/springframework/security/config/web/servlet/oauth2/resourceserver/OpaqueTokenDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/web/servlet/oauth2/resourceserver/OpaqueTokenDsl.kt
@ -29,11 +29,25 @@ import org.springframework.security.oauth2.server.resource.introspection.OpaqueT
 * @property introspector the [OpaqueTokenIntrospector] to use.
 */
 class OpaqueTokenDsl {
-    var introspectionUri: String? = null
-    var introspector: OpaqueTokenIntrospector? = null
-
+    private var _introspectionUri: String? = null
+    private var _introspector: OpaqueTokenIntrospector? = null
    private var clientCredentials: Pair<String, String>? = null

+    var introspectionUri: String?
+        get() = _introspectionUri
+        set(value) {
+            _introspectionUri = value
+            _introspector = null
+        }
+    var introspector: OpaqueTokenIntrospector?
+        get() = _introspector
+        set(value) {
+            _introspector = value
+            _introspectionUri = null
+            clientCredentials = null
+        }
+
+
    /**
     * Configures the credentials for Introspection endpoint.
     *
@ -42,6 +56,7 @@ class OpaqueTokenDsl {
     */
    fun introspectionClientCredentials(clientId: String, clientSecret: String) {
        clientCredentials = Pair(clientId, clientSecret)
+        _introspector = null
    }

    internal fun get(): (OAuth2ResourceServerConfigurer<HttpSecurity>.OpaqueTokenConfigurer) -> Unit {
--- a/config/src/test/kotlin/org/springframework/security/config/web/servlet/oauth2/resourceserver/OpaqueTokenDslTests.kt
+++ b/config/src/test/kotlin/org/springframework/security/config/web/servlet/oauth2/resourceserver/OpaqueTokenDslTests.kt
@ -138,6 +138,41 @@ class OpaqueTokenDslTests {
        }
    }

+    @Test
+    fun `opaque token when custom introspector set after client credentials then introspector used`() {
+        this.spring.register(IntrospectorAfterClientCredentialsConfig::class.java, AuthenticationController::class.java).autowire()
+        `when`(IntrospectorAfterClientCredentialsConfig.INTROSPECTOR.introspect(ArgumentMatchers.anyString()))
+                .thenReturn(DefaultOAuth2AuthenticatedPrincipal(mapOf(Pair(JwtClaimNames.SUB, "mock-subject")), emptyList()))
+
+        this.mockMvc.get("/authenticated") {
+            header("Authorization", "Bearer token")
+        }
+
+        verify(IntrospectorAfterClientCredentialsConfig.INTROSPECTOR).introspect("token")
+    }
+
+    @EnableWebSecurity
+    open class IntrospectorAfterClientCredentialsConfig : WebSecurityConfigurerAdapter() {
+        companion object {
+            var INTROSPECTOR: OpaqueTokenIntrospector = mock(OpaqueTokenIntrospector::class.java)
+        }
+
+        override fun configure(http: HttpSecurity) {
+            http {
+                authorizeRequests {
+                    authorize(anyRequest, authenticated)
+                }
+                oauth2ResourceServer {
+                    opaqueToken {
+                        introspectionUri = "/introspect"
+                        introspectionClientCredentials("clientId", "clientSecret")
+                        introspector = INTROSPECTOR
+                    }
+                }
+            }
+        }
+    }
+
    @RestController
    class AuthenticationController {
        @GetMapping("/authenticated")