Add authenticationManagerResolver to Kotlin DSL

Closes gh-8981

config/src/main/kotlin/org/springframework/security/config/web/servlet/OAuth2ResourceServerDsl.kt

@@ -16,6 +16,7 @@
 
 package org.springframework.security.config.web.servlet
 
+import org.springframework.security.authentication.AuthenticationManagerResolver
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.web.servlet.oauth2.resourceserver.JwtDsl
 import org.springframework.security.config.web.servlet.oauth2.resourceserver.OpaqueTokenDsl
@@ -23,6 +24,7 @@ import org.springframework.security.config.annotation.web.configurers.oauth2.ser
 import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver
 import org.springframework.security.web.AuthenticationEntryPoint
 import org.springframework.security.web.access.AccessDeniedHandler
+import javax.servlet.http.HttpServletRequest
 
 /**
  * A Kotlin DSL to configure [HttpSecurity] OAuth 2.0 resource server support using
@@ -42,6 +44,7 @@ class OAuth2ResourceServerDsl {
     var accessDeniedHandler: AccessDeniedHandler? = null
     var authenticationEntryPoint: AuthenticationEntryPoint? = null
     var bearerTokenResolver: BearerTokenResolver? = null
+    var authenticationManagerResolver: AuthenticationManagerResolver<HttpServletRequest>? = null
 
     private var jwt: ((OAuth2ResourceServerConfigurer<HttpSecurity>.JwtConfigurer) -> Unit)? = null
     private var opaqueToken: ((OAuth2ResourceServerConfigurer<HttpSecurity>.OpaqueTokenConfigurer) -> Unit)? = null
@@ -105,6 +108,7 @@ class OAuth2ResourceServerDsl {
             accessDeniedHandler?.also { oauth2ResourceServer.accessDeniedHandler(accessDeniedHandler) }
             authenticationEntryPoint?.also { oauth2ResourceServer.authenticationEntryPoint(authenticationEntryPoint) }
             bearerTokenResolver?.also { oauth2ResourceServer.bearerTokenResolver(bearerTokenResolver) }
+            authenticationManagerResolver?.also { oauth2ResourceServer.authenticationManagerResolver(authenticationManagerResolver) }
             jwt?.also { oauth2ResourceServer.jwt(jwt) }
             opaqueToken?.also { oauth2ResourceServer.opaqueToken(opaqueToken) }
         }

config/src/test/kotlin/org/springframework/security/config/web/servlet/OAuth2ResourceServerDslTests.kt

@@ -16,11 +16,15 @@
 
 package org.springframework.security.config.web.servlet
 
+import org.assertj.core.api.Assertions
 import org.junit.Rule
 import org.junit.Test
 import org.mockito.Mockito.*
+import org.springframework.beans.factory.BeanCreationException
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.Bean
+import org.springframework.security.authentication.AuthenticationManager
+import org.springframework.security.authentication.AuthenticationManagerResolver
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
@@ -28,11 +32,13 @@ import org.springframework.security.config.test.SpringTestRule
 import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames.SUB
 import org.springframework.security.oauth2.jwt.Jwt
 import org.springframework.security.oauth2.jwt.JwtDecoder
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken
 import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver
 import org.springframework.security.web.AuthenticationEntryPoint
 import org.springframework.security.web.access.AccessDeniedHandler
 import org.springframework.test.web.servlet.MockMvc
 import org.springframework.test.web.servlet.get
+import javax.servlet.http.HttpServletRequest
 
 /**
  * Tests for [OAuth2ResourceServerDsl]
@@ -47,6 +53,11 @@ class OAuth2ResourceServerDslTests {
     @Autowired
     lateinit var mockMvc: MockMvc
 
+    private val JWT: Jwt = Jwt.withTokenValue("token")
+            .header("alg", "none")
+            .claim(SUB, "user")
+            .build()
+
     @Test
     fun `oauth2Resource server when custom entry point then entry point used`() {
         this.spring.register(EntryPointConfig::class.java).autowire()
@@ -116,11 +127,7 @@ class OAuth2ResourceServerDslTests {
     @Test
     fun `oauth2Resource server when custom access denied handler then handler used`() {
         this.spring.register(AccessDeniedHandlerConfig::class.java).autowire()
-        `when`(AccessDeniedHandlerConfig.DECODER.decode(anyString())).thenReturn(
+        `when`(AccessDeniedHandlerConfig.DECODER.decode(anyString())).thenReturn(JWT)
-                Jwt.withTokenValue("token")
-                        .header("alg", "none")
-                        .claim(SUB, "user")
-                        .build())
 
         this.mockMvc.get("/") {
             header("Authorization", "Bearer token")
@@ -153,4 +160,61 @@ class OAuth2ResourceServerDslTests {
             return DECODER
         }
     }
+
+    @Test
+    fun `oauth2Resource server when custom authentication manager resolver then resolver used`() {
+        this.spring.register(AuthenticationManagerResolverConfig::class.java).autowire()
+        `when`(AuthenticationManagerResolverConfig.RESOLVER.resolve(any())).thenReturn(
+                AuthenticationManager {
+                    JwtAuthenticationToken(JWT)
+                }
+        )
+
+        this.mockMvc.get("/") {
+            header("Authorization", "Bearer token")
+        }
+
+        verify(AuthenticationManagerResolverConfig.RESOLVER).resolve(any())
+    }
+
+    @EnableWebSecurity
+    open class AuthenticationManagerResolverConfig : WebSecurityConfigurerAdapter() {
+        companion object {
+            var RESOLVER: AuthenticationManagerResolver<*> = mock(AuthenticationManagerResolver::class.java)
+        }
+
+        override fun configure(http: HttpSecurity) {
+            http {
+                authorizeRequests {
+                    authorize(anyRequest, authenticated)
+                }
+                oauth2ResourceServer {
+                    authenticationManagerResolver = RESOLVER as AuthenticationManagerResolver<HttpServletRequest>
+                }
+            }
+        }
+    }
+
+    @Test
+    fun `oauth2Resource server when custom authentication manager resolver and opaque then exception`() {
+        Assertions.assertThatExceptionOfType(BeanCreationException::class.java)
+                .isThrownBy { spring.register(AuthenticationManagerResolverAndOpaqueConfig::class.java).autowire() }
+                .withMessageContaining("authenticationManagerResolver")
+    }
+
+    @EnableWebSecurity
+    open class AuthenticationManagerResolverAndOpaqueConfig : WebSecurityConfigurerAdapter() {
+        override fun configure(http: HttpSecurity) {
+            http {
+                authorizeRequests {
+                    authorize(anyRequest, authenticated)
+                }
+                oauth2ResourceServer {
+                    authenticationManagerResolver = mock(AuthenticationManagerResolver::class.java)
+                            as AuthenticationManagerResolver<HttpServletRequest>
+                    opaqueToken { }
+                }
+            }
+        }
+    }
 }