Register Authentication Provider in Init Phase

Fixes gh-8031

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -222,9 +222,16 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 
 	@Override
 	public void init(H http) {
+		validateConfiguration();
+
 		registerDefaultAccessDeniedHandler(http);
 		registerDefaultEntryPoint(http);
 		registerDefaultCsrfOverride(http);
+
+		AuthenticationProvider authenticationProvider = getAuthenticationProvider();
+		if (authenticationProvider != null) {
+			http.authenticationProvider(authenticationProvider);
+		}
 	}
 
 	@Override
@@ -232,8 +239,6 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 		BearerTokenResolver bearerTokenResolver = getBearerTokenResolver();
 		this.requestMatcher.setBearerTokenResolver(bearerTokenResolver);
 
-		validateConfiguration();
-
 		AuthenticationManagerResolver resolver = this.authenticationManagerResolver;
 		if (resolver == null) {
 			AuthenticationManager authenticationManager = getAuthenticationManager(http);
@@ -321,9 +326,9 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 			return this.decoder;
 		}
 
-		AuthenticationManager getAuthenticationManager(H http) {
+		AuthenticationProvider getAuthenticationProvider() {
 			if (this.authenticationManager != null) {
-				return this.authenticationManager;
+				return null;
 			}
 
 			JwtDecoder decoder = getJwtDecoder();
@@ -333,9 +338,13 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 			JwtAuthenticationProvider provider =
 					new JwtAuthenticationProvider(decoder);
 			provider.setJwtAuthenticationConverter(jwtAuthenticationConverter);
-			AuthenticationProvider authenticationProvider = postProcess(provider);
+			return postProcess(provider);
+		}
 
-			http.authenticationProvider(authenticationProvider);
+		AuthenticationManager getAuthenticationManager(H http) {
+			if (this.authenticationManager != null) {
+				return this.authenticationManager;
+			}
 
 			return http.getSharedObject(AuthenticationManager.class);
 		}
@@ -391,16 +400,19 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 			return this.context.getBean(OpaqueTokenIntrospector.class);
 		}
 
+		AuthenticationProvider getAuthenticationProvider() {
+			if (this.authenticationManager != null) {
+				return null;
+			}
+			OpaqueTokenIntrospector introspector = getIntrospector();
+			return new OpaqueTokenAuthenticationProvider(introspector);
+		}
+
 		AuthenticationManager getAuthenticationManager(H http) {
 			if (this.authenticationManager != null) {
 				return this.authenticationManager;
 			}
 
-			OpaqueTokenIntrospector introspector = getIntrospector();
-			OpaqueTokenAuthenticationProvider provider =
-					new OpaqueTokenAuthenticationProvider(introspector);
-			http.authenticationProvider(provider);
-
 			return http.getSharedObject(AuthenticationManager.class);
 		}
 	}
@@ -439,6 +451,18 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 		csrf.ignoringRequestMatchers(this.requestMatcher);
 	}
 
+	AuthenticationProvider getAuthenticationProvider() {
+		if (this.jwtConfigurer != null) {
+			return this.jwtConfigurer.getAuthenticationProvider();
+		}
+
+		if (this.opaqueTokenConfigurer != null) {
+			return this.opaqueTokenConfigurer.getAuthenticationProvider();
+		}
+
+		return null;
+	}
+
 	AuthenticationManager getAuthenticationManager(H http) {
 		if (this.jwtConfigurer != null) {
 			return this.jwtConfigurer.getAuthenticationManager(http);

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java

@@ -360,6 +360,18 @@ public class OAuth2ResourceServerConfigurerTests {
 				.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer"));
 	}
 
+	// gh-8031
+	@Test
+	public void getWhenAnonymousDisabledThenAllows() throws Exception {
+		this.spring.register(RestOperationsConfig.class, AnonymousDisabledConfig.class).autowire();
+		mockRestOperations(jwks("Default"));
+		String token = token("ValidNoScopes");
+
+		this.mvc.perform(get("/authenticated")
+				.with(bearerToken(token)))
+				.andExpect(status().isNotFound());
+	}
+
 	@Test
 	public void getWhenUsingDefaultsWithNoBearerTokenThenUnauthorized()
 			throws Exception {
@@ -730,7 +742,8 @@ public class OAuth2ResourceServerConfigurerTests {
 
 	@Test
 	public void getBearerTokenResolverWhenDuplicateResolverBeansThenWiringException() {
-		assertThatCode(() -> this.spring.register(MultipleBearerTokenResolverBeansConfig.class).autowire())
+		assertThatCode(() -> this.spring
+				.register(MultipleBearerTokenResolverBeansConfig.class, JwtDecoderConfig.class).autowire())
 				.isInstanceOf(BeanCreationException.class)
 				.hasRootCauseInstanceOf(NoUniqueBeanDefinitionException.class);
 	}
@@ -1469,6 +1482,22 @@ public class OAuth2ResourceServerConfigurerTests {
 		}
 	}
 
+	@EnableWebSecurity
+	static class AnonymousDisabledConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.authorizeRequests()
+					.anyRequest().authenticated()
+					.and()
+				.anonymous().disable()
+				.oauth2ResourceServer()
+					.jwt();
+			// @formatter:on
+		}
+	}
+
 	@EnableWebSecurity
 	@EnableGlobalMethodSecurity(prePostEnabled = true)
 	static class MethodSecurityConfig extends WebSecurityConfigurerAdapter {