Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-11 21:03:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove Reliance on BearerTokenResolver

Browse Source 
Closes gh-9186
This commit is contained in:
Josh Cummings 2020-11-02 17:29:24 -07:00
parent ad489495dc
commit af669a2166
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
4 changed files with 182 additions and 188 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtIssuerAuthenticationManagerResolver.java
View File

@ -34,12 +34,13 @@ import org.springframework.core.log.LogMessage;
import org.springframework.lang.NonNull; import org.springframework.lang.NonNull;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver; import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.jwt.JwtDecoder; import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders; import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException; import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.util.Assert; import org.springframework.util.Assert;
/** /**
@ -63,9 +64,7 @@ import org.springframework.util.Assert;
*/ */
public final class JwtIssuerAuthenticationManagerResolver implements AuthenticationManagerResolver<HttpServletRequest> { public final class JwtIssuerAuthenticationManagerResolver implements AuthenticationManagerResolver<HttpServletRequest> {
private final AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver; private final AuthenticationManager authenticationManager;
private Converter<HttpServletRequest, String> issuerConverter = new JwtClaimIssuerConverter();
/** /**
* Construct a {@link JwtIssuerAuthenticationManagerResolver} using the provided * Construct a {@link JwtIssuerAuthenticationManagerResolver} using the provided
@ -83,8 +82,9 @@ public final class JwtIssuerAuthenticationManagerResolver implements Authenticat
*/ */
public JwtIssuerAuthenticationManagerResolver(Collection<String> trustedIssuers) { public JwtIssuerAuthenticationManagerResolver(Collection<String> trustedIssuers) {
Assert.notEmpty(trustedIssuers, "trustedIssuers cannot be empty"); Assert.notEmpty(trustedIssuers, "trustedIssuers cannot be empty");
this.issuerAuthenticationManagerResolver = new TrustedIssuerJwtAuthenticationManagerResolver( this.authenticationManager = new ResolvingAuthenticationManager(
Collections.unmodifiableCollection(trustedIssuers)::contains); new TrustedIssuerJwtAuthenticationManagerResolver(
Collections.unmodifiableCollection(trustedIssuers)::contains));
} }
/** /**
@ -111,7 +111,7 @@ public final class JwtIssuerAuthenticationManagerResolver implements Authenticat
public JwtIssuerAuthenticationManagerResolver( public JwtIssuerAuthenticationManagerResolver(
AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver) { AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver) {
Assert.notNull(issuerAuthenticationManagerResolver, "issuerAuthenticationManagerResolver cannot be null"); Assert.notNull(issuerAuthenticationManagerResolver, "issuerAuthenticationManagerResolver cannot be null");
this.issuerAuthenticationManagerResolver = issuerAuthenticationManagerResolver; this.authenticationManager = new ResolvingAuthenticationManager(issuerAuthenticationManagerResolver);
} }
/** /**
@ -122,40 +122,39 @@ public final class JwtIssuerAuthenticationManagerResolver implements Authenticat
*/ */
@Override @Override
public AuthenticationManager resolve(HttpServletRequest request) { public AuthenticationManager resolve(HttpServletRequest request) {
String issuer = this.issuerConverter.convert(request); return this.authenticationManager;
}
private static class ResolvingAuthenticationManager implements AuthenticationManager {
private final Converter<BearerTokenAuthenticationToken, String> issuerConverter = new JwtClaimIssuerConverter();
private final AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver;
ResolvingAuthenticationManager(AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver) {
this.issuerAuthenticationManagerResolver = issuerAuthenticationManagerResolver;
}
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
Assert.isTrue(authentication instanceof BearerTokenAuthenticationToken,
"Authentication must be of type BearerTokenAuthenticationToken");
BearerTokenAuthenticationToken token = (BearerTokenAuthenticationToken) authentication;
String issuer = this.issuerConverter.convert(token);
AuthenticationManager authenticationManager = this.issuerAuthenticationManagerResolver.resolve(issuer); AuthenticationManager authenticationManager = this.issuerAuthenticationManagerResolver.resolve(issuer);
if (authenticationManager == null) { if (authenticationManager == null) {
throw new InvalidBearerTokenException("Invalid issuer"); throw new InvalidBearerTokenException("Invalid issuer");
} }
return authenticationManager; return authenticationManager.authenticate(authentication);
} }
/**
* Set a custom bearer token resolver
*
* @since 5.5
*/
public void setBearerTokenResolver(BearerTokenResolver bearerTokenResolver) {
Assert.notNull(bearerTokenResolver, "bearerTokenResolver cannot be null");
this.issuerConverter = new JwtClaimIssuerConverter(bearerTokenResolver);
} }
private static class JwtClaimIssuerConverter implements Converter<HttpServletRequest, String> { private static class JwtClaimIssuerConverter implements Converter<BearerTokenAuthenticationToken, String> {
private final BearerTokenResolver resolver;
JwtClaimIssuerConverter() {
this(new DefaultBearerTokenResolver());
}
JwtClaimIssuerConverter(BearerTokenResolver bearerTokenResolver) {
Assert.notNull(bearerTokenResolver, "bearerTokenResolver cannot be null");
this.resolver = bearerTokenResolver;
}
@Override @Override
public String convert(@NonNull HttpServletRequest request) { public String convert(@NonNull BearerTokenAuthenticationToken authentication) {
String token = this.resolver.resolve(request); String token = authentication.getToken();
try { try {
String issuer = JWTParser.parse(token).getJWTClaimsSet().getIssuer(); String issuer = JWTParser.parse(token).getJWTClaimsSet().getIssuer();
if (issuer != null) { if (issuer != null) {
@ -170,8 +169,7 @@ public final class JwtIssuerAuthenticationManagerResolver implements Authenticat
} }
private static class TrustedIssuerJwtAuthenticationManagerResolver static class TrustedIssuerJwtAuthenticationManagerResolver implements AuthenticationManagerResolver<String> {
implements AuthenticationManagerResolver<String> {
private final Log logger = LogFactory.getLog(getClass()); private final Log logger = LogFactory.getLog(getClass());

72
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtIssuerReactiveAuthenticationManagerResolver.java
View File

@ -32,11 +32,11 @@ import org.springframework.lang.NonNull;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ReactiveAuthenticationManager; import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver; import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders; import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken; import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException; import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.oauth2.server.resource.web.server.ServerBearerTokenAuthenticationConverter;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange; import org.springframework.web.server.ServerWebExchange;
@ -63,9 +63,7 @@ import org.springframework.web.server.ServerWebExchange;
public final class JwtIssuerReactiveAuthenticationManagerResolver public final class JwtIssuerReactiveAuthenticationManagerResolver
implements ReactiveAuthenticationManagerResolver<ServerWebExchange> { implements ReactiveAuthenticationManagerResolver<ServerWebExchange> {
private final ReactiveAuthenticationManagerResolver<String> issuerAuthenticationManagerResolver; private final ReactiveAuthenticationManager authenticationManager;
private Converter<ServerWebExchange, Mono<String>> issuerConverter = new JwtClaimIssuerConverter();
/** /**
* Construct a {@link JwtIssuerReactiveAuthenticationManagerResolver} using the * Construct a {@link JwtIssuerReactiveAuthenticationManagerResolver} using the
@ -83,8 +81,8 @@ public final class JwtIssuerReactiveAuthenticationManagerResolver
*/ */
public JwtIssuerReactiveAuthenticationManagerResolver(Collection<String> trustedIssuers) { public JwtIssuerReactiveAuthenticationManagerResolver(Collection<String> trustedIssuers) {
Assert.notEmpty(trustedIssuers, "trustedIssuers cannot be empty"); Assert.notEmpty(trustedIssuers, "trustedIssuers cannot be empty");
this.issuerAuthenticationManagerResolver = new TrustedIssuerJwtAuthenticationManagerResolver( this.authenticationManager = new ResolvingAuthenticationManager(
new ArrayList<>(trustedIssuers)::contains); new TrustedIssuerJwtAuthenticationManagerResolver(new ArrayList<>(trustedIssuers)::contains));
} }
/** /**
@ -111,7 +109,7 @@ public final class JwtIssuerReactiveAuthenticationManagerResolver
public JwtIssuerReactiveAuthenticationManagerResolver( public JwtIssuerReactiveAuthenticationManagerResolver(
ReactiveAuthenticationManagerResolver<String> issuerAuthenticationManagerResolver) { ReactiveAuthenticationManagerResolver<String> issuerAuthenticationManagerResolver) {
Assert.notNull(issuerAuthenticationManagerResolver, "issuerAuthenticationManagerResolver cannot be null"); Assert.notNull(issuerAuthenticationManagerResolver, "issuerAuthenticationManagerResolver cannot be null");
this.issuerAuthenticationManagerResolver = issuerAuthenticationManagerResolver; this.authenticationManager = new ResolvingAuthenticationManager(issuerAuthenticationManagerResolver);
} }
/** /**
@ -122,61 +120,53 @@ public final class JwtIssuerReactiveAuthenticationManagerResolver
*/ */
@Override @Override
public Mono<ReactiveAuthenticationManager> resolve(ServerWebExchange exchange) { public Mono<ReactiveAuthenticationManager> resolve(ServerWebExchange exchange) {
// @formatter:off return Mono.just(this.authenticationManager);
return this.issuerConverter.convert(exchange)
.flatMap((issuer) -> this.issuerAuthenticationManagerResolver
.resolve(issuer)
.switchIfEmpty(Mono.error(() -> new InvalidBearerTokenException("Invalid issuer " + issuer)))
);
// @formatter:on
} }
/** private static class ResolvingAuthenticationManager implements ReactiveAuthenticationManager {
* Set a custom server bearer token authentication converter
*
* @since 5.5
*/
public void setServerBearerTokenAuthenticationConverter(
ServerBearerTokenAuthenticationConverter serverBearerTokenAuthenticationConverter) {
Assert.notNull(serverBearerTokenAuthenticationConverter,
"serverBearerTokenAuthenticationConverter cannot be null");
this.issuerConverter = new JwtClaimIssuerConverter(serverBearerTokenAuthenticationConverter);
}
private static class JwtClaimIssuerConverter implements Converter<ServerWebExchange, Mono<String>> { private final Converter<BearerTokenAuthenticationToken, Mono<String>> issuerConverter = new JwtClaimIssuerConverter();
private final ServerBearerTokenAuthenticationConverter converter; private final ReactiveAuthenticationManagerResolver<String> issuerAuthenticationManagerResolver;
JwtClaimIssuerConverter() { ResolvingAuthenticationManager(
this(new ServerBearerTokenAuthenticationConverter()); ReactiveAuthenticationManagerResolver<String> issuerAuthenticationManagerResolver) {
}
JwtClaimIssuerConverter(ServerBearerTokenAuthenticationConverter serverBearerTokenAuthenticationConverter) { this.issuerAuthenticationManagerResolver = issuerAuthenticationManagerResolver;
Assert.notNull(serverBearerTokenAuthenticationConverter,
"serverBearerTokenAuthenticationConverter cannot be null");
this.converter = serverBearerTokenAuthenticationConverter;
} }
@Override @Override
public Mono<String> convert(@NonNull ServerWebExchange exchange) { public Mono<Authentication> authenticate(Authentication authentication) {
return this.converter.convert(exchange).map((convertedToken) -> { Assert.isTrue(authentication instanceof BearerTokenAuthenticationToken,
BearerTokenAuthenticationToken token = (BearerTokenAuthenticationToken) convertedToken; "Authentication must be of type BearerTokenAuthenticationToken");
BearerTokenAuthenticationToken token = (BearerTokenAuthenticationToken) authentication;
return this.issuerConverter.convert(token)
.flatMap((issuer) -> this.issuerAuthenticationManagerResolver.resolve(issuer).switchIfEmpty(
Mono.error(() -> new InvalidBearerTokenException("Invalid issuer " + issuer))))
.flatMap((manager) -> manager.authenticate(authentication));
}
}
private static class JwtClaimIssuerConverter implements Converter<BearerTokenAuthenticationToken, Mono<String>> {
@Override
public Mono<String> convert(@NonNull BearerTokenAuthenticationToken token) {
try { try {
String issuer = JWTParser.parse(token.getToken()).getJWTClaimsSet().getIssuer(); String issuer = JWTParser.parse(token.getToken()).getJWTClaimsSet().getIssuer();
if (issuer == null) { if (issuer == null) {
throw new InvalidBearerTokenException("Missing issuer"); throw new InvalidBearerTokenException("Missing issuer");
} }
return issuer; return Mono.just(issuer);
} }
catch (Exception ex) { catch (Exception ex) {
throw new InvalidBearerTokenException(ex.getMessage(), ex); return Mono.error(() -> new InvalidBearerTokenException(ex.getMessage(), ex));
} }
});
} }
} }
private static class TrustedIssuerJwtAuthenticationManagerResolver static class TrustedIssuerJwtAuthenticationManagerResolver
implements ReactiveAuthenticationManagerResolver<String> { implements ReactiveAuthenticationManagerResolver<String> {
private final Map<String, Mono<ReactiveAuthenticationManager>> authenticationManagers = new ConcurrentHashMap<>(); private final Map<String, Mono<ReactiveAuthenticationManager>> authenticationManagers = new ConcurrentHashMap<>();

104
oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtIssuerAuthenticationManagerResolverTests.java
View File

@ -21,8 +21,6 @@ import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader; import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject; import com.nimbusds.jose.JWSObject;
@ -35,21 +33,20 @@ import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer; import okhttp3.mockwebserver.MockWebServer;
import org.junit.Test; import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver; import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.jose.TestKeys; import org.springframework.security.oauth2.jose.TestKeys;
import org.springframework.security.oauth2.jwt.JwtClaimNames; import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver; import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver.TrustedIssuerJwtAuthenticationManagerResolver;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.Mockito.any; import static org.mockito.BDDMockito.mock;
import static org.mockito.Mockito.mock; import static org.mockito.BDDMockito.verify;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.verify;
/** /**
* Tests for {@link JwtIssuerAuthenticationManagerResolver} * Tests for {@link JwtIssuerAuthenticationManagerResolver}
@ -59,7 +56,7 @@ public class JwtIssuerAuthenticationManagerResolverTests {
private static final String DEFAULT_RESPONSE_TEMPLATE = "{\n" + " \"issuer\": \"%s\", \n" private static final String DEFAULT_RESPONSE_TEMPLATE = "{\n" + " \"issuer\": \"%s\", \n"
+ " \"jwks_uri\": \"%s/.well-known/jwks.json\" \n" + "}"; + " \"jwks_uri\": \"%s/.well-known/jwks.json\" \n" + "}";
private static final String JWK_SET = "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"one\",\"n\":\"oXJ8OyOv_eRnce4akdanR4KYRfnC2zLV4uYNQpcFn6oHL0dj7D6kxQmsXoYgJV8ZVDn71KGmuLvolxsDncc2UrhyMBY6DVQVgMSVYaPCTgW76iYEKGgzTEw5IBRQL9w3SRJWd3VJTZZQjkXef48Ocz06PGF3lhbz4t5UEZtdF4rIe7u-977QwHuh7yRPBQ3sII-cVoOUMgaXB9SHcGF2iZCtPzL_IffDUcfhLQteGebhW8A6eUHgpD5A1PQ-JCw_G7UOzZAjjDjtNM2eqm8j-Ms_gqnm4MiCZ4E-9pDN77CAAPVN7kuX6ejs9KBXpk01z48i9fORYk9u7rAkh1HuQw\"}]}"; private static final String JWK_SET = "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"one\",\"n\":\"3FlqJr5TRskIQIgdE3Dd7D9lboWdcTUT8a-fJR7MAvQm7XXNoYkm3v7MQL1NYtDvL2l8CAnc0WdSTINU6IRvc5Kqo2Q4csNX9SHOmEfzoROjQqahEcve1jBXluoCXdYuYpx4_1tfRgG6ii4Uhxh6iI8qNMJQX-fLfqhbfYfxBQVRPywBkAbIP4x1EAsbC6FSNmkhCxiMNqEgxaIpY8C2kJdJ_ZIV-WW4noDdzpKqHcwmB8FsrumlVY_DNVvUSDIipiq9PbP4H99TXN1o746oRaNa07rq1hoCgMSSy-85SagCoxlmyE-D-of9SsMY8Ol9t0rdzpobBuhyJ_o5dfvjKw\"}]}";
private String jwt = jwt("iss", "trusted"); private String jwt = jwt("iss", "trusted");
@ -81,17 +78,36 @@ public class JwtIssuerAuthenticationManagerResolverTests {
.setHeader("Content-Type", "application/json") .setHeader("Content-Type", "application/json")
.setBody(JWK_SET) .setBody(JWK_SET)
); );
server.enqueue(new MockResponse().setResponseCode(200)
.setHeader("Content-Type", "application/json")
.setBody(JWK_SET)
);
// @formatter:on // @formatter:on
JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.RS256), JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.RS256),
new Payload(new JSONObject(Collections.singletonMap(JwtClaimNames.ISS, issuer)))); new Payload(new JSONObject(Collections.singletonMap(JwtClaimNames.ISS, issuer))));
jws.sign(new RSASSASigner(TestKeys.DEFAULT_PRIVATE_KEY)); jws.sign(new RSASSASigner(TestKeys.DEFAULT_PRIVATE_KEY));
JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver( JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver(
issuer); issuer);
MockHttpServletRequest request = new MockHttpServletRequest(); Authentication token = withBearerToken(jws.serialize());
request.addHeader("Authorization", "Bearer " + jws.serialize()); AuthenticationManager authenticationManager = authenticationManagerResolver.resolve(null);
AuthenticationManager authenticationManager = authenticationManagerResolver.resolve(request);
assertThat(authenticationManager).isNotNull(); assertThat(authenticationManager).isNotNull();
AuthenticationManager cachedAuthenticationManager = authenticationManagerResolver.resolve(request); Authentication authentication = authenticationManager.authenticate(token);
assertThat(authentication.isAuthenticated()).isTrue();
}
}
@Test
public void resolveWhenUsingSameIssuerThenReturnsSameAuthenticationManager() throws Exception {
try (MockWebServer server = new MockWebServer()) {
String issuer = server.url("").toString();
server.enqueue(new MockResponse().setResponseCode(200).setHeader("Content-Type", "application/json")
.setBody(String.format(DEFAULT_RESPONSE_TEMPLATE, issuer, issuer)));
server.enqueue(new MockResponse().setResponseCode(200).setHeader("Content-Type", "application/json")
.setBody(JWK_SET));
TrustedIssuerJwtAuthenticationManagerResolver resolver = new TrustedIssuerJwtAuthenticationManagerResolver(
(iss) -> iss.equals(issuer));
AuthenticationManager authenticationManager = resolver.resolve(issuer);
AuthenticationManager cachedAuthenticationManager = resolver.resolve(issuer);
assertThat(authenticationManager).isSameAs(cachedAuthenticationManager); assertThat(authenticationManager).isSameAs(cachedAuthenticationManager);
} }
} }
@ -100,11 +116,10 @@ public class JwtIssuerAuthenticationManagerResolverTests {
public void resolveWhenUsingUntrustedIssuerThenException() { public void resolveWhenUsingUntrustedIssuerThenException() {
JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver( JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver(
"other", "issuers"); "other", "issuers");
MockHttpServletRequest request = new MockHttpServletRequest(); Authentication token = withBearerToken(this.jwt);
request.addHeader("Authorization", "Bearer " + this.jwt);
// @formatter:off // @formatter:off
assertThatExceptionOfType(OAuth2AuthenticationException.class) assertThatExceptionOfType(OAuth2AuthenticationException.class)
.isThrownBy(() -> authenticationManagerResolver.resolve(request)) .isThrownBy(() -> authenticationManagerResolver.resolve(null).authenticate(token))
.withMessageContaining("Invalid issuer"); .withMessageContaining("Invalid issuer");
// @formatter:on // @formatter:on
} }
@ -114,43 +129,30 @@ public class JwtIssuerAuthenticationManagerResolverTests {
AuthenticationManager authenticationManager = mock(AuthenticationManager.class); AuthenticationManager authenticationManager = mock(AuthenticationManager.class);
JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver( JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver(
(issuer) -> authenticationManager); (issuer) -> authenticationManager);
MockHttpServletRequest request = new MockHttpServletRequest(); Authentication token = withBearerToken(this.jwt);
request.addHeader("Authorization", "Bearer " + this.jwt); authenticationManagerResolver.resolve(null).authenticate(token);
assertThat(authenticationManagerResolver.resolve(request)).isSameAs(authenticationManager); verify(authenticationManager).authenticate(token);
}
@Test
public void resolveWhenUsingCustomIssuerAuthenticationManagerResolverAndCustomBearerTokenResolverThenUses() {
AuthenticationManager authenticationManager = mock(AuthenticationManager.class);
JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver(
(issuer) -> authenticationManager);
BearerTokenResolver bearerTokenResolverSpy = spy(new TestBearerTokenResolver());
authenticationManagerResolver.setBearerTokenResolver(bearerTokenResolverSpy);
MockHttpServletRequest request = new MockHttpServletRequest();
request.addHeader("Authorization", "Bearer " + this.jwt);
assertThat(authenticationManagerResolver.resolve(request)).isSameAs(authenticationManager);
verify(bearerTokenResolverSpy).resolve(any());
} }
@Test @Test
public void resolveWhenUsingExternalSourceThenRespondsToChanges() { public void resolveWhenUsingExternalSourceThenRespondsToChanges() {
MockHttpServletRequest request = new MockHttpServletRequest(); Authentication token = withBearerToken(this.jwt);
request.addHeader("Authorization", "Bearer " + this.jwt);
Map<String, AuthenticationManager> authenticationManagers = new HashMap<>(); Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver( JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver(
authenticationManagers::get); authenticationManagers::get);
// @formatter:off // @formatter:off
assertThatExceptionOfType(OAuth2AuthenticationException.class) assertThatExceptionOfType(OAuth2AuthenticationException.class)
.isThrownBy(() -> authenticationManagerResolver.resolve(request)) .isThrownBy(() -> authenticationManagerResolver.resolve(null).authenticate(token))
.withMessageContaining("Invalid issuer"); .withMessageContaining("Invalid issuer");
// @formatter:on // @formatter:on
AuthenticationManager authenticationManager = mock(AuthenticationManager.class); AuthenticationManager authenticationManager = mock(AuthenticationManager.class);
authenticationManagers.put("trusted", authenticationManager); authenticationManagers.put("trusted", authenticationManager);
assertThat(authenticationManagerResolver.resolve(request)).isSameAs(authenticationManager); authenticationManagerResolver.resolve(null).authenticate(token);
verify(authenticationManager).authenticate(token);
authenticationManagers.clear(); authenticationManagers.clear();
// @formatter:off // @formatter:off
assertThatExceptionOfType(OAuth2AuthenticationException.class) assertThatExceptionOfType(OAuth2AuthenticationException.class)
.isThrownBy(() -> authenticationManagerResolver.resolve(request)) .isThrownBy(() -> authenticationManagerResolver.resolve(null).authenticate(token))
.withMessageContaining("Invalid issuer"); .withMessageContaining("Invalid issuer");
// @formatter:on // @formatter:on
} }
@ -159,11 +161,10 @@ public class JwtIssuerAuthenticationManagerResolverTests {
public void resolveWhenBearerTokenMalformedThenException() { public void resolveWhenBearerTokenMalformedThenException() {
JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver( JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver(
"trusted"); "trusted");
MockHttpServletRequest request = new MockHttpServletRequest(); Authentication token = withBearerToken("jwt");
request.addHeader("Authorization", "Bearer jwt");
// @formatter:off // @formatter:off
assertThatExceptionOfType(OAuth2AuthenticationException.class) assertThatExceptionOfType(OAuth2AuthenticationException.class)
.isThrownBy(() -> authenticationManagerResolver.resolve(request)) .isThrownBy(() -> authenticationManagerResolver.resolve(null).authenticate(token))
.withMessageNotContaining("Invalid issuer"); .withMessageNotContaining("Invalid issuer");
// @formatter:on // @formatter:on
} }
@ -172,11 +173,10 @@ public class JwtIssuerAuthenticationManagerResolverTests {
public void resolveWhenBearerTokenNoIssuerThenException() { public void resolveWhenBearerTokenNoIssuerThenException() {
JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver( JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver(
"trusted"); "trusted");
MockHttpServletRequest request = new MockHttpServletRequest(); Authentication token = withBearerToken(this.noIssuer);
request.addHeader("Authorization", "Bearer " + this.noIssuer);
// @formatter:off // @formatter:off
assertThatExceptionOfType(OAuth2AuthenticationException.class) assertThatExceptionOfType(OAuth2AuthenticationException.class)
.isThrownBy(() -> authenticationManagerResolver.resolve(request)) .isThrownBy(() -> authenticationManagerResolver.resolve(null).authenticate(token))
.withMessageContaining("Missing issuer"); .withMessageContaining("Missing issuer");
// @formatter:on // @formatter:on
} }
@ -185,12 +185,11 @@ public class JwtIssuerAuthenticationManagerResolverTests {
public void resolveWhenBearerTokenEvilThenGenericException() { public void resolveWhenBearerTokenEvilThenGenericException() {
JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver( JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver(
"trusted"); "trusted");
MockHttpServletRequest request = new MockHttpServletRequest(); Authentication token = withBearerToken(this.evil);
request.addHeader("Authorization", "Bearer " + this.evil);
// @formatter:off // @formatter:off
assertThatExceptionOfType(OAuth2AuthenticationException.class) assertThatExceptionOfType(OAuth2AuthenticationException.class)
.isThrownBy(() -> authenticationManagerResolver .isThrownBy(() -> authenticationManagerResolver
.resolve(request) .resolve(null).authenticate(token)
) )
.withMessage("Invalid issuer"); .withMessage("Invalid issuer");
// @formatter:on // @formatter:on
@ -210,18 +209,13 @@ public class JwtIssuerAuthenticationManagerResolverTests {
.isThrownBy(() -> new JwtIssuerAuthenticationManagerResolver((AuthenticationManagerResolver) null)); .isThrownBy(() -> new JwtIssuerAuthenticationManagerResolver((AuthenticationManagerResolver) null));
} }
private Authentication withBearerToken(String token) {
return new BearerTokenAuthenticationToken(token);
}
private String jwt(String claim, String value) { private String jwt(String claim, String value) {
PlainJWT jwt = new PlainJWT(new JWTClaimsSet.Builder().claim(claim, value).build()); PlainJWT jwt = new PlainJWT(new JWTClaimsSet.Builder().claim(claim, value).build());
return jwt.serialize(); return jwt.serialize();
} }
static class TestBearerTokenResolver implements BearerTokenResolver {
@Override
public String resolve(HttpServletRequest request) {
return "eyJhbGciOiJub25lIn0.eyJpc3MiOiJ0cnVzdGVkIn0.";
}
}
} }

108
oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtIssuerReactiveAuthenticationManagerResolverTests.java
View File

@ -34,22 +34,22 @@ import okhttp3.mockwebserver.MockWebServer;
import org.junit.Test; import org.junit.Test;
import reactor.core.publisher.Mono; import reactor.core.publisher.Mono;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.authentication.ReactiveAuthenticationManager; import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver; import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.jose.TestKeys; import org.springframework.security.oauth2.jose.TestKeys;
import org.springframework.security.oauth2.jwt.JwtClaimNames; import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.server.resource.web.server.ServerBearerTokenAuthenticationConverter; import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerReactiveAuthenticationManagerResolver.TrustedIssuerJwtAuthenticationManagerResolver;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.Mockito.any; import static org.mockito.BDDMockito.any;
import static org.mockito.Mockito.mock; import static org.mockito.BDDMockito.mock;
import static org.mockito.Mockito.spy; import static org.mockito.BDDMockito.verify;
import static org.mockito.Mockito.verify; import static org.mockito.BDDMockito.when;
/** /**
* Tests for {@link JwtIssuerReactiveAuthenticationManagerResolver} * Tests for {@link JwtIssuerReactiveAuthenticationManagerResolver}
@ -63,7 +63,7 @@ public class JwtIssuerReactiveAuthenticationManagerResolverTests {
+ "}"; + "}";
// @formatter:on // @formatter:on
private static final String JWK_SET = "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"one\",\"n\":\"oXJ8OyOv_eRnce4akdanR4KYRfnC2zLV4uYNQpcFn6oHL0dj7D6kxQmsXoYgJV8ZVDn71KGmuLvolxsDncc2UrhyMBY6DVQVgMSVYaPCTgW76iYEKGgzTEw5IBRQL9w3SRJWd3VJTZZQjkXef48Ocz06PGF3lhbz4t5UEZtdF4rIe7u-977QwHuh7yRPBQ3sII-cVoOUMgaXB9SHcGF2iZCtPzL_IffDUcfhLQteGebhW8A6eUHgpD5A1PQ-JCw_G7UOzZAjjDjtNM2eqm8j-Ms_gqnm4MiCZ4E-9pDN77CAAPVN7kuX6ejs9KBXpk01z48i9fORYk9u7rAkh1HuQw\"}]}"; private static final String JWK_SET = "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"one\",\"n\":\"3FlqJr5TRskIQIgdE3Dd7D9lboWdcTUT8a-fJR7MAvQm7XXNoYkm3v7MQL1NYtDvL2l8CAnc0WdSTINU6IRvc5Kqo2Q4csNX9SHOmEfzoROjQqahEcve1jBXluoCXdYuYpx4_1tfRgG6ii4Uhxh6iI8qNMJQX-fLfqhbfYfxBQVRPywBkAbIP4x1EAsbC6FSNmkhCxiMNqEgxaIpY8C2kJdJ_ZIV-WW4noDdzpKqHcwmB8FsrumlVY_DNVvUSDIipiq9PbP4H99TXN1o746oRaNa07rq1hoCgMSSy-85SagCoxlmyE-D-of9SsMY8Ol9t0rdzpobBuhyJ_o5dfvjKw\"}]}";
private String jwt = jwt("iss", "trusted"); private String jwt = jwt("iss", "trusted");
@ -79,17 +79,34 @@ public class JwtIssuerReactiveAuthenticationManagerResolverTests {
.setBody(String.format(DEFAULT_RESPONSE_TEMPLATE, issuer, issuer))); .setBody(String.format(DEFAULT_RESPONSE_TEMPLATE, issuer, issuer)));
server.enqueue(new MockResponse().setResponseCode(200).setHeader("Content-Type", "application/json") server.enqueue(new MockResponse().setResponseCode(200).setHeader("Content-Type", "application/json")
.setBody(JWK_SET)); .setBody(JWK_SET));
server.enqueue(new MockResponse().setResponseCode(200).setHeader("Content-Type", "application/json")
.setBody(JWK_SET));
JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.RS256), JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.RS256),
new Payload(new JSONObject(Collections.singletonMap(JwtClaimNames.ISS, issuer)))); new Payload(new JSONObject(Collections.singletonMap(JwtClaimNames.ISS, issuer))));
jws.sign(new RSASSASigner(TestKeys.DEFAULT_PRIVATE_KEY)); jws.sign(new RSASSASigner(TestKeys.DEFAULT_PRIVATE_KEY));
JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver( JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver(
issuer); issuer);
MockServerWebExchange exchange = withBearerToken(jws.serialize()); ReactiveAuthenticationManager authenticationManager = authenticationManagerResolver.resolve(null).block();
ReactiveAuthenticationManager authenticationManager = authenticationManagerResolver.resolve(exchange)
.block();
assertThat(authenticationManager).isNotNull(); assertThat(authenticationManager).isNotNull();
ReactiveAuthenticationManager cachedAuthenticationManager = authenticationManagerResolver.resolve(exchange) BearerTokenAuthenticationToken token = withBearerToken(jws.serialize());
.block(); Authentication authentication = authenticationManager.authenticate(token).block();
assertThat(authentication).isNotNull();
assertThat(authentication.isAuthenticated()).isTrue();
}
}
@Test
public void resolveWhenUsingSameIssuerThenReturnsSameAuthenticationManager() throws Exception {
try (MockWebServer server = new MockWebServer()) {
String issuer = server.url("").toString();
server.enqueue(new MockResponse().setResponseCode(200).setHeader("Content-Type", "application/json")
.setBody(String.format(DEFAULT_RESPONSE_TEMPLATE, issuer, issuer)));
server.enqueue(new MockResponse().setResponseCode(200).setHeader("Content-Type", "application/json")
.setBody(JWK_SET));
TrustedIssuerJwtAuthenticationManagerResolver resolver = new TrustedIssuerJwtAuthenticationManagerResolver(
(iss) -> iss.equals(issuer));
ReactiveAuthenticationManager authenticationManager = resolver.resolve(issuer).block();
ReactiveAuthenticationManager cachedAuthenticationManager = resolver.resolve(issuer).block();
assertThat(authenticationManager).isSameAs(cachedAuthenticationManager); assertThat(authenticationManager).isSameAs(cachedAuthenticationManager);
} }
} }
@ -98,53 +115,48 @@ public class JwtIssuerReactiveAuthenticationManagerResolverTests {
public void resolveWhenUsingUntrustedIssuerThenException() { public void resolveWhenUsingUntrustedIssuerThenException() {
JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver( JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver(
"other", "issuers"); "other", "issuers");
MockServerWebExchange exchange = withBearerToken(this.jwt); Authentication token = withBearerToken(this.jwt);
// @formatter:off // @formatter:off
assertThatExceptionOfType(OAuth2AuthenticationException.class) assertThatExceptionOfType(OAuth2AuthenticationException.class)
.isThrownBy(() -> authenticationManagerResolver.resolve(exchange).block()) .isThrownBy(() -> authenticationManagerResolver.resolve(null)
.flatMap((authenticationManager) -> authenticationManager.authenticate(token))
.block())
.withMessageContaining("Invalid issuer"); .withMessageContaining("Invalid issuer");
// @formatter:on // @formatter:on
} }
@Test @Test
public void resolveWhenUsingCustomIssuerAuthenticationManagerResolverThenUses() { public void resolveWhenUsingCustomIssuerAuthenticationManagerResolverThenUses() {
Authentication token = withBearerToken(this.jwt);
ReactiveAuthenticationManager authenticationManager = mock(ReactiveAuthenticationManager.class); ReactiveAuthenticationManager authenticationManager = mock(ReactiveAuthenticationManager.class);
when(authenticationManager.authenticate(token)).thenReturn(Mono.empty());
JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver( JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver(
(issuer) -> Mono.just(authenticationManager)); (issuer) -> Mono.just(authenticationManager));
MockServerWebExchange exchange = withBearerToken(this.jwt); authenticationManagerResolver.resolve(null).flatMap((manager) -> manager.authenticate(token)).block();
assertThat(authenticationManagerResolver.resolve(exchange).block()).isSameAs(authenticationManager); verify(authenticationManager).authenticate(any());
}
@Test
public void resolveWhenUsingCustomIssuerAuthenticationManagerResolverAndCustomServerBearerTokenAuthenticationConverterThenUses() {
ReactiveAuthenticationManager authenticationManager = mock(ReactiveAuthenticationManager.class);
JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver(
(issuer) -> Mono.just(authenticationManager));
ServerBearerTokenAuthenticationConverter serverBearerTokenAuthenticationConverterSpy = spy(
new ServerBearerTokenAuthenticationConverter());
authenticationManagerResolver
.setServerBearerTokenAuthenticationConverter(serverBearerTokenAuthenticationConverterSpy);
MockServerWebExchange exchange = withBearerToken(this.jwt);
assertThat(authenticationManagerResolver.resolve(exchange).block()).isSameAs(authenticationManager);
verify(serverBearerTokenAuthenticationConverterSpy).convert(any());
} }
@Test @Test
public void resolveWhenUsingExternalSourceThenRespondsToChanges() { public void resolveWhenUsingExternalSourceThenRespondsToChanges() {
MockServerWebExchange exchange = withBearerToken(this.jwt); Authentication token = withBearerToken(this.jwt);
Map<String, ReactiveAuthenticationManager> authenticationManagers = new HashMap<>(); Map<String, ReactiveAuthenticationManager> authenticationManagers = new HashMap<>();
JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver( JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver(
(issuer) -> Mono.justOrEmpty(authenticationManagers.get(issuer))); (issuer) -> Mono.justOrEmpty(authenticationManagers.get(issuer)));
assertThatExceptionOfType(OAuth2AuthenticationException.class) assertThatExceptionOfType(OAuth2AuthenticationException.class)
.isThrownBy(() -> authenticationManagerResolver.resolve(exchange).block()) .isThrownBy(() -> authenticationManagerResolver.resolve(null)
.flatMap((manager) -> manager.authenticate(token)).block())
.withMessageContaining("Invalid issuer"); .withMessageContaining("Invalid issuer");
ReactiveAuthenticationManager authenticationManager = mock(ReactiveAuthenticationManager.class); ReactiveAuthenticationManager authenticationManager = mock(ReactiveAuthenticationManager.class);
when(authenticationManager.authenticate(token)).thenReturn(Mono.empty());
authenticationManagers.put("trusted", authenticationManager); authenticationManagers.put("trusted", authenticationManager);
assertThat(authenticationManagerResolver.resolve(exchange).block()).isSameAs(authenticationManager); authenticationManagerResolver.resolve(null).flatMap((manager) -> manager.authenticate(token)).block();
verify(authenticationManager).authenticate(token);
authenticationManagers.clear(); authenticationManagers.clear();
// @formatter:off // @formatter:off
assertThatExceptionOfType(OAuth2AuthenticationException.class) assertThatExceptionOfType(OAuth2AuthenticationException.class)
.isThrownBy(() -> authenticationManagerResolver.resolve(exchange).block()) .isThrownBy(() -> authenticationManagerResolver.resolve(null)
.flatMap((manager) -> manager.authenticate(token))
.block())
.withMessageContaining("Invalid issuer"); .withMessageContaining("Invalid issuer");
// @formatter:on // @formatter:on
} }
@ -153,10 +165,12 @@ public class JwtIssuerReactiveAuthenticationManagerResolverTests {
public void resolveWhenBearerTokenMalformedThenException() { public void resolveWhenBearerTokenMalformedThenException() {
JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver( JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver(
"trusted"); "trusted");
MockServerWebExchange exchange = withBearerToken("jwt"); Authentication token = withBearerToken("jwt");
// @formatter:off // @formatter:off
assertThatExceptionOfType(OAuth2AuthenticationException.class) assertThatExceptionOfType(OAuth2AuthenticationException.class)
.isThrownBy(() -> authenticationManagerResolver.resolve(exchange).block()) .isThrownBy(() -> authenticationManagerResolver.resolve(null)
.flatMap((manager) -> manager.authenticate(token))
.block())
.withMessageNotContaining("Invalid issuer"); .withMessageNotContaining("Invalid issuer");
// @formatter:on // @formatter:on
} }
@ -165,9 +179,10 @@ public class JwtIssuerReactiveAuthenticationManagerResolverTests {
public void resolveWhenBearerTokenNoIssuerThenException() { public void resolveWhenBearerTokenNoIssuerThenException() {
JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver( JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver(
"trusted"); "trusted");
MockServerWebExchange exchange = withBearerToken(this.noIssuer); Authentication token = withBearerToken(this.noIssuer);
assertThatExceptionOfType(OAuth2AuthenticationException.class) assertThatExceptionOfType(OAuth2AuthenticationException.class)
.isThrownBy(() -> authenticationManagerResolver.resolve(exchange).block()) .isThrownBy(() -> authenticationManagerResolver.resolve(null)
.flatMap((manager) -> manager.authenticate(token)).block())
.withMessageContaining("Missing issuer"); .withMessageContaining("Missing issuer");
} }
@ -175,10 +190,12 @@ public class JwtIssuerReactiveAuthenticationManagerResolverTests {
public void resolveWhenBearerTokenEvilThenGenericException() { public void resolveWhenBearerTokenEvilThenGenericException() {
JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver( JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver(
"trusted"); "trusted");
MockServerWebExchange exchange = withBearerToken(this.evil); Authentication token = withBearerToken(this.evil);
// @formatter:off // @formatter:off
assertThatExceptionOfType(OAuth2AuthenticationException.class) assertThatExceptionOfType(OAuth2AuthenticationException.class)
.isThrownBy(() -> authenticationManagerResolver.resolve(exchange).block()) .isThrownBy(() -> authenticationManagerResolver.resolve(null)
.flatMap((manager) -> manager.authenticate(token))
.block())
.withMessage("Invalid token"); .withMessage("Invalid token");
// @formatter:on // @formatter:on
} }
@ -202,13 +219,8 @@ public class JwtIssuerReactiveAuthenticationManagerResolverTests {
return jwt.serialize(); return jwt.serialize();
} }
private MockServerWebExchange withBearerToken(String token) { private BearerTokenAuthenticationToken withBearerToken(String token) {
// @formatter:off return new BearerTokenAuthenticationToken(token);
MockServerHttpRequest request = MockServerHttpRequest.get("/")
.header("Authorization", "Bearer " + token)
.build();
// @formatter:on
return MockServerWebExchange.from(request);
} }
} }