From b7ce65b284fd7a651c60d3e7970fcd22599a85e1 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Sat, 29 Feb 2020 13:07:39 -0700 Subject: [PATCH] Register Authentication Provider in Init Phase Fixes gh-8031 --- .../OAuth2ResourceServerConfigurer.java | 38 +++++++++---------- .../OAuth2ResourceServerConfigurerTests.java | 31 ++++++++++++++- 2 files changed, 49 insertions(+), 20 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java index 490dc7f597..e203194ed5 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java @@ -160,6 +160,25 @@ public final class OAuth2ResourceServerConfigurer jwtAuthenticationConverter = + this.jwtConfigurer.getJwtAuthenticationConverter(); + + JwtAuthenticationProvider provider = + new JwtAuthenticationProvider(decoder); + provider.setJwtAuthenticationConverter(jwtAuthenticationConverter); + provider = postProcess(provider); + + http.authenticationProvider(provider); + registerDefaultAccessDeniedHandler(http); registerDefaultEntryPoint(http); registerDefaultCsrfOverride(http); @@ -179,25 +198,6 @@ public final class OAuth2ResourceServerConfigurer jwtAuthenticationConverter = - this.jwtConfigurer.getJwtAuthenticationConverter(); - - JwtAuthenticationProvider provider = - new JwtAuthenticationProvider(decoder); - provider.setJwtAuthenticationConverter(jwtAuthenticationConverter); - provider = postProcess(provider); - - http.authenticationProvider(provider); } public class JwtConfigurer { 
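Review bot: The provider registration now placed in the init phase carries no comment recording why it cannot stay in configure(), so the next refactor can move it back and silently reintroduce gh-8031; the commit message gives the reason only by issue number. A one-line comment at the top of the moved block would pin it, e.g. `// gh-8031: must run in init(), before HttpSecurity builds its AuthenticationManager` — the build ordering is inferred from the fix and the new test rather than visible here, so confirm it against HttpSecurity before wording it as fact. As rendered, this hunk has lost text around the generic type of jwtAuthenticationConverter and the enclosing method's signature is not visible, so check the exact insertion point in the file. The second hunk on this line is the matching pure removal from configure() and needs no separate note.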
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
index 99cde97018..3d7558467e 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
@@ -298,6 +298,18 @@ public class OAuth2ResourceServerConfigurerTests {
 .andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer"));
 }
 
+ // gh-8031
+ @Test
+ public void getWhenAnonymousDisabledThenAllows() throws Exception {
+ this.spring.register(JwtDecoderConfig.class, AnonymousDisabledConfig.class).autowire();
+ JwtDecoder decoder = this.spring.getContext().getBean(JwtDecoder.class);
+ when(decoder.decode(anyString())).thenReturn(JWT);
+
+ this.mvc.perform(get("/authenticated")
+ .with(bearerToken("token")))
+ .andExpect(status().isNotFound());
+ }
+
 @Test
 public void getWhenUsingDefaultsWithNoBearerTokenThenUnauthorized()
 throws Exception {
@@ -652,7 +664,8 @@ public class OAuth2ResourceServerConfigurerTests {
 @Test
 public void getBearerTokenResolverWhenDuplicateResolverBeansThenWiringException() {
- assertThatCode(() -> this.spring.register(MultipleBearerTokenResolverBeansConfig.class).autowire())
+ assertThatCode(() -> this.spring
+ .register(JwtDecoderConfig.class, MultipleBearerTokenResolverBeansConfig.class).autowire())
 .isInstanceOf(BeanCreationException.class)
 .hasRootCauseInstanceOf(NoUniqueBeanDefinitionException.class);
 }
 
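Review bot: getWhenAnonymousDisabledThenAllows asserts only `status().isNotFound()`, which shows the request was not rejected with 401 but not that the bearer token actually authenticated the caller; a later change that bypassed the resource server for `/authenticated` entirely would still pass. If the class already has a controller mapped to `/authenticated` (not visible in this hunk), registering it alongside AnonymousDisabledConfig and asserting `status().isOk()` with the expected principal would make the test name literally true. Otherwise a comment on the assertion, `// 404 rather than 401: the token was accepted and the request reached the dispatcher`, records what the status is standing in for.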
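Review bot: getBearerTokenResolverWhenDuplicateResolverBeansThenWiringException now needs JwtDecoderConfig although the test is about duplicate BearerTokenResolver beans, and nothing says why; from the main-source hunk the decoder is now resolved in the init phase, so without a decoder bean the wiring would presumably fail on the missing decoder before the duplicate-resolver failure this test asserts. A comment on the register call would keep the next reader from dropping the extra config: `// a JwtDecoder bean is required because the decoder is looked up during init(), ahead of the resolver wiring under test`. Since that failure moved earlier in the lifecycle, a companion test pinning what a missing JwtDecoder bean now produces would also be worth adding.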
@@ -1097,6 +1110,22 @@ public class OAuth2ResourceServerConfigurerTests {
 }
 }
 
+ @EnableWebSecurity
+ static class AnonymousDisabledConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // @formatter:off
+ http
+ .authorizeRequests()
+ .anyRequest().authenticated()
+ .and()
+ .anonymous().disable()
+ .oauth2ResourceServer()
+ .jwt();
+ // @formatter:on
+ }
+ }
+
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 static class MethodSecurityConfig extends WebSecurityConfigurerAdapter {
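Review bot: AnonymousDisabledConfig has no comment tying it to the scenario it exists for, and it depends on a JwtDecoder bean supplied by a separate config (the new test registers JwtDecoderConfig next to it), which a reader of this fixture alone cannot see. A header comment would make it self-describing: `// gh-8031: with anonymous() disabled no other provider is registered, so the JWT provider must be in place before the AuthenticationManager is built; pair with JwtDecoderConfig`. The causal clause is inferred from the fix rather than shown here, so phrase it as the issue describes it.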