Polish spring-security-oauth2-resource-server main code
Manually polish `spring-security-oauth-resource-server` following the formatting and checkstyle fixes. Issue gh-8945
This commit is contained in:
Phillip Webb
Rob Winch
parent
20aa8bef25
commit
ba19a9e4b6
|
|
@ -40,7 +40,7 @@ public class BearerTokenAuthenticationToken extends AbstractAuthenticationToken
|
|||
|
||||
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
|
||||
|
||||
private String token;
|
||||
private final String token;
|
||||
|
||||
/**
|
||||
* Create a {@code BearerTokenAuthenticationToken} using the provided parameter(s)
|
||||
|
|
@ -48,9 +48,7 @@ public class BearerTokenAuthenticationToken extends AbstractAuthenticationToken
|
|||
*/
|
||||
public BearerTokenAuthenticationToken(String token) {
|
||||
super(Collections.emptyList());
|
||||
|
||||
Assert.hasText(token, "token cannot be empty");
|
||||
|
||||
this.token = token;
|
||||
}
|
||||
|
||||
|
|
@ -65,17 +63,11 @@ public class BearerTokenAuthenticationToken extends AbstractAuthenticationToken
|
|||
return this.token;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public Object getCredentials() {
|
||||
return this.getToken();
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public Object getPrincipal() {
|
||||
return this.getToken();
|
||||
|
|
|
|||
|
|
@ -59,7 +59,6 @@ public final class BearerTokenError extends OAuth2Error {
|
|||
String scope) {
|
||||
super(errorCode, description, errorUri);
|
||||
Assert.notNull(httpStatus, "httpStatus cannot be null");
|
||||
|
||||
Assert.isTrue(isDescriptionValid(description),
|
||||
"description contains invalid ASCII characters, it must conform to RFC 6750");
|
||||
Assert.isTrue(isErrorCodeValid(errorCode),
|
||||
|
|
@ -67,7 +66,6 @@ public final class BearerTokenError extends OAuth2Error {
|
|||
Assert.isTrue(isErrorUriValid(errorUri),
|
||||
"errorUri contains invalid ASCII characters, it must conform to RFC 6750");
|
||||
Assert.isTrue(isScopeValid(scope), "scope contains invalid ASCII characters, it must conform to RFC 6750");
|
||||
|
||||
this.httpStatus = httpStatus;
|
||||
this.scope = scope;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -36,6 +36,9 @@ public final class BearerTokenErrors {
|
|||
|
||||
private static final String DEFAULT_URI = "https://tools.ietf.org/html/rfc6750#section-3.1";
|
||||
|
||||
private BearerTokenErrors() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a {@link BearerTokenError} caused by an invalid request
|
||||
* @param message a description of the error
|
||||
|
|
@ -46,7 +49,7 @@ public final class BearerTokenErrors {
|
|||
return new BearerTokenError(BearerTokenErrorCodes.INVALID_REQUEST, HttpStatus.BAD_REQUEST, message,
|
||||
DEFAULT_URI);
|
||||
}
|
||||
catch (IllegalArgumentException malformed) {
|
||||
catch (IllegalArgumentException ex) {
|
||||
// some third-party library error messages are not suitable for RFC 6750's
|
||||
// error message charset
|
||||
return DEFAULT_INVALID_REQUEST;
|
||||
|
|
@ -63,7 +66,7 @@ public final class BearerTokenErrors {
|
|||
return new BearerTokenError(BearerTokenErrorCodes.INVALID_TOKEN, HttpStatus.UNAUTHORIZED, message,
|
||||
DEFAULT_URI);
|
||||
}
|
||||
catch (IllegalArgumentException malformed) {
|
||||
catch (IllegalArgumentException ex) {
|
||||
// some third-party library error messages are not suitable for RFC 6750's
|
||||
// error message charset
|
||||
return DEFAULT_INVALID_TOKEN;
|
||||
|
|
@ -80,14 +83,11 @@ public final class BearerTokenErrors {
|
|||
return new BearerTokenError(BearerTokenErrorCodes.INSUFFICIENT_SCOPE, HttpStatus.FORBIDDEN, message,
|
||||
DEFAULT_URI, scope);
|
||||
}
|
||||
catch (IllegalArgumentException malformed) {
|
||||
catch (IllegalArgumentException ex) {
|
||||
// some third-party library error messages are not suitable for RFC 6750's
|
||||
// error message charset
|
||||
return DEFAULT_INSUFFICIENT_SCOPE;
|
||||
}
|
||||
}
|
||||
|
||||
private BearerTokenErrors() {
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -84,17 +84,11 @@ public abstract class AbstractOAuth2TokenAuthenticationToken<T extends AbstractO
|
|||
this.token = token;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public Object getPrincipal() {
|
||||
return this.principal;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public Object getCredentials() {
|
||||
return this.credentials;
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ public class BearerTokenAuthentication extends AbstractOAuth2TokenAuthentication
|
|||
|
||||
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
|
||||
|
||||
private Map<String, Object> attributes;
|
||||
private final Map<String, Object> attributes;
|
||||
|
||||
/**
|
||||
* Constructs a {@link BearerTokenAuthentication} with the provided arguments
|
||||
|
|
@ -50,7 +50,6 @@ public class BearerTokenAuthentication extends AbstractOAuth2TokenAuthentication
|
|||
*/
|
||||
public BearerTokenAuthentication(OAuth2AuthenticatedPrincipal principal, OAuth2AccessToken credentials,
|
||||
Collection<? extends GrantedAuthority> authorities) {
|
||||
|
||||
super(credentials, principal, credentials, authorities);
|
||||
Assert.isTrue(credentials.getTokenType() == OAuth2AccessToken.TokenType.BEARER,
|
||||
"credentials must be a bearer token");
|
||||
|
|
@ -58,9 +57,6 @@ public class BearerTokenAuthentication extends AbstractOAuth2TokenAuthentication
|
|||
setAuthenticated(true);
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public Map<String, Object> getTokenAttributes() {
|
||||
return this.attributes;
|
||||
|
|
|
|||
|
|
@ -43,7 +43,6 @@ public class JwtAuthenticationConverter implements Converter<Jwt, AbstractAuthen
|
|||
if (this.principalClaimName == null) {
|
||||
return new JwtAuthenticationToken(jwt, authorities);
|
||||
}
|
||||
|
||||
String name = jwt.getClaim(this.principalClaimName);
|
||||
return new JwtAuthenticationToken(jwt, authorities, name);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -80,10 +80,15 @@ public final class JwtAuthenticationProvider implements AuthenticationProvider {
|
|||
@Override
|
||||
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
|
||||
BearerTokenAuthenticationToken bearer = (BearerTokenAuthenticationToken) authentication;
|
||||
Jwt jwt = getJwt(bearer);
|
||||
AbstractAuthenticationToken token = this.jwtAuthenticationConverter.convert(jwt);
|
||||
token.setDetails(bearer.getDetails());
|
||||
return token;
|
||||
}
|
||||
|
||||
Jwt jwt;
|
||||
private Jwt getJwt(BearerTokenAuthenticationToken bearer) {
|
||||
try {
|
||||
jwt = this.jwtDecoder.decode(bearer.getToken());
|
||||
return this.jwtDecoder.decode(bearer.getToken());
|
||||
}
|
||||
catch (BadJwtException failed) {
|
||||
throw new InvalidBearerTokenException(failed.getMessage(), failed);
|
||||
|
|
@ -91,16 +96,8 @@ public final class JwtAuthenticationProvider implements AuthenticationProvider {
|
|||
catch (JwtException failed) {
|
||||
throw new AuthenticationServiceException(failed.getMessage(), failed);
|
||||
}
|
||||
|
||||
AbstractAuthenticationToken token = this.jwtAuthenticationConverter.convert(jwt);
|
||||
token.setDetails(bearer.getDetails());
|
||||
|
||||
return token;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public boolean supports(Class<?> authentication) {
|
||||
return BearerTokenAuthenticationToken.class.isAssignableFrom(authentication);
|
||||
|
|
@ -108,7 +105,6 @@ public final class JwtAuthenticationProvider implements AuthenticationProvider {
|
|||
|
||||
public void setJwtAuthenticationConverter(
|
||||
Converter<Jwt, ? extends AbstractAuthenticationToken> jwtAuthenticationConverter) {
|
||||
|
||||
Assert.notNull(jwtAuthenticationConverter, "jwtAuthenticationConverter cannot be null");
|
||||
this.jwtAuthenticationConverter = jwtAuthenticationConverter;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -72,9 +72,6 @@ public class JwtAuthenticationToken extends AbstractOAuth2TokenAuthenticationTok
|
|||
this.name = name;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public Map<String, Object> getTokenAttributes() {
|
||||
return this.getToken().getClaims();
|
||||
|
|
|
|||
|
|
@ -52,10 +52,8 @@ public final class JwtBearerTokenAuthenticationConverter implements Converter<Jw
|
|||
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, jwt.getTokenValue(),
|
||||
jwt.getIssuedAt(), jwt.getExpiresAt());
|
||||
Map<String, Object> attributes = jwt.getClaims();
|
||||
|
||||
AbstractAuthenticationToken token = this.jwtAuthenticationConverter.convert(jwt);
|
||||
Collection<GrantedAuthority> authorities = token.getAuthorities();
|
||||
|
||||
OAuth2AuthenticatedPrincipal principal = new DefaultOAuth2AuthenticatedPrincipal(attributes, authorities);
|
||||
return new BearerTokenAuthentication(principal, accessToken, authorities);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -84,11 +84,9 @@ public final class JwtGrantedAuthoritiesConverter implements Converter<Jwt, Coll
|
|||
}
|
||||
|
||||
private String getAuthoritiesClaimName(Jwt jwt) {
|
||||
|
||||
if (this.authoritiesClaimName != null) {
|
||||
return this.authoritiesClaimName;
|
||||
}
|
||||
|
||||
for (String claimName : WELL_KNOWN_AUTHORITIES_CLAIM_NAMES) {
|
||||
if (jwt.containsClaim(claimName)) {
|
||||
return claimName;
|
||||
|
|
@ -99,24 +97,19 @@ public final class JwtGrantedAuthoritiesConverter implements Converter<Jwt, Coll
|
|||
|
||||
private Collection<String> getAuthorities(Jwt jwt) {
|
||||
String claimName = getAuthoritiesClaimName(jwt);
|
||||
|
||||
if (claimName == null) {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
Object authorities = jwt.getClaim(claimName);
|
||||
if (authorities instanceof String) {
|
||||
if (StringUtils.hasText((String) authorities)) {
|
||||
return Arrays.asList(((String) authorities).split(" "));
|
||||
}
|
||||
else {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
return Collections.emptyList();
|
||||
}
|
||||
else if (authorities instanceof Collection) {
|
||||
if (authorities instanceof Collection) {
|
||||
return (Collection<String>) authorities;
|
||||
}
|
||||
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -110,7 +110,6 @@ public final class JwtIssuerReactiveAuthenticationManagerResolver
|
|||
*/
|
||||
public JwtIssuerReactiveAuthenticationManagerResolver(
|
||||
ReactiveAuthenticationManagerResolver<String> issuerAuthenticationManagerResolver) {
|
||||
|
||||
Assert.notNull(issuerAuthenticationManagerResolver, "issuerAuthenticationManagerResolver cannot be null");
|
||||
this.issuerAuthenticationManagerResolver = issuerAuthenticationManagerResolver;
|
||||
}
|
||||
|
|
@ -141,9 +140,7 @@ public final class JwtIssuerReactiveAuthenticationManagerResolver
|
|||
if (issuer == null) {
|
||||
throw new InvalidBearerTokenException("Missing issuer");
|
||||
}
|
||||
else {
|
||||
return issuer;
|
||||
}
|
||||
return issuer;
|
||||
}
|
||||
catch (Exception ex) {
|
||||
throw new InvalidBearerTokenException(ex.getMessage(), ex);
|
||||
|
|
|
|||
|
|
@ -65,7 +65,6 @@ public final class JwtReactiveAuthenticationManager implements ReactiveAuthentic
|
|||
*/
|
||||
public void setJwtAuthenticationConverter(
|
||||
Converter<Jwt, ? extends Mono<? extends AbstractAuthenticationToken>> jwtAuthenticationConverter) {
|
||||
|
||||
Assert.notNull(jwtAuthenticationConverter, "jwtAuthenticationConverter cannot be null");
|
||||
this.jwtAuthenticationConverter = jwtAuthenticationConverter;
|
||||
}
|
||||
|
|
@ -74,9 +73,7 @@ public final class JwtReactiveAuthenticationManager implements ReactiveAuthentic
|
|||
if (ex instanceof BadJwtException) {
|
||||
return new InvalidBearerTokenException(ex.getMessage(), ex);
|
||||
}
|
||||
else {
|
||||
return new AuthenticationServiceException(ex.getMessage(), ex);
|
||||
}
|
||||
return new AuthenticationServiceException(ex.getMessage(), ex);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -86,10 +86,15 @@ public final class OpaqueTokenAuthenticationProvider implements AuthenticationPr
|
|||
return null;
|
||||
}
|
||||
BearerTokenAuthenticationToken bearer = (BearerTokenAuthenticationToken) authentication;
|
||||
OAuth2AuthenticatedPrincipal principal = getOAuth2AuthenticatedPrincipal(bearer);
|
||||
AbstractAuthenticationToken result = convert(principal, bearer.getToken());
|
||||
result.setDetails(bearer.getDetails());
|
||||
return result;
|
||||
}
|
||||
|
||||
OAuth2AuthenticatedPrincipal principal;
|
||||
private OAuth2AuthenticatedPrincipal getOAuth2AuthenticatedPrincipal(BearerTokenAuthenticationToken bearer) {
|
||||
try {
|
||||
principal = this.introspector.introspect(bearer.getToken());
|
||||
return this.introspector.introspect(bearer.getToken());
|
||||
}
|
||||
catch (BadOpaqueTokenException failed) {
|
||||
throw new InvalidBearerTokenException(failed.getMessage());
|
||||
|
|
@ -97,15 +102,8 @@ public final class OpaqueTokenAuthenticationProvider implements AuthenticationPr
|
|||
catch (OAuth2IntrospectionException failed) {
|
||||
throw new AuthenticationServiceException(failed.getMessage());
|
||||
}
|
||||
|
||||
AbstractAuthenticationToken result = convert(principal, bearer.getToken());
|
||||
result.setDetails(bearer.getDetails());
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public boolean supports(Class<?> authentication) {
|
||||
return BearerTokenAuthenticationToken.class.isAssignableFrom(authentication);
|
||||
|
|
|
|||
|
|
@ -84,7 +84,6 @@ public class OpaqueTokenReactiveAuthenticationManager implements ReactiveAuthent
|
|||
return this.introspector.introspect(token).map((principal) -> {
|
||||
Instant iat = principal.getAttribute(OAuth2IntrospectionClaimNames.ISSUED_AT);
|
||||
Instant exp = principal.getAttribute(OAuth2IntrospectionClaimNames.EXPIRES_AT);
|
||||
|
||||
// construct token
|
||||
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, token, iat, exp);
|
||||
return new BearerTokenAuthentication(principal, accessToken, principal.getAuthorities());
|
||||
|
|
@ -95,9 +94,7 @@ public class OpaqueTokenReactiveAuthenticationManager implements ReactiveAuthent
|
|||
if (ex instanceof BadOpaqueTokenException) {
|
||||
return new InvalidBearerTokenException(ex.getMessage(), ex);
|
||||
}
|
||||
else {
|
||||
return new AuthenticationServiceException(ex.getMessage(), ex);
|
||||
}
|
||||
return new AuthenticationServiceException(ex.getMessage(), ex);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -74,7 +74,6 @@ public class NimbusOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
|
|||
Assert.notNull(introspectionUri, "introspectionUri cannot be null");
|
||||
Assert.notNull(clientId, "clientId cannot be null");
|
||||
Assert.notNull(clientSecret, "clientSecret cannot be null");
|
||||
|
||||
this.requestEntityConverter = this.defaultRequestEntityConverter(URI.create(introspectionUri));
|
||||
RestTemplate restTemplate = new RestTemplate();
|
||||
restTemplate.getInterceptors().add(new BasicAuthenticationInterceptor(clientId, clientSecret));
|
||||
|
|
@ -92,7 +91,6 @@ public class NimbusOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
|
|||
public NimbusOpaqueTokenIntrospector(String introspectionUri, RestOperations restOperations) {
|
||||
Assert.notNull(introspectionUri, "introspectionUri cannot be null");
|
||||
Assert.notNull(restOperations, "restOperations cannot be null");
|
||||
|
||||
this.requestEntityConverter = this.defaultRequestEntityConverter(URI.create(introspectionUri));
|
||||
this.restOperations = restOperations;
|
||||
}
|
||||
|
|
@ -117,27 +115,21 @@ public class NimbusOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
|
|||
return body;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public OAuth2AuthenticatedPrincipal introspect(String token) {
|
||||
RequestEntity<?> requestEntity = this.requestEntityConverter.convert(token);
|
||||
if (requestEntity == null) {
|
||||
throw new OAuth2IntrospectionException("requestEntityConverter returned a null entity");
|
||||
}
|
||||
|
||||
ResponseEntity<String> responseEntity = makeRequest(requestEntity);
|
||||
HTTPResponse httpResponse = adaptToNimbusResponse(responseEntity);
|
||||
TokenIntrospectionResponse introspectionResponse = parseNimbusResponse(httpResponse);
|
||||
TokenIntrospectionSuccessResponse introspectionSuccessResponse = castToNimbusSuccess(introspectionResponse);
|
||||
|
||||
// relying solely on the authorization server to validate this token (not checking
|
||||
// 'exp', for example)
|
||||
if (!introspectionSuccessResponse.isActive()) {
|
||||
throw new BadOpaqueTokenException("Provided token isn't active");
|
||||
}
|
||||
|
||||
return convertClaimsSet(introspectionSuccessResponse);
|
||||
}
|
||||
|
||||
|
|
@ -149,7 +141,6 @@ public class NimbusOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
|
|||
*/
|
||||
public void setRequestEntityConverter(Converter<String, RequestEntity<?>> requestEntityConverter) {
|
||||
Assert.notNull(requestEntityConverter, "requestEntityConverter cannot be null");
|
||||
|
||||
this.requestEntityConverter = requestEntityConverter;
|
||||
}
|
||||
|
||||
|
|
@ -166,7 +157,6 @@ public class NimbusOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
|
|||
HTTPResponse response = new HTTPResponse(responseEntity.getStatusCodeValue());
|
||||
response.setHeader(HttpHeaders.CONTENT_TYPE, responseEntity.getHeaders().getContentType().toString());
|
||||
response.setContent(responseEntity.getBody());
|
||||
|
||||
if (response.getStatusCode() != HTTPResponse.SC_OK) {
|
||||
throw new OAuth2IntrospectionException("Introspection endpoint responded with " + response.getStatusCode());
|
||||
}
|
||||
|
|
@ -219,12 +209,10 @@ public class NimbusOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
|
|||
if (response.getScope() != null) {
|
||||
List<String> scopes = Collections.unmodifiableList(response.getScope().toStringList());
|
||||
claims.put(OAuth2IntrospectionClaimNames.SCOPE, scopes);
|
||||
|
||||
for (String scope : scopes) {
|
||||
authorities.add(new SimpleGrantedAuthority(this.authorityPrefix + scope));
|
||||
}
|
||||
}
|
||||
|
||||
return new OAuth2IntrospectionAuthenticatedPrincipal(claims, authorities);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -54,9 +54,9 @@ import org.springframework.web.reactive.function.client.WebClient;
|
|||
*/
|
||||
public class NimbusReactiveOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
|
||||
|
||||
private URI introspectionUri;
|
||||
private final URI introspectionUri;
|
||||
|
||||
private WebClient webClient;
|
||||
private final WebClient webClient;
|
||||
|
||||
private String authorityPrefix = "SCOPE_";
|
||||
|
||||
|
|
@ -71,7 +71,6 @@ public class NimbusReactiveOpaqueTokenIntrospector implements ReactiveOpaqueToke
|
|||
Assert.hasText(introspectionUri, "introspectionUri cannot be empty");
|
||||
Assert.hasText(clientId, "clientId cannot be empty");
|
||||
Assert.notNull(clientSecret, "clientSecret cannot be null");
|
||||
|
||||
this.introspectionUri = URI.create(introspectionUri);
|
||||
this.webClient = WebClient.builder().defaultHeaders((h) -> h.setBasicAuth(clientId, clientSecret)).build();
|
||||
}
|
||||
|
|
@ -85,14 +84,10 @@ public class NimbusReactiveOpaqueTokenIntrospector implements ReactiveOpaqueToke
|
|||
public NimbusReactiveOpaqueTokenIntrospector(String introspectionUri, WebClient webClient) {
|
||||
Assert.hasText(introspectionUri, "introspectionUri cannot be null");
|
||||
Assert.notNull(webClient, "webClient cannot be null");
|
||||
|
||||
this.introspectionUri = URI.create(introspectionUri);
|
||||
this.webClient = webClient;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {
|
||||
return Mono.just(token).flatMap(this::makeRequest).flatMap(this::adaptToNimbusResponse)
|
||||
|
|
@ -177,7 +172,6 @@ public class NimbusReactiveOpaqueTokenIntrospector implements ReactiveOpaqueToke
|
|||
authorities.add(new SimpleGrantedAuthority(this.authorityPrefix + scope));
|
||||
}
|
||||
}
|
||||
|
||||
return new OAuth2IntrospectionAuthenticatedPrincipal(claims, authorities);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -45,7 +45,6 @@ public final class OAuth2IntrospectionAuthenticatedPrincipal
|
|||
*/
|
||||
public OAuth2IntrospectionAuthenticatedPrincipal(Map<String, Object> attributes,
|
||||
Collection<GrantedAuthority> authorities) {
|
||||
|
||||
this.delegate = new DefaultOAuth2AuthenticatedPrincipal(attributes, authorities);
|
||||
}
|
||||
|
||||
|
|
@ -58,7 +57,6 @@ public final class OAuth2IntrospectionAuthenticatedPrincipal
|
|||
*/
|
||||
public OAuth2IntrospectionAuthenticatedPrincipal(String name, Map<String, Object> attributes,
|
||||
Collection<GrantedAuthority> authorities) {
|
||||
|
||||
this.delegate = new DefaultOAuth2AuthenticatedPrincipal(name, attributes, authorities);
|
||||
}
|
||||
|
||||
|
|
@ -81,17 +79,11 @@ public final class OAuth2IntrospectionAuthenticatedPrincipal
|
|||
return this.delegate.getAuthorities();
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public String getName() {
|
||||
return this.delegate.getName();
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public Map<String, Object> getClaims() {
|
||||
return getAttributes();
|
||||
|
|
|
|||
|
|
@ -59,41 +59,29 @@ public final class BearerTokenAuthenticationEntryPoint implements Authentication
|
|||
@Override
|
||||
public void commence(HttpServletRequest request, HttpServletResponse response,
|
||||
AuthenticationException authException) {
|
||||
|
||||
HttpStatus status = HttpStatus.UNAUTHORIZED;
|
||||
|
||||
Map<String, String> parameters = new LinkedHashMap<>();
|
||||
|
||||
if (this.realmName != null) {
|
||||
parameters.put("realm", this.realmName);
|
||||
}
|
||||
|
||||
if (authException instanceof OAuth2AuthenticationException) {
|
||||
OAuth2Error error = ((OAuth2AuthenticationException) authException).getError();
|
||||
|
||||
parameters.put("error", error.getErrorCode());
|
||||
|
||||
if (StringUtils.hasText(error.getDescription())) {
|
||||
parameters.put("error_description", error.getDescription());
|
||||
}
|
||||
|
||||
if (StringUtils.hasText(error.getUri())) {
|
||||
parameters.put("error_uri", error.getUri());
|
||||
}
|
||||
|
||||
if (error instanceof BearerTokenError) {
|
||||
BearerTokenError bearerTokenError = (BearerTokenError) error;
|
||||
|
||||
if (StringUtils.hasText(bearerTokenError.getScope())) {
|
||||
parameters.put("scope", bearerTokenError.getScope());
|
||||
}
|
||||
|
||||
status = ((BearerTokenError) error).getHttpStatus();
|
||||
}
|
||||
}
|
||||
|
||||
String wwwAuthenticate = computeWWWAuthenticateHeaderValue(parameters);
|
||||
|
||||
response.addHeader(HttpHeaders.WWW_AUTHENTICATE, wwwAuthenticate);
|
||||
response.setStatus(status.value());
|
||||
}
|
||||
|
|
@ -109,20 +97,17 @@ public final class BearerTokenAuthenticationEntryPoint implements Authentication
|
|||
private static String computeWWWAuthenticateHeaderValue(Map<String, String> parameters) {
|
||||
StringBuilder wwwAuthenticate = new StringBuilder();
|
||||
wwwAuthenticate.append("Bearer");
|
||||
|
||||
if (!parameters.isEmpty()) {
|
||||
wwwAuthenticate.append(" ");
|
||||
int i = 0;
|
||||
for (Map.Entry<String, String> entry : parameters.entrySet()) {
|
||||
wwwAuthenticate.append(entry.getKey()).append("=\"").append(entry.getValue()).append("\"");
|
||||
|
||||
if (i != parameters.size() - 1) {
|
||||
wwwAuthenticate.append(", ");
|
||||
}
|
||||
i++;
|
||||
}
|
||||
}
|
||||
|
||||
return wwwAuthenticate.toString();
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -74,7 +74,6 @@ public final class BearerTokenAuthenticationFilter extends OncePerRequestFilter
|
|||
*/
|
||||
public BearerTokenAuthenticationFilter(
|
||||
AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver) {
|
||||
|
||||
Assert.notNull(authenticationManagerResolver, "authenticationManagerResolver cannot be null");
|
||||
this.authenticationManagerResolver = authenticationManagerResolver;
|
||||
}
|
||||
|
|
@ -101,11 +100,7 @@ public final class BearerTokenAuthenticationFilter extends OncePerRequestFilter
|
|||
@Override
|
||||
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
|
||||
throws ServletException, IOException {
|
||||
|
||||
final boolean debug = this.logger.isDebugEnabled();
|
||||
|
||||
String token;
|
||||
|
||||
try {
|
||||
token = this.bearerTokenResolver.resolve(request);
|
||||
}
|
||||
|
|
@ -113,33 +108,23 @@ public final class BearerTokenAuthenticationFilter extends OncePerRequestFilter
|
|||
this.authenticationEntryPoint.commence(request, response, invalid);
|
||||
return;
|
||||
}
|
||||
|
||||
if (token == null) {
|
||||
filterChain.doFilter(request, response);
|
||||
return;
|
||||
}
|
||||
|
||||
BearerTokenAuthenticationToken authenticationRequest = new BearerTokenAuthenticationToken(token);
|
||||
|
||||
authenticationRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
|
||||
|
||||
try {
|
||||
AuthenticationManager authenticationManager = this.authenticationManagerResolver.resolve(request);
|
||||
Authentication authenticationResult = authenticationManager.authenticate(authenticationRequest);
|
||||
|
||||
SecurityContext context = SecurityContextHolder.createEmptyContext();
|
||||
context.setAuthentication(authenticationResult);
|
||||
SecurityContextHolder.setContext(context);
|
||||
|
||||
filterChain.doFilter(request, response);
|
||||
}
|
||||
catch (AuthenticationException failed) {
|
||||
SecurityContextHolder.clearContext();
|
||||
|
||||
if (debug) {
|
||||
this.logger.debug("Authentication request for failed!", failed);
|
||||
}
|
||||
|
||||
this.logger.debug("Authentication request for failed!", failed);
|
||||
this.authenticationFailureHandler.onAuthenticationFailure(request, response, failed);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -46,9 +46,6 @@ public final class DefaultBearerTokenResolver implements BearerTokenResolver {
|
|||
|
||||
private String bearerTokenHeaderName = HttpHeaders.AUTHORIZATION;
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public String resolve(HttpServletRequest request) {
|
||||
String authorizationHeaderToken = resolveFromAuthorizationHeader(request);
|
||||
|
|
@ -61,7 +58,7 @@ public final class DefaultBearerTokenResolver implements BearerTokenResolver {
|
|||
}
|
||||
return authorizationHeaderToken;
|
||||
}
|
||||
else if (parameterToken != null && isParameterTokenSupportedForRequest(request)) {
|
||||
if (parameterToken != null && isParameterTokenSupportedForRequest(request)) {
|
||||
return parameterToken;
|
||||
}
|
||||
return null;
|
||||
|
|
@ -104,17 +101,15 @@ public final class DefaultBearerTokenResolver implements BearerTokenResolver {
|
|||
|
||||
private String resolveFromAuthorizationHeader(HttpServletRequest request) {
|
||||
String authorization = request.getHeader(this.bearerTokenHeaderName);
|
||||
if (StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
|
||||
Matcher matcher = authorizationPattern.matcher(authorization);
|
||||
|
||||
if (!matcher.matches()) {
|
||||
BearerTokenError error = BearerTokenErrors.invalidToken("Bearer token is malformed");
|
||||
throw new OAuth2AuthenticationException(error);
|
||||
}
|
||||
|
||||
return matcher.group("token");
|
||||
if (!StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
|
||||
return null;
|
||||
}
|
||||
return null;
|
||||
Matcher matcher = authorizationPattern.matcher(authorization);
|
||||
if (!matcher.matches()) {
|
||||
BearerTokenError error = BearerTokenErrors.invalidToken("Bearer token is malformed");
|
||||
throw new OAuth2AuthenticationException(error);
|
||||
}
|
||||
return matcher.group("token");
|
||||
}
|
||||
|
||||
private static String resolveFromRequestParameters(HttpServletRequest request) {
|
||||
|
|
@ -122,11 +117,9 @@ public final class DefaultBearerTokenResolver implements BearerTokenResolver {
|
|||
if (values == null || values.length == 0) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if (values.length == 1) {
|
||||
return values[0];
|
||||
}
|
||||
|
||||
BearerTokenError error = BearerTokenErrors.invalidRequest("Found multiple bearer tokens in the request");
|
||||
throw new OAuth2AuthenticationException(error);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -59,22 +59,17 @@ public final class BearerTokenAccessDeniedHandler implements AccessDeniedHandler
|
|||
@Override
|
||||
public void handle(HttpServletRequest request, HttpServletResponse response,
|
||||
AccessDeniedException accessDeniedException) {
|
||||
|
||||
Map<String, String> parameters = new LinkedHashMap<>();
|
||||
|
||||
if (this.realmName != null) {
|
||||
parameters.put("realm", this.realmName);
|
||||
}
|
||||
|
||||
if (request.getUserPrincipal() instanceof AbstractOAuth2TokenAuthenticationToken) {
|
||||
parameters.put("error", BearerTokenErrorCodes.INSUFFICIENT_SCOPE);
|
||||
parameters.put("error_description",
|
||||
"The request requires higher privileges than provided by the access token.");
|
||||
parameters.put("error_uri", "https://tools.ietf.org/html/rfc6750#section-3.1");
|
||||
}
|
||||
|
||||
String wwwAuthenticate = computeWWWAuthenticateHeaderValue(parameters);
|
||||
|
||||
response.addHeader(HttpHeaders.WWW_AUTHENTICATE, wwwAuthenticate);
|
||||
response.setStatus(HttpStatus.FORBIDDEN.value());
|
||||
}
|
||||
|
|
@ -90,20 +85,17 @@ public final class BearerTokenAccessDeniedHandler implements AccessDeniedHandler
|
|||
private static String computeWWWAuthenticateHeaderValue(Map<String, String> parameters) {
|
||||
StringBuilder wwwAuthenticate = new StringBuilder();
|
||||
wwwAuthenticate.append("Bearer");
|
||||
|
||||
if (!parameters.isEmpty()) {
|
||||
wwwAuthenticate.append(" ");
|
||||
int i = 0;
|
||||
for (Map.Entry<String, String> entry : parameters.entrySet()) {
|
||||
wwwAuthenticate.append(entry.getKey()).append("=\"").append(entry.getValue()).append("\"");
|
||||
|
||||
if (i != parameters.size() - 1) {
|
||||
wwwAuthenticate.append(", ");
|
||||
}
|
||||
i++;
|
||||
}
|
||||
}
|
||||
|
||||
return wwwAuthenticate.toString();
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -55,13 +55,10 @@ public class BearerTokenServerAccessDeniedHandler implements ServerAccessDeniedH
|
|||
|
||||
@Override
|
||||
public Mono<Void> handle(ServerWebExchange exchange, AccessDeniedException denied) {
|
||||
|
||||
Map<String, String> parameters = new LinkedHashMap<>();
|
||||
|
||||
if (this.realmName != null) {
|
||||
parameters.put("realm", this.realmName);
|
||||
}
|
||||
|
||||
return exchange.getPrincipal().filter(AbstractOAuth2TokenAuthenticationToken.class::isInstance)
|
||||
.map((token) -> errorMessageParameters(parameters)).switchIfEmpty(Mono.just(parameters))
|
||||
.flatMap((params) -> respond(exchange, params));
|
||||
|
|
@ -80,7 +77,6 @@ public class BearerTokenServerAccessDeniedHandler implements ServerAccessDeniedH
|
|||
parameters.put("error_description",
|
||||
"The request requires higher privileges than provided by the access token.");
|
||||
parameters.put("error_uri", "https://tools.ietf.org/html/rfc6750#section-3.1");
|
||||
|
||||
return parameters;
|
||||
}
|
||||
|
||||
|
|
@ -105,7 +101,6 @@ public class BearerTokenServerAccessDeniedHandler implements ServerAccessDeniedH
|
|||
i++;
|
||||
}
|
||||
}
|
||||
|
||||
return wwwAuthenticate.toString();
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -51,9 +51,6 @@ import org.springframework.web.reactive.function.client.ExchangeFunction;
|
|||
*/
|
||||
public final class ServerBearerExchangeFilterFunction implements ExchangeFilterFunction {
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public Mono<ClientResponse> filter(ClientRequest request, ExchangeFunction next) {
|
||||
return oauth2Token().map((token) -> bearer(request, token)).defaultIfEmpty(request).flatMap(next::exchange);
|
||||
|
|
|
|||
|
|
@ -62,9 +62,6 @@ public final class ServletBearerExchangeFilterFunction implements ExchangeFilter
|
|||
|
||||
static final String SECURITY_REACTOR_CONTEXT_ATTRIBUTES_KEY = "org.springframework.security.SECURITY_CONTEXT_ATTRIBUTES";
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public Mono<ClientResponse> filter(ClientRequest request, ExchangeFunction next) {
|
||||
return oauth2Token().map((token) -> bearer(request, token)).defaultIfEmpty(request).flatMap(next::exchange);
|
||||
|
|
|
|||
|
|
@ -59,7 +59,6 @@ public final class BearerTokenServerAuthenticationEntryPoint implements ServerAu
|
|||
public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException authException) {
|
||||
return Mono.defer(() -> {
|
||||
HttpStatus status = getStatus(authException);
|
||||
|
||||
Map<String, String> parameters = createParameters(authException);
|
||||
String wwwAuthenticate = computeWWWAuthenticateHeaderValue(parameters);
|
||||
ServerHttpResponse response = exchange.getResponse();
|
||||
|
|
@ -74,23 +73,17 @@ public final class BearerTokenServerAuthenticationEntryPoint implements ServerAu
|
|||
if (this.realmName != null) {
|
||||
parameters.put("realm", this.realmName);
|
||||
}
|
||||
|
||||
if (authException instanceof OAuth2AuthenticationException) {
|
||||
OAuth2Error error = ((OAuth2AuthenticationException) authException).getError();
|
||||
|
||||
parameters.put("error", error.getErrorCode());
|
||||
|
||||
if (StringUtils.hasText(error.getDescription())) {
|
||||
parameters.put("error_description", error.getDescription());
|
||||
}
|
||||
|
||||
if (StringUtils.hasText(error.getUri())) {
|
||||
parameters.put("error_uri", error.getUri());
|
||||
}
|
||||
|
||||
if (error instanceof BearerTokenError) {
|
||||
BearerTokenError bearerTokenError = (BearerTokenError) error;
|
||||
|
||||
if (StringUtils.hasText(bearerTokenError.getScope())) {
|
||||
parameters.put("scope", bearerTokenError.getScope());
|
||||
}
|
||||
|
|
@ -112,7 +105,6 @@ public final class BearerTokenServerAuthenticationEntryPoint implements ServerAu
|
|||
private static String computeWWWAuthenticateHeaderValue(Map<String, String> parameters) {
|
||||
StringBuilder wwwAuthenticate = new StringBuilder();
|
||||
wwwAuthenticate.append("Bearer");
|
||||
|
||||
if (!parameters.isEmpty()) {
|
||||
wwwAuthenticate.append(" ");
|
||||
int i = 0;
|
||||
|
|
@ -124,7 +116,6 @@ public final class BearerTokenServerAuthenticationEntryPoint implements ServerAu
|
|||
i++;
|
||||
}
|
||||
}
|
||||
|
||||
return wwwAuthenticate.toString();
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -74,7 +74,7 @@ public class ServerBearerTokenAuthenticationConverter implements ServerAuthentic
|
|||
}
|
||||
return authorizationHeaderToken;
|
||||
}
|
||||
else if (parameterToken != null && isParameterTokenSupportedForRequest(request)) {
|
||||
if (parameterToken != null && isParameterTokenSupportedForRequest(request)) {
|
||||
return parameterToken;
|
||||
}
|
||||
return null;
|
||||
|
|
@ -107,17 +107,15 @@ public class ServerBearerTokenAuthenticationConverter implements ServerAuthentic
|
|||
|
||||
private String resolveFromAuthorizationHeader(HttpHeaders headers) {
|
||||
String authorization = headers.getFirst(this.bearerTokenHeaderName);
|
||||
if (StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
|
||||
Matcher matcher = authorizationPattern.matcher(authorization);
|
||||
|
||||
if (!matcher.matches()) {
|
||||
BearerTokenError error = invalidTokenError();
|
||||
throw new OAuth2AuthenticationException(error);
|
||||
}
|
||||
|
||||
return matcher.group("token");
|
||||
if (!StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
|
||||
return null;
|
||||
}
|
||||
return null;
|
||||
Matcher matcher = authorizationPattern.matcher(authorization);
|
||||
if (!matcher.matches()) {
|
||||
BearerTokenError error = invalidTokenError();
|
||||
throw new OAuth2AuthenticationException(error);
|
||||
}
|
||||
return matcher.group("token");
|
||||
}
|
||||
|
||||
private static BearerTokenError invalidTokenError() {
|
||||
|
|
|
|||
Loading…
Reference in New Issue