Don't Cache ReactiveJwtDecoders Errors

Closes gh-10444
This commit is contained in:
Josh Cummings 2021-11-10 17:33:03 -07:00
parent 89db1c37a3
commit f89a34c30b
3 changed files with 56 additions and 1 deletions

View File

@ -16,6 +16,7 @@
package org.springframework.security.oauth2.server.resource.authentication;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
@ -174,7 +175,7 @@ public final class JwtIssuerReactiveAuthenticationManagerResolver
return this.authenticationManagers.computeIfAbsent(issuer,
(k) -> Mono.<ReactiveAuthenticationManager>fromCallable(() -> new JwtReactiveAuthenticationManager(ReactiveJwtDecoders.fromIssuerLocation(k)))
.subscribeOn(Schedulers.boundedElastic())
.cache()
.cache((manager) -> Duration.ofMillis(Long.MAX_VALUE), (ex) -> Duration.ZERO, () -> Duration.ZERO)
);
// @formatter:on
}

View File

@ -84,6 +84,35 @@ public class JwtIssuerAuthenticationManagerResolverTests {
}
}
@Test
public void resolveWhednUsingTrustedIssuerThenReturnsAuthenticationManager() throws Exception {
try (MockWebServer server = new MockWebServer()) {
server.start();
String issuer = server.url("").toString();
// @formatter:off
server.enqueue(new MockResponse().setResponseCode(500)
.setHeader("Content-Type", "application/json")
.setBody(String.format(DEFAULT_RESPONSE_TEMPLATE, issuer, issuer))
);
server.enqueue(new MockResponse().setResponseCode(200)
.setHeader("Content-Type", "application/json")
.setBody(String.format(DEFAULT_RESPONSE_TEMPLATE, issuer, issuer))
);
// @formatter:on
JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.RS256),
new Payload(new JSONObject(Collections.singletonMap(JwtClaimNames.ISS, issuer))));
jws.sign(new RSASSASigner(TestKeys.DEFAULT_PRIVATE_KEY));
JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver(
issuer);
MockHttpServletRequest request = new MockHttpServletRequest();
request.addHeader("Authorization", "Bearer " + jws.serialize());
assertThatExceptionOfType(IllegalArgumentException.class)
.isThrownBy(() -> authenticationManagerResolver.resolve(request));
AuthenticationManager authenticationManager = authenticationManagerResolver.resolve(request);
assertThat(authenticationManager).isNotNull();
}
}
@Test
public void resolveWhenUsingUntrustedIssuerThenException() {
JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver(

View File

@ -86,6 +86,31 @@ public class JwtIssuerReactiveAuthenticationManagerResolverTests {
}
}
// gh-10444
@Test
public void resolveWhednUsingTrustedIssuerThenReturnsAuthenticationManager() throws Exception {
try (MockWebServer server = new MockWebServer()) {
String issuer = server.url("").toString();
// @formatter:off
server.enqueue(new MockResponse().setResponseCode(500).setHeader("Content-Type", "application/json")
.setBody(String.format(DEFAULT_RESPONSE_TEMPLATE, issuer, issuer)));
server.enqueue(new MockResponse().setResponseCode(200).setHeader("Content-Type", "application/json")
.setBody(String.format(DEFAULT_RESPONSE_TEMPLATE, issuer, issuer)));
// @formatter:on
JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.RS256),
new Payload(new JSONObject(Collections.singletonMap(JwtClaimNames.ISS, issuer))));
jws.sign(new RSASSASigner(TestKeys.DEFAULT_PRIVATE_KEY));
JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver(
issuer);
MockServerWebExchange exchange = withBearerToken(jws.serialize());
assertThatExceptionOfType(IllegalArgumentException.class)
.isThrownBy(() -> authenticationManagerResolver.resolve(exchange).block());
ReactiveAuthenticationManager authenticationManager = authenticationManagerResolver.resolve(exchange)
.block();
assertThat(authenticationManager).isNotNull();
}
}
@Test
public void resolveWhenUsingUntrustedIssuerThenException() {
JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver(