239 Commits

Author SHA1 Message Date
Phillip Webb
5f64f53c3f Use consistent "@" tag order in Javadoc
Ensure that Javadoc "@" tags appear in a consistent and well defined
order.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb
b7fc18262d Reformat code using spring-javaformat
Run `./gradlew format` to reformat all java files.

Issue gh-8945
2020-08-24 17:32:56 -05:00
Dávid Kováč
dfaf251970 Resolve Bearer token after subscribing to publisher
Bearer token was resolved immediately after calling method convert. In situations when malformed token was provided or authorization header and access token query param were present in request exception was thrown instead of signalling error.
After this change Bearer token is resolved on subscription and invalid states are handled by signaling error to subscriber.

Closes gh-8865
2020-08-03 11:04:21 -05:00
Josh Cummings
d3bea02124
Polish Bearer Token Padding
Issue gh-8502
2020-07-15 18:14:39 -06:00
kothasa
d38dabac02
Bearer Token Padding
Closes gh-8502
2020-07-15 18:13:51 -06:00
Josh Cummings
221c33f558
Polish OAuth2IntrospectionAuthenticatedPrincipal
Removed some duplication by delegating to
DefaultOAuth2AuthenticatedPrincipal

Changed order of listed interfaces to satisfy compiler issue. When
listed with OAuth2AuthenticatedPrincipal first, then
OAuth2ResourceServerBeanDefinitionParserTests would fail to import
OpaqueTokenBeanDefinitionParser. Switching
OAuth2AuthenticatedPrincipal with OAuth2IntrospectionClaimAccessor
resolved the compilation issue.

Issue gh-6489
2020-07-09 18:01:55 -06:00
Dávid Kováč
af1c96b425
Simplify OAuth 2.0 Introspection Attribute Retrieval
In order to simplify retrieving of OAuth 2.0 Introspection specific
attributes, OAuth2IntrospectionClaimAccessor interface was introduced
and also new OAuth2AuthenticatedPrincipal implementing this new
interface (OAuth2IntrospectionAuthenticatedPrincipal).

Also DefaultOAuth2AuthenticatedPrincipal was replaced by
OAuth2IntrospectionAuthenticatedPrincipal in cases where OAuth 2.0
Introspection is performed (NimbusOpaqueTokenIntrospector,
NimbusReactiveOpaqueTokenIntrospector).

DefaultOAuth2AuthenticatedPrincipal can be still used by applications
that introspected the token without OAuth 2.0 Introspection.

OAuth2IntrospectionAuthenticatedPrincipal will also be used as a
default principal in tests where request is post-processed/mutated
by OpaqueTokenRequestPostProcessor/OpaqueTokenMutator.

Closes gh-6489
2020-07-09 17:26:13 -06:00
Rob Winch
ca1252be94 Replace whitelist with allowlist
Issue gh-8676
2020-06-10 11:49:21 -05:00
Julian Müller
60d4d5b7ee Enables empty authorityPrefix
- docs stated that empty authorityPrefix are allowed but implementation denied to use `""`
- commit removes the `hasText`-limitation but restricts to `notNull`

Fixes gh-8421
2020-04-22 08:52:54 -05:00
Evgeniy Cheban
a70d55552b
Resource Server Finds JwtAuthenticationConverter Beans
Fixes gh-8185
2020-04-13 22:47:20 -06:00
Teddy Reinert
2f8eb16d76
Allow custom header during bearer token extraction
Added ability to specify the header that
ServerBearerTokenAuthenticationConverter and
DefaultBearerTokenResolver use to extract a Bearer Token.

Fixes gh-8337
2020-04-09 10:36:03 -06:00
Evgeniy Cheban
25fb1f417d Added setPrincipalClaimName to JwtAuthenticationConverter
Fixes gh-8186
2020-04-07 16:20:43 -06:00
Roman Matiushchenko
9d66f2ccce polish gh-7996
Make defensive collection copy as Collections.unmodifiableCollection
does not protect from the source collection direct modification.
Use Mono#map instead of Mono#flatMap as it allocates less.
Use less operators to reduce allocations.
Use lambda parameter instead of outer method parameter
in authenticationManagers#computeIfAbsent()
to make it non capturing so it could be cached by JVM.
Propagate cause for InvalidBearerTokenException.
2020-02-27 09:29:43 -07:00
Roman Matiushchenko
04e671fb4d Instantiate exceptions lazily
Add lazy Exception instantiation to reduce allocations

Fixes gh-7995
2020-02-27 09:29:43 -07:00
Joe Grandja
fa73b1397a Add missing @FunctionalInterface in oauth2 modules
Fixes gh-8020
2020-02-24 11:53:30 -05:00
Josh Cummings
a90e579350 Add JwtIssuerReactiveAuthenticationManagerResolver
Fixes gh-7857
2020-02-06 13:45:13 -07:00
Josh Cummings
209c81d65d
Add BadOpaqueTokenException
Updated NimbusOpaqueTokenIntrospector and
NimbusReactiveOpaqueTokenIntrospector to throw.
Updated OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager to catch.

Fixes gh-7902
2020-02-04 17:33:08 -07:00
Josh Cummings
0c3754c811
Add BadJwtException
Updated NimbusJwtDecoder and NimbusReactiveJwtDecoder to throw.
Updated JwtAuthenticationProvider and JwtReactiveAuthenticationManager
to catch.

Fixes gh-7885
2020-02-04 17:33:08 -07:00
Josh Cummings
fbdecdafb8
Add Mapping to Invalid Bearer Token
Fixes gh-7793
2020-02-04 17:33:08 -07:00
Josh Cummings
3e07b35611
Polish Bearer Token Error Handling
Issue gh-7822
Issue gh-7823
2020-02-03 17:54:39 -07:00
Josh Cummings
1b15f74f57
Add InvalidBearerTokenException
Fixes gh-7822
2020-02-03 17:54:39 -07:00
Josh Cummings
7b2fcd17f5
Add BearerTokenErrors
Fixes gh-7823
2020-02-03 17:54:33 -07:00
Josh Cummings
de87675f6d Add JwtIssuerAuthenticationManagerResolver
Fixes gh-7724
2020-01-07 23:30:42 -07:00
Rob Winch
65981444f1 Use Version Ranges
Fixes gh-7788
2020-01-06 14:46:48 -06:00
Josh Cummings
ed02ef9773
Add Test for Malformed Scope
Fixes gh-7563
2019-10-28 16:55:56 -06:00
Josh Cummings
387f765595
Catch Malformed BearerTokenError Descriptions
Fixes gh-7549
2019-10-28 12:30:27 -06:00
Josh Cummings
33ba292fed
Resource Server w/ SecurityReactorContextSubscriber
Fixes gh-7423
2019-09-27 11:01:04 -06:00
Rob Winch
00f8991fac Merge Remove Redudant Throws
Fixes gh-7301
2019-09-19 11:04:53 -05:00
Josh Cummings
05caf3d8fb
Use Jwt.Builder
Fixes gh-7443
2019-09-16 14:00:25 -06:00
Josh Cummings
101e0a21a8 Bearer WebClient Filter Authentication Propagation
Fixes: gh-7418
2019-09-11 16:27:21 +01:00
Josh Cummings
099d49aa40 Simplify currentAuthentication() 2019-09-04 15:33:41 -06:00
Josh Cummings
40ff837713 Polish Server|ServletBearerExchangeFilterFunction
Fixes gh-7353
2019-09-04 15:33:41 -06:00
Josh Cummings
d7f7e9d4b7 Add Jwt to BearerTokenAuthentication Converter
Fixes gh-7346
2019-09-03 15:58:05 -06:00
Josh Cummings
068f4f0147 Polish Opaque Token
Use OAuth2AuthenticatedPrincipal
Use BearerTokenAuthentication
Update names to reflect more generic approach.

Fixes gh-7344
Fixes gh-7345
2019-09-03 15:58:05 -06:00
Josh Cummings
c019507770 Add BearerTokenAuthentication
Fixes gh-7343
2019-09-03 15:58:05 -06:00
Josh Cummings
f350988285 Add Servlet and ServerBearerExchangeFilterFunction
Fixes gh-5334
Fixes gh-7284
2019-09-03 15:29:06 -06:00
kostya05983
f6c650db47
Replace Streams with Loops
First version of replacing streams

fix wwwAuthenticate and codestyle

fix errors in implementation to pass tests

Fix review notes

Remove uneccessary final to align with cb

Short circuit way to authorize

Simplify error message, make code readably

Return error while duplicate key found

Delete check for duplicate, checkstyle issues

Return duplicate error

Fixes gh-7154
2019-09-02 15:30:48 -06:00
Lars Grefer
95511331fa fix checkstyle 2019-08-26 22:42:26 +02:00
watsta
2c2e8e5f24 Remove internal Optional usage in favor of null checks
Issue gh-7155
2019-08-26 09:27:40 -04:00
Lars Grefer
34dd5fea30 Remove redundant throws clauses
Removes exceptions that are declared in a method's signature but never thrown by the method itself or its implementations/derivatives.
2019-08-23 01:03:54 +02:00
Rob Winch
a377581951 Fix WebClient Memory Leaks
WebClient exchange requires that the body is consumed. Before this commit
there were places where an Exception was thrown without consuming the body
if the status was not successful. There was also the potential for the
statusCode invocation to throw an Exception of the status code was not
defined which would cause a leak.

This commit ensures that before the Exception is thrown the body is
consumed. It also uses the http status in a way that will ensure an
Exception is not thrown.

Fixes gh-7293
2019-08-21 12:46:11 -05:00
Andreas Falk
766c4434d4 Improve test coverage of JwtGrantedAuthoritiesConverter
Some negative test cases were missing. Added these to have
full test coverage for JwtGrantedAuthoritiesConverter.
2019-08-19 21:14:07 -04:00
Andreas Falk
0a058c973a Add setter for authorities claim name in JwtGrantedAuthoritiesConverter
Prior to this change authorities are always mapped using well known
claim names ('scope' or 'scp'). To change this default behaviour the
converter had to be replaced completely with a custom one.
This commit adds an additional setter to configure a custom
claim name like e.g. 'roles'. Without specifying a custom claim name
the default claims to be used still remains to the well known ones.
This way the authorities can be mapped according to customized
token claims.

Fixes gh-7100
2019-08-19 21:14:07 -04:00
Andreas Falk
b45e57cc40 Add setter for authority prefix in JwtGrantedAuthoritiesConverter
Prior to this change mapped authorities are always prefixed
with default value 'SCOPE_'. To change this default behaviour the
converter had to be replaced completely with a custom one.
This commit adds an additional setter to configure a custom
authority prefix like e.g. 'ROLE_'. Without specifying a custom prefix
the default prefix still remains 'SCOPE_'.
This way existing authorization checks using the standard 'ROLE_'
prefix can be reused without lots of effort.

Fixes gh-7101
2019-08-14 11:25:42 -04:00
Josh Cummings
4ed197e515 Rename OAuth2TokenIntrospectionClient
Renamed to OpaqueTokenIntrospector

Fixes gh-7245
2019-08-12 18:05:28 -04:00
Lars Grefer
ff1070df36 remove redundant modifiers found by checkstyle 2019-08-10 00:18:56 +02:00
Josh Cummings
d843818e48
Polish JwtGrantedAuthoritiesConverter
Rework the implementation so that it is clearer that authorities are
derived from a single claim.

Issue: gh-6273
2019-08-02 14:54:04 -06:00
Eddú Meléndez
50adb6abcb Fix javadoc 2019-07-31 15:36:30 -04:00
matkocsis
e584207a85 Loggin Fix for printing the full stack trace, spring-projects/spring-security#7110 2019-07-23 16:48:37 -05:00
Édouard Hue
e8dd1325fd Fixed misleading OAuth2 error messages
Error messages sent by BearerTokenAccessDeniedHandler included
information about the scopes of the rejected token instead of
the scopes required by the resource.
* Removal of token scopes from error_description attribute.
* Removal of scope attribute from WWW-Authenticate response header.

Fixes gh-7089
2019-07-18 07:01:33 -04:00