OAuth2AuthorizationRequestRedirectFilterTests attempt to validate the constructors throw IllegalArgumentException if an invalid argument is provided, but
they are flawed because it is the relective code that is throwing the IllegalArgumentException due to imprecise type information.
This changes the tests to no longer use unnecessary reflection and casts the types so that the type information is used to target the correct
constructor.
Closes gh-18507
To prevent future compiler warnings from being introduced, this change
applies the `compile-warnings-error` plugin to the
`spring-security-oauth2-core` module.
This ensures that any new warnings will fail the build, maintaining
code quality and preventing warning accumulation.
Fixes: gh-18434
Signed-off-by: Pavel Vassiliev <paulvas@gmail.com>
Signed-off-by: paulvas <paulvas@gmail.com>
This test encodes an JWT with NimbusJwtEncoder, and then decodes it with
NimbusJwtDecoder.
This test will fail when NimbusJwtEncoder emits a JWT with a wrong `typ'
parameter in the header, as NimbusJwtDecoder validates the JWT with
JwtTypeValidator by default. It may be beneficial for finding out other
similiar bugs too.
Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>
The warning is unnecessary since PKCE only applies to authorization_code
flow and the code already corrects this silently.
Closes: gh-18221
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
- We should not introduce an unnecessary public API
- It would need to be removed when Jackson 2 support was removed, but
was required to configure Jackson 3 support
- There are already existing interfaces that could be used
- OAuth2AuthorizationRowMapper & OAuth2AuthorizationParametersMapper had
unnecessary breaking changes by removing getter/setter for ObjectMapper
- To prevent NoClassDefFoundErrors all optional (Jackson) dependencies
need to be on different classes & we wish to preserve the existing
accessors for ObjectMapper which is this uses subclasses
- With added TestAuthenticationTokenMixin support, no need to explicitly
add it in tests
This commit introduces classpath checks and instantiation of
JacksonJsonHttpMessageConverter (based on Jackson 3) leveraging
a new GenericHttpMessageConverterAdapter which allows to adapt
SmartHttpMessageConverter to GenericHttpMessageConverter.
See gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
This commit does not cover webauthn which is a special case (uses
jackson sub-package for Jackson 2 support) which will be handled in
a distinct commit.
See gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
This commit adds support for Jackson 3 which has the following
major differences with the Jackson 2 one:
- jackson subpackage instead of jackson2
- Jackson type prefix instead of Jackson2
- JsonMapper instead of ObjectMapper
- For configuration, JsonMapper.Builder instead of ObjectMapper
since the latter is now immutable
- Remove custom support for unmodifiable collections
- Use safe default typing via a PolymorphicTypeValidator
Jackson 3 changes compared to Jackson 2 are documented in
https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a
and
https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md.
This commit does not cover webauthn which is a special case (uses
jackson sub-package for Jackson 2 support) which will be handled in
a distinct commit.
See gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
Since RC1 is right around the corner, let's change the API
footprint as little as possible by using reflection to check
if a class has declared toBuilder themselves. If they have, we
can assume that that class's builder will produce that class.
Issue gh-18052
This reverts commit 95644fb73cd405ef4fd683e12773289343547fec, reversing
changes made to fbf7bb3be1eb7bff50cf311e8df7a869e7d9d21b.
Reverting this commit will allow us more time to
consider the ideal way to add this support to the public API.
This commit consolidates logic common to applying one
authenticaiton to another. Specifically, it will copy the
authorities in one authentication into the builder instance
of another.
Closes gh-18053
Previously GrantedAuthorities had an implicit package tangle because it
was located in ~.core and FactorGrantedAuthority is in ~.core.authority
and FactorGrantedAuthority's authority property was implicitly expected
to be constants found in `GrantedAuthorities`.
This commit moves the constants to the FactorGrantedAuthority which
resolves this tangle. It wasn't initially done because
FactorGrantedAuthority did not exist at that time.
Closes gh-18030
