mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-08 05:02:13 +00:00
120 lines
3.4 KiB
Plaintext
120 lines
3.4 KiB
Plaintext
= OAuth 2.0 Migrations
|
|
|
|
== Validate `typ` Header with `JwtTypeValidator`
|
|
|
|
If when following the 6.5 preparatory steps you set `validateTypes` to `false`, you can now remove it.
|
|
You can also remove explicitly adding `JwtTypeValidator` to the list of defaults.
|
|
|
|
For example, change this:
|
|
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
@Bean
|
|
JwtDecoder jwtDecoder() {
|
|
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
|
|
.validateTypes(false) <1>
|
|
// ... your remaining configuration
|
|
.build();
|
|
jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
|
|
new JwtIssuerValidator(location), JwtTypeValidator.jwt())); <2>
|
|
return jwtDecoder;
|
|
}
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@Bean
|
|
fun jwtDecoder(): JwtDecoder {
|
|
val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
|
|
.validateTypes(false) <1>
|
|
// ... your remaining configuration
|
|
.build()
|
|
jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
|
|
JwtIssuerValidator(location), JwtTypeValidator.jwt())) <2>
|
|
return jwtDecoder
|
|
}
|
|
----
|
|
======
|
|
<1> - Switch off Nimbus verifying the `typ`
|
|
<2> - Add the default `typ` validator
|
|
|
|
to this:
|
|
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
@Bean
|
|
JwtDecoder jwtDecoder() {
|
|
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
|
|
// ... your remaining configuration <1>
|
|
.build();
|
|
jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(location)); <2>
|
|
return jwtDecoder;
|
|
}
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@Bean
|
|
fun jwtDecoder(): JwtDecoder {
|
|
val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
|
|
// ... your remaining configuration
|
|
.build()
|
|
jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(location)) <2>
|
|
return jwtDecoder
|
|
}
|
|
----
|
|
======
|
|
<1> - `validateTypes` now defaults to `false`
|
|
<2> - `JwtTypeValidator#jwt` is added by all `createDefaultXXX` methods
|
|
|
|
== Do Not Process `<saml2:Response>` GET Requests with `Saml2AuthenticationTokenConverter`
|
|
|
|
Spring Security does not support processing `<saml2:Response>` payloads over GET as this is not supported by the SAML 2.0 spec.
|
|
|
|
To better comply with this, `Saml2AuthenticationTokenConverter` will not process GET requests by default as of Spring Security 8.
|
|
To prepare for this, the property `shouldConvertGetRequests` is available.
|
|
To use it, publish your own `Saml2AuthenticationTokenConverter` like so:
|
|
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
@Bean
|
|
Saml2AuthenticationTokenConverter authenticationConverter(RelyingPartyRegistrationRepository registrations) {
|
|
Saml2AuhenticationTokenConverter authenticationConverter = new Saml2AuthenticationTokenConverter(
|
|
new DefaultRelyingPartyRegistrationResolver(registrations));
|
|
authenticationConverter.setShouldConvertGetRequests(false);
|
|
return authenticationConverter;
|
|
}
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@Bean
|
|
fun authenticationConverter(val registrations: RelyingPartyRegistrationRepository): Saml2AuthenticationTokenConverter {
|
|
val authenticationConverter = new Saml2AuthenticationTokenConverter(
|
|
DefaultRelyingPartyRegistrationResolver(registrations))
|
|
authenticationConverter.setShouldConvertGetRequests(false)
|
|
return authenticationConverter
|
|
}
|
|
----
|
|
======
|
|
|
|
If you must continue using `Saml2AuthenticationTokenConverter` to process GET requests, you can call `setShouldConvertGetRequests` to `true.`
|