
Fix credentials precedence over introspector in Kotlin

Fixes: gh-7878
Eleftheria Stein 5 lat temu

+ 18 - 3
config/src/main/kotlin/org/springframework/security/config/web/servlet/oauth2/resourceserver/OpaqueTokenDsl.kt

@@ -29,11 +29,25 @@ import org.springframework.security.oauth2.server.resource.introspection.OpaqueT
  * @property introspector the [OpaqueTokenIntrospector] to use.
  */
 class OpaqueTokenDsl {
-    var introspectionUri: String? = null
-    var introspector: OpaqueTokenIntrospector? = null
-
+    private var _introspectionUri: String? = null
+    private var _introspector: OpaqueTokenIntrospector? = null
     private var clientCredentials: Pair<String, String>? = null
 
+    var introspectionUri: String?
+        get() = _introspectionUri
+        set(value) {
+            _introspectionUri = value
+            _introspector = null
+        }
+    var introspector: OpaqueTokenIntrospector?
+        get() = _introspector
+        set(value) {
+            _introspector = value
+            _introspectionUri = null
+            clientCredentials = null
+        }
+
+
     /**
      * Configures the credentials for Introspection endpoint.
      *
@@ -42,6 +56,7 @@ class OpaqueTokenDsl {
      */
     fun introspectionClientCredentials(clientId: String, clientSecret: String) {
         clientCredentials = Pair(clientId, clientSecret)
+        _introspector = null
     }
 
     internal fun get(): (OAuth2ResourceServerConfigurer<HttpSecurity>.OpaqueTokenConfigurer) -> Unit {
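Review bot: The new setters at the top of the first hunk make the three settings last-writer-wins — assigning `introspector` silently drops a previously configured `introspectionUri` and client credentials, and assigning `introspectionUri` (even `null`) drops a custom `introspector` — yet the class KDoc in the same hunk still describes each property in isolation. Because silently discarding a custom introspector changes which component validates bearer tokens, I would spell it out: `@property introspectionUri the introspection endpoint URI; setting it discards a previously configured [introspector]` and `@property introspector the [OpaqueTokenIntrospector] to use; setting it discards a previously configured [introspectionUri] and client credentials`, plus a matching sentence in the `introspectionClientCredentials` KDoc, whose `@param` lines fall between the two hunks. Note the asymmetry that the `introspectionUri` setter keeps any existing client credentials while the `introspector` setter clears them; if that is intended (URI and credentials are used together), a short comment on the setter would stop the next reader from "fixing" it. Style: there is a double blank line after the `introspector` setter. `get()` starts on the last line of the diff and its body is outside it, so I cannot confirm here how it resolves the state where only credentials remain set.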

+ 35 - 0
config/src/test/kotlin/org/springframework/security/config/web/servlet/oauth2/resourceserver/OpaqueTokenDslTests.kt

@@ -138,6 +138,41 @@ class OpaqueTokenDslTests {
         }
     }
 
+    @Test
+    fun `opaque token when custom introspector set after client credentials then introspector used`() {
+        this.spring.register(IntrospectorAfterClientCredentialsConfig::class.java, AuthenticationController::class.java).autowire()
+        `when`(IntrospectorAfterClientCredentialsConfig.INTROSPECTOR.introspect(ArgumentMatchers.anyString()))
+                .thenReturn(DefaultOAuth2AuthenticatedPrincipal(mapOf(Pair(JwtClaimNames.SUB, "mock-subject")), emptyList()))
+
+        this.mockMvc.get("/authenticated") {
+            header("Authorization", "Bearer token")
+        }
+
+        verify(IntrospectorAfterClientCredentialsConfig.INTROSPECTOR).introspect("token")
+    }
+
+    @EnableWebSecurity
+    open class IntrospectorAfterClientCredentialsConfig : WebSecurityConfigurerAdapter() {
+        companion object {
+            var INTROSPECTOR: OpaqueTokenIntrospector = mock(OpaqueTokenIntrospector::class.java)
+        }
+
+        override fun configure(http: HttpSecurity) {
+            http {
+                authorizeRequests {
+                    authorize(anyRequest, authenticated)
+                }
+                oauth2ResourceServer {
+                    opaqueToken {
+                        introspectionUri = "/introspect"
+                        introspectionClientCredentials("clientId", "clientSecret")
+                        introspector = INTROSPECTOR
+                    }
+                }
+            }
+        }
+    }
+
     @RestController
     class AuthenticationController {
         @GetMapping("/authenticated")
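Review bot: The new test `opaque token when custom introspector set after client credentials then introspector used` only verifies that the mock was invoked; the `mockMvc.get` call never asserts the outcome, so a regression that consults the introspector and still rejects the request would pass. Since the mock returns a principal with a subject, I would chain `.andExpect { status { isOk } }` onto the request. The DSL change also discards a custom introspector when `introspectionUri` or credentials are set afterwards, but only the credentials-then-introspector order is covered here; a second config that sets `introspector = INTROSPECTOR` first and `introspectionUri` afterwards, followed by `verifyNoInteractions(IntrospectorAfterClientCredentialsConfig.INTROSPECTOR)`-style checking on its own mock, would pin the other direction. `INTROSPECTOR` in the companion object can be a `val`; a mutable shared static mock invites accidental reassignment from another test. `AuthenticationController` continues past the end of the hunk.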