Add WebClient Bearer token support

Fixes: gh-5389

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/userinfo/DefaultReactiveOAuth2UserService.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.oauth2.client.userinfo;
 
+import static org.springframework.security.web.http.SecurityHeaders.bearerToken;
+
 import java.net.UnknownHostException;
 import java.util.HashSet;
 import java.util.Map;
@@ -99,8 +101,7 @@ public class DefaultReactiveOAuth2UserService implements ReactiveOAuth2UserServi
 
 			Mono<Map<String, Object>> userAttributes = this.webClient.get()
 					.uri(userInfoUri)
-					.header(HttpHeaders.AUTHORIZATION,
-							"Bearer " + userRequest.getAccessToken().getTokenValue())
+					.headers(bearerToken(userRequest.getAccessToken().getTokenValue()))
 					.retrieve()
 					.onStatus(s -> s != HttpStatus.OK, response -> {
 						return parse(response).map(userInfoErrorResponse -> {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/OAuth2AuthorizedClientExchangeFilterFunction.java

@@ -16,17 +16,19 @@
 
 package org.springframework.security.oauth2.client.web.reactive.function.client;
 
-import org.springframework.http.HttpHeaders;
+import static org.springframework.security.web.http.SecurityHeaders.bearerToken;
+
+import java.util.Map;
+import java.util.Optional;
+import java.util.function.Consumer;
+
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
 import org.springframework.web.reactive.function.client.ClientRequest;
 import org.springframework.web.reactive.function.client.ClientResponse;
 import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
 import org.springframework.web.reactive.function.client.ExchangeFunction;
-import reactor.core.publisher.Mono;
 
-import java.util.Map;
-import java.util.Optional;
-import java.util.function.Consumer;
+import reactor.core.publisher.Mono;
 
 /**
  * Provides an easy mechanism for using an {@link OAuth2AuthorizedClient} to make OAuth2 requests by including the
@@ -77,8 +79,4 @@ public final class OAuth2AuthorizedClientExchangeFilterFunction implements Excha
 					.headers(bearerToken(authorizedClient.getAccessToken().getTokenValue()))
 					.build();
 	}
-
-	private Consumer<HttpHeaders> bearerToken(String token) {
-		return headers -> headers.set(HttpHeaders.AUTHORIZATION, "Bearer " + token);
-	}
 }

web/src/main/java/org/springframework/security/web/http/SecurityHeaders.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.http;
+
+import org.springframework.http.HttpHeaders;
+import org.springframework.util.Assert;
+
+import java.util.function.Consumer;
+
+/**
+ * Utilities for interacting with {@link HttpHeaders}
+ *
+ * @author Rob Winch
+ * @since 5.1
+ */
+public final class SecurityHeaders {
+
+	/**
+	 * Sets the provided value as a Bearer token in a header with the name of {@link HttpHeaders#AUTHORIZATION}
+	 * @param bearerTokenValue the bear token value
+	 * @return a {@link Consumer} that sets the header.
+	 */
+	public static Consumer<HttpHeaders> bearerToken(String bearerTokenValue) {
+		Assert.hasText(bearerTokenValue, "bearerTokenValue cannot be null");
+		return headers -> headers.set(HttpHeaders.AUTHORIZATION, "Bearer " + bearerTokenValue);
+	}
+
+	private SecurityHeaders() {}
+}

web/src/test/groovy/org/springframework/security/web/http/SecurityHeadersTests.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.http;
+
+import org.junit.Test;
+
+import static org.assertj.core.api.Assertions.*;
+
+/**
+ * @author Rob Winch
+ * @since 5.1
+ */
+public class SecurityHeadersTests {
+
+	@Test
+	public void bearerTokenWhenNullThenIllegalArgumentException() {
+		String bearerTokenValue = null;
+		assertThatThrownBy(() -> SecurityHeaders.bearerToken(bearerTokenValue))
+				.isInstanceOf(IllegalArgumentException.class);
+	}
+
+	@Test
+	public void bearerTokenWhenEmptyStringThenIllegalArgumentException() {
+		assertThatThrownBy(() -> SecurityHeaders.bearerToken(""))
+				.isInstanceOf(IllegalArgumentException.class);
+	}
+
+}