
Register Authentication Provider in Init Phase

Fixes gh-8031
Josh Cummings 5 years ago
parent
commit
b7ce65b284

+ 19 - 19
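--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
@@ -160,6 +160,25 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 
 	@Override
 	public void init(H http) throws Exception {
+		if ( this.jwtConfigurer == null ) {
+			throw new IllegalStateException("Jwt is the only supported format for bearer tokens " +
+					"in Spring Security and no Jwt configuration was found. Make sure to specify " +
+					"a jwk set uri by doing http.oauth2ResourceServer().jwt().jwkSetUri(uri), or wire a " +
+					"JwtDecoder instance by doing http.oauth2ResourceServer().jwt().decoder(decoder), or " +
+					"expose a JwtDecoder instance as a bean and do http.oauth2ResourceServer().jwt().");
+		}
+
+		JwtDecoder decoder = this.jwtConfigurer.getJwtDecoder();
+		Converter<Jwt, ? extends AbstractAuthenticationToken> jwtAuthenticationConverter =
+				this.jwtConfigurer.getJwtAuthenticationConverter();
+
+		JwtAuthenticationProvider provider =
+				new JwtAuthenticationProvider(decoder);
+		provider.setJwtAuthenticationConverter(jwtAuthenticationConverter);
+		provider = postProcess(provider);
+
+		http.authenticationProvider(provider);
+
 		registerDefaultAccessDeniedHandler(http);
 		registerDefaultEntryPoint(http);
 		registerDefaultCsrfOverride(http);
@@ -179,25 +198,6 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 		filter = postProcess(filter);
 
 		http.addFilter(filter);
-
-		if ( this.jwtConfigurer == null ) {
-			throw new IllegalStateException("Jwt is the only supported format for bearer tokens " +
-					"in Spring Security and no Jwt configuration was found. Make sure to specify " +
-					"a jwk set uri by doing http.oauth2ResourceServer().jwt().jwkSetUri(uri), or wire a " +
-					"JwtDecoder instance by doing http.oauth2ResourceServer().jwt().decoder(decoder), or " +
-					"expose a JwtDecoder instance as a bean and do http.oauth2ResourceServer().jwt().");
-		}
-
-		JwtDecoder decoder = this.jwtConfigurer.getJwtDecoder();
-		Converter<Jwt, ? extends AbstractAuthenticationToken> jwtAuthenticationConverter =
-				this.jwtConfigurer.getJwtAuthenticationConverter();
-
-		JwtAuthenticationProvider provider =
-				new JwtAuthenticationProvider(decoder);
-		provider.setJwtAuthenticationConverter(jwtAuthenticationConverter);
-		provider = postProcess(provider);
-
-		http.authenticationProvider(provider);
 	}
 
 	public class JwtConfigurer {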
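Review bot: The provider registration moved from configure() into init() carries no comment saying why the placement matters, so a later tidy-up could move it back into configure() next to the filter wiring and silently reintroduce gh-8031. The commit title and the `AnonymousDisabled` test name suggest that in some setups the AuthenticationManager is assembled before configure() runs, which would leave a provider added in configure() out of the manager — I would confirm that and put it in writing directly above the `if ( this.jwtConfigurer == null )` check: `// Register the provider in init() so it is present when the AuthenticationManager is built; registering it in configure() is too late in some setups (gh-8031).` It is also worth noting in that comment that the missing-JwtConfigurer check now fires during init(), i.e. at startup, so a resource server without a JwtDecoder fails closed before it can ever receive a bearer token — behaviour a future change should preserve rather than relax to a warning.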

+ 30 - 1
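--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
@@ -298,6 +298,18 @@ public class OAuth2ResourceServerConfigurerTests {
 				.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer"));
 	}
 
+	// gh-8031
+	@Test
+	public void getWhenAnonymousDisabledThenAllows() throws Exception {
+		this.spring.register(JwtDecoderConfig.class, AnonymousDisabledConfig.class).autowire();
+		JwtDecoder decoder = this.spring.getContext().getBean(JwtDecoder.class);
+		when(decoder.decode(anyString())).thenReturn(JWT);
+
+		this.mvc.perform(get("/authenticated")
+				.with(bearerToken("token")))
+				.andExpect(status().isNotFound());
+	}
+
 	@Test
 	public void getWhenUsingDefaultsWithNoBearerTokenThenUnauthorized()
 			throws Exception {
@@ -652,7 +664,8 @@ public class OAuth2ResourceServerConfigurerTests {
 
 	@Test
 	public void getBearerTokenResolverWhenDuplicateResolverBeansThenWiringException() {
-		assertThatCode(() -> this.spring.register(MultipleBearerTokenResolverBeansConfig.class).autowire())
+		assertThatCode(() -> this.spring
+				.register(JwtDecoderConfig.class, MultipleBearerTokenResolverBeansConfig.class).autowire())
 				.isInstanceOf(BeanCreationException.class)
 				.hasRootCauseInstanceOf(NoUniqueBeanDefinitionException.class);
 	}
@@ -1097,6 +1110,22 @@ public class OAuth2ResourceServerConfigurerTests {
 		}
 	}
 
+	@EnableWebSecurity
+	static class AnonymousDisabledConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.authorizeRequests()
+					.anyRequest().authenticated()
+					.and()
+				.anonymous().disable()
+				.oauth2ResourceServer()
+					.jwt();
+			// @formatter:on
+		}
+	}
+
 	@EnableWebSecurity
 	@EnableGlobalMethodSecurity(prePostEnabled = true)
 	static class MethodSecurityConfig extends WebSecurityConfigurerAdapter {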
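Review bot: `getWhenAnonymousDisabledThenAllows` only asserts `status().isNotFound()`, which shows the request was not rejected with 401/403 and reached the dispatcher but not that the JwtAuthenticationProvider actually ran; a regression that admitted the request without consulting the decoder would still pass. Since the decoder is a mock, adding `verify(decoder).decode("token");` after the perform() would pin that the bearer token was decoded, assuming Mockito's `verify` is statically imported the way `when` and `anyString` appear to be. The 404 expectation also deserves a one-line comment so the next reader does not mistake it for a failed test, presumably because AnonymousDisabledConfig registers no handler for `/authenticated`: `// no controller is registered for /authenticated; a 404 rather than 401 shows the token was accepted`.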