From 6b66719a83fd0968aede23d6ce9f075885a616b5 Mon Sep 17 00:00:00 2001 From: Joe Grandja Date: Tue, 23 Aug 2022 13:32:51 -0400 Subject: [PATCH] Remove constructor in OAuth2AuthorizationServerMetadataEndpointFilter Closes gh-868 --- .../OAuth2AuthorizationServerConfigurer.java | 2 +- ...orizationServerMetadataEndpointFilter.java | 30 ++++++++----------- ...tionServerMetadataEndpointFilterTests.java | 27 ++++++++--------- 3 files changed, 25 insertions(+), 34 deletions(-) diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java index 8bb36b2d..28919e88 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java @@ -255,7 +255,7 @@ public final class OAuth2AuthorizationServerConfigurer } OAuth2AuthorizationServerMetadataEndpointFilter authorizationServerMetadataEndpointFilter = - new OAuth2AuthorizationServerMetadataEndpointFilter(authorizationServerSettings); + new OAuth2AuthorizationServerMetadataEndpointFilter(); httpSecurity.addFilterBefore(postProcess(authorizationServerMetadataEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class); } 
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java index f2b78b69..6823b026 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java @@ -31,12 +31,12 @@ import org.springframework.security.oauth2.core.AuthorizationGrantType; import org.springframework.security.oauth2.core.ClientAuthenticationMethod; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType; import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationServerMetadata; +import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContext; import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder; import org.springframework.security.oauth2.server.authorization.http.converter.OAuth2AuthorizationServerMetadataHttpMessageConverter; import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; -import org.springframework.util.Assert; import org.springframework.web.filter.OncePerRequestFilter; import org.springframework.web.util.UriComponentsBuilder; 
@@ -55,20 +55,12 @@ public final class OAuth2AuthorizationServerMetadataEndpointFilter extends OnceP */ private static final String DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI = "/.well-known/oauth-authorization-server"; - private final AuthorizationServerSettings authorizationServerSettings; - private final RequestMatcher requestMatcher; + private final RequestMatcher requestMatcher = new AntPathRequestMatcher( + DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI, + HttpMethod.GET.name()); private final OAuth2AuthorizationServerMetadataHttpMessageConverter authorizationServerMetadataHttpMessageConverter = new OAuth2AuthorizationServerMetadataHttpMessageConverter(); - public OAuth2AuthorizationServerMetadataEndpointFilter(AuthorizationServerSettings authorizationServerSettings) { - Assert.notNull(authorizationServerSettings, "authorizationServerSettings cannot be null"); - this.authorizationServerSettings = authorizationServerSettings; - this.requestMatcher = new AntPathRequestMatcher( - DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI, - HttpMethod.GET.name() - ); - } - @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { 
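Review bot: With the explicit constructor removed, nothing on this class says that it now depends on `AuthorizationServerContextHolder` being populated before the filter runs. The `requestMatcher` field initializer and the implicit no-arg constructor give a caller no hint of that precondition. I would add a sentence to the class Javadoc (which sits outside this hunk), for example `Requires an AuthorizationServerContext to have been set on AuthorizationServerContextHolder earlier in the filter chain.` Code that called the one-argument public constructor will no longer compile, so the removal also deserves a line in the upgrade notes.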
@@ -78,21 +70,23 @@ public final class OAuth2AuthorizationServerMetadataEndpointFilter extends OnceP return; } - String issuer = AuthorizationServerContextHolder.getContext().getIssuer(); + AuthorizationServerContext authorizationServerContext = AuthorizationServerContextHolder.getContext(); + String issuer = authorizationServerContext.getIssuer(); + AuthorizationServerSettings authorizationServerSettings = authorizationServerContext.getAuthorizationServerSettings(); OAuth2AuthorizationServerMetadata authorizationServerMetadata = OAuth2AuthorizationServerMetadata.builder() .issuer(issuer) - .authorizationEndpoint(asUrl(issuer, this.authorizationServerSettings.getAuthorizationEndpoint())) - .tokenEndpoint(asUrl(issuer, this.authorizationServerSettings.getTokenEndpoint())) + .authorizationEndpoint(asUrl(issuer, authorizationServerSettings.getAuthorizationEndpoint())) + .tokenEndpoint(asUrl(issuer, authorizationServerSettings.getTokenEndpoint())) .tokenEndpointAuthenticationMethods(clientAuthenticationMethods()) - .jwkSetUrl(asUrl(issuer, this.authorizationServerSettings.getJwkSetEndpoint())) + .jwkSetUrl(asUrl(issuer, authorizationServerSettings.getJwkSetEndpoint())) .responseType(OAuth2AuthorizationResponseType.CODE.getValue()) .grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue()) .grantType(AuthorizationGrantType.CLIENT_CREDENTIALS.getValue()) .grantType(AuthorizationGrantType.REFRESH_TOKEN.getValue()) - .tokenRevocationEndpoint(asUrl(issuer, this.authorizationServerSettings.getTokenRevocationEndpoint())) + .tokenRevocationEndpoint(asUrl(issuer, authorizationServerSettings.getTokenRevocationEndpoint())) .tokenRevocationEndpointAuthenticationMethods(clientAuthenticationMethods()) - .tokenIntrospectionEndpoint(asUrl(issuer, this.authorizationServerSettings.getTokenIntrospectionEndpoint())) + .tokenIntrospectionEndpoint(asUrl(issuer, authorizationServerSettings.getTokenIntrospectionEndpoint())) 
.tokenIntrospectionEndpointAuthenticationMethods(clientAuthenticationMethods()) .codeChallengeMethod("S256") .build(); diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilterTests.java index 2e222279..43bb4edd 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilterTests.java 
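Review bot: The result of `AuthorizationServerContextHolder.getContext()` is dereferenced straight away in `authorizationServerContext.getIssuer()`, and the settings from `getAuthorizationServerSettings()` are used without a check. The removed constructor at least rejected null settings via `Assert.notNull`. The holder's implementation is not visible here, but if it can return null when no context was set, a metadata request would fail with a NullPointerException rather than a clear error. A fail-fast guard such as `Assert.state(authorizationServerContext != null, "authorizationServerContext cannot be null");` would restore that, though it means keeping the `Assert` import this commit drops. Clients trust this document to locate the token and JWK Set endpoints, so it is also worth confirming that the context's issuer and settings cannot be influenced by request data. `doFilterInternal` starts before this hunk and continues after it.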
@@ -49,17 +49,13 @@ public class OAuth2AuthorizationServerMetadataEndpointFilterTests { AuthorizationServerContextHolder.resetContext(); } - @Test - public void constructorWhenAuthorizationServerSettingsNullThenThrowIllegalArgumentException() { - assertThatIllegalArgumentException() - .isThrownBy(() -> new OAuth2AuthorizationServerMetadataEndpointFilter(null)) - .withMessage("authorizationServerSettings cannot be null"); - } - @Test public void doFilterWhenNotAuthorizationServerMetadataRequestThenNotProcessed() throws Exception { - OAuth2AuthorizationServerMetadataEndpointFilter filter = - new OAuth2AuthorizationServerMetadataEndpointFilter(AuthorizationServerSettings.builder().issuer("https://example.com").build()); + AuthorizationServerSettings authorizationServerSettings = AuthorizationServerSettings.builder() + .issuer("https://example.com") + .build(); + AuthorizationServerContextHolder.setContext(new TestAuthorizationServerContext(authorizationServerSettings, null)); + OAuth2AuthorizationServerMetadataEndpointFilter filter = new OAuth2AuthorizationServerMetadataEndpointFilter(); String requestUri = "/path"; MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri); 
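Review bot: The deleted `constructorWhenAuthorizationServerSettingsNullThenThrowIllegalArgumentException` test is not replaced by one for the new failure mode, a metadata `GET` arriving when no context has been set on `AuthorizationServerContextHolder`. I would add a test that sends a `GET` to `DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI` without calling `setContext` and asserts the expected outcome, so the behaviour is pinned rather than accidental. The settings-plus-`setContext` setup is now repeated in both "NotProcessed" tests (here and in the next hunk) and could move into a shared setup method. The body of `doFilterWhenNotAuthorizationServerMetadataRequestThenNotProcessed` continues past the end of this hunk.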
@@ -74,8 +70,11 @@ public class OAuth2AuthorizationServerMetadataEndpointFilterTests { @Test public void doFilterWhenAuthorizationServerMetadataRequestPostThenNotProcessed() throws Exception { - OAuth2AuthorizationServerMetadataEndpointFilter filter = - new OAuth2AuthorizationServerMetadataEndpointFilter(AuthorizationServerSettings.builder().issuer("https://example.com").build()); + AuthorizationServerSettings authorizationServerSettings = AuthorizationServerSettings.builder() + .issuer("https://example.com") + .build(); + AuthorizationServerContextHolder.setContext(new TestAuthorizationServerContext(authorizationServerSettings, null)); + OAuth2AuthorizationServerMetadataEndpointFilter filter = new OAuth2AuthorizationServerMetadataEndpointFilter(); String requestUri = DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI; MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri); @@ -106,8 +105,7 @@ public class OAuth2AuthorizationServerMetadataEndpointFilterTests { .tokenIntrospectionEndpoint(tokenIntrospectionEndpoint) .build(); AuthorizationServerContextHolder.setContext(new TestAuthorizationServerContext(authorizationServerSettings, null)); - OAuth2AuthorizationServerMetadataEndpointFilter filter = - new OAuth2AuthorizationServerMetadataEndpointFilter(authorizationServerSettings); + OAuth2AuthorizationServerMetadataEndpointFilter filter = new OAuth2AuthorizationServerMetadataEndpointFilter(); String requestUri = DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI; MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri); 
@@ -141,8 +139,7 @@ public class OAuth2AuthorizationServerMetadataEndpointFilterTests { .issuer("https://this is an invalid URL") .build(); AuthorizationServerContextHolder.setContext(new TestAuthorizationServerContext(authorizationServerSettings, null)); - OAuth2AuthorizationServerMetadataEndpointFilter filter = - new OAuth2AuthorizationServerMetadataEndpointFilter(authorizationServerSettings); + OAuth2AuthorizationServerMetadataEndpointFilter filter = new OAuth2AuthorizationServerMetadataEndpointFilter(); String requestUri = DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI; MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);