Jwt Decoder Local Key Configuration
Adds support for configuring Resource Server DSL with a local public key. Fixes: gh-5131
This commit is contained in:
@@ -20,10 +20,14 @@ import java.io.BufferedReader;
|
||||
import java.io.FileReader;
|
||||
import java.io.IOException;
|
||||
import java.lang.reflect.Field;
|
||||
import java.security.KeyFactory;
|
||||
import java.security.interfaces.RSAPublicKey;
|
||||
import java.security.spec.X509EncodedKeySpec;
|
||||
import java.time.Clock;
|
||||
import java.time.Duration;
|
||||
import java.time.Instant;
|
||||
import java.time.ZoneId;
|
||||
import java.util.Base64;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.Map;
|
||||
@@ -110,6 +114,7 @@ import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.when;
|
||||
import static org.springframework.security.oauth2.jwt.JwtProcessors.withJwkSetUri;
|
||||
import static org.springframework.security.oauth2.jwt.JwtProcessors.withPublicKey;
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
@@ -947,6 +952,44 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
.andExpect(status().isOk());
|
||||
}
|
||||
|
||||
// -- single key
|
||||
|
||||
@Test
|
||||
public void requestWhenUsingPublicKeyAndValidTokenThenAuthenticates()
|
||||
throws Exception {
|
||||
|
||||
this.spring.register(SingleKeyConfig.class, BasicController.class).autowire();
|
||||
String token = this.token("ValidNoScopes");
|
||||
|
||||
this.mvc.perform(get("/")
|
||||
.with(bearerToken(token)))
|
||||
.andExpect(status().isOk());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void requestWhenUsingPublicKeyAndSignatureFailsThenReturnsInvalidToken()
|
||||
throws Exception {
|
||||
|
||||
this.spring.register(SingleKeyConfig.class).autowire();
|
||||
String token = this.token("WrongSignature");
|
||||
|
||||
this.mvc.perform(get("/")
|
||||
.with(bearerToken(token)))
|
||||
.andExpect(invalidTokenHeader("signature"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void requestWhenUsingPublicKeyAlgorithmDoesNotMatchThenReturnsInvalidToken()
|
||||
throws Exception {
|
||||
|
||||
this.spring.register(SingleKeyConfig.class).autowire();
|
||||
String token = this.token("WrongAlgorithm");
|
||||
|
||||
this.mvc.perform(get("/")
|
||||
.with(bearerToken(token)))
|
||||
.andExpect(invalidTokenHeader("algorithm"));
|
||||
}
|
||||
|
||||
// -- In combination with other authentication providers
|
||||
|
||||
@Test
|
||||
@@ -1519,8 +1562,38 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
.oauth2ResourceServer()
|
||||
.jwt()
|
||||
.decoder(jwtDecoder);
|
||||
}
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
static class SingleKeyConfig extends WebSecurityConfigurerAdapter {
|
||||
byte[] spec = Base64.getDecoder().decode(
|
||||
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoXJ8OyOv/eRnce4akdan" +
|
||||
"R4KYRfnC2zLV4uYNQpcFn6oHL0dj7D6kxQmsXoYgJV8ZVDn71KGmuLvolxsDncc2" +
|
||||
"UrhyMBY6DVQVgMSVYaPCTgW76iYEKGgzTEw5IBRQL9w3SRJWd3VJTZZQjkXef48O" +
|
||||
"cz06PGF3lhbz4t5UEZtdF4rIe7u+977QwHuh7yRPBQ3sII+cVoOUMgaXB9SHcGF2" +
|
||||
"iZCtPzL/IffDUcfhLQteGebhW8A6eUHgpD5A1PQ+JCw/G7UOzZAjjDjtNM2eqm8j" +
|
||||
"+Ms/gqnm4MiCZ4E+9pDN77CAAPVN7kuX6ejs9KBXpk01z48i9fORYk9u7rAkh1Hu" +
|
||||
"QwIDAQAB");
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt();
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Bean
|
||||
JwtDecoder decoder() throws Exception {
|
||||
RSAPublicKey publicKey = (RSAPublicKey)
|
||||
KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(this.spec));
|
||||
return new NimbusJwtDecoder(withPublicKey(publicKey).build());
|
||||
}
|
||||
}
|
||||
|
||||
@Configuration
|
||||
|
||||
Reference in New Issue
Block a user