Skip to content

S
spring-boot
Commit a55c3e4a authored by Anastasiia Losieva's avatar Anastasiia Losieva Committed by Madhura Bhave
Browse files
Options

Use jws-algorithm property in ReactiveOAuth2ResourceServerJwkConfiguration 

See gh-20681
parent cea12904
Hide whitespace changes
Inline Side-by-side
Showing with 35 additions and 3 deletions
spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerJwkConfiguration.java
View file @ a55c3e4a
...@@ -31,6 +31,7 @@ import org.springframework.context.annotation.Conditional; ...@@ -31,6 +31,7 @@ import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec; import org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtValidators; import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder; import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder; import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
...@@ -45,6 +46,7 @@ import org.springframework.security.web.server.SecurityWebFilterChain; ...@@ -45,6 +46,7 @@ import org.springframework.security.web.server.SecurityWebFilterChain;
* @author Madhura Bhave * @author Madhura Bhave
* @author Artsiom Yudovin * @author Artsiom Yudovin
* @author HaiTao Zhang * @author HaiTao Zhang
* @author Anastasiia Losieva
*/ */
@Configuration(proxyBeanMethods = false) @Configuration(proxyBeanMethods = false)
class ReactiveOAuth2ResourceServerJwkConfiguration { class ReactiveOAuth2ResourceServerJwkConfiguration {
...@@ -62,8 +64,9 @@ class ReactiveOAuth2ResourceServerJwkConfiguration { ...@@ -62,8 +64,9 @@ class ReactiveOAuth2ResourceServerJwkConfiguration {
@Bean @Bean
@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.jwt.jwk-set-uri") @ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.jwt.jwk-set-uri")
ReactiveJwtDecoder jwtDecoder() { ReactiveJwtDecoder jwtDecoder() {
NimbusReactiveJwtDecoder nimbusReactiveJwtDecoder = new NimbusReactiveJwtDecoder( NimbusReactiveJwtDecoder nimbusReactiveJwtDecoder = NimbusReactiveJwtDecoder
this.properties.getJwkSetUri()); .withJwkSetUri(this.properties.getJwkSetUri())
.jwsAlgorithm(SignatureAlgorithm.from(this.properties.getJwsAlgorithm())).build();
String issuerUri = this.properties.getIssuerUri(); String issuerUri = this.properties.getIssuerUri();
if (issuerUri != null) { if (issuerUri != null) {
nimbusReactiveJwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuerUri)); nimbusReactiveJwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuerUri));
...@@ -76,7 +79,8 @@ class ReactiveOAuth2ResourceServerJwkConfiguration { ...@@ -76,7 +79,8 @@ class ReactiveOAuth2ResourceServerJwkConfiguration {
NimbusReactiveJwtDecoder jwtDecoderByPublicKeyValue() throws Exception { NimbusReactiveJwtDecoder jwtDecoderByPublicKeyValue() throws Exception {
RSAPublicKey publicKey = (RSAPublicKey) KeyFactory.getInstance("RSA") RSAPublicKey publicKey = (RSAPublicKey) KeyFactory.getInstance("RSA")
.generatePublic(new X509EncodedKeySpec(getKeySpec(this.properties.readPublicKey()))); .generatePublic(new X509EncodedKeySpec(getKeySpec(this.properties.readPublicKey())));
return NimbusReactiveJwtDecoder.withPublicKey(publicKey).build(); return NimbusReactiveJwtDecoder.withPublicKey(publicKey)
.signatureAlgorithm(SignatureAlgorithm.from(this.properties.getJwsAlgorithm())).build();
} }
private byte[] getKeySpec(String keyValue) { private byte[] getKeySpec(String keyValue) {
......
spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java
View file @ a55c3e4a
...@@ -20,10 +20,12 @@ import java.util.Collection; ...@@ -20,10 +20,12 @@ import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.Set;
import java.util.stream.Stream; import java.util.stream.Stream;
import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.ObjectMapper;
import com.nimbusds.jose.JWSAlgorithm;
import okhttp3.mockwebserver.MockResponse; import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer; import okhttp3.mockwebserver.MockWebServer;
import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.AfterEach;
...@@ -68,6 +70,7 @@ import static org.mockito.Mockito.mock; ...@@ -68,6 +70,7 @@ import static org.mockito.Mockito.mock;
* @author Madhura Bhave * @author Madhura Bhave
* @author Artsiom Yudovin * @author Artsiom Yudovin
* @author HaiTao Zhang * @author HaiTao Zhang
* @author Anastasiia Losieva
*/ */
class ReactiveOAuth2ResourceServerAutoConfigurationTests { class ReactiveOAuth2ResourceServerAutoConfigurationTests {
...@@ -94,6 +97,31 @@ class ReactiveOAuth2ResourceServerAutoConfigurationTests { ...@@ -94,6 +97,31 @@ class ReactiveOAuth2ResourceServerAutoConfigurationTests {
}); });
} }
@SuppressWarnings("unchecked")
@Test
void autoConfigurationUsingJwkSetUriShouldConfigureResourceServerUsingJwsAlgorithm() {
this.contextRunner
.withPropertyValues("spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://jwk-set-uri.com",
"spring.security.oauth2.resourceserver.jwt.jws-algorithm=RS512")
.run((context) -> {
NimbusReactiveJwtDecoder nimbusReactiveJwtDecoder = context.getBean(NimbusReactiveJwtDecoder.class);
assertThat(nimbusReactiveJwtDecoder).extracting("jwtProcessor.arg$2")
.matches((algorithms) -> ((Set<JWSAlgorithm>) algorithms).contains(JWSAlgorithm.RS512));
});
}
@Test
void autoConfigurationUsingPublicKeyValueShouldConfigureResourceServerUsingJwsAlgorithm() {
this.contextRunner.withPropertyValues(
"spring.security.oauth2.resourceserver.jwt.public-key-location=classpath:public-key-location",
"spring.security.oauth2.resourceserver.jwt.jws-algorithm=RS384").run((context) -> {
NimbusReactiveJwtDecoder nimbusReactiveJwtDecoder = context.getBean(NimbusReactiveJwtDecoder.class);
assertThat(nimbusReactiveJwtDecoder)
.extracting("jwtProcessor.arg$1.jwsKeySelector.expectedJwsAlgorithm")
.isEqualTo(JWSAlgorithm.RS384);
});
}
@Test @Test
void autoConfigurationShouldConfigureResourceServerUsingOidcIssuerUri() throws IOException { void autoConfigurationShouldConfigureResourceServerUsingOidcIssuerUri() throws IOException {
this.server = new MockWebServer(); this.server = new MockWebServer();
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment