Remove OAuth2AuthoritiesPopulator

Since this is not precisely necessary to minimally support JWK sets in Resource Server, we are pushing this code to another PR. Fixes: gh-7 Issue: gh-21
jzheaux · Jun 25, 2018 · 715814a · 715814a
1 parent 05687fb
commit 715814a
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 191 deletions.
diff --git a/...fig/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java b/...fig/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
@@ -25,12 +25,10 @@
 import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
-import org.springframework.security.oauth2.core.OAuth2AuthoritiesPopulator;
 import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
-import org.springframework.security.oauth2.server.resource.authentication.JwtAuthoritiesPopulator;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenRequestMatcher;
@@ -90,11 +88,8 @@ public void configure(H http) throws Exception {
 		if ( decoder != null ) {
 			decoder = postProcess(decoder);
 
-			OAuth2AuthoritiesPopulator populator = postProcess(getAuthoritiesPopulator(http));
-
 			JwtAuthenticationProvider provider =
 					new JwtAuthenticationProvider(decoder);
-			provider.setAuthoritiesPopulator(populator);
 			provider = postProcess(provider);
 
 			http.authenticationProvider(provider);
@@ -119,8 +114,6 @@ public class JwtConfigurer {
 		private String algorithm = JwsAlgorithms.RS256;
 		private JwtDecoder decoder = null;
 
-		private OAuth2AuthoritiesPopulator populator;
-
 		JwtConfigurer() {}
 
 		public SignatureVerificationConfigurer signature() {
@@ -132,11 +125,6 @@ public JwtConfigurer algorithm(String algorithm) {
 			return this;
 		}
 
-		public JwtConfigurer authoritiesPopulator(OAuth2AuthoritiesPopulator populator) {
-			this.populator = populator;
-			return this;
-		}
-
 		public OAuth2ResourceServerConfigurer<H> and() {
 			return OAuth2ResourceServerConfigurer.this;
 		}
@@ -225,22 +213,4 @@ private JwtDecoder getJwtDecoder(H http) {
 
 		return null;
 	}
-
-	private OAuth2AuthoritiesPopulator getAuthoritiesPopulator(H http) {
-		ApplicationContext context = http.getSharedObject(ApplicationContext.class);
-
-		if ( this.jwtConfigurer != null &&
-				this.jwtConfigurer.populator != null ) {
-			return this.jwtConfigurer.populator;
-		}
-
-		Map<String, OAuth2AuthoritiesPopulator> populators =
-				BeanFactoryUtils.beansOfTypeIncludingAncestors(context, OAuth2AuthoritiesPopulator.class);
-
-		if ( !populators.isEmpty() ) {
-			return populators.values().iterator().next();
-		}
-
-		return new JwtAuthoritiesPopulator();
-	}
 }
diff --git a/...re/src/main/java/org/springframework/security/oauth2/core/OAuth2AuthoritiesPopulator.java b/...re/src/main/java/org/springframework/security/oauth2/core/OAuth2AuthoritiesPopulator.java
diff --git a/...ecurity/oauth2/server/resource/authentication/AbstractOAuth2TokenAuthenticationToken.java b/...ecurity/oauth2/server/resource/authentication/AbstractOAuth2TokenAuthenticationToken.java
@@ -44,8 +44,6 @@
 public abstract class AbstractOAuth2TokenAuthenticationToken<T extends AbstractOAuth2Token> extends AbstractAuthenticationToken {
 	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 
-	private String scopeAttributeName = "scope";
-
 	private T token;
 
 	/**
@@ -85,25 +83,6 @@ public final T getToken() {
 		return this.token;
 	}
 
-	/**
-	 * Returns the attribute name used to access the scope(s) associated to the access token.
-	 *
-	 * @return the attribute name used to access the scope(s) associated to the access token
-	 */
-	public final String getScopeAttributeName() {
-		return this.scopeAttributeName;
-	}
-
-	/**
-	 * Sets the attribute name used to access the scope(s) associated to the access token.
-	 *
-	 * @param scopeAttributeName the attribute name used to access the scope(s) associated to the access token
-	 */
-	public final void setScopeAttributeName(String scopeAttributeName) {
-		Assert.hasText(scopeAttributeName, "scopeAttributeName cannot be empty");
-		this.scopeAttributeName = scopeAttributeName;
-	}
-
 	/**
 	 * Returns the attributes of the access token.
 	 *

diff --git a/...ngframework/security/oauth2/server/resource/authentication/JwtAuthenticationProvider.java b/...ngframework/security/oauth2/server/resource/authentication/JwtAuthenticationProvider.java
@@ -16,12 +16,12 @@
 package org.springframework.security.oauth2.server.resource.authentication;
 
 import org.springframework.http.HttpStatus;
-import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
-import org.springframework.security.oauth2.core.OAuth2AuthoritiesPopulator;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
@@ -31,6 +31,11 @@
 import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
 import org.springframework.util.Assert;
 
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.stream.Collectors;
+
 /**
  * An {@link AuthenticationProvider} implementation of the OAuth2 Resource Server Bearer Token when using Jwt-encoding
  * <p>
@@ -47,7 +52,8 @@
 public class JwtAuthenticationProvider implements AuthenticationProvider {
 	private final JwtDecoder jwtDecoder;
 
-	private OAuth2AuthoritiesPopulator authoritiesPopulator = new JwtAuthoritiesPopulator();
+	private static final Collection<String> WELL_KNOWN_SCOPE_ATTRIBUTE_NAMES =
+			Arrays.asList("scope", "scp");
 
 	public JwtAuthenticationProvider(JwtDecoder jwtDecoder) {
 		Assert.notNull(jwtDecoder, "jwtDecoder cannot be null");
@@ -67,12 +73,16 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			throw new OAuth2AuthenticationException(invalidRequest, failed);
 		}
 
-		Authentication token =
-				this.authoritiesPopulator.populateAuthorities(new JwtAuthenticationToken(jwt));
+		Collection<GrantedAuthority> authorities =
+				this.getScopes(jwt)
+						.stream()
+						.map(authority -> "SCOPE_" + authority)
+						.map(SimpleGrantedAuthority::new)
+						.collect(Collectors.toList());
 
-		if ( token instanceof AbstractAuthenticationToken ) {
-			((AbstractAuthenticationToken) token).setDetails(bearer.getDetails());
-		}
+		JwtAuthenticationToken token = new JwtAuthenticationToken(jwt, authorities);
+
+		token.setDetails(bearer.getDetails());
 
 		return token;
 	}
@@ -82,16 +92,24 @@ public boolean supports(Class<?> authentication) {
 		return BearerTokenAuthenticationToken.class.isAssignableFrom(authentication);
 	}
 
-	public void setAuthoritiesPopulator(OAuth2AuthoritiesPopulator authoritiesPopulator) {
-		Assert.notNull(authoritiesPopulator, "authoritiesPopulator cannot be null");
-		this.authoritiesPopulator = authoritiesPopulator;
-	}
-
 	private static OAuth2Error invalidToken(String message) {
 		return new BearerTokenError(
 				BearerTokenErrorCodes.INVALID_TOKEN,
 				HttpStatus.UNAUTHORIZED,
 				message,
 				"https://tools.ietf.org/html/rfc6750#section-3.1");
 	}
+
+	private Collection<String> getScopes(Jwt jwt) {
+		for ( String attributeName : WELL_KNOWN_SCOPE_ATTRIBUTE_NAMES ) {
+			Object scopes = jwt.getClaims().get(attributeName);
+			if ( scopes instanceof String ) {
+				return Arrays.asList(((String) scopes).split(" "));
+			} else if ( scopes instanceof Collection ) {
+				return (Collection<String>) scopes;
+			}
+		}
+
+		return Collections.emptyList();
+	}
 }
diff --git a/...ringframework/security/oauth2/server/resource/authentication/JwtAuthoritiesPopulator.java b/...ringframework/security/oauth2/server/resource/authentication/JwtAuthoritiesPopulator.java
diff --git a/...onfigure/security/oauth2/resourceserver/OAuth2ResourceServerWebSecurityConfiguration.java b/...onfigure/security/oauth2/resourceserver/OAuth2ResourceServerWebSecurityConfiguration.java
@@ -22,7 +22,6 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.oauth2.server.resource.authentication.JwtAuthoritiesPopulator;
 import org.springframework.util.StringUtils;
 
 import java.net.URL;
@@ -72,18 +71,6 @@ protected void configure(HttpSecurity http) throws Exception {
 								.jwt().signature().keys(new URL(issuer.getJwkSetUri()));
 					// @formatter:off
 				}
-
-				if (StringUtils.hasText(issuer.getScopeAttributeName())) {
-					JwtAuthoritiesPopulator populator = new JwtAuthoritiesPopulator();
-					populator.setScopeAttributeName(issuer.getScopeAttributeName());
-
-					// @formatter:on
-					http
-						.oauth2()
-							.resourceServer()
-								.jwt().authoritiesPopulator(populator);
-					// @formatter:off
-				}
 			}
 
 		}